
Security & Data Protection Policy

Last Updated: March 2025

INTRODUCTION

This Security and Data Protection Policy (the "Policy") describes the security measures, operational practices, and data protection commitments that Uonyx, a corporation incorporated under the laws of the State of California, United States, with its principal place of business at 7421 Edinger Ave, Huntington Beach, CA 92647 ("Uonyx", "we", "us", or "our"), maintains to protect the confidentiality, integrity, and availability of the Uonyx platform and the data entrusted to us by our customers.

Uonyx is a cloud-based enterprise resource planning (ERP) SaaS platform used by organisations to manage business operations across a broad range of functional areas, including CRM, accounting, HR and payroll, manufacturing, inventory, procurement, project management, customer support, healthcare, property management, and AI-powered automation. Given the operational and commercial sensitivity of the data processed through the platform, Uonyx treats information security as a foundational commitment — not a secondary consideration.

Important: This Policy is an informational document intended to provide customers, prospective customers, auditors, and enterprise procurement teams with a clear understanding of Uonyx's security posture and data protection practices. It complements but does not replace the Uonyx Data Processing Agreement (DPA), which governs the legal obligations applicable to the processing of personal data. The DPA is available at https://uonyx.com/legal/dpa.

1. SECURITY GOVERNANCE

Uonyx's approach to information security is governed by a set of principles, policies, and controls that are embedded into the design of the platform, the operation of our infrastructure, and the day-to-day practices of our team. Security is treated as an organisational priority with cross-functional accountability, and not as the exclusive responsibility of any single team or function.

1.1 Security Principles

Uonyx's security programme is built on the following foundational principles:

  • Security by Design: Security controls and risk considerations are incorporated into the design of platform features, system architectures, and operational processes from the outset — not applied retrospectively.
  • Defence in Depth: Uonyx employs multiple, overlapping layers of security controls at the infrastructure, network, application, and operational levels, so that the compromise of any single control does not result in the compromise of the overall system.
  • Least Privilege: Access to systems, data, and infrastructure is granted only to individuals and processes that have a documented business need, and only to the minimum extent necessary to fulfil that need.
  • Continuous Improvement: Uonyx's security programme is subject to regular review, testing, and improvement in response to emerging threats, technological changes, and lessons learned from operational experience.
  • Transparency: Uonyx is committed to communicating transparently with customers about material security matters, including the measures we take to protect their data and, where required, security incidents that may affect them.

1.2 Security Frameworks and Standards

Uonyx's security programme is aligned with, and informed by, the following widely recognised industry frameworks and standards:

  • NIST Cybersecurity Framework (CSF): Uonyx's security programme is structured around the NIST CSF's five core functions — Identify, Protect, Detect, Respond, and Recover — providing a systematic and risk-based approach to cybersecurity management.
  • OWASP (Open Web Application Security Project): Uonyx's application security practices are informed by OWASP guidance, including the OWASP Top 10 Web Application Security Risks and the OWASP Application Security Verification Standard (ASVS), which inform our secure development practices, code review processes, and vulnerability testing methodology.
  • CIS Controls: Uonyx references the Center for Internet Security (CIS) Critical Security Controls to inform the prioritisation and implementation of foundational security measures across the platform and organisation.
  • Cloud Security Best Practices: Uonyx follows the security best practice guidance published by its cloud infrastructure provider, including the AWS Well-Architected Framework Security Pillar, to ensure that cloud architecture decisions reflect current security standards.

1.3 Security Policies and Documentation

Uonyx maintains a library of internal security policies and procedures covering key operational and technical security domains, including access management, incident response, vulnerability management, change management, data classification, and secure software development. These policies are reviewed and updated on a regular basis, and are made available to Uonyx personnel through internal governance processes.

1.4 Security Roles and Responsibilities

Uonyx has designated security responsibilities across its organisation, including a security function responsible for programme management, risk assessment, policy governance, and incident coordination. All Uonyx personnel who access production systems or customer data complete security awareness training at the time of onboarding and on an ongoing periodic basis. Personnel in technical and engineering roles receive additional role-specific security training commensurate with their responsibilities.

