# Company Processes

<details>

<summary>1. Introduction</summary>

This document outlines the operational, governance, security and support processes followed for We360.ai. The purpose of this document is to provide enterprise customers with transparency into the systems, processes and controls that ensure reliable and secure service delivery.

This document is intended to address common requirements raised during:

* Vendor Due Diligence
* Security Questionnaires
* Enterprise RFP processes
* IT and Risk Assessments

**The document covers:**

* Product Release Management
* Change Management
* Incident Management
* Infrastructure Governance
* Data Security Practices
* Business Continuity & Disaster Recovery
* Customer Onboarding
* Customer Support & Escalation
* Vendor & Third-Party Governance
* Compliance and Operational Governance
* Continuous Improvement
* Security Certifications, Compliance & Regulatory Alignment
* Data Protection & Data Flow Architecture
* Security Controls & Technical Safeguards
* Risk Management & Security Governance Framework
* Secure Software Development Lifecycle (SSDLC)
* Service Level Agreements (SLA) & Operational Commitments

* Data Residency, Data Ownership & Customer Rights
* Audit, Reporting & Compliance Assurance

</details>

<details>

<summary>2. Product Release Management</summary>

We360.ai follows a structured release management process to ensure that all product updates are delivered in a controlled, reliable and secure manner.

Release Lifecycle

2.1 Product Planning

Product features and enhancements are identified through:

* Product roadmap planning
* Customer feedback
* Security improvements
* Performance enhancements

Features are prioritized based on customer impact and business value.

2.2 Development

Engineering teams develop product features in controlled development environments. Secure development practices are followed, including:

* Version control
* Code reviews
* Branch management
* Development environment segregation

2.3 Code Review

All code changes undergo peer review to ensure:

* Code quality
* Security best practices
* Performance standards
* Compliance with architecture guidelines

2.4 Testing

Multiple testing layers are performed before release:

* Functional testing
* Regression testing
* Performance testing
* Integration testing

Where applicable, security checks and vulnerability scans are also conducted.

2.5 Staging Validation

Approved builds are deployed to staging environments that replicate production configurations. This allows teams to validate:

* System stability
* Integration compatibility
* Feature behaviour

2.6 Production Release

Once validation is complete, releases are deployed to production environments through controlled deployment pipelines.

Deployment typically occurs during planned release windows to minimize service impact.

2.7 Post-Release Monitoring

After deployment, system monitoring tools track:

* Performance metrics
* Error logs
* System availability

Any anomalies are investigated immediately.

2.8 Release Types

| Release Type      | Description                             |
| ----------------- | --------------------------------------- |
| Minor Release     | Bug fixes and small improvements        |
| Feature Release   | New features or enhancements            |
| Emergency Release | Critical fixes such as security patches |

Release notes and change logs are maintained for traceability.

</details>

<details>

<summary>3. Change Management</summary>

A structured change management process ensures that modifications to the system are implemented in a controlled and auditable manner.

3.1 Change Categories

Standard Changes

Routine operational updates with minimal risk.

Examples:

* Minor configuration updates
* System optimizations

Normal Changes

Planned system updates requiring internal review and approval.

Examples:

* Feature updates
* Infrastructure modifications

Emergency Changes

Urgent changes implemented to resolve critical issues such as system outages or security vulnerabilities.

3.2 Change Management Process

1\. Change Request Initiation

* Internal change request logged

2\. Impact Assessment

* Risk analysis conducted
* Technical impact reviewed

3\. Approval

* Relevant technical stakeholders approve the change

4\. Deployment Planning

* Release window defined
* Rollback plan prepared

5\. Implementation

* Change deployed in production environment

6\. Validation

* System performance verified
* Functionality confirmed

7\. Documentation

* Change logs updated
* Records maintained for audit purposes

</details>

<details>

<summary>4. Incident Management</summary>

We360.ai follows a structured incident management framework to ensure that service disruptions are addressed quickly and effectively.

4.1 Incident Sources

Incidents may be identified through:

* System monitoring alerts
* Customer support reports
* Internal engineering detection
* Infrastructure monitoring tools

4.2 Incident Response Workflow

1\. Incident detection

2\. Incident logging

3\. Severity classification

4\. Investigation by engineering team

5\. Issue resolution or mitigation

6\. Root cause analysis

7\. Preventive actions

4.3 Incident Severity Levels

| Severity | Description                        |
| -------- | ---------------------------------- |
| Critical | Complete system outage             |
| High     | Major feature disruption           |
| Medium   | Partial functionality issue        |
| Low      | Minor issue or enhancement request |

Critical incidents receive immediate attention from engineering teams.

