Build Any Data Policy

Version 2.03 - Published 2nd September 2025

1. Introduction and Purpose

1.1 Overview

Build Any is a wholly owned brand of Newton Day Ltd. This Data Policy provides subscribers of the Build Any Agent platform with a detailed understanding of our operational safeguards and protocols, which are designed to ensure the safety and integrity of data in line with Proactive Law principles.

1.2 Aim

This Data Policy is created to outline the framework and practices adopted by Newton Day Ltd. to ensure the protection, management, and use of data within its SaaS solutions. We are committed to:

  • Upholding the highest standards of data privacy and security.
  • Meeting compliance demands.
  • Reinforcing trust among our clients and partners.
  • Protecting against liabilities arising from the use of third-party APIs and mitigating risks associated with the misuse of our platform.

1.3 Scope

This policy applies to all data processed by Newton Day Ltd., including customer data, internal data, and data obtained through third-party integrations.

It extends to all employees, contractors, and third-party service providers involved in data processing activities.

1.4 Key Policy Objectives

  • Data Protection: Implement and maintain robust security measures to prevent unauthorized access, data breaches, and data loss.
  • Compliance: Adhere to applicable data protection laws and industry standards.
  • Transparency: Provide clear guidelines and responsibilities for all stakeholders to ensure accountable and transparent data handling.
  • Risk Management: Continuously assess and manage data-related risks to enhance the resilience of our data management infrastructure.
  • Third-Party Interactions: Clearly define boundaries regarding our liability once data leaves our platform, especially concerning third-party API interactions.
  • Platform Usage: Take preventive measures against inappropriate use, such as requiring age verification upon registration and not offering direct integrations with imaging and video creation tools.

1.5 Disclaimer

Build Any and Newton Day Ltd. disclaim liability for actions resulting from data usage outside our platform or from misuse of our services for inappropriate purposes, such as pornography. To that end, we urge users to register with third-party API providers directly.

2. Data Collection and Use

2.1 Data Collection Principles

  • Minimal Data Collection: We commit to data minimization, collecting only what is necessary to provide and enhance our services. Personal data will only be collected when strictly required for a defined purpose.
  • Transparency: Clear and concise information will be provided to data subjects about the type of data collected, the purposes of collection, and its subsequent use.
  • User Consent: Data collection practices depend on obtaining valid user consent or rely on other lawful bases for data processing as mandated by relevant data protection laws. We expressly communicate that consent is a foundational requirement for data processing, whilst providing users with the ability to revoke consent.

2.2 Usage of Data

  • Operational Use: Collected data will be utilized for service delivery, performance optimization, and enabling personalized user experiences.
  • Improvement and Development: Anonymized data analytics may be employed to enhance our service offerings and develop new features.
  • Compliance and Reporting: Data usage will comply with legal obligations, fulfill lawful requests, and support audit processes, while strictly adhering to data protection principles.
  • No Sharing Without Consent: Data will not be shared with third parties without explicit user consent, unless mandated by law or necessary for service provisioning under strict confidentiality.

2.3 Third-Party Integrations

  • Careful Selection: Third-party services are thoroughly vetted for their data protection practices to ensure compliance with our security and privacy standards.
  • Data Transfer and Protection: Any data shared with these third parties will be protected through encryption and governed by data protection agreements to ensure compliance with applicable regulations.
  • Limitation of Liability for Third-Party APIs: Newton Day Ltd. accepts no liability for actions or outcomes once data has left our platform via third-party APIs. Users are encouraged to understand and accept each third party's terms and conditions independently.

3. Data Security Measures

3.1 Encryption Standards

  • Data in Transit: All data transmitted over networks will be encrypted using industry-standard protocols, such as TLS, to prevent unauthorized access during transmission.
  • Data at Rest: Sensitive data will be secured with AES-256 encryption to ensure protection against unauthorized access when stored.