2. INFRASTRUCTURE SECURITY

The Uonyx platform is hosted on enterprise-grade cloud infrastructure located primarily in the United States. Uonyx's cloud infrastructure provider is independently certified to internationally recognised security standards, providing a foundation of physical and environmental security controls that Uonyx builds upon with its own application and operational security measures.

The following table summarises the key infrastructure security controls maintained by Uonyx:

| Control Area | Measures Implemented |
|---|---|
| Cloud Infrastructure | Hosted on enterprise-grade cloud infrastructure with independently certified security controls. Primary data processing located in the United States. |
| Network Segmentation | Production environments are segmented from development and staging environments. Network access control lists (ACLs) and security groups enforce traffic restrictions at the network layer. |
| Firewalls and WAF | Web Application Firewall (WAF) and perimeter firewall rules protect the platform from common web attacks, malicious traffic, and unauthorised network access. |
| DDoS Protection | DDoS protection is provided at the infrastructure level through Uonyx's cloud infrastructure provider, with automated traffic scrubbing and rate limiting to maintain platform availability during attack events. |
| Intrusion Detection | Intrusion detection and prevention systems (IDS/IPS) monitor network traffic for anomalous patterns and potential threats. Security event logs are collected and analysed on a continuous basis. |
| Encryption in Transit | All data transmitted between customer clients (browsers, API clients, mobile applications) and the Uonyx platform is encrypted using TLS 1.2 or TLS 1.3. Legacy TLS versions are disabled. |
| Infrastructure Monitoring | Comprehensive monitoring of infrastructure health, availability, and performance. Automated alerting triggers immediate investigation of anomalous conditions. |
| High Availability | The platform is deployed across multiple availability zones to ensure redundancy and minimise the impact of hardware or data centre failures on service availability. |
| Backup and Recovery | Customer data is backed up automatically on a regular schedule. Backup integrity is validated through regular restoration testing. Uonyx maintains disaster recovery plans to enable prompt service restoration following a major incident. |

2.1 Physical Security

The physical security of Uonyx's cloud infrastructure — including data centre access controls, environmental monitoring, and physical asset management — is managed by Uonyx's cloud infrastructure provider in accordance with its own independently audited security standards. Uonyx does not operate its own data centres.

2.2 Multi-Tenancy and Tenant Isolation

Uonyx operates a multi-tenant platform architecture in which each customer's data is logically isolated from other customers' data through dedicated database instances, tenant-specific access controls, and application-layer isolation mechanisms. Uonyx's architecture is designed to prevent one customer's data from being accessible to or commingled with another customer's data. Cross-tenant access controls are technically enforced at both the application and database layers.

3. DATA PROTECTION

Uonyx is committed to protecting the confidentiality, integrity, and availability of customer data entrusted to the platform. The data protection measures described in this section apply to all customer data processed through the Services.

3.1 Encryption

Uonyx implements encryption as a core data protection control:

  • Encryption in Transit: All data transmitted between customer devices and the Uonyx platform is encrypted using Transport Layer Security (TLS) version 1.2 or 1.3. Uonyx enforces HTTPS for all platform endpoints and disables deprecated or insecure protocol versions (including TLS 1.0 and 1.1). API communications are also encrypted in transit.
  • Encryption at Rest: Customer data stored within the Uonyx platform — including database storage, file storage, and backup data — is encrypted at rest using AES-256 encryption managed through the key management services provided by Uonyx's cloud infrastructure provider.
  • Key Management: Encryption keys are managed using a dedicated key management service with automatic key rotation policies. Cryptographic key material is not stored in plaintext and is decrypted only in memory when required for processing.

3.2 Credential Security

Uonyx implements the following controls to protect authentication credentials:

  • User passwords are stored using strong one-way cryptographic hashing algorithms, such that plaintext passwords are never stored by Uonyx;
  • API keys and authentication tokens are generated using cryptographically secure random number generation and are stored in hashed or encrypted form;
  • Sensitive credentials (database passwords, API keys, service account credentials) are stored using dedicated secrets management tooling, with access restricted to authorised systems and personnel; and
  • Uonyx's platform enforces configurable password complexity requirements and supports multi-factor authentication for Authorised Users.

