Company Processes

This document outlines the operational, governance, security and support processes followed for We360.ai. The purpose of this document is to provide enterprise customers with transparency into the systems, processes and controls that ensure reliable and secure service delivery.

This document is intended to address common requirements raised during:

• Vendor Due Diligence

• Security Questionnaires

• Enterprise RFP processes

• IT and Risk Assessments

The document covers:

• Product Release Management

• Change Management

• Incident Management

• Infrastructure Governance

• Data Security Practices

• Business Continuity & Disaster Recovery

• Customer Onboarding

• Customer Support & Escalation

• Vendor & Third-Party Governance

• Compliance and Operational Governance

• Continuous Improvement

• Security Certifications, Compliance & Regulatory Alignment

• Data Protection & Data Flow Architecture

• Security Controls & Technical Safeguards

• Risk Management & Security Governance Framework

• Secure Software Development Lifecycle (SSDLC)

• Service Level Agreements (SLA) & Operational Commitments

· Data Residency, Data Ownership & Customer Rights

· Audit, Reporting & Compliance Assurance

We360.ai follows a structured release management process to ensure that all product updates are delivered in a controlled, reliable and secure manner.

Release Lifecycle

2.1 Product Planning

Product features and enhancements are identified through:

• Product roadmap planning

• Customer feedback

• Security improvements

• Performance enhancements

Features are prioritized based on customer impact and business value.

2.2 Development

Engineering teams develop product features in controlled development environments. Secure development practices are followed, including:

• Version control

• Code reviews

• Branch management

• Development environment segregation

2.3 Code Review

All code changes undergo peer review to ensure:

• Code quality

• Security best practices

• Performance standards

• Compliance with architecture guidelines

2.4 Testing

Multiple testing layers are performed before release:

• Functional testing

• Regression testing

• Performance testing

• Integration testing

Where applicable, security checks and vulnerability scans are also conducted.

2.5 Staging Validation

Approved builds are deployed to staging environments that replicate production configurations. This allows teams to validate:

• System stability

• Integration compatibility

• Feature behaviour

2.6 Production Release

Once validation is complete, releases are deployed to production environments through controlled deployment pipelines.

Deployment typically occurs during planned release windows to minimize service impact.

2.7 Post-Release Monitoring

After deployment, system monitoring tools track:

• Performance metrics

• Error logs

• System availability

Any anomalies are investigated immediately.

2.8 Release Types

Release notes and change logs are maintained for traceability.

A structured change management process ensures that modifications to the system are implemented in a controlled and auditable manner.

3.1 Change Categories

Standard Changes

Routine operational updates with minimal risk.

Examples:

• Minor configuration updates

• System optimizations

Normal Changes

Planned system updates requiring internal review and approval.

Examples:

• Feature updates

• Infrastructure modifications

Emergency Changes

Urgent changes implemented to resolve critical issues such as system outages or security vulnerabilities.

3.2 Change Management Process

1. Change Request Initiation

o Internal change request logged

2. Impact Assessment

o Risk analysis conducted

o Technical impact reviewed

3. Approval

o Relevant technical stakeholders approve the change

4. Deployment Planning

o Release window defined

o Rollback plan prepared

5. Implementation

o Change deployed in production environment

6. Validation

o System performance verified

o Functionality confirmed

7. Documentation

o Change logs updated

o Records maintained for audit purposes

We360.ai follows a structured incident management framework to ensure that service disruptions are addressed quickly and effectively.

4.1 Incident Sources

Incidents may be identified through:

• System monitoring alerts

• Customer support reports

• Internal engineering detection

• Infrastructure monitoring tools

4.2 Incident Response Workflow

1. Incident detection

2. Incident logging

3. Severity classification

4. Investigation by engineering team

5. Issue resolution or mitigation

6. Root cause analysis

7. Preventive actions

4.3 Incident Severity Levels

Critical incidents receive immediate attention from engineering teams.

5. Infrastructure & Cloud Hosting

We360.ai is hosted on secure cloud infrastructure designed for scalability, availability and reliability.

5.1 Infrastructure Characteristics

• Cloud-native architecture

• Scalable infrastructure resources

• High availability configuration

• Continuous system monitoring

5.2 Hosting Environment

We360.ai is hosted on secure cloud infrastructure with primary hosting located in India to support enterprise data residency expectations.