</details>

<details>

<summary>5. Infrastructure &#x26; Cloud Hosting</summary>

We360.ai is hosted on secure cloud infrastructure designed for scalability, availability and reliability.

5.1 Infrastructure Characteristics

* Cloud-native architecture
* Scalable infrastructure resources
* High availability configuration
* Continuous system monitoring

5.2 Hosting Environment

We360.ai is hosted on secure cloud infrastructure with primary hosting located in India to support enterprise data residency expectations.

Infrastructure includes:

* Secure networking layers
* Firewall configurations
* Access restrictions
* Monitoring systems

5.3 Infrastructure Monitoring

Infrastructure monitoring tools track:

* Server health
* System availability
* Resource usage
* Error logs

Alerts are triggered if abnormal behaviour is detected.

</details>

<details>

<summary>6. Data Security &#x26; Privacy</summary>

Data security is a core operational priority.

6.1 Security Controls

Key security practices include:

* Encryption of data in transit using secure protocols
* Controlled access to infrastructure and administrative systems
* Continuous monitoring of system activity
* Logging and auditing mechanisms

6.2 Access Management

Access to We360.ai is governed through:

* Role-Based Access Control (RBAC): Users are assigned permissions based on their roles within the organization.
* Least Privilege Model: Users and administrators receive only the minimum access required to perform their responsibilities.
* Administrative Access: Administrative system access is restricted to authorized personnel and monitored through logging systems.

</details>

<details>

<summary>7. Business Continuity &#x26; Disaster Recovery</summary>

Business continuity processes ensure that We360.ai can continue operating even during unexpected disruptions.

7.1 Key Measures

* Automated data backup procedures
* Infrastructure redundancy
* Disaster recovery planning
* Operational monitoring

7.2 Backup Policy

System configurations and essential operational data are backed up regularly to ensure recoverability.

7.3 Disaster Recovery

In the event of infrastructure disruption:

1\. Engineering teams investigate the failure

2\. Recovery procedures are initiated

3\. Services are restored using backup infrastructure

Periodic reviews ensure disaster recovery readiness.

</details>

<details>

<summary>8. Customer Onboarding</summary>

Customer onboarding is designed to allow new organizations to start using We360.ai quickly and efficiently.

8.1 Onboarding Steps

Step 1: Account Creation

Users register on We360.ai and verify their accounts.

Step 2: Organization Setup

Customers configure their organization profile and workspace.

Step 3: Onboarding Wizard

A guided onboarding wizard assists users with:

* Initial configuration
* Team member setup
* System settings

Step 4: User Management

Administrators add team members and assign roles.

Step 5: System Setup

Customers configure the productivity and team mapping role settings required for data collection.

Step 6: Data Synchronization

Once setup is complete, operational data begins appearing in the We360.ai dashboard.

Documentation such as the 5-Minute Launch Guide helps users quickly understand We360.ai functionality.

</details>

<details>

<summary>9. Customer Support &#x26; Escalation</summary>

Customer support ensures that users receive assistance when needed.

9.1 Support Channels

Customers can reach support through:

* Email support
* Support ticket system
* Customer success engagement

9.2 Support Escalation Model

| Level   | Responsibility              |
| ------- | --------------------------- |
| Level 1 | Customer Support Team       |
| Level 2 | Product Support Specialists |
| Level 3 | Engineering Team            |

Critical issues are escalated immediately to engineering teams for investigation.

</details>

<details>

<summary>10. Vendor &#x26; Third-Party Management</summary>

We360.ai may utilize third-party service providers to support infrastructure and operations.

10.1 Vendor Categories

Typical vendors include:

* Cloud infrastructure providers
* External auditors
* Security tools

10.2 Vendor Evaluation

Before engaging with any vendor, the following factors are reviewed:

* Security posture
* Infrastructure reliability
* Compliance standards
* Operational stability

Vendor relationships are periodically reviewed to ensure ongoing compliance.

</details>

<details>

<summary>11. Compliance &#x26; Security Governance</summary>

Governance processes ensure alignment with enterprise operational and security expectations.

11.1 Governance Controls

The organization maintains documentation related to:

* Product architecture
* Security practices
* Release history
* Change logs
* Operational procedures

These documents support enterprise:

* Vendor risk assessments
* Security reviews
* Compliance audits
* RFP evaluations

</details>

<details>

<summary>12. Continuous Improvement</summary>

We360.ai follows a continuous improvement approach to enhance reliability, security and customer experience.

12.1 Improvement Initiatives

* Monitoring system performance
* Reviewing incident trends
* Implementing security improvements
* Incorporating customer feedback
* Enhancing operational processes

Regular internal reviews ensure We360.ai evolves to meet enterprise operational standards.