3.3 Data Minimisation and Retention

Uonyx processes only the data necessary to provide the Services as configured by the Customer. Uonyx's data retention practices are governed by its Data Retention Policy and the terms of the applicable Data Processing Agreement. Customer data is deleted or returned to the Customer in accordance with the DPA following the termination of the Agreement.

3.4 Data Residency

Customer data is processed and stored on cloud infrastructure located primarily in the United States. Customers who require specific data residency arrangements should contact Uonyx at privacy@uonyx.com to discuss available options. Information regarding international data transfers, including applicable transfer safeguards, is set out in the Uonyx Data Processing Agreement available at https://uonyx.com/legal/dpa.

3.5 Compliance with Data Protection Laws

Uonyx processes personal data in its role as a data processor on behalf of its customers in accordance with applicable data protection and privacy laws, including the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and equivalent applicable legislation. The legal framework governing Uonyx's processing of personal data is set out in the Uonyx Data Processing Agreement, available at https://uonyx.com/legal/dpa.

4. ACCESS CONTROLS

Uonyx implements layered access control measures to ensure that access to the platform, its infrastructure, and customer data is restricted to authorised individuals and systems, and is granted only to the minimum extent necessary.

4.1 Role-Based Access Control (RBAC)

Uonyx operates a role-based access control model both internally (for Uonyx personnel) and within the customer-facing platform:

  • Internally, access to production systems and customer data by Uonyx personnel is governed by documented role definitions that specify permitted access levels based on job function and business need;
  • Customer account administrators have granular control over the roles and permission sets assigned to their Authorised Users within the platform, enabling organisations to enforce their own access governance policies; and
  • The Uonyx platform supports configurable permission sets, custom role definitions, and module-level access restrictions, enabling customers to implement least-privilege access across their teams.

4.2 Least Privilege

Uonyx applies the principle of least privilege to all internal access decisions. Uonyx personnel are granted access only to the specific systems, tools, and data required to perform their documented job responsibilities. Access requests are subject to approval, and access entitlements are reviewed on a regular basis. Access is automatically revoked or modified upon changes in role or employment status.

4.3 Multi-Factor Authentication (MFA)

Multi-factor authentication is enforced for all Uonyx personnel accessing production infrastructure and internal systems containing customer data. The Uonyx platform supports MFA enforcement for Authorised Users, and customers are strongly encouraged to enable MFA across their user base. Enterprise customers may configure MFA as a mandatory control for all users in their organisation through the platform's account administration settings.

4.4 Privileged Access Management

Access to production databases, infrastructure management consoles, and other privileged systems is restricted to a limited number of authorised senior engineering and security personnel. Privileged access sessions are logged and audited. Just-in-time (JIT) access provisioning is used for database-level access where applicable, reducing the standing attack surface for high-value systems.

4.5 Administrative Access Controls

Administrative access to the Uonyx platform and its underlying infrastructure is subject to the following controls:

  • All administrative access is authenticated using strong credentials and multi-factor authentication;
  • Administrative actions on production systems are logged in tamper-evident audit logs, which are retained in accordance with Uonyx's security policies;
  • Uonyx personnel do not access customer data except where necessary to provide contracted support services, as directed by the Customer, or as required by applicable law; and
  • Access to customer accounts by Uonyx support personnel for troubleshooting purposes requires the Customer's prior consent on a case-by-case basis.

4.6 Single Sign-On and Identity Federation

The Uonyx platform supports Single Sign-On (SSO) integration via SAML 2.0 and OAuth 2.0, enabling Enterprise customers to integrate the platform with their existing identity provider (IdP) and enforce centralised authentication policies, including MFA, session controls, and conditional access rules.

5. SECURE SOFTWARE DEVELOPMENT

Uonyx integrates security into every stage of the software development lifecycle (SDLC), ensuring that security considerations are addressed proactively during design, development, testing, and deployment — rather than being applied as a retrospective control.