Infrastructure includes:

• Secure networking layers

• Firewall configurations

• Access restrictions

• Monitoring systems

5.3 Infrastructure Monitoring

Infrastructure monitoring tools track:

• Server health

• System availability

• Resource usage

• Error logs

Alerts are triggered if abnormal behaviour is detected.

Data security is a core operational priority.

6.1 Security Controls

Key security practices include:

• Encryption of data in transit using secure protocols

• Controlled access to infrastructure and administrative systems

• Continuous monitoring of system activity

• Logging and auditing mechanisms

6.2 Access Management

Access to We360.ai is governed through:

· Role-Based Access Control (RBAC): Users are assigned permissions based on their roles within the organization.

· Least Privilege Model: Users and administrators receive only the minimum access required to perform their responsibilities.

· Administrative Access: Administrative system access is restricted to authorized personnel and monitored through logging systems.

Business continuity processes ensure that We360.ai can continue operating even during unexpected disruptions.

7.1 Key Measures

• Automated data backup procedures

• Infrastructure redundancy

• Disaster recovery planning

• Operational monitoring

7.2 Backup Policy

System configurations and essential operational data are backed up regularly to ensure recoverability.

7.3 Disaster Recovery

In the event of infrastructure disruption:

1. Engineering teams investigate the failure

2. Recovery procedures are initiated

3. Services are restored using backup infrastructure

Periodic reviews ensure disaster recovery readiness.

Customer onboarding is designed to allow new organizations to start using We360.ai quickly and efficiently.

8.1 Onboarding Steps

Step 1: Account Creation

Users register on We360.ai and verify their accounts.

Step 2: Organization Setup

Customers configure their organization profile and workspace.

Step 3: Onboarding Wizard

A guided onboarding wizard assists users with:

• Initial configuration

• Team member setup

• System settings

Step 4: User Management

Administrators add team members and assign roles.

Step 5: System Setup

Customers configure productivity & team mapping role setting required for data collection.

Step 6: Data Synchronization

Once setup is complete, operational data begins appearing in We360.ai dashboard.

Documentation such as the 5-Minute Launch Guide helps users quickly understand We360.ai functionality.

Customer support ensures that users receive assistance when needed.

9.1 Support Channels

Customers can reach support through:

• Email support

• Support ticket system

• Customer success engagement

9.2 Support Escalation Model

Critical issues are escalated immediately to engineering teams for investigation.

We360.ai may utilize third-party service providers to support infrastructure and operations.

10.1 Vendor Categories

Typical vendors include:

• Cloud infrastructure providers

• External Auditors

• Security tools

10.2 Vendor Evaluation

Before engaging with any vendor, the following factors are reviewed:

• Security posture

• Infrastructure reliability

• Compliance standards

• Operational stability

Vendor relationships are periodically reviewed to ensure ongoing compliance.

Governance processes ensure alignment with enterprise operational and security expectations.

11.1 Governance Controls

The organization maintains documentation related to:

• Product architecture

• Security practices

• Release history

• Change logs

• Operational procedures

These documents support enterprise:

• Vendor risk assessments

• Security reviews

• Compliance audits

• RFP evaluations

We360.ai follows a continuous improvement approach to enhance reliability, security and customer experience.

12.1 Improvement Initiatives

• Monitoring system performance

• Reviewing incident trends

• Implementing security improvements

• Incorporating customer feedback

• Enhancing operational processes

Regular internal reviews ensure We360.ai evolves to meet enterprise operational standards.

We360.ai follows industry-recognized security and privacy standards to ensure the protection of customer data and operational integrity. The organization aligns with globally accepted frameworks, regulatory requirements and security best practices.

These certifications and compliance programs demonstrate our commitment to maintaining enterprise-grade security, privacy protection and regulatory adherence.

13.1 Security Certifications

SOC 2 Type II

We360.ai maintains compliance with SOC 2 Type II, which validates that the organization's internal controls meeting the Trust Service Criteria.

SOC 2 Type II focuses on the following trust principles:

• Security

• Availability

• Processing Integrity

• Confidentiality

• Privacy

The certification involves an independent audit that evaluates the effectiveness of security controls over a defined monitoring period. This ensures that security practices are not only designed appropriately but also operate effectively over time.