</details>

<details>

<summary>13. Security Certifications, Compliance &#x26; Regulatory Alignment</summary>

We360.ai follows industry-recognized security and privacy standards to ensure the protection of customer data and operational integrity. The organization aligns with globally accepted frameworks, regulatory requirements and security best practices.

These certifications and compliance programs demonstrate our commitment to maintaining enterprise-grade security, privacy protection and regulatory adherence.

13.1 Security Certifications

SOC 2 Type II

We360.ai maintains compliance with SOC 2 Type II, which validates that the organization's internal controls meet the Trust Service Criteria.

SOC 2 Type II focuses on the following trust principles:

* Security
* Availability
* Processing Integrity
* Confidentiality
* Privacy

The certification involves an independent audit that evaluates the effectiveness of security controls over a defined monitoring period. This ensures that security practices are not only designed appropriately but also operate effectively over time.

Key SOC 2 control areas include:

* Access control management
* Infrastructure monitoring
* Change management
* Incident response
* Data protection controls
* Vendor management

ISO/IEC 27001

We360.ai aligns with the ISO/IEC 27001 framework, which defines best practices for establishing and maintaining an Information Security Management System (ISMS).

ISO 27001 focuses on:

* Risk management
* Information security policies
* Asset management
* Access control
* Cryptography
* Incident management
* Business continuity

This framework ensures a systematic approach to managing sensitive information and maintaining strong security governance practices.

ISO/IEC 27017

We360.ai aligns with ISO/IEC 27017, which provides additional security guidance specifically for cloud service providers and cloud-based systems.

Key areas covered include:

* Cloud infrastructure security
* Shared responsibility model
* Virtual machine security
* Cloud service configuration controls
* Administrative access governance

This standard ensures that cloud deployments follow recognized best practices for protecting data and workloads in cloud environments.

ISO/IEC 27018

We360.ai follows privacy protection guidelines defined in ISO/IEC 27018, which focuses on protecting personally identifiable information (PII) in public cloud environments.

Key protections include:

* Restrictions on data processing
* Transparency in data handling
* Customer data ownership protections
* Secure deletion of data
* Privacy-focused operational controls

13.2 Security Assessments

Vulnerability Assessment & Penetration Testing (VAPT)

We360.ai undergoes periodic Vulnerability Assessment and Penetration Testing conducted by qualified security professionals.

The objective of VAPT is to identify potential security weaknesses and proactively address them before they can be exploited.

The assessment typically includes:

* Network vulnerability assessment
* Application security testing
* Infrastructure security review
* Penetration testing simulations

Findings from these assessments are prioritized based on severity and remediated according to internal security policies.

Regular VAPT exercises help ensure We360.ai remains resilient against emerging security threats.

13.3 Privacy & Data Protection Regulations

We360.ai is designed to support compliance with major global privacy regulations governing the protection of personal data.

Digital Personal Data Protection Act 2023 (DPDP)

We360.ai aligns with the requirements of the Digital Personal Data Protection Act 2023, which governs the processing of digital personal data in India.

Key principles supported include:

* Lawful data processing
* User consent management
* Data minimization
* Secure storage and processing
* Protection against unauthorized access

These measures help ensure compliance with India's evolving data protection landscape.

General Data Protection Regulation (GDPR)

We360.ai supports compliance with the General Data Protection Regulation, which governs the protection of personal data for individuals within the European Union.

GDPR compliance principles include:

* Lawful processing of personal data
* Transparency in data collection
* Data minimization
* Data subject rights
* Security safeguards
* Breach notification mechanisms

We360.ai incorporates controls that enable organizations to meet GDPR requirements when handling personal data.

California Consumer Privacy Act (CCPA)

We360.ai supports compliance with the California Consumer Privacy Act, which provides California residents with enhanced rights regarding the use of their personal data.

We360.ai enables organizations to support CCPA requirements including:

* Data transparency
* Consumer access rights
* Data deletion requests
* Data usage disclosures

Health Insurance Portability and Accountability Act (HIPAA)

For customers operating within healthcare ecosystems, We360.ai aligns with the principles of the Health Insurance Portability and Accountability Act.

HIPAA focuses on protecting Protected Health Information (PHI) through:

* Administrative safeguards
* Physical safeguards
* Technical safeguards

These protections help ensure the confidentiality, integrity and availability of sensitive healthcare data.

13.4 Ongoing Security Governance

Security and compliance controls are continuously monitored and improved through:

* Periodic security assessments
* Internal security reviews
* Infrastructure monitoring
* Access control audits
* Incident response testing
* Security training and awareness

The organization is committed to maintaining high standards of security and privacy to meet enterprise and regulatory expectations.