5.1 Secure Development Lifecycle

Uonyx's SDLC incorporates the following security activities:

  • Security Requirements Analysis: Security requirements and risk considerations are identified and documented during the design phase of new features and platform changes.
  • Threat Modelling: Uonyx performs threat modelling for significant new features and architectural changes to identify potential attack vectors and inform the selection of appropriate mitigating controls.
  • Secure Coding Standards: Uonyx's engineering team follows documented secure coding standards aligned with OWASP guidance, covering input validation, output encoding, authentication, session management, error handling, and the prevention of injection vulnerabilities.
  • Code Review: All code changes undergo peer review before merging, with security considerations forming part of the review criteria. Significant changes are subject to additional review by team members with security expertise.
  • Static Application Security Testing (SAST): Automated static analysis tools are integrated into Uonyx's CI/CD pipeline to detect common security vulnerabilities in source code before deployment.
  • Dynamic Application Security Testing (DAST): Dynamic analysis and automated vulnerability scanning are performed against the application in test environments to identify runtime security issues.
  • Dependency Management: Third-party libraries and software dependencies are tracked and monitored for known vulnerabilities using automated dependency scanning tools. Vulnerable dependencies are remediated in accordance with Uonyx's vulnerability management procedures.

5.2 OWASP Top 10

Uonyx's application security controls are designed to mitigate the OWASP Top 10 Web Application Security Risks. These include protections against injection attacks (SQL injection, command injection, and others), broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, and other commonly exploited vulnerability classes.

5.3 Penetration Testing

Uonyx engages qualified independent third-party security firms to conduct penetration testing of the platform and infrastructure on a periodic basis. Penetration tests cover both application-layer and infrastructure-layer security, and findings are remediated in accordance with Uonyx's vulnerability management procedures. Summary results of penetration tests may be made available to Enterprise customers under appropriate confidentiality arrangements upon request.

5.4 Change Management

Changes to the production platform are managed through a documented change management process that includes change classification, risk assessment, peer review, testing in pre-production environments, and rollback planning. Emergency changes required to address active security incidents are handled through an expedited process with appropriate post-implementation review.

6. MONITORING AND INCIDENT DETECTION

Uonyx maintains a continuous monitoring programme across its platform and infrastructure to enable the timely detection, investigation, and response to security events and service disruptions.

6.1 Security Monitoring

Uonyx's monitoring infrastructure includes:

  • Centralised Log Management: Security-relevant events across the platform, network, and infrastructure are collected into a centralised log management system. Log data is retained in accordance with Uonyx's security policies and is protected against unauthorised modification.
  • Security Information and Event Management (SIEM): Uonyx uses SIEM tooling to correlate and analyse security events across the environment, enabling the detection of complex attack patterns and anomalous behaviour that may not be apparent from individual log entries.
  • Anomaly Detection: Automated anomaly detection capabilities monitor user behaviour, API usage patterns, and system activity for indicators of compromise, including unusual access patterns, privilege escalations, and abnormal data access volumes.
  • Infrastructure Health Monitoring: Comprehensive infrastructure monitoring covers the availability, performance, and security posture of Uonyx's production systems, with automated alerting and escalation for critical conditions.
  • 24/7 Alert Response: Critical security alerts generated by Uonyx's monitoring systems are triaged and responded to on a continuous basis by designated on-call personnel.

6.2 Audit Logging

Uonyx maintains comprehensive audit logs of security-relevant events across the platform, including:

  • User authentication events (successful and failed login attempts);
  • Administrative and privileged access activities;
  • Platform configuration changes and account modifications;
  • Data access events by Uonyx personnel; and
  • API access and integration events.

Customer account administrators have access to audit logs relevant to activities within their own account through the Uonyx platform's administration console. Audit logs are retained for a minimum period in accordance with Uonyx's security and compliance policies.

6.3 Status and Transparency

Uonyx maintains a publicly accessible status page at https://status.uonyx.com providing real-time information on the operational status of the platform. Major incidents affecting service availability are communicated through the status page in accordance with the commitments in the Uonyx Service Level Agreement.

7. SECURITY INCIDENT RESPONSE

Uonyx maintains a documented Security Incident Response Plan that governs the detection, investigation, containment, remediation, and communication of security incidents affecting the platform or customer data. The plan is reviewed and updated periodically and is tested through planned exercises.