3.2 Access Control

  • Role-Based Access Control (RBAC): Access to data and systems is strictly controlled, using RBAC to ensure only authorized individuals have access based on their roles.
  • Multi-Factor Authentication (MFA): MFA will be employed for accessing sensitive systems, providing an additional layer of security to prevent unauthorized access.

3.3 Regular Data Backups

  • Routine Backups: Automated and regular data backups are conducted to ensure data redundancy and facilitate swift recovery in the event of data loss or system failure.
  • Secure Storage: Backups are stored securely, using the same encryption and access controls as primary data stores.

3.4 Monitoring and Logging

  • Continuous Monitoring: Systems will be continuously monitored for security threats, unusual activity, and compliance with security policies.
  • Comprehensive Logging: All critical data access and processing activities are logged to maintain an audit trail for security analysis and incident response.

3.5 Incident Response Protocols

  • Preparation and Prevention: A comprehensive incident response plan will be maintained, detailing procedures for identifying, managing, and mitigating data breaches or security incidents.
  • Timely Notification: In case of a data breach, affected parties will be notified promptly in accordance with regulatory requirements, and corrective actions will be implemented immediately.

3.6 Prevention of Inappropriate Use

  • Data Loss Prevention: Implement data loss prevention rules to monitor and prevent data misuse through the platform, specifically targeting the detection of inappropriate uses such as pornography.
  • Registration Verification: The user's age will be verified upon registration to aid in minimizing liability for inappropriate use.

4. Access Controls and Authentication

4.1 Role-Based Access Controls (RBAC)

  • Defined Access Levels: Access to sensitive data and critical systems will be governed by RBAC policies to ensure users have access only to the information necessary for their roles.
  • Regularly Reviewed Roles: User roles and access permissions will be regularly reviewed and updated to accommodate changes in responsibilities and prevent unauthorized access.

4.2 Multi-Factor Authentication (MFA)

  • Mandatory Implementation: MFA is mandatory for all access to sensitive systems, requiring multiple forms of verification for added security beyond passwords.
  • Secure Identity Verification: Verification methods will include combinations such as password entry and a unique code sent to the user's registered mobile device or email.

4.3 Password Management

  • Strong Password Policies: Users must create strong passwords adhering to complexity requirements and change them regularly to maintain security.
  • Easy and Secure Password Resets: Password reset processes will be user-friendly and incorporate security measures such as identity verification through MFA.

4.4 Access Logging and Monitoring

  • Detailed Logging: All access attempts to sensitive data and systems, including successful entries and access denials, will be logged to monitor for unauthorized or suspicious activities.
  • Proactive Monitoring: Security systems will actively monitor access logs to detect and respond to potential breaches or misuse of data access rights.

4.5 Session Management

  • Timeout Protocols: User sessions will automatically time out after periods of inactivity to reduce risks if a device is left unattended.
  • Secure Reconnection: Users will be required to re-authenticate to continue access following a timeout or system disconnect.

5. Data Lifecycle Management

5.1 Data Retention Policy

  • Defined Retention Periods: Data will be retained only as long as necessary to fulfill its intended purpose, comply with legal obligations, or meet business needs.
  • Regular Review and Deletion: Data retention periods will be regularly reviewed to ensure compliance, with redundant data being securely deleted or anonymized.

5.2 Data Archival

  • Secure Archiving: Data identified for long-term retention will be archived securely, using encryption and access controls to ensure continued protection.
  • Access to Archived Data: Access to archived data will be restricted to authorized personnel and managed under strict security protocols, with full audit trails maintained.

5.3 Data Deletion and Disposal

  • Secure Deletion Methods: Data will be deleted using secure methods that prevent recovery, whether through physical media shredding or secure erasure software.
  • Data Disposal Protocols: Disposal of data-storing hardware will follow secure destruction procedures to prevent data leakage.

5.4 Data Quality and Accuracy

  • Regular Updates: Data will be regularly reviewed and updated to ensure accuracy, completeness, and reliability.
  • Correction Mechanisms: Mechanisms will be in place to allow data subjects to request updates or corrections to their data.