</details>

<details>

<summary>14. Data Protection &#x26; Data Flow Architecture</summary>

We360.ai follows a secure data architecture designed to protect customer information throughout its lifecycle. The architecture incorporates security controls at every stage of data handling, including collection, transmission, processing, storage and deletion.

The system architecture is designed following security frameworks such as SOC 2 Type II and ISO/IEC 27001.

14.1 Data Flow Overview

We360.ai processes data through the following controlled stages:

1\. Data Collection

2\. Data Transmission

3\. Data Processing

4\. Data Storage

5\. Data Access & Usage

6\. Data Retention & Deletion

Each stage incorporates encryption, authentication and monitoring mechanisms to protect data integrity and confidentiality.

14.2 Data Collection

Data is collected from customer systems using secure integration methods configured during onboarding.

Collection mechanisms may include:

* Secure API integrations
* Platform connectors or agents
* System integrations configured by the customer
* User inputs through the application interface

Data collection follows the principle of data minimization, meaning only the data required for platform functionality is collected.

Customer administrators retain control over integration configurations and permissions.

14.3 Data Transmission

All communication between customer environments and We360.ai is secured using encrypted protocols.

Transmission protections include:

* HTTPS/TLS encrypted communication
* Secure API authentication
* Token-based authorization mechanisms
* Network traffic monitoring

Encryption prevents interception, tampering, or unauthorized access during data transmission.

14.4 Data Processing

After transmission, data is processed within secured application environments.

Processing operations may include:

* Data analysis
* Monitoring operations
* Event correlation
* System analytics

Application services operate in isolated environments to ensure secure processing and prevent unauthorized cross-access.

Strict access control policies ensure internal systems only access required datasets.

14.5 Data Storage

Customer data is stored within secure cloud infrastructure environments.

Security controls for storage include:

* Encryption of stored data
* Access-controlled databases
* Network segmentation
* Infrastructure monitoring

Data is logically separated by tenant to ensure that one organization's data cannot be accessed by another.

14.6 Data Access Controls

Access to platform data is governed through Role-Based Access Control (RBAC).

User roles may include:

* Organization Administrators
* Operational Users
* Read-Only Users

Permissions are granted according to job responsibilities following the least privilege principle.

Administrative system access is restricted to authorized personnel.

14.7 Data Retention

Data retention policies define how long data is stored within We360.ai.

Retention periods depend on:

* Operational requirements and agreements
* Customer configuration
* Security monitoring needs
* Regulatory requirements

Logs and operational data may be retained for monitoring, auditing and compliance purposes.

14.8 Data Deletion

Data deletion procedures are implemented when:

* Data reaches the end of its retention period
* Customers request deletion
* Customer contracts terminate

Deletion processes may include:

* Secure database deletion
* Storage cleanup
* Backup lifecycle expiration

These processes help ensure that customer data is not retained beyond required periods.

14.9 Monitoring & Data Protection Controls

Continuous monitoring is implemented to detect unauthorized activity or system anomalies.

Monitoring mechanisms include:

* Infrastructure monitoring
* Application log monitoring
* Security alerts
* Access activity tracking

Security events are handled through the incident management process.

14.10 Privacy Protection

We360.ai supports compliance with major privacy regulations including:

* Digital Personal Data Protection Act
* General Data Protection Regulation
* California Consumer Privacy Act
* Health Insurance Portability and Accountability Act

Privacy protections focus on secure data processing, transparency and protection of personal data.

</details>

<details>

<summary>15. Security Controls &#x26; Technical Safeguards</summary>

We360.ai implements a layered security model designed to protect systems and customer data from unauthorized access, misuse and security threats.

Security controls align with frameworks such as ISO/IEC 27001 and SOC 2 Type II.

15.1 Access Control

Access to systems and data is governed by strict identity and access management policies.

Controls include:

* Role-Based Access Control (RBAC)
* Least privilege access model
* User authentication mechanisms
* Administrative access restrictions

Access rights are reviewed periodically to ensure that users retain only necessary permissions.

Administrative access to production systems is limited to authorized personnel.

15.2 Authentication & Identity Management

User identity verification is implemented through secure authentication mechanisms.

These include:

* Secure login authentication
* Password policy enforcement
* Session management controls
* Access revocation procedures for inactive users

Identity verification helps ensure that only authorized users access We360.ai.

15.3 Encryption Controls

Encryption protects sensitive data during transmission and storage.

Encryption measures include:

Encryption in Transit

* TLS-based encrypted communication
* Secure API connections

Encryption at Rest

* Encrypted database storage
* Secure storage configurations
* Infrastructure-level encryption controls

These encryption practices prevent unauthorized access to stored or transmitted data.

15.4 Logging & Audit Trails

Logging systems capture activity across We360.ai to support monitoring, troubleshooting and security investigations.