Key SOC 2 control areas include:

• Access control management

• Infrastructure monitoring

• Change management

• Incident response

• Data protection controls

• Vendor management

ISO/IEC 27001

We360.ai aligns with the ISO/IEC 27001 framework, which defines best practices for establishing and maintaining an Information Security Management System (ISMS).

ISO 27001 focuses on:

• Risk management

• Information security policies

• Asset management

• Access control

• Cryptography

• Incident management

• Business continuity

This framework ensures a systematic approach to managing sensitive information and maintaining strong security governance practices.

ISO/IEC 27017

We360.ai aligns with ISO/IEC 27017, which provides additional security guidance specifically for cloud service providers and cloud-based systems.

Key areas covered include:

• Cloud infrastructure security

• Shared responsibility model

• Virtual machine security

• Cloud service configuration controls

• Administrative access governance

This standard ensures that cloud deployments follow recognized best practices for protecting data and workloads in cloud environments.

ISO/IEC 27018

We360.ai follows privacy protection guidelines defined in ISO/IEC 27018, which focuses on protecting personally identifiable information (PII) in public cloud environments.

Key protections include:

• Restrictions on data processing

• Transparency in data handling

• Customer data ownership protections

• Secure deletion of data

• Privacy-focused operational controls

13.2 Security Assessments

Vulnerability Assessment & Penetration Testing (VAPT)

We360.ai undergoes periodic Vulnerability Assessment and Penetration Testing conducted by qualified security professionals.

The objective of VAPT is to identify potential security weaknesses and proactively address them before they can be exploited.

The assessment typically includes:

• Network vulnerability assessment

• Application security testing

• Infrastructure security review

• Penetration testing simulations

Findings from these assessments are prioritized based on severity and remediated according to internal security policies.

Regular VAPT exercises help ensure We360.ai remains resilient against emerging security threats.

13.3 Privacy & Data Protection Regulations

We360.ai is designed to support compliance with major global privacy regulations governing the protection of personal data.

Digital Personal Data Protection Act 2023 (DPDP)

We360.ai aligns with the requirements of the Digital Personal Data Protection Act 2023, which governs the processing of digital personal data in India.

Key principles supported include:

• Lawful data processing

• User consent management

• Data minimization

• Secure storage and processing

• Protection against unauthorized access

These measures help ensure compliance with India's evolving data protection landscape.

General Data Protection Regulation (GDPR)

We360.ai supports compliance with the General Data Protection Regulation, which governs the protection of personal data for individuals within the European Union.

GDPR compliance principles include:

• Lawful processing of personal data

• Transparency in data collection

• Data minimization

• Data subject rights

• Security safeguards

• Breach notification mechanisms

We360.ai incorporates controls that enable organizations to meet GDPR requirements when handling personal data.

California Consumer Privacy Act (CCPA)

We360.ai supports compliance with the California Consumer Privacy Act, which provides California residents with enhanced rights regarding the use of their personal data.

We360.ai enables organizations to support CCPA requirements including:

• Data transparency

• Consumer access rights

• Data deletion requests

• Data usage disclosures

Health Insurance Portability and Accountability Act (HIPAA)

For customers operating within healthcare ecosystems, We360.ai aligns with the principles of Health Insurance Portability and Accountability Act.

HIPAA focuses on protecting Protected Health Information (PHI) through:

• Administrative safeguards

• Physical safeguards

• Technical safeguards

These protections help ensure the confidentiality, integrity and availability of sensitive healthcare data.

13.4 Ongoing Security Governance

Security and compliance controls are continuously monitored and improved through:

• Periodic security assessments

• Internal security reviews

• Infrastructure monitoring

• Access control audits

• Incident response testing

• Security training and awareness

The organization is committed to maintaining high standards of security and privacy to meet enterprise and regulatory expectations.

We360.ai follows a secure data architecture designed to protect customer information throughout its lifecycle. The architecture incorporates security controls at every stage of data handling, including collection, transmission, processing, storage and deletion.

The system architecture is designed following security frameworks such as SOC 2 Type II and ISO/IEC 27001.

14.1 Data Flow Overview

We360.ai processes data through the following controlled stages:

1. Data Collection

2. Data Transmission

3. Data Processing

4. Data Storage

5. Data Access & Usage

6. Data Retention & Deletion

Each stage incorporates encryption, authentication and monitoring mechanisms to protect data integrity and confidentiality.