7.1 Incident Response Process

Uonyx's incident response process follows the phases described in the table below:

| Phase | Activities |
|---|---|
| 1. Detection & Triage | Identification of a potential security incident through monitoring systems, internal reporting, or external notification. Initial triage to assess severity and potential impact on customer data or platform availability. |
| 2. Classification | Assignment of a severity classification based on the scope, nature, and potential impact of the incident. Activation of appropriate response procedures and escalation paths based on severity. |
| 3. Containment | Immediate steps taken to contain the incident and prevent further spread or escalation, which may include isolating affected systems, revoking compromised credentials, blocking malicious traffic, or disabling vulnerable services. |
| 4. Investigation | Forensic investigation to identify the root cause, attack vector, extent of compromise, and any data potentially affected. Documentation of findings to support remediation and post-incident review. |
| 5. Eradication | Removal of the root cause of the incident from the environment, including patching vulnerabilities, removing malicious code or access, and implementing additional controls to prevent recurrence. |
| 6. Recovery | Restoration of affected systems and services to normal operation, with validation that the threat has been fully eradicated and that restored systems are operating securely. |
| 7. Communication | Notification of affected Customers in accordance with applicable data protection laws and the Data Processing Agreement. Post-incident summary published on the status page for significant incidents. |
| 8. Post-Incident Review | Root cause analysis, lessons learned, and implementation of improvements to prevent recurrence. Documentation of the incident timeline, response actions, and outcomes in Uonyx's incident records. |

7.2 Customer Notification

Where Uonyx confirms that a security incident constitutes a personal data breach affecting customer data, Uonyx will notify affected Customers in accordance with its obligations under the applicable Data Processing Agreement and relevant data protection legislation, including the GDPR's 72-hour supervisory authority notification requirement (where applicable). Notification will include, to the extent then known, a description of the nature of the incident, the categories and approximate volume of data affected, likely consequences, and steps taken or proposed to address the incident.

7.3 Incident Records and Confidentiality

Uonyx maintains records of security incidents, including the investigation findings and remediation actions taken. Incident reports contain sensitive security information and are treated as confidential. Summary information regarding the nature and scope of significant incidents may be shared with affected Customers upon request, subject to appropriate confidentiality commitments.

7.4 Emergency Contacts

Customers who have identified or suspect an active security incident affecting their Uonyx account or data should contact Uonyx's security team immediately at security@uonyx.com. For confirmed critical incidents, Uonyx's on-call security team monitors the security@uonyx.com inbox continuously.

8. VULNERABILITY MANAGEMENT

Uonyx maintains a formal vulnerability management programme covering the identification, assessment, prioritisation, and remediation of security vulnerabilities across the platform and its supporting infrastructure.

8.1 Vulnerability Identification

Uonyx identifies security vulnerabilities through multiple mechanisms:

  • Automated vulnerability scanning of application code, dependencies, and infrastructure configurations as part of the CI/CD pipeline and on a scheduled basis;
  • Manual security code reviews for significant features and architectural changes;
  • Periodic penetration testing by independent third-party security firms;
  • Continuous monitoring of security intelligence sources, vendor advisories, and public vulnerability databases (including the NIST National Vulnerability Database (NVD) and CVE feeds);
  • Internal security research and threat intelligence activities; and
  • Externally reported vulnerabilities submitted through Uonyx's responsible disclosure programme.

8.2 Vulnerability Severity and Remediation Timelines

Identified vulnerabilities are assessed and classified by severity using an industry-standard severity rating methodology. Remediation timelines are determined based on severity:

| Severity | CVSS Score Range | Target Remediation Timeframe |
|---|---|---|
| Critical | 9.0 – 10.0 | Within 72 hours of confirmed identification |
| High | 7.0 – 8.9 | Within 7 calendar days |
| Medium | 4.0 – 6.9 | Within 30 calendar days |
| Low | 0.1 – 3.9 | Within 90 calendar days or addressed in planned releases |

8.3 Security Patching

Uonyx applies security patches to operating systems, application frameworks, third-party libraries, and infrastructure components in accordance with the remediation timelines described in Section 8.2. Critical and high-severity patches are deployed on an expedited basis through Uonyx's change management process. Patch deployment is tracked and verified, and exceptions are documented and subject to compensating control review.

