Security Addendum

Last updated: February 2, 2026

This Security Addendum is incorporated into and made a part of the written agreement between Ragnerock, Inc. (“Ragnerock”) and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.

Ragnerock utilizes Google Cloud Platform (“GCP”) as its infrastructure-as-a-service cloud provider (the “Cloud Provider”) and provides the Service to Customer using dedicated projects within the Cloud Provider’s infrastructure (the “Cloud Environment”).

Ragnerock maintains a documented security program based on the SOC 2 Trust Services Criteria (or industry recognized successor framework), under which Ragnerock implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and Customer Data (the “Security Program”), including, but not limited to, the measures set forth below. Ragnerock regularly tests and evaluates its Security Program, and may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.

1. Audits and Certifications

1.1. Third-Party Audits

Ragnerock is pursuing the following independent third-party audit(s) and certification(s) (“Third-Party Audits”):

  • SOC 2 Type II

Ragnerock will use commercially reasonable efforts to obtain SOC 2 Type II certification and, once obtained, will maintain such certification through annual assessments. Ragnerock may pursue additional certifications (such as ISO 27001 or other industry-recognized frameworks) as its security program matures.

1.2. Availability of Audit Reports

Third-Party Audits are made available to Customer as described in Section 10.1 (Customer Audit Rights).

1.3. Interim Security Evidence

Until such time as formal Third-Party Audits are available, Ragnerock shall provide, upon Customer’s written request, alternative evidence of its security controls, including completed industry-standard security questionnaires (such as a SIG or CAIQ), documentation of security policies and procedures, penetration test summaries (when available), and descriptions of the technical controls set forth in this Security Addendum.

1.4. Continuity of Audits

To the extent Ragnerock decides to discontinue a Third-Party Audit, Ragnerock will adopt or maintain an equivalent, industry-recognized framework.

2. Hosting Location of Customer Data

2.1. Hosting Location

The hosting location of Customer Data is the production Cloud Environment in the United States (GCP region us-central1). Where Customer elects to use Customer-Provided Services (such as BYO database or BYO storage, as described in the Agreement), Customer Data processed or stored through such services will be located wherever Customer has configured those services to host data. Customer is solely responsible for the hosting location of data within Customer-Provided Services.

2.2. Environment Separation

Ragnerock maintains logical separation between production and development environments using separate GCP projects. The production Cloud Environment is separate from Ragnerock’s development, staging, and corporate environments.

3. Encryption

3.1. Encryption of Customer Data

Ragnerock encrypts Customer Data at rest using AES 256-bit (or better) encryption via the Cloud Provider’s default encryption for Google Cloud Storage and Cloud SQL. Ragnerock uses Transport Layer Security (TLS) 1.2 (or better) for all Customer Data in transit, including connections to and from the Service over untrusted networks, and connections between the Service and AI Sub-processors.

3.2. Encryption Key Management

Ragnerock uses a combination of the Cloud Provider’s Key Management Service (GCP Cloud KMS) and Ragnerock-managed keys for encryption key management. Encryption keys are rotated on a defined schedule. Ragnerock logically separates encryption keys from Customer Data.

3.3. Customer-Provided Credential Security

Customer-provided credentials (such as API keys for BYO AI providers, database connection strings, or object storage credentials) are protected using envelope encryption. Each credential record is encrypted with a unique data encryption key (“DEK”), which is in turn encrypted with a key encryption key (“KEK”) managed in GCP Secret Manager. This architecture ensures that even if the underlying database were compromised, customer credentials would not be exfiltratable without separately compromising GCP Secret Manager. Access to DEKs and KEKs is restricted and logged as a security event.
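The envelope encryption scheme described above, as an added Go example that is not Ragnerock's code: it assumes AES-256-GCM (the addendum names AES-256 but not the mode), passes the KEK in as a parameter where the described design keeps it in GCP Secret Manager, and additionally binds each ciphertext to its record ID as GCM associated data so a wrapped DEK cannot be transplanted between records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a fresh nonce (prepended); aad is the record ID.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM authentication fails on a wrong key or a wrong aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed data too short")
}

// StoreCredential: a unique 256-bit DEK per record, the credential sealed under the
// DEK, the DEK sealed under the KEK. Only the two ciphertexts are stored, never the KEK.
func StoreCredential(kek, credential, recordID []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = seal(dek, credential, recordID); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = seal(kek, dek, recordID)
	return wrappedDEK, ciphertext, err
}

// LoadCredential unwraps the DEK with the KEK, then decrypts; a row copied out of
// the database without the KEK cannot get past the first step.
func LoadCredential(kek, wrappedDEK, ciphertext, recordID []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, recordID)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, recordID)
}
```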

4. System and Network Security

4.1. Access Controls

4.1.1. Personnel Access

All Ragnerock personnel access to the Cloud Environment is via unique user identifiers leveraging single sign-on (SSO) through Google and multi-factor authentication (MFA) via passkeys. Access privileges are based on the principle of least privilege, subject to operational requirements for team redundancy.

4.1.2. Customer Data Access Restrictions

Ragnerock personnel will not access Customer Data except (i) as reasonably necessary to provide the Ragnerock Offerings under the Agreement, (ii) to comply with the law or a binding order of a governmental body, or (iii) as directed in writing by an authorized representative of Customer.

4.2. Endpoint Controls

Ragnerock personnel use company-issued devices for access to the Cloud Environment. Ragnerock is formalizing its endpoint security controls, which will include, at a minimum: (i) disk encryption, (ii) endpoint detection and response (EDR) or equivalent monitoring tools, and (iii) vulnerability management in accordance with Section 4.6 (Vulnerability Detection and Management). Ragnerock will update this Security Addendum as endpoint controls are formalized.

4.3. Separation of Environments

Ragnerock maintains logical separation between production and development environments using separate GCP projects. The production Cloud Environment is separate from Ragnerock’s development and corporate environments.

4.4. Network Security

Ragnerock protects the Cloud Environment using the Cloud Provider’s firewall rules and security controls with deny-all default policies to prevent unauthorized egress and ingress network traffic. All external-facing endpoints use HTTPS.

4.5. Hardening

The Cloud Environment is hardened using industry-standard practices, including containerized deployments (Docker) with minimal base images, removal of unnecessary services and packages, and regular patching as described in this Security Addendum.

4.6. Vulnerability Detection and Management

4.6.1. Vulnerability Scanning

Ragnerock leverages automated vulnerability scanning through its container artifact registry to detect known vulnerabilities in containerized components. Ragnerock reviews and addresses identified vulnerabilities based on severity.

4.6.2. Penetration Testing

Ragnerock will engage one or more independent third parties to conduct penetration tests of the Service at least annually, once the Security Program has matured to support such testing. Until such time, Ragnerock will conduct internal security assessments and will make the results of such assessments available to Customer upon written request, subject to confidentiality restrictions.

4.6.3. Vulnerability Remediation

Vulnerabilities meeting defined risk criteria are prioritized for remediation based on their potential impact on the Service. Upon becoming aware of such vulnerabilities, Ragnerock will use commercially reasonable efforts to address critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. To assess vulnerability severity, Ragnerock leverages the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS).

4.7. Monitoring and Logging

4.7.1. Infrastructure Logs

Ragnerock utilizes centralized logging via GCP to capture activities and changes within the Cloud Environment. These logs are monitored, analyzed for anomalies, and are securely stored to prevent tampering for at least one (1) year.

4.7.2. Security Event Logging

Access to encryption keys, customer-provided credentials, and other security-sensitive operations is logged as a security event. Security events include, but are not limited to, access to data encryption keys (DEKs), key encryption keys (KEKs), and customer-provided credentials stored in GCP Secret Manager.

4.7.3. User Logs

As further described in the Documentation, Ragnerock captures logs of certain activities and changes within the Account and makes those logs available to Customer for Customer’s preservation and analysis.

5. Administrative Controls

5.1. Personnel Security

Ragnerock will require background screening on its personnel as part of its hiring process, to the extent permitted by applicable law, as the team scales. Ragnerock will update this Security Addendum to reflect the implementation of formal background screening procedures.

5.2. Personnel Training

Ragnerock maintains a security awareness program for its personnel, including onboarding and ongoing training on security best practices, data handling, and incident reporting. Ragnerock will formalize and document this program as the organization grows.

5.3. Personnel Agreements

Ragnerock personnel are required to sign confidentiality agreements. Ragnerock personnel are also required to acknowledge responsibility for reporting security incidents involving Customer Data.

5.4. Personnel Access Reviews and Separation

Ragnerock reviews the access privileges of its personnel to the Cloud Environment on a regular basis, and removes access on a timely basis for all separated personnel.

5.5. Risk Management

Ragnerock maintains a risk management process aligned with the SOC 2 Trust Services Criteria. Ragnerock’s leadership reviews material changes in the threat environment and identifies potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.

5.6. Change Management

Ragnerock maintains a change management process for the Service, including code review, testing, and controlled deployment of changes to the production environment.

5.7. Vendor Risk Management

Ragnerock maintains a vendor risk management process for vendors that process Customer Data, including reviewing the certifications and security posture of all Sub-processors. Ragnerock reviews available SOC 2 reports, ISO certifications, or equivalent security documentation from its Sub-processors to ensure each maintains security measures consistent with Ragnerock’s obligations in this Security Addendum.

6. Physical and Environmental Controls

6.1. Cloud Environment Data Centers

To ensure the Cloud Provider has appropriate physical and environmental controls for its data centers hosting the Cloud Environment, Ragnerock regularly reviews those controls as audited under the Cloud Provider’s third-party audits and certifications. The Cloud Provider (Google Cloud Platform) maintains SOC 2 Type II annual audits and ISO 27001 certification. Such controls include, but are not limited to:

  • Physical access to the facilities controlled at building ingress points;

  • Visitors required to present identification and sign in;

  • Physical access to servers managed by access control devices;

  • Physical access privileges reviewed regularly;

  • Facilities utilizing monitoring and alarm response procedures;

  • Use of CCTV;

  • Fire detection and protection systems;

  • Power back-up and redundancy systems; and

  • Climate control systems.

6.2. Ragnerock Office

Customer Data is not hosted at Ragnerock’s corporate office. Ragnerock maintains reasonable physical security controls for its office space, including controlled access and visitor management. Ragnerock will enhance physical security controls as appropriate to the size and nature of its operations.

7. Incident Detection and Response

7.1. Incident Response Plan

Ragnerock maintains a documented incident response plan that defines roles, responsibilities, and procedures for identifying, containing, investigating, and remediating Security Incidents.

7.2. Security Incident Reporting

If Ragnerock becomes aware of a breach of Ragnerock’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Ragnerock shall notify Customer without undue delay, and in any case, where feasible, notify Customer within seventy-two (72) hours after becoming aware. Notification shall be sent to the email address of Customer’s account administrator(s) registered within the Service. Where no valid account administrator email address is registered, Customer acknowledges that the means of notification shall be at Ragnerock’s reasonable discretion and Ragnerock’s ability to timely notify shall be negatively impacted.

7.3. Investigation

In the event of a Security Incident, Ragnerock shall promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. Any logs determined by Ragnerock to be relevant to a Security Incident shall be preserved for at least one (1) year.

7.4. Communication and Cooperation

Ragnerock shall provide Customer timely information about the Security Incident to the extent known to Ragnerock, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Ragnerock to mitigate or contain the Security Incident, the status of Ragnerock’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Ragnerock personnel may not have visibility to the content of Customer Data, it may be unlikely that Ragnerock can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Ragnerock with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Ragnerock of any fault or liability with respect to the Security Incident.

8. Deletion of Customer Data

8.1. By Customer

The Service provides Customer controls for the deletion of Customer Data, as further described in the Documentation.

8.2. By Ragnerock

Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination retrieval period set forth in the Agreement, Ragnerock shall promptly delete any remaining Customer Data, including from backups within a commercially reasonable timeframe.

9. AI Sub-processor Security

9.1. Data Transmission to AI Sub-processors

When Customer Data is transmitted to AI Sub-processors for processing, such transmission is encrypted in transit using TLS 1.2 or better. All interactions with AI Sub-processors are conducted via authenticated HTTPS API endpoints.

9.2. Ephemeral Processing

Customer Data transmitted to AI Sub-processors is processed ephemerally. AI Sub-processors do not retain Customer Data beyond what is necessary to complete the processing request. Ragnerock’s agreements with AI Sub-processors prohibit such Sub-processors from retaining Customer Data beyond the duration of the processing request and from using Customer Data to train, improve, or fine-tune any AI or machine learning models.

9.3. Customer-Provided AI Services

When Customer elects to use a Customer-Provided AI service (BYO AI), Customer Data is transmitted to Customer’s designated AI provider in lieu of Ragnerock’s default AI Sub-processor. Such transmissions are encrypted in transit. Ragnerock has no control over, and shall have no responsibility for, the security practices, data retention policies, or data handling of Customer-Provided AI services. Customer is solely responsible for evaluating the security posture of any Customer-Provided AI service.

10. Customer Rights and Shared Security Responsibilities

10.1. Customer Audit Rights

10.1.1. Audit Reports

Upon written request and at no additional cost to Customer, Ragnerock shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Ragnerock’s compliance with its obligations under this Security Addendum, including: (i) SOC 2 Type II audit reports (when available); (ii) other third-party certifications (when available); (iii) Ragnerock’s most recently completed industry-standard security questionnaire, such as a SIG or CAIQ; (iv) documentation of security policies and procedures; and (v) descriptions of technical controls (collectively, “Audit Reports”).

10.1.2. Audits

Customer may also send a written request for an audit of Ragnerock’s applicable controls, including inspection of its facilities. Following receipt by Ragnerock of such request, Ragnerock and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. Ragnerock may charge a fee (rates shall be reasonable, taking into account the resources expended by Ragnerock) for any such audit. Audit Reports, any audit, and any information arising therefrom shall be considered Ragnerock’s Confidential Information.

10.1.3. Third-Party Auditors

Where the Auditor is a third party, such third party may be required to execute a separate confidentiality agreement with Ragnerock prior to any audit or review of Audit Reports, and Ragnerock may object in writing to such third party if in Ragnerock’s reasonable opinion the third party is not suitably qualified or is a direct competitor of Ragnerock. Any such objection by Ragnerock will require Customer to appoint another third party or conduct the audit itself. Any expenses incurred by an Auditor in connection with any review of Audit Reports or an audit shall be borne exclusively by Customer.

10.2. Shared Security Responsibilities

Without diminishing Ragnerock’s commitments in this Security Addendum, Customer agrees:

10.2.1. Content and Legality of Customer Data

Ragnerock has no obligation to assess the content, accuracy or legality of Customer Data, including to identify information subject to any specific legal, regulatory or other requirement. Customer is responsible for making appropriate use of the Service to ensure a level of security appropriate to the particular content of Customer Data.

10.2.2. Credential and Access Management

Customer is responsible for managing and protecting its User roles and credentials, including but not limited to: (i) ensuring that all Users keep credentials confidential and do not share such information with unauthorized parties; (ii) promptly reporting to Ragnerock any suspicious activities related to Customer’s Account (e.g., a user credential has been compromised); (iii) appropriately configuring role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data; (iv) maintaining appropriate password uniqueness, length, and complexity; and (v) monitoring for potentially anomalous user activity.

10.2.3. Customer-Configurable Security Controls

Customer is responsible for utilizing the security controls available within the Service, including role-based access controls and API key management. Ragnerock may make additional customer-configurable security controls available from time to time (such as multi-factor authentication, SSO integration, and IP allowlisting), and Customer shall be responsible for evaluating and implementing such controls as appropriate for its use of the Service.

10.2.4. Customer-Provided Services Security

Customer is solely responsible for the security of Customer-Provided Services (BYO AI, BYO database, BYO storage), including: (i) ensuring that Customer-Provided Services implement appropriate security controls; (ii) managing and protecting any credentials, API keys, or connection strings used in connection with Customer-Provided Services; (iii) evaluating the security posture and data handling practices of providers of Customer-Provided Services; and (iv) ensuring that the use of Customer-Provided Services in connection with the Service complies with Customer’s security and compliance requirements.

10.2.5. API Key Management

Customer is responsible for the secure generation, storage, rotation, and revocation of API keys used to access the Service. Ragnerock recommends that Customer rotate API keys on a regular basis and promptly revoke any keys that may have been compromised.