14.2 Data Collection

Data is collected from customer systems using secure integration methods configured during onboarding.

Collection mechanisms may include:

• Secure API integrations

• Platform connectors or agents

• System integrations configured by the customer

• User inputs through the application interface

Data collection follows the principle of data minimization, meaning only the data required for platform functionality is collected.

Customer administrators retain control over integration configurations and permissions.

14.3 Data Transmission

All communication between customer environments and We360.ai is secured using encrypted protocols.

Transmission protections include:

• HTTPS/TLS encrypted communication

• Secure API authentication

• Token-based authorization mechanisms

• Network traffic monitoring

Encryption prevents interception, tampering, or unauthorized access during data transmission.

14.4 Data Processing

After transmission, data is processed within secured application environments.

Processing operations may include:

• Data analysis

• Monitoring operations

• Event correlation

• System analytics

Application services operate in isolated environments to ensure secure processing and prevent unauthorized cross-access.

Strict access control policies ensure internal systems only access required datasets.

14.5 Data Storage

Customer data is stored within secure cloud infrastructure environments.

Security controls for storage include:

• Encryption of stored data

• Access-controlled databases

• Network segmentation

• Infrastructure monitoring

Data is logically separated by tenant to ensure that one organization's data cannot be accessed by another.

14.6 Data Access Controls

Access to platform data is governed through Role-Based Access Control (RBAC).

User roles may include:

• Organization Administrators

• Operational Users

• Read-Only Users

Permissions are granted according to job responsibilities following the least privilege principle.

Administrative system access is restricted to authorized personnel.

.7 Data Retention

Data retention policies define how long data is stored within We360.ai.

Retention periods depend on:

• Operational requirements and Agreements

• Customer configuration

• Security monitoring needs

• Regulatory requirements

Logs and operational data may be retained for monitoring, auditing and compliance purposes.

14.8 Data Deletion

Data deletion procedures are implemented when:

• Data reaches the end of its retention period

• Customers request deletion

• Customer contracts terminate

Deletion processes may include:

• Secure database deletion

• Storage cleanup

• Backup lifecycle expiration

These processes help ensure that customer data is not retained beyond required periods.

14.9 Monitoring & Data Protection Controls

Continuous monitoring is implemented to detect unauthorized activity or system anomalies.

Monitoring mechanisms include:

• Infrastructure monitoring

• Application log monitoring

• Security alerts

• Access activity tracking

Security events are handled through the incident management process.

14.10 Privacy Protection

We360.ai supports compliance with major privacy regulations including:

• Digital Personal Data Protection Act

• General Data Protection Regulation

• California Consumer Privacy Act

• Health Insurance Portability and Accountability Act

Privacy protections focus on secure data processing, transparency and protection of personal data.

We360.ai implements a layered security model designed to protect systems and customer data from unauthorized access, misuse and security threats.

Security controls align with frameworks such as ISO/IEC 27001 and SOC 2 Type II.

15.1 Access Control

Access to systems and data is governed by strict identity and access management policies.

Controls include:

• Role-Based Access Control (RBAC)

• Least privilege access model

• User authentication mechanisms

• Administrative access restrictions

Access rights are reviewed periodically to ensure that users retain only necessary permissions.

Administrative access to production systems is limited to authorized personnel.

15.2 Authentication & Identity Management

User identity verification is implemented through secure authentication mechanisms.

These include:

• Secure login authentication

• Password policy enforcement

• Session management controls

• Access revocation procedures for inactive users

Identity verification helps ensure that only authorized users access We360.ai.

15.3 Encryption Controls

Encryption protects sensitive data during transmission and storage.

Encryption measures include:

Encryption in Transit

• TLS-based encrypted communication

• Secure API connections

Encryption at Rest

• Encrypted database storage

• Secure storage configurations

• Infrastructure-level encryption controls

These encryption practices prevent unauthorized access to stored or transmitted data.

15.4 Logging & Audit Trails

Logging systems capture activity across We360.ai to support monitoring, troubleshooting and security investigations.

Logged events may include:

• User authentication events

• Administrative activities

• System configuration changes

• Access attempts

• Security alerts

Logs are retained for operational monitoring and compliance purposes.