5.5 Data Lifecycle Documentation

  • Lifecycle Tracking: The stages of data, from collection to disposal, will be documented, with clear responsibility assignments for each stage.
  • Accountability: Staff involved in each phase are accountable for their roles and will be trained in best practices for data management.

6. Vulnerability Management

6.1 Regular Vulnerability Assessments

  • Scheduled Scans: Regular vulnerability assessments will be conducted to identify security weaknesses across systems, networks, and applications.
  • Comprehensive Testing: These assessments will include penetration testing, security audits, and code reviews to uncover potential entry points.

6.2 Patch Management

  • Timely Updates: Security patches and updates will be applied promptly to mitigate risks identified during vulnerability assessments.
  • Automatic Update Systems: Where feasible, systems will be configured to automatically apply verified patches.

6.3 Risk Prioritization

  • Impact Analysis: Vulnerabilities will be classified based on their potential impact, allowing for prioritization in remediation efforts.
  • Risk Mitigation Strategies: High-risk vulnerabilities will receive immediate attention, while medium- and low-risk ones will be scheduled for resolution.

6.4 Continuous Monitoring and Improvement

  • Real-Time Monitoring: Systems will be continuously monitored for new vulnerabilities using both internal tools and third-party threat intelligence.
  • Feedback Loop: Learnings from vulnerability assessments will inform updates to security protocols, contributing to ongoing improvements.

6.5 Employee Training

  • Security Awareness: Regular training and awareness programs will be conducted to help employees identify and report vulnerabilities promptly.
  • Empowered Reporting: Clear

7. Data Governance and Accountability

7.1 Appointed Data Controller

  • Designation: Ian Tomlin, CEO of Newton Day Ltd, is appointed as the Data Controller, responsible for overseeing the Company's data protection strategy and implementation.
  • Responsibilities: The Data Controller will ensure compliance with relevant data protection laws, standards, and best practices, facilitating effective data management and governance.
  • Leadership Role: Acts as the primary point of contact for data protection matters and liaises with internal teams and external entities to maintain compliance.

7.2 Governance Structure

  • Data Protection Team: A dedicated team will support the Data Controller, composed of representatives from IT, legal, compliance, and other departments to oversee and implement data management policies.
  • Policy Enforcement: The Data Controller is responsible for ensuring consistent and effective enforcement of company-wide policies, providing leadership in data protection and governance initiatives.

7.3 Continual Improvement

  • Ongoing Evaluation: The Data Controller will oversee the continuous evaluation and improvement of data protection practices, adapting to technological and regulatory changes.
  • Stakeholder Engagement: Regular engagement with both internal and external stakeholders ensures alignment of data protection measures with business needs and stakeholder expectations.

7.4 Responsibility & Accountability

  • Defined Roles: Roles and responsibilities for data governance are clearly defined, ensuring everyone involved understands their duties within the data protection framework.
  • Training and Education: Continual education and training maintain a high standard of awareness of, and adherence to, policies across the organisation.

8. Incident Response and Management

8.1 Incident Response Plan

  • Structured Approach: Newton Day Ltd. will maintain a comprehensive Incident Response Plan (IRP) that outlines procedures for identifying, managing, and mitigating data breaches or security incidents.
  • Defined Stages: The IRP will encompass the stages of Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Post-Incident Review.

8.2 Incident Detection and Reporting

  • Immediate Reporting Mechanism: Mechanisms will be established for the swift reporting of any anomalies, potential breaches, or security incidents by all employees, partners, and stakeholders.
  • Dedicated Response Team: A specialized response team trained in handling data breaches and cybersecurity threats will be deployed to manage incidents as they arise.

8.3 Incident Containment and Eradication

  • Rapid Containment: Immediate actions will be taken to contain any verified incidents, minimizing their impact and preventing further damage.
  • Root Cause Analysis: Efforts will focus on identifying and eliminating the root cause of the incident to prevent recurrence, using forensic analysis when necessary.

