Data Sharing & Protection

Scope and Purpose

This Policy applies to all client data, including personal data, business data, and system data, that GMAV accesses or processes while performing services under any Statement of Work, retainer agreement, or ongoing service arrangement. It covers data provided directly by the Client, data generated during service delivery on the Client's behalf, and data accessed via credentials or integrations supplied by the Client.

GMAV acts as a data processor with respect to any personal data belonging to the Client's end users, and as an independent controller only for data relating to Client contacts for account management and invoicing purposes. GMAV does not sell, rent, or commercially exploit Client data in any form.

Client Data We Handle

In the course of delivering services, GMAV may handle the following categories of Client data:

• Business and operational data: Internal documents, process workflows, business logic, configuration files, and operational data shared for the purpose of project scoping or delivery.
• Technical data: Source code repositories, database schemas, API credentials, infrastructure configurations, and environment variables shared under access controls for development or security engagements.
• End-user personal data: Data belonging to the Client's customers or employees that GMAV may access when building, auditing, or integrating systems, including but not limited to names, email addresses, usage records, and transaction data.
• Analytics and performance data: Website traffic, conversion metrics, advertising performance data, and CRM records accessed for growth or marketing engagements.
• Security and audit data: Logs, vulnerability reports, penetration test results, and system access records generated or reviewed during AISec engagements.

GMAV will only request access to data that is strictly necessary for the delivery of the agreed services. Requests for data access beyond what is specified in the relevant Statement of Work require Client authorisation in writing.

Access Controls and Internal Data Governance

GMAV enforces a need-to-know principle for all Client data. Access is restricted to personnel directly assigned to a Client engagement. The following controls are maintained:

• Role-based access: Client data and credentials are compartmentalised per engagement. Team members are granted only the level of access required to perform their assigned tasks.
• Credential management: Shared credentials and API keys are stored in encrypted vaults (such as 1Password Teams or equivalent). Plain-text credentials are not transmitted over unencrypted channels and are not stored in code repositories.
• Offboarding: Upon conclusion of a project or departure of a team member, access to Client systems, repositories, and credentials is revoked promptly, within five (5) business days of the trigger event.
• Logging: Access to Client systems via GMAV-managed tooling is logged. Logs are retained for a minimum of 90 days and made available to the Client upon request.
• Device security: Personnel accessing Client data use devices with full-disk encryption, up-to-date operating systems, and screen-lock policies enforced.

Approved Sub-processors

GMAV may engage third-party tools and platforms ("Sub-processors") in the delivery of services. Sub-processors are selected on the basis of security standards, data residency commitments, and compliance certifications. GMAV maintains contractual data processing terms with all Sub-processors that impose obligations no less protective than those GMAV accepts from Clients.

Current categories of Sub-processors used in service delivery include:

• Cloud infrastructure providers (e.g., AWS, Google Cloud, Microsoft Azure), for hosting, compute, and storage where GMAV manages Client environments.
• Development and collaboration tools (e.g., GitHub, Figma, Notion, Linear), for code management, design, and project coordination.
• Communication platforms (e.g., Google Workspace, Slack), for internal team communication related to engagements.
• AI and productivity tools, for code assistance and documentation, subject to data minimisation protocols. Sensitive Client data is not submitted to AI tools without explicit Client consent.

GMAV will notify the Client of any material change to Sub-processors that may affect the processing of the Client's personal data, providing a minimum of 14 days' notice where practicable. Clients may object to new Sub-processors in writing within that notice period; if the objection cannot be resolved, the Client may terminate the relevant engagement without penalty.

Data Processing Agreements

Where GMAV processes personal data on behalf of a Client as a data processor under applicable data protection law, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or India's Digital Personal Data Protection Act (DPDPA), GMAV will enter into a Data Processing Agreement ("DPA") with the Client upon written request.

The DPA will set out the subject matter and duration of processing, the nature and purpose of processing, the type of personal data involved, and the obligations and rights of both parties. GMAV's standard DPA is available upon request from legal@gmavtech.com. Execution of a DPA does not require a separate fee.

For enterprise engagements where the Client's volume of personal data processing is significant, GMAV may recommend that a DPA be executed as a condition of commencing the engagement. In such cases, GMAV will communicate this requirement during the scoping phase.

Cross-Border Data Transfers

GMAV operates across multiple jurisdictions, with team members and infrastructure in India, the United States, and South Africa. Client data may be processed by personnel or systems located outside the Client's home jurisdiction. GMAV takes the following measures to ensure lawful cross-border transfers:

• Standard Contractual Clauses (SCCs): For transfers of personal data from the European Economic Area (EEA) or United Kingdom to countries without an adequacy decision, GMAV relies on the European Commission's Standard Contractual Clauses or the UK's International Data Transfer Agreement, as applicable.
• Transfer impact assessments: Where required, GMAV conducts transfer impact assessments and implements supplementary measures (such as encryption in transit and at rest) to address risks identified.
• Data localisation: Where a Client requires that data remain within a specific jurisdiction, GMAV will accommodate this requirement by restricting processing to infrastructure located in that jurisdiction, subject to technical feasibility and any incremental cost adjustment agreed in the SOW.

Data Security Standards

GMAV implements technical and organisational security measures appropriate to the risk profile of the data being processed. Core security controls include:

• Encryption in transit: All data transmitted between GMAV systems, Client systems, and Sub-processors is encrypted using TLS 1.2 or higher. Unencrypted transmission of Client data is not permitted.
• Encryption at rest: Persistent storage of Client data on GMAV-managed systems uses AES-256 