8.4 Responsible Disclosure Programme

Uonyx welcomes the responsible disclosure of security vulnerabilities by external researchers, customers, and members of the security community. Uonyx's responsible disclosure programme provides a channel for reporting potential security issues in a manner that allows Uonyx to investigate and address them before they can be exploited.

To report a potential security vulnerability, please contact:

Security Email: security@uonyx.com
Subject line: "Vulnerability Disclosure — [Brief Description]"

Uonyx commits to the following under its responsible disclosure programme:

  • Acknowledging receipt of vulnerability reports within forty-eight (48) hours;
  • Providing an initial assessment within seven (7) Business Days of receipt;
  • Working in good faith to investigate and remediate confirmed vulnerabilities in a timely manner; and
  • Refraining from pursuing legal action against researchers who report vulnerabilities responsibly, in good faith, and in compliance with these guidelines.

Uonyx requests that security researchers refrain from: (a) accessing, modifying, or exfiltrating customer data beyond what is necessary to demonstrate the vulnerability; (b) performing Denial of Service (DoS) testing; (c) publicly disclosing the vulnerability before Uonyx has had a reasonable opportunity to investigate and remediate it; and (d) conducting social engineering attacks against Uonyx employees or customers.

9. SUB-PROCESSORS AND THIRD-PARTY VENDORS

Uonyx engages a limited number of carefully selected third-party service providers ("Sub-Processors") to support the operation and delivery of the Services. Sub-Processors perform specific, limited processing activities on behalf of Uonyx and may handle customer data in the course of providing their services to Uonyx.

9.1 Vendor Selection and Due Diligence

Prior to engaging any Sub-Processor that will access or process customer data, Uonyx conducts a vendor security assessment covering:

  • Review of the vendor's information security policies and practices;
  • Assessment of the vendor's relevant security certifications and audit reports (such as SOC 2 Type II or ISO 27001, where applicable);
  • Review of the vendor's data protection commitments and sub-processing terms;
  • Assessment of data residency and cross-border transfer implications; and
  • Ongoing monitoring of vendor security posture and compliance status.

9.2 Contractual Security Obligations

All Sub-Processors engaged by Uonyx to process customer data are required to enter into written data processing agreements imposing data protection and security obligations that are materially equivalent to those accepted by Uonyx under its Data Processing Agreement with customers. Sub-Processors are contractually prohibited from using customer data for their own commercial purposes, marketing activities, or product development without prior written consent.

9.3 Sub-Processor List

Uonyx maintains a publicly accessible and up-to-date list of Sub-Processors at:

Sub-Processor List: https://uonyx.com/legal/subprocessors

This list is updated when Sub-Processors are added, modified, or removed. Enterprise customers who have executed a Data Processing Agreement with Uonyx may subscribe to notifications of changes to the Sub-Processor list at the URL above or by contacting privacy@uonyx.com.

9.4 AI Sub-Processors

Where Uonyx engages AI service providers to power AI-powered features within the platform, such providers are engaged as Sub-Processors and are bound by the same contractual security and data protection obligations described in this Section 9. Customer data submitted to AI features is processed only for the purpose of delivering the requested output and is not used to train shared or third-party AI models without explicit Customer consent, as described in the Uonyx Data Processing Agreement.

10. CUSTOMER RESPONSIBILITIES

Uonyx's security programme is designed to provide a secure and reliable platform. However, the overall security of a customer's use of the Services depends on a partnership between Uonyx and the Customer. Customers play a critical role in maintaining the security of their accounts, their Authorised Users, and the data they upload to the Services.

Uonyx recommends and, in some cases, requires that Customers implement the following security practices:

10.1 Account Credentials and Authentication

  • Use strong, unique passwords for all platform accounts and avoid reusing passwords across services;
  • Enable multi-factor authentication (MFA) for all Authorised User accounts, and enforce MFA as a mandatory policy for all users within the organisation where supported by the platform;
  • Configure SSO integration with a trusted identity provider where the Customer's security policy requires centralised identity management; and
  • Promptly revoke access for former employees, contractors, and any individual who is no longer authorised to use the Services.