8.4 Recovery and Communication

  • Efficient Recovery Processes: Systems will be restored to normal operations as soon as possible, supported by backup data to ensure minimal disruption.
  • Timely Communication: Stakeholders, including affected clients, will be informed promptly about the incident, its impact, and the steps taken to address it, in accordance with applicable regulations.

8.5 Post-Incident Review and Learning

  • Comprehensive Review: A thorough post-incident review will be conducted to understand the incident, evaluate the response, and identify areas for improvement.
  • Continual Improvement: Lessons learned will be integral to refining security policies, enhancing response strategies, and updating employee training programs.

9. Compliance and Audits

9.1 Regulatory Compliance

  • Legal Adherence: Newton Day Ltd. commits to complying with all applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and any local data privacy laws relevant to operational regions.
  • Continuous Monitoring: Regular monitoring will ensure adherence to the latest regulatory changes across all jurisdictions where the company operates.

9.2 Internal Audits

  • Annual Audits: Comprehensive internal audits will be conducted annually to assess compliance with the company's data policies, procedures, and statutory requirements.
  • Audit Methodology: Audits will follow established guidelines, employing both automated tools and manual reviews to validate adherence to policy standards.

9.3 External Audits

  • Third-Party Assessments: Independent external audits will be carried out periodically to validate internal findings and ensure objectivity in compliance assessments.
  • Certification Pursuits: The company will seek and maintain relevant data protection and security certifications to demonstrate adherence to recognized standards.

9.4 Reporting and Correction

  • Transparency in Findings: Key findings from audits will be documented and communicated to leadership, along with necessary corrective actions and implementation timelines.
  • Corrective Measures: Identified deficiencies will be addressed through targeted corrective measures to ensure continuous improvement and compliance in all data management activities.

9.5 Training and Awareness

  • Regulatory Training: Training resources are available to keep employees and subscribers informed about compliance obligations and their roles in maintaining compliance.
  • Awareness Campaigns: Ongoing campaigns will highlight the importance of compliance and the role of each employee in supporting the company's commitment to data security.

10. Training and Awareness

10.1 Training Programs

  • Regular Training Sessions: Newton Day Ltd. conducts regular training programs to ensure all employees are well-versed in data protection practices, security protocols, and compliance requirements.
  • Customised Curriculum: Training content will be tailored to different roles and responsibilities within the organisation, ensuring relevance and practical applicability.

10.2 Continuous Learning

  • Ongoing Education: Employees will have access to continuous learning resources, including e-learning modules, webinars, and workshops, to stay up-to-date with the latest in data management and security.
  • Mandatory Updates: Training materials will be regularly updated to reflect changes in legal requirements and technological advancements.

10.3 Awareness Campaigns

  • Company-Wide Campaigns: Awareness campaigns will be conducted throughout the year to reinforce key principles of data protection and the importance of maintaining data security.
  • Cultural Integration: Efforts will be made to integrate data protection into the organisational culture, making security and compliance intrinsic aspects of daily operations.

10.4 Feedback and Improvement

  • Feedback Mechanisms: Employees are encouraged to provide feedback on training programs and awareness campaigns to help identify areas for improvement.
  • Iterative Development: Training and awareness content will be refined based on feedback and effectiveness, ensuring continuous improvement and engagement.

10.5 Empowerment and Responsibility

  • Role Clarity: Employees will be made aware of their specific roles and responsibilities in protecting data and ensuring compliance, empowering them to take proactive steps in safeguarding information.
  • Incentives for Engagement: Recognition and incentives will be given for employees who actively participate in and contribute to the company's data protection efforts.

11. Data Sharing and Transfer Controls

11.1 Data Sharing Protocols

  • Controlled Sharing: Data sharing, both internally and externally, will follow strict protocols to ensure information is shared only with authorized entities for legitimate purposes.
  • Consent and Notification: Explicit consent will be obtained from data subjects where required, and they will be notified about how their data may be shared or used.