Audit trails help maintain accountability and transparency within We360.ai.

15.5 Security Monitoring

Security monitoring systems continuously observe platform activity to identify potential threats.

Monitoring capabilities include:

• Infrastructure health monitoring

• Application monitoring

• Security alerting

• Log analysis

Alerts are generated for suspicious activities and investigated by engineering teams.

15.6 Vulnerability Management

We360.ai maintains a proactive vulnerability management process.

Security activities include:

• Regular vulnerability scanning

• Periodic Vulnerability Assessment and Penetration Testing

• Security patching

• Risk prioritization and remediation

Security findings are reviewed and remediated based on severity levels.

5.7 Incident Response

Security incidents are managed through a defined incident response process.

The process includes:

1. Detection of security events

2. Incident classification

3. Investigation and containment

4. Resolution and recovery

5. Root cause analysis

Security incidents are handled in accordance with internal incident management procedures.

15.8 Security Governance & Continuous Improvement

Security controls are continuously reviewed and improved through:

• Security audits

• Compliance assessments

• Infrastructure monitoring

• Incident trend analysis

• Security awareness initiatives

These measures ensure that We360.ai maintains a strong and evolving security posture.

The organization follows a structured risk management and security governance framework to ensure that information security risks are identified, assessed and mitigated in a systematic manner.

The framework aligns with industry standards such as ISO/IEC 27001 and incorporates security best practices to protect systems, infrastructure and customer data.

Security governance ensures that policies, procedures and controls are continuously reviewed and improved to maintain a strong security posture.

16.1 Information Security Governance

Information security governance establishes the policies and responsibilities required to manage and protect organizational information assets.

Key governance principles include:

• Defined security policies and procedures

• Role-based responsibilities for security management

• Security oversight and accountability

• Periodic review of security controls

• Alignment with regulatory and compliance requirements

Security governance helps ensure that security controls remain effective and aligned with business and regulatory expectations.

16.2 Risk Management Process

A formal risk management process is followed to identify and mitigate risks associated with information systems and infrastructure.

The risk management lifecycle includes the following stages:

Risk Identification

Potential risks are identified through:

· Security assessments

· Infrastructure reviews

· Vulnerability scans

· Incident analysis

· Vendor assessments

Risk Assessment

Identified risks are evaluated based on:

· Likelihood of occurrence

· Potential impact on systems or data

· Exposure to operational disruption

Risk Mitigation

Appropriate mitigation strategies are implemented, including:

· Security controls

· Process improvements

· Infrastructure safeguards

· Monitoring mechanisms

Risk Monitoring

Risks are continuously monitored to ensure controls remain effective.

Periodic reviews are conducted to reassess risks and update mitigation strategies.

16.3 Security Policies & Standards

The organization maintains documented security policies that guide operational and security practices.

Key policy areas include:

• Information security policy

• Access control policy

• Data protection policy

• Incident response policy

• Change management policy

• Vendor management policy

• Acceptable use policy

These policies establish the security framework for managing and protecting organizational assets.

16.4 Security Risk Assessments

Regular security assessments are conducted to identify vulnerabilities and evaluate the effectiveness of existing controls.

Security assessments may include:

• Internal security reviews

• Infrastructure security assessments

• Application security testing

• Threat analysis

Periodic Vulnerability Assessment and Penetration Testing is performed to detect potential vulnerabilities and strengthen We360.ai’s security posture.

Findings are prioritized based on severity and remediated through defined security processes.

16.5 Security Awareness & Training

Security awareness programs help ensure that employees understand their responsibilities in protecting organizational systems and data.

Training initiatives may include:

• Security awareness training

• Data protection best practices

• Secure system usage guidelines

• Phishing and social engineering awareness

These programs help reduce risks caused by human error and strengthen the overall security culture.

16.6 Vendor Risk Management

Third-party vendors that support infrastructure or operational services are evaluated to ensure they meet security and reliability standards.

Vendor risk assessments may include evaluation of:

• Security posture

• Compliance certifications

• Infrastructure reliability

• Data protection practices

Vendor relationships are periodically reviewed to ensure continued compliance with security expectations.

16.7 Compliance Monitoring

Security and compliance controls are regularly reviewed to ensure adherence to industry standards and regulatory requirements.