Logged events may include:

* User authentication events
* Administrative activities
* System configuration changes
* Access attempts
* Security alerts

Logs are retained for operational monitoring and compliance purposes.

Audit trails help maintain accountability and transparency within We360.ai.

15.5 Security Monitoring

Security monitoring systems continuously observe platform activity to identify potential threats.

Monitoring capabilities include:

* Infrastructure health monitoring
* Application monitoring
* Security alerting
* Log analysis

Alerts are generated for suspicious activities and investigated by engineering teams.

15.6 Vulnerability Management

We360.ai maintains a proactive vulnerability management process.

Security activities include:

* Regular vulnerability scanning
* Periodic Vulnerability Assessment and Penetration Testing
* Security patching
* Risk prioritization and remediation

Security findings are reviewed and remediated based on severity levels.

15.7 Incident Response

Security incidents are managed through a defined incident response process.

The process includes:

1\. Detection of security events

2\. Incident classification

3\. Investigation and containment

4\. Resolution and recovery

5\. Root cause analysis

Security incidents are handled in accordance with internal incident management procedures.

15.8 Security Governance & Continuous Improvement

Security controls are continuously reviewed and improved through:

* Security audits
* Compliance assessments
* Infrastructure monitoring
* Incident trend analysis
* Security awareness initiatives

These measures ensure that We360.ai maintains a strong and evolving security posture.

</details>

<details>

<summary>16. Risk Management &#x26; Security Governance Framework</summary>

The organization follows a structured risk management and security governance framework to ensure that information security risks are identified, assessed and mitigated in a systematic manner.

The framework aligns with industry standards such as ISO/IEC 27001 and incorporates security best practices to protect systems, infrastructure and customer data.

Security governance ensures that policies, procedures and controls are continuously reviewed and improved to maintain a strong security posture.

16.1 Information Security Governance

Information security governance establishes the policies and responsibilities required to manage and protect organizational information assets.

Key governance principles include:

* Defined security policies and procedures
* Role-based responsibilities for security management
* Security oversight and accountability
* Periodic review of security controls
* Alignment with regulatory and compliance requirements

Security governance helps ensure that security controls remain effective and aligned with business and regulatory expectations.

16.2 Risk Management Process

A formal risk management process is followed to identify and mitigate risks associated with information systems and infrastructure.

The risk management lifecycle includes the following stages:

Risk Identification

Potential risks are identified through:

* Security assessments
* Infrastructure reviews
* Vulnerability scans
* Incident analysis
* Vendor assessments

Risk Assessment

Identified risks are evaluated based on:

* Likelihood of occurrence
* Potential impact on systems or data
* Exposure to operational disruption

Risk Mitigation

Appropriate mitigation strategies are implemented, including:

* Security controls
* Process improvements
* Infrastructure safeguards
* Monitoring mechanisms

Risk Monitoring

Risks are continuously monitored to ensure controls remain effective.

Periodic reviews are conducted to reassess risks and update mitigation strategies.

16.3 Security Policies & Standards

The organization maintains documented security policies that guide operational and security practices.

Key policy areas include:

* Information security policy
* Access control policy
* Data protection policy
* Incident response policy
* Change management policy
* Vendor management policy
* Acceptable use policy

These policies establish the security framework for managing and protecting organizational assets.

16.4 Security Risk Assessments

Regular security assessments are conducted to identify vulnerabilities and evaluate the effectiveness of existing controls.

Security assessments may include:

* Internal security reviews
* Infrastructure security assessments
* Application security testing
* Threat analysis

Periodic Vulnerability Assessment and Penetration Testing is performed to detect potential vulnerabilities and strengthen We360.ai’s security posture.

Findings are prioritized based on severity and remediated through defined security processes.

16.5 Security Awareness & Training

Security awareness programs help ensure that employees understand their responsibilities in protecting organizational systems and data.

Training initiatives may include:

* Security awareness training
* Data protection best practices
* Secure system usage guidelines
* Phishing and social engineering awareness

These programs help reduce risks caused by human error and strengthen the overall security culture.

16.6 Vendor Risk Management

Third-party vendors that support infrastructure or operational services are evaluated to ensure they meet security and reliability standards.

Vendor risk assessments may include evaluation of:

* Security posture
* Compliance certifications
* Infrastructure reliability
* Data protection practices

Vendor relationships are periodically reviewed to ensure continued compliance with security expectations.

16.7 Compliance Monitoring

Security and compliance controls are regularly reviewed to ensure adherence to industry standards and regulatory requirements.