11.2 Internal Data Controls

  • Access Limitations: Access to data internally will be limited to personnel who require it to perform their duties, adhering to the principle of least privilege.
  • Data Handling Policies: Employees will follow established data handling policies to prevent unauthorized sharing and ensure data integrity.

11.3 External Data Transfers

  • Third-Party Agreements: Data shared with third-party vendors will be protected under data protection agreements, ensuring compliance with security and privacy standards.
  • Cross-Border Transfers: When transferring data across international borders, the company will ensure compliance with relevant laws, including GDPR, and use legal mechanisms like Standard Contractual Clauses where necessary.

11.4 Data Encryption in Transit

  • Secure Transport Layers: Data in transit will be encrypted using secure protocols, such as TLS, to protect it from interception during transfers.
  • End-to-End Security: Encryption ensures data remains secure from the point of departure to the point of arrival.

11.5 Monitoring and Auditing

  • Regular Audits: Data sharing practices will be audited regularly to ensure compliance with internal policies and legal requirements.
  • Incident Tracking: Any irregularities or unauthorized data transfers will be tracked and investigated promptly, with appropriate actions taken to mitigate risks.

12. Data Minimization and Purpose Limitation

12.1 Principle of Data Minimization

  • Minimal Collection: Newton Day Ltd. is committed to collecting only the data necessary for specified, legitimate purposes, avoiding the accumulation of unnecessary personal or sensitive data.
  • Periodic Review: Regular reviews of collected data will ensure alignment with the minimization principle, and any superfluous data will be archived or disposed of appropriately.

12.2 Purpose Limitation

  • Specified Purposes: Data processing activities will be clearly defined, with data collected strictly for the purposes detailed in this policy or as communicated to data subjects.
  • Purpose Adaptation: Any intention to use data outside its original purpose will require reassessment, additional consent from data subjects, or compliance with relevant legal bases for processing.

12.3 Transparency in Collection and Use

  • Clear Communication: The company will provide data subjects with concise information on how and why their data is collected, ensuring understanding of the processing activities.
  • Consent and Control: Data subjects will have control over their data, with rights to object to certain types of processing based on applicable data protection laws.

12.4 Evaluation and Documentation

  • Regular Audits: Data collection and processing activities will undergo regular audits to ensure compliance with the principles of data minimization and purpose limitation.
  • Documentation: Comprehensive documentation of the purposes and extent of data processing will support audits and accountability measures.

13. Third-Party Vendor Management

13.1 Management and Control Measures

  • Vendor Assessment: We conduct comprehensive due diligence to evaluate potential vendors' data protection standards before engagement. This includes thorough checks on their policies, procedures, and historical performance concerning data protection.
  • Regular Audits: We implement scheduled audits to ensure that vendors remain compliant with our data management practices, consistently enforcing our standards across all vendor relationships.
  • Access Controls: Vendor data access is strictly limited to what is necessary for their contracted responsibilities, with robust authentication protocols in place to secure data integrity and confidentiality.

13.2 Due Diligence

  • Risk Assessments: We perform initial risk assessments to identify potential legal, financial, or security risks associated with vendors, ensuring that only those with aligned risk profiles are contracted.
  • Evidence of Compliance: It is mandatory for vendors to provide evidence of their data protection measures, certifications, and alignment with relevant regulations, ensuring adherence to high data protection standards.

13.3 Contractual Obligations

  • Data Protection Agreements (DPA): Our contracts include specific clauses requiring vendors to adhere to data protection standards that meet or exceed Newton Day Ltd policies.
  • Liability and Indemnity Clauses: Vendors are obligated to indemnify Newton Day Ltd for any breaches resulting from their negligence. This stipulation includes coverage for all costs related to breach incidents.
  • Termination Clauses: We clearly define circumstances under which contracts can be terminated, including breaches of data protection obligations, to safeguard our interests.