We360.ai supports compliance with frameworks such as:

• SOC 2 Type II

• ISO/IEC 27001

• ISO/IEC 27017

• ISO/IEC 27018

Compliance activities include:

• Security audits

• Policy reviews

• Control testing

• Continuous monitoring

16.8 Continuous Security Improvement

The organization follows a continuous improvement approach to maintain and enhance its security posture.

Security improvements are driven by:

• Incident reviews

• Security audit findings

• Vulnerability assessments

• Emerging threat intelligence

• Customer feedback and enterprise security reviews

These practices ensure that the security program evolves to address new risks and maintain alignment with global security standards.

The organization follows a Secure Software Development Lifecycle (SSDLC) to ensure that security is integrated throughout the entire software development process. Security practices are incorporated from the initial design stage through development, testing, deployment and ongoing maintenance.

The SSDLC framework ensures that security risks are identified early, vulnerabilities are minimized and secure coding practices are consistently followed.

17.1 Security by Design

Security considerations are incorporated during the initial stages of product design and architecture planning.

Key design practices include:

• Threat modeling and risk identification during design stages

• Secure architecture planning

• Data protection and privacy considerations in system design

• Implementation of least-privilege access principles

• Secure API design and authentication mechanisms

By addressing security at the design stage, potential vulnerabilities can be prevented before development begins.

17.2 Secure Development Practices

Developers follow established secure coding guidelines to minimize vulnerabilities within application code.

Secure development practices include:

• Use of secure coding standards

• Input validation and output encoding

• Protection against common web vulnerabilities

• Proper error handling and logging

• Secure configuration management

Development environments are controlled and separated from testing and production environments to prevent unauthorized access.

17.3 Code Review & Version Control

All application code is maintained in version-controlled repositories and undergoes peer review before being merged into the main codebase.

Code review processes help ensure:

• Adherence to coding standards

• Security best practices

• Code quality and maintainability

• Identification of potential vulnerabilities

Version control systems maintain a history of changes, ensuring traceability and accountability for all modifications.

17.4 Security Testing

Security testing is integrated into the development and testing lifecycle to identify vulnerabilities before software is released.

Testing activities may include:

• Application security testing

• Static code analysis

• Dynamic testing of application behavior

• Dependency vulnerability checks

In addition, periodic Vulnerability Assessment and Penetration Testing may be conducted to evaluate the security posture of We360.ai.

Security issues discovered during testing are documented and remediated according to defined severity levels.

17.5 Environment Segregation

To maintain system integrity and security, the organization maintains separate environments for:

• Development

• Testing

• Staging

• Production

This separation ensures that development activities do not affect production systems and helps prevent unauthorized code from reaching live environments.

Access to production environments is restricted to authorized personnel.

17.6 Secure Deployment

Deployment processes follow controlled procedures to ensure that only approved and tested code is released into production environments.

Deployment controls include:

• Automated deployment pipelines where applicable

• Controlled release management processes

• Approval mechanisms for production releases

• Rollback procedures in case of deployment issues

Deployment logs are maintained to track system changes and maintain auditability.

17.7 Dependency & Vulnerability Management

Software dependencies and third-party libraries are monitored to ensure they remain secure.

Dependency management practices include:

• Tracking third-party libraries and components

• Monitoring known vulnerability databases

• Applying security updates and patches when required

Regular updates help reduce exposure to vulnerabilities present in external libraries.

17.8 Security Incident Handling

If vulnerabilities or security issues are identified within the application, they are addressed through the organization’s incident management and vulnerability management processes.

The process includes:

1. Identification of the security issue

2. Risk and severity assessment

3. Remediation planning

4. Deployment of security fixes

5. Post-resolution review

Security incidents are documented and analyzed to prevent recurrence.

17.9 Continuous Security Improvement

The SSDLC framework is continuously improved through:

• Security reviews of development practices

• Feedback from security testing activities

• Monitoring emerging threat landscapes

• Improvements to development tools and processes

These efforts ensure that the software development process evolves alongside evolving security threats and industry best practices.

The organization is committed to maintaining reliable and consistent service delivery through clearly defined Service Level Agreements (SLAs) and operational processes. These commitments help ensure that enterprise customers receive dependable system availability, responsive support and timely resolution of operational issues.

Operational commitments are designed in alignment with enterprise best practices and security frameworks such as SOC 2 Type II and ISO/IEC 27001.