We360.ai supports compliance with frameworks such as:

* SOC 2 Type II
* ISO/IEC 27001
* ISO/IEC 27017
* ISO/IEC 27018

Compliance activities include:

* Security audits
* Policy reviews
* Control testing
* Continuous monitoring

16.8 Continuous Security Improvement

The organization follows a continuous improvement approach to maintain and enhance its security posture.

Security improvements are driven by:

* Incident reviews
* Security audit findings
* Vulnerability assessments
* Emerging threat intelligence
* Customer feedback and enterprise security reviews

These practices ensure that the security program evolves to address new risks and maintain alignment with global security standards.

</details>

<details>

<summary>17. Secure Software Development Lifecycle (SSDLC)</summary>

The organization follows a Secure Software Development Lifecycle (SSDLC) to ensure that security is integrated throughout the entire software development process. Security practices are incorporated from the initial design stage through development, testing, deployment and ongoing maintenance.

The SSDLC framework ensures that security risks are identified early, vulnerabilities are minimized and secure coding practices are consistently followed.

17.1 Security by Design

Security considerations are incorporated during the initial stages of product design and architecture planning.

Key design practices include:

* Threat modeling and risk identification during design stages
* Secure architecture planning
* Data protection and privacy considerations in system design
* Implementation of least-privilege access principles
* Secure API design and authentication mechanisms

By addressing security at the design stage, potential vulnerabilities can be prevented before development begins.

17.2 Secure Development Practices

Developers follow established secure coding guidelines to minimize vulnerabilities within application code.

Secure development practices include:

* Use of secure coding standards
* Input validation and output encoding
* Protection against common web vulnerabilities
* Proper error handling and logging
* Secure configuration management

Development environments are controlled and separated from testing and production environments to prevent unauthorized access.

17.3 Code Review & Version Control

All application code is maintained in version-controlled repositories and undergoes peer review before being merged into the main codebase.

Code review processes help ensure:

* Adherence to coding standards
* Security best practices
* Code quality and maintainability
* Identification of potential vulnerabilities

Version control systems maintain a history of changes, ensuring traceability and accountability for all modifications.

17.4 Security Testing

Security testing is integrated into the development and testing lifecycle to identify vulnerabilities before software is released.

Testing activities may include:

* Application security testing
* Static code analysis
* Dynamic testing of application behavior
* Dependency vulnerability checks

In addition, periodic Vulnerability Assessment and Penetration Testing may be conducted to evaluate the security posture of We360.ai.

Security issues discovered during testing are documented and remediated according to defined severity levels.

17.5 Environment Segregation

To maintain system integrity and security, the organization maintains separate environments for:

* Development
* Testing
* Staging
* Production

This separation ensures that development activities do not affect production systems and helps prevent unauthorized code from reaching live environments.

Access to production environments is restricted to authorized personnel.

17.6 Secure Deployment

Deployment processes follow controlled procedures to ensure that only approved and tested code is released into production environments.

Deployment controls include:

* Automated deployment pipelines where applicable
* Controlled release management processes
* Approval mechanisms for production releases
* Rollback procedures in case of deployment issues

Deployment logs are maintained to track system changes and maintain auditability.

17.7 Dependency & Vulnerability Management

Software dependencies and third-party libraries are monitored to ensure they remain secure.

Dependency management practices include:

* Tracking third-party libraries and components
* Monitoring known vulnerability databases
* Applying security updates and patches when required

Regular updates help reduce exposure to vulnerabilities present in external libraries.

17.8 Security Incident Handling

If vulnerabilities or security issues are identified within the application, they are addressed through the organization’s incident management and vulnerability management processes.

The process includes:

1. Identification of the security issue
2. Risk and severity assessment
3. Remediation planning
4. Deployment of security fixes
5. Post-resolution review

Security incidents are documented and analyzed to prevent recurrence.

17.9 Continuous Security Improvement

The SSDLC framework is continuously improved through:

* Security reviews of development practices
* Feedback from security testing activities
* Monitoring emerging threat landscapes
* Improvements to development tools and processes

These efforts ensure that the software development process keeps pace with evolving security threats and industry best practices.

</details>

<details>

<summary>18. Service Level Agreements (SLA) & Operational Commitments</summary>

The organization is committed to maintaining reliable and consistent service delivery through clearly defined Service Level Agreements (SLAs) and operational processes. These commitments help ensure that enterprise customers receive dependable system availability, responsive support and timely resolution of operational issues.

Operational commitments are designed in alignment with enterprise best practices and security frameworks such as SOC 2 Type II and ISO/IEC 27001.

18.1 Service Availability

We360.ai is designed to provide high levels of service availability through resilient infrastructure and proactive monitoring.

Key availability practices include:

* Cloud-based infrastructure with scalable resources
* Infrastructure monitoring and alerting systems
* Redundant system components where applicable
* Incident response procedures for service disruptions

These measures help maintain continuous service availability and minimize downtime.