13.4 Monitoring and Reporting

  • KPIs and Reporting Requirements: We establish key performance indicators (KPIs) and detailed reporting requirements for vendors concerning their data handling practices, ensuring transparency and accountability.
  • Timely Notification: Vendors are required to provide immediate notification of any detected vulnerabilities or incidents impacting our data, allowing for swift corrective action and mitigation of risks.

14. Data Breach Notification

14.1 Breach Identification and Initial Response

  • Rapid Response Team: We have a dedicated rapid response team on standby to address breach incidents immediately, ensuring prompt containment and mitigation.
  • Automated Monitoring Systems: Our systems are equipped with automated monitoring technologies to detect breaches as they occur, allowing for swift action.

14.2 Processes

  • Internal Protocols: Our internal protocol clearly outlines step-by-step procedures for confirming and managing breaches, ensuring a systematic and effective response.
  • Defined Roles: Specific roles and responsibilities are assigned to team members during a breach incident, facilitating effective collaboration and communication.

14.3 Notification Timelines

  • Timely Data Subject Notification: We notify data subjects without undue delay, and in any event, no later than 72 hours after becoming aware of a breach, in compliance with regulatory requirements such as GDPR.
  • Authority Notification: Relevant authorities are notified simultaneously with details of the breach, including its nature, the data affected, and the mitigation measures in place.

14.4 Communication

  • Communication Plan: We have a comprehensive plan for informing affected stakeholders, providing clear and relevant information on the scope of the data breach and recommended protective measures.
  • Transparency and Clarity: Our communications are transparent and clear, maintaining trust and compliance with all regulatory requirements.

14.5 Recovery and Review

  • Post-Breach Analysis: We conduct thorough post-breach analyses to identify root causes and implement corrective actions, reinforcing our security measures.
  • Procedure Updates: Our breach notification procedures are regularly reviewed and updated to enhance effectiveness and ensure alignment with evolving regulations.

15. Data Subject Rights

15.1 Access and Transparency

  • Right to Access: We provide a clear and accessible process for data subjects to request access to their personal data, ensuring transparency in our data handling practices.
  • Timely Responses: We are committed to providing timely responses to access requests, typically within one month, as stipulated by applicable laws.

15.2 Rectification and Erasure

  • Correction Mechanisms: Our systems allow data subjects to request corrections if inaccuracies are identified in their personal data, supporting the integrity and accuracy of our data.
  • Right to Erasure: We facilitate an easy-to-use process for requesting the deletion of personal data under conditions outlined by relevant data protection laws like the GDPR.

15.3 Objection and Restriction

  • Processing Objections: Data subjects are entitled to object to the processing of their data when based on legitimate interests or for direct marketing purposes.
  • Restriction Requests: We accommodate requests to restrict data processing under certain conditions, providing clear guidelines on when this right may be exercised.

15.4 Portability

  • Data Portability: We ensure data subjects can request their personal data in a structured, commonly used, and machine-readable format.
  • Seamless Data Transfer: We facilitate the transfer of personal data to another controller upon request, where it is technically feasible.

15.5 Notification to Third Parties

  • Third-Party Notification: We are responsible for notifying third parties of any rectification, erasure, or restriction of processing executed upon a data subject's request unless it is impossible or involves disproportionate effort.

15.6 Informing and Educating Data Subjects

  • Educational Resources: We develop informational resources to educate data subjects about their rights and the processes we have in place for exercising these rights.
  • Contact Points: We provide designated contact points, such as a Data Protection Officer, to address queries and offer guidance on data protection matters.

16. Legal and Liability Provisions

16.1 Disclaimers

  • Limitations on Liability: Newton Day Ltd. explicitly states that we shall not be liable for indirect or consequential losses arising from data incidents, except where legally mandated.
  • Force Majeure: Our agreements include a force majeure clause excusing performance failures due to unforeseeable events beyond our control, such as natural disasters or governmental actions.

16.2 Limitations of Liability

  • Capped Liability: We establish a capped liability amount for which the company will be responsible in the event of data breaches, reflecting the nature and scope of our data services.