18.1 Service Availability

We360.ai is designed to provide high levels of service availability through resilient infrastructure and proactive monitoring.

Key availability practices include:

• Cloud-based infrastructure with scalable resources

• Infrastructure monitoring and alerting systems

• Redundant system components where applicable

• Incident response procedures for service disruptions

These measures help maintain continuous service availability and minimize downtime.

18.2 System Uptime Commitment

We360.ai targets a high level of service availability for production environments.

Typical uptime targets may include:

Availability calculations typically exclude scheduled maintenance windows or extraordinary events beyond operational control.

18.3 Incident Response & Resolution Targets

Incidents are prioritized based on severity and business impact.

Critical incidents receive immediate attention and escalation to engineering teams.

18.4 Support Availability

Customer support services are available to assist customers with operational issues and platform usage questions.

Support channels may include:

• Email-based support

• Customer success engagement

• Technical support ticket system

Support requests are tracked through internal ticketing systems to ensure accountability and timely resolution.

18.5 Escalation Process

An escalation framework ensures that issues are addressed by the appropriate technical teams.

Critical or complex issues are escalated to engineering teams for investigation and resolution.

18.6 Scheduled Maintenance

To maintain system reliability and performance, periodic maintenance activities may be performed.

Maintenance activities may include:

• Infrastructure updates

• Security patching

• Performance improvements

• Platform upgrades

Where possible, scheduled maintenance is conducted during predefined maintenance windows to minimize service disruption.

Customers may be notified in advance of planned maintenance activities when they are expected to impact service availability.

18.7 Monitoring & Operational Oversight

Continuous monitoring systems are implemented to detect and respond to operational issues.

Monitoring capabilities include:

• Infrastructure health monitoring

• Application performance monitoring

• System error tracking

• Security alerting

Alerts generated by monitoring systems are investigated promptly to maintain system stability.

18.8 Communication During Incidents

When significant incidents occur, communication may be provided to affected customers through appropriate channels.

Communication may include:

• Notification of service disruption

• Status updates during incident resolution

• Confirmation when services are restored

These communications help maintain transparency and provide customers with visibility into operational events.

18.9 Continuous Service Improvement

Operational performance is regularly reviewed to identify opportunities for improvement.

Service improvement initiatives may include:

• Monitoring service performance metrics

• Reviewing incident trends

• Enhancing infrastructure reliability

• Improving response and resolution procedures

Continuous improvement ensures that operational processes evolve alongside customer needs and industry best practices.

The organization is committed to ensuring transparency and accountability in how customer data is stored, processed and managed. This section outlines policies related to data residency, data ownership and customer rights concerning data hosted within We360.ai.

These policies are designed to align with global data protection regulations and enterprise data governance expectations.

19.1 Data Residency

Customer data is hosted in secure cloud infrastructure environments designed to meet enterprise security and compliance requirements.

Where applicable, We360.ai supports hosting customer data within specific geographic regions to comply with regulatory or organizational data residency requirements.

For customers operating in India, data may be hosted within infrastructure located in India to support compliance with the Digital Personal Data Protection Act and other applicable regulations.

Data residency ensures that organizations maintain appropriate jurisdictional control over their data and comply with regional data protection laws.

19.2 Data Ownership

Customers retain full ownership of the data they provide or generate within We360.ai.

The organization does not claim ownership over customer data. Data collected and processed by We360.ai remains the property of the respective customer organization.

Customer data is processed solely for the purpose of delivering platform services and supporting system functionality.

The organization does not sell, rent, or commercially exploit customer data.

19.3 Data Usage Limitations

Customer data is processed only for legitimate operational purposes related to the delivery of platform services.

Permitted uses of data include:

• Platform functionality and analytics

• System monitoring and troubleshooting

• Service improvement and reliability

Data usage is governed by strict access control policies and internal security procedures.

Unauthorized access, sharing, or use of customer data is strictly prohibited.

19.4 Customer Data Access Rights

Customers maintain control over access to their data within We360.ai.

Authorized customer administrators can:

• Manage user access permissions

• Configure system integrations

• View and analyze operational data

• Export data where functionality permits

These controls allow organizations to manage data access in accordance with their internal governance policies.

19.5 Data Portability

Customers may request access to their data in order to export or transfer it for operational or compliance purposes.