10.2 User Access Management

  • Assign the minimum permissions and access rights necessary for each Authorised User to perform their job functions;
  • Regularly review user access permissions and role assignments to ensure they remain appropriate and current;
  • Segment access to sensitive modules (such as HR and Payroll, Accounting, Healthcare, and Lending) to only those users with a genuine business need; and
  • Monitor user access logs through the platform's audit log functionality to identify unusual or suspicious access patterns.

10.3 Integration and API Security

  • Protect API keys, tokens, and integration credentials as carefully as account passwords — do not embed them in publicly accessible code repositories;
  • Rotate API keys periodically and immediately upon suspected compromise;
  • Review and limit the scope of API permissions granted to third-party integrations; and
  • Promptly disable or remove integrations with third-party applications that are no longer actively used or maintained.

10.4 Data Security Practices

  • Ensure that sensitive data uploaded to the platform (including HR data, financial records, and healthcare data) is handled in accordance with applicable data protection laws and the Customer's own security policies;
  • Use Uonyx's data classification and access control features to appropriately restrict access to sensitive data within the platform;
  • Regularly review and apply Uonyx's recommended security configuration settings for each module; and
  • Report any suspected data loss, unauthorised access, or security anomaly promptly to security@uonyx.com.

10.5 Reporting Security Concerns

Customers who identify or suspect a security issue — including a potential vulnerability in the platform, suspicious activity on their account, or a suspected data exposure — are encouraged to report it promptly to security@uonyx.com. Prompt reporting enables Uonyx to investigate and respond more effectively and protects the Customer and other customers from potential harm.

11. SECURITY REPORTING

Uonyx encourages customers, security researchers, and members of the public to report security concerns, potential vulnerabilities, and suspected incidents through the appropriate channels. All reports are reviewed and investigated in good faith.

11.1 Contact Directory

Type of Enquiry: Contact
Security vulnerability reports: security@uonyx.com
Active security incidents (account compromise, suspected breach): security@uonyx.com
Privacy and data protection enquiries: privacy@uonyx.com
Platform support and service incidents: support@uonyx.com
Legal and compliance enquiries: legal@uonyx.com
Postal address: Uonyx, 7421 Edinger Ave, Huntington Beach, CA 92647, United States

11.2 What to Include in a Report

When submitting a security report, please include the following information where available:

  • A clear description of the suspected vulnerability or security issue;
  • The affected platform module, API endpoint, or system component;
  • Steps to reproduce the issue (for vulnerability reports);
  • Any supporting evidence such as screenshots, request/response payloads, or logs; and
  • Your contact information so that Uonyx can follow up for additional information if required.

11.3 Response Commitments

Uonyx commits to the following response timelines for security reports:

  • Acknowledgement of receipt of the security report within forty-eight (48) hours;
  • Initial assessment and severity classification within seven (7) Business Days; and
  • Regular updates on the investigation and remediation progress for confirmed issues.

12. POLICY UPDATES

Uonyx reviews and updates this Security and Data Protection Policy on a periodic basis to reflect changes to the Services, the threat landscape, security best practices, applicable legal and regulatory requirements, and organisational security improvements.

12.1 How Updates Are Communicated

When Uonyx makes material changes to this Policy, we will:

  • Publish the updated Policy at https://uonyx.com/legal/security with a revised 'Last Updated' date;
  • Post a notice on the Uonyx website or platform; and
  • Where a change materially affects customer data protection commitments, provide notice to customers as required by applicable law or the Agreement.

We encourage customers, enterprise procurement teams, and security reviewers to periodically review this Policy to stay informed of Uonyx's security practices and commitments.

12.2 Relationship to Other Policies

This Policy should be read in conjunction with the following Uonyx legal and compliance documents, all of which are available at https://uonyx.com/legal:

  • Data Processing Agreement (DPA): The legal agreement governing Uonyx's obligations as a data processor, including GDPR Article 28 compliance.
  • Privacy Policy: Describes how Uonyx collects and uses personal data in its capacity as a data controller.
  • Acceptable Use Policy: Defines the permitted and prohibited uses of the Uonyx Services.
  • Sub-Processor List: Current list of sub-processors engaged by Uonyx (https://uonyx.com/legal/subprocessors).
  • Service Level Agreement: Defines Uonyx's uptime commitments and support response standards.