16.3 Indemnification

  • Vendor and Third-Party Indemnity: We require vendors and third parties to indemnify our company for liabilities incurred due to their failure to comply with data protection and security policies.
  • Comprehensive Coverage: Indemnification clauses cover all costs related to breach incidents, including legal fees and awarded damages.

16.4 Risk Management and Mitigation

  • Proactive Risk Assessments: We integrate proactive risk assessments to identify and address potential liabilities before they occur, adhering to Proactive Law principles.
  • Alternative Dispute Resolution: Contracts oblige parties to engage in mediation or arbitration as a first step before litigation, promoting dispute resolution and maintaining relationships.

16.5 Governing Standards and Regulations

  • Legal Compliance: We ensure all legal frameworks and liability terms comply with applicable laws and standards, updating clauses as regulations evolve to maintain relevance and effectiveness.

17. Governing Law and Jurisdiction

17.1 Choice of Law

  • Jurisdiction: This policy is governed by and construed in accordance with the laws of England and Wales, providing a consistent legal framework for all contractual and operational activities.

17.2 Jurisdiction Clause

  • Exclusive Jurisdiction: The courts of England and Wales shall have exclusive jurisdiction over any disputes arising under this policy, ensuring clarity and consistency in legal proceedings.

17.3 International Considerations

  • Conflicts of Law: If operations extend beyond a single jurisdiction, we address potential conflicts of law, particularly with international data protection regimes such as GDPR, ensuring compliance across all operational regions.

17.4 Alternative Dispute Resolution (ADR)

  • Resolution-Driven Approach: We encourage the use of ADR methods such as arbitration or mediation before pursuing litigation, fostering a cost-effective and relationship-preserving resolution to disputes.

Schedule A - Service Level Agreements

Introduction and Purpose (Clause 1)

  • Service Commitment to Data Safety: We commit to ensuring data safety through operational safeguards and operating protocols, underscoring our preventative approach to potential data breaches.
  • Support Level: 24/7 access to our data protection and security resources for continuous monitoring and quick intervention.

Data Collection and Use (Clause 2)

  • Transparency in Data Processing: We guarantee transparency in how user data is collected, processed, and used.
  • Support Level: Provide detailed processing explanations to data subjects within 5 business days of a request.

Data Security Measures (Clause 3)

  • Robust Security Commitment: We ensure that both data in transit and at rest are secured with industry-leading encryption protocols.
  • Support Level: Implementation of daily security checks and threat detection, ensuring 24/7 system integrity and immediate response to suspected breaches.

Access Controls and Authentication (Clause 4)

  • Comprehensive Access Management: We deploy role-based access controls and mandatory multi-factor authentication across all systems.
  • Support Level: 99.9% uptime for access management systems, with support available to resolve any access issues within 12 hours.

Data Lifecycle Management (Clause 5)

  • Commitment to Data Quality: We adhere to strict data retention and deletion protocols, maintaining data integrity throughout its lifecycle.
  • Support Level: Commit to bi-annual reviews of data management practices, with reports generated within 20 business days of completion.

Regular Vulnerability Assessments (Clause 6)

  • Commitment to Continuous Evaluation: We conduct regular vulnerability assessments, including penetration testing every quarter, to preemptively identify security gaps.
  • Support Level: Timely application of patches and updates with a patch success rate above 95%.

Incident Response and Management (Clause 8)

  • Efficient Incident Containment: Our Incident Response Team is trained to contain security breaches rapidly, functioning seamlessly across different time zones.
  • Support Level: Incident notification to users and stakeholders is carried out within the regulatory timeline of 72 hours, with continuous updates during major incidents.

Compliance and Audits (Clause 9)

  • Periodic Audits: We conduct thorough compliance checks internally and via external auditors annually to ensure ongoing legal adherence.
  • Support Level: Full audit reports will be generated and shared within 15 business days after the completion of audit processes.

Data Sharing and Transfer Controls (Clause 11)

  • Protection in Data Transfers: We ensure encrypted data transit for all external transfers using the highest standards of security protocols.
  • Support Level: Real-time monitoring of data transfers and a 30-minute response time for any detected anomalies.