Where technically feasible, data export capabilities may be provided through:

• Application interfaces

• System reports

• Data export mechanisms

Data portability supports customer flexibility and helps organizations maintain operational continuity.

19.6 Data Retention & Deletion Rights

Customers may request deletion of their data in accordance with contractual agreements and operational requirements.

Data deletion procedures may be initiated in the following circumstances:

• Customer request

• Contract termination

• Expiration of defined retention periods

Deletion processes ensure that customer data is securely removed from active systems and storage environments when no longer required.

19.7 Data Protection & Privacy Rights

We360.ai supports organizations in meeting their obligations under global privacy regulations such as:

• Digital Personal Data Protection Act

• General Data Protection Regulation

• California Consumer Privacy Act

• Health Insurance Portability and Accountability Act

Privacy protections include:

• Secure handling of personal data

• Controlled data access

• Data protection safeguards

• Transparent data processing practices

These controls help ensure that organizations using We360.ai can meet their regulatory and privacy obligations.

19.8 Customer Transparency

The organization is committed to transparency in data processing and privacy practices.

Customers may request information regarding:

• Data handling practices

• Security controls

• Compliance certifications

• Operational policies

This transparency supports enterprise due diligence and helps customers evaluate We360.ai’s security and compliance posture.

The organization maintains structured processes to ensure transparency, accountability and compliance with recognized security and privacy standards. These processes support internal governance, external audits and enterprise vendor due-diligence requirements.

Regular assessments, documentation and reporting mechanisms are maintained to ensure that operational, security and compliance controls are functioning effectively.

20.1 Internal Audits

Periodic internal audits are conducted to evaluate the effectiveness of security and operational controls across We360.ai.

Internal audits may review areas including:

• Access control management

• Infrastructure security

• Application security practices

• Incident management procedures

• Change management controls

• Data protection policies

Findings from internal audits are reviewed by relevant stakeholders and corrective actions are implemented where necessary.

20.2 External Audits & Independent Assessments

The organization may undergo independent third-party audits and security assessments to validate its compliance with industry standards.

External assessments may include:

• Security compliance audits

• Infrastructure security reviews

• Application security assessments

• Penetration testing exercises

Periodic Vulnerability Assessment and Penetration Testing helps identify potential vulnerabilities and ensures that We360.ai remains resilient against evolving threats.

20.3 Compliance Certifications

We360.ai aligns with globally recognized security and privacy standards.

Key certifications and frameworks include:

• SOC 2 Type II

• ISO/IEC 27001

• ISO/IEC 27017

• ISO/IEC 27018

These frameworks ensure that the organization maintains strong security governance, operational controls and privacy safeguards.

20.4 Regulatory Compliance Alignment

We360.ai is designed to support compliance with major global privacy and data protection regulations, including:

• Digital Personal Data Protection Act

• General Data Protection Regulation

• California Consumer Privacy Act

• Health Insurance Portability and Accountability Act

Operational policies and security controls help ensure that customer data is processed responsibly and in accordance with regulatory expectations.

0.5 Compliance Monitoring

Compliance monitoring mechanisms help ensure that controls remain effective and aligned with security standards.

Monitoring activities include:

• Periodic security reviews

• Policy compliance checks

• Infrastructure monitoring

• Security incident tracking

• Change management reviews

These processes ensure that security and compliance controls remain operational and up to date.

20.6 Audit Logging & Evidence Management

We360.ai maintains logs and documentation that support audit requirements and operational transparency.

Audit evidence may include:

• Access logs

• System activity logs

• Change management records

• Incident management reports

• Security assessment reports

These records support both internal governance and external compliance verification.

20.7 Customer Assurance & Transparency

Enterprise customers may require assurance regarding We360.ai’s security posture and compliance status.

Where applicable, customers may request information related to:

• Security policies and procedures

• Compliance certifications

• Security assessment reports

• Operational documentation

This transparency helps organizations conduct vendor risk assessments and verify security practices.

20.8 Continuous Compliance Improvement

Security and compliance programs are continuously improved through:

• Feedback from internal and external audits

• Security assessments and vulnerability testing

• Updates to regulatory requirements

• Improvements to operational controls

Continuous improvement ensures that We360.ai maintains a strong compliance posture as regulatory expectations and security threats evolve.