18.2 System Uptime Commitment

We360.ai targets a high level of service availability for production environments.

Typical uptime targets may include:

| Service Component         | Target Availability             |
| ------------------------- | ------------------------------- |
| Application Platform      | 99.9% uptime                    |
| Core Services             | 99.9% uptime                    |
| Infrastructure Components | High availability configuration |

Availability calculations typically exclude scheduled maintenance windows or extraordinary events beyond operational control.

18.3 Incident Response & Resolution Targets

Incidents are prioritized based on severity and business impact.

| Severity Level | Description                                     | Response Target               | Resolution Target               |
| -------------- | ----------------------------------------------- | ----------------------------- | ------------------------------- |
| Critical       | Complete service outage or major system failure | Immediate response            | Highest priority resolution     |
| High           | Major feature unavailable or major degradation  | Within defined support window | Prompt resolution               |
| Medium         | Partial functionality issue                     | Standard support response     | Scheduled resolution            |
| Low            | Minor issue or enhancement request              | Best effort response          | Future release or scheduled fix |

Critical incidents receive immediate attention and escalation to engineering teams.

18.4 Support Availability

Customer support services are available to assist customers with operational issues and platform usage questions.

Support channels may include:

* Email-based support
* Customer success engagement
* Technical support ticket system

Support requests are tracked through internal ticketing systems to ensure accountability and timely resolution.

18.5 Escalation Process

An escalation framework ensures that issues are addressed by the appropriate technical teams.

| Escalation Level | Responsibility                          |
| ---------------- | --------------------------------------- |
| Level 1          | Customer Support Team                   |
| Level 2          | Product Support / Technical Specialists |
| Level 3          | Engineering Team                        |

Critical or complex issues are escalated to engineering teams for investigation and resolution.

18.6 Scheduled Maintenance

To maintain system reliability and performance, periodic maintenance activities may be performed.

Maintenance activities may include:

* Infrastructure updates
* Security patching
* Performance improvements
* Platform upgrades

Where possible, scheduled maintenance is conducted during predefined maintenance windows to minimize service disruption.

Customers may be notified in advance of planned maintenance activities when they are expected to impact service availability.

18.7 Monitoring & Operational Oversight

Continuous monitoring systems are implemented to detect and respond to operational issues.

Monitoring capabilities include:

* Infrastructure health monitoring
* Application performance monitoring
* System error tracking
* Security alerting

Alerts generated by monitoring systems are investigated promptly to maintain system stability.

18.8 Communication During Incidents

When significant incidents occur, communication may be provided to affected customers through appropriate channels.

Communication may include:

* Notification of service disruption
* Status updates during incident resolution
* Confirmation when services are restored

These communications help maintain transparency and provide customers with visibility into operational events.

18.9 Continuous Service Improvement

Operational performance is regularly reviewed to identify opportunities for improvement.

Service improvement initiatives may include:

* Monitoring service performance metrics
* Reviewing incident trends
* Enhancing infrastructure reliability
* Improving response and resolution procedures

Continuous improvement ensures that operational processes evolve alongside customer needs and industry best practices.

</details>

<details>

<summary>19. Data Residency, Data Ownership & Customer Rights</summary>

The organization is committed to ensuring transparency and accountability in how customer data is stored, processed and managed. This section outlines policies related to data residency, data ownership and customer rights concerning data hosted within We360.ai.

These policies are designed to align with global data protection regulations and enterprise data governance expectations.

19.1 Data Residency

Customer data is hosted in secure cloud infrastructure environments designed to meet enterprise security and compliance requirements.

Where applicable, We360.ai supports hosting customer data within specific geographic regions to comply with regulatory or organizational data residency requirements.

For customers operating in India, data may be hosted within infrastructure located in India to support compliance with the Digital Personal Data Protection Act and other applicable regulations.

Data residency ensures that organizations maintain appropriate jurisdictional control over their data and comply with regional data protection laws.

19.2 Data Ownership

Customers retain full ownership of the data they provide or generate within We360.ai.

The organization does not claim ownership over customer data. Data collected and processed by We360.ai remains the property of the respective customer organization.

Customer data is processed solely for the purpose of delivering platform services and supporting system functionality.

The organization does not sell, rent, or commercially exploit customer data.

19.3 Data Usage Limitations

Customer data is processed only for legitimate operational purposes related to the delivery of platform services.

Permitted uses of data include:

* Platform functionality and analytics
* System monitoring and troubleshooting
* Service improvement and reliability

Data usage is governed by strict access control policies and internal security procedures.

Unauthorized access, sharing, or use of customer data is strictly prohibited.

19.4 Customer Data Access Rights

Customers maintain control over access to their data within We360.ai.