Data Subject Rights (Clause 15)

  • Upholding Rights with Prompt Responses: We facilitate access, rectification, and erasure requests promptly, maintaining complete transparency.
  • Support Level: Guaranteed response to data subject requests within one month, adhering strictly to GDPR timelines and protocols.

Other SLA Clauses

Third-Party Vendor Management

  • Vendor Performance Monitoring: We require regular audits and compliance checks for third-party vendors to ensure they meet our stringent data handling standards.
  • Support Level: Quarterly compliance reviews and dedicated account management for vendor relations.

Guarantee on Encryption Standards

  • We ensure that all data in transit is encrypted using industry-standard protocols such as TLS, and all data at rest is secured with AES-256 encryption. We guarantee a 24/7 monitoring system to detect unauthorized access attempts within 24 hours.
  • Support Level: Immediate response to breaches with an Incident Response Team available 24/7.

Regular Data Backups

  • Assurance of Data Redundancy: We perform routine automated backups and offer comprehensive restoration services, typically allowing data recovery within one business day following a data loss incident.
  • Support Level: 99.9% data redundancy and backup availability guarantee, with priority restoration support.

Robust Access Control

  • Implementation of Role-Based Access Control (RBAC): We strictly maintain RBAC to ensure access according to predetermined roles within an organization, reviewed every quarter.
  • Support Level: Bi-annual audit of access controls and 24/7 support for access-related queries.

Schedule B - Marketplace Supplier Data Policy & Terms

1. Scope and Purpose

  • Roles and Responsibilities: As a supplier to the Newton Day marketplace, you are responsible for managing and protecting all data handled by your AI agents and any associated APIs.
  • Authorized Use: Suppliers are permitted to develop and publish AI solutions that align with market needs while adhering to Newton Day's security protocols.

2. Rigorous Vetting Process

  • Solution Appraisal: You must submit your AI solutions and APIs for a thorough technical and ethical appraisal. Approval is contingent upon meeting our rigorous data protection standards.
  • Compliance Documentation: Suppliers must provide documentation demonstrating compliance with our security and privacy standards prior to publishing their solutions.

3. Data Governance and Compliance

  • Data Handling Protocols: You must adhere to strict data governance standards, ensuring data minimization, encryption, and regular audits. Non-compliance will result in delisting.
  • Legal Compliance: Suppliers are required to remain compliant with all applicable data protection regulations (e.g., GDPR, CCPA) and provide supporting compliance documentation.

4. Liability and Indemnification

  • Limitation of Liability: Newton Day Ltd. is not liable for data breaches or misuse of the AI tools you develop. Suppliers assume full liability for their creations.
  • Indemnification Clause: You must indemnify Newton Day against any legal claims, damages, or costs arising from data incidents associated with your agents.

5. Monitoring and Reporting Obligations

  • Performance Monitoring: Suppliers must conduct ongoing monitoring of their solutions and promptly report operational security metrics and compliance status to Newton Day.
  • Incident Notification: Immediate notification to Newton Day is required for any security incidents or data breaches, with full disclosure of affected data and remedial actions.

6. User Conduct and Usage Limitations

  • Acceptable Use: Suppliers must enforce terms prohibiting misuse of their tools within the marketplace. Violations by end-users must be reported immediately.
  • Identity Verification: Implement robust identity verification measures to manage user access to sensitive functionalities.

7. Regular Reviews and Updates

  • Policy Updates: Suppliers are required to review and adapt to policy updates regularly issued by Newton Day to address technological and regulatory changes.
  • Training Obligations: Participate in scheduled training sessions and updates provided by Newton Day on legal and ethical obligations in data protection.

8. Governance and Dispute Resolution

  • Governing Law: These terms are governed by the laws of England and Wales.
  • Dispute Resolution: Suppliers agree to engage in mediation or arbitration as a first resort in resolving disputes, prior to pursuing litigation.