Authorized customer administrators can:

* Manage user access permissions
* Configure system integrations
* View and analyze operational data
* Export data where functionality permits

These controls allow organizations to manage data access in accordance with their internal governance policies.

19.5 Data Portability

Customers may request access to their data in order to export or transfer it for operational or compliance purposes.

Where technically feasible, data export capabilities may be provided through:

* Application interfaces
* System reports
* Data export mechanisms

Data portability supports customer flexibility and helps organizations maintain operational continuity.

19.6 Data Retention & Deletion Rights

Customers may request deletion of their data in accordance with contractual agreements and operational requirements.

Data deletion procedures may be initiated in the following circumstances:

* Customer request
* Contract termination
* Expiration of defined retention periods

Deletion processes ensure that customer data is securely removed from active systems and storage environments when no longer required.

19.7 Data Protection & Privacy Rights

We360.ai supports organizations in meeting their obligations under global privacy regulations such as:

* Digital Personal Data Protection Act
* General Data Protection Regulation
* California Consumer Privacy Act
* Health Insurance Portability and Accountability Act

Privacy protections include:

* Secure handling of personal data
* Controlled data access
* Data protection safeguards
* Transparent data processing practices

These controls help ensure that organizations using We360.ai can meet their regulatory and privacy obligations.

19.8 Customer Transparency

The organization is committed to transparency in data processing and privacy practices.

Customers may request information regarding:

* Data handling practices
* Security controls
* Compliance certifications
* Operational policies

This transparency supports enterprise due diligence and helps customers evaluate We360.ai’s security and compliance posture.

</details>

<details>

<summary>20. Audit, Reporting & Compliance Assurance</summary>

The organization maintains structured processes to ensure transparency, accountability and compliance with recognized security and privacy standards. These processes support internal governance, external audits and enterprise vendor due-diligence requirements.

Regular assessments, documentation and reporting mechanisms are maintained to ensure that operational, security and compliance controls are functioning effectively.

20.1 Internal Audits

Periodic internal audits are conducted to evaluate the effectiveness of security and operational controls across We360.ai.

Internal audits may review areas including:

* Access control management
* Infrastructure security
* Application security practices
* Incident management procedures
* Change management controls
* Data protection policies

Findings from internal audits are reviewed by relevant stakeholders and corrective actions are implemented where necessary.

20.2 External Audits & Independent Assessments

The organization may undergo independent third-party audits and security assessments to validate its compliance with industry standards.

External assessments may include:

* Security compliance audits
* Infrastructure security reviews
* Application security assessments
* Penetration testing exercises

Periodic Vulnerability Assessment and Penetration Testing helps identify potential vulnerabilities and ensures that We360.ai remains resilient against evolving threats.

20.3 Compliance Certifications

We360.ai aligns with globally recognized security and privacy standards.

Key certifications and frameworks include:

* SOC 2 Type II
* ISO/IEC 27001
* ISO/IEC 27017
* ISO/IEC 27018

These frameworks ensure that the organization maintains strong security governance, operational controls and privacy safeguards.

20.4 Regulatory Compliance Alignment

We360.ai is designed to support compliance with major global privacy and data protection regulations, including:

* Digital Personal Data Protection Act
* General Data Protection Regulation
* California Consumer Privacy Act
* Health Insurance Portability and Accountability Act

Operational policies and security controls help ensure that customer data is processed responsibly and in accordance with regulatory expectations.

20.5 Compliance Monitoring

Compliance monitoring mechanisms help ensure that controls remain effective and aligned with security standards.

Monitoring activities include:

* Periodic security reviews
* Policy compliance checks
* Infrastructure monitoring
* Security incident tracking
* Change management reviews

These processes ensure that security and compliance controls remain operational and up to date.

20.6 Audit Logging & Evidence Management

We360.ai maintains logs and documentation that support audit requirements and operational transparency.

Audit evidence may include:

* Access logs
* System activity logs
* Change management records
* Incident management reports
* Security assessment reports

These records support both internal governance and external compliance verification.

20.7 Customer Assurance & Transparency

Enterprise customers may require assurance regarding We360.ai’s security posture and compliance status.

Where applicable, customers may request information related to:

* Security policies and procedures
* Compliance certifications
* Security assessment reports
* Operational documentation

This transparency helps organizations conduct vendor risk assessments and verify security practices.

20.8 Continuous Compliance Improvement

Security and compliance programs are continuously improved through:

* Feedback from internal and external audits
* Security assessments and vulnerability testing
* Updates to regulatory requirements
* Improvements to operational controls

Continuous improvement ensures that We360.ai maintains a strong compliance posture as regulatory expectations and security threats evolve.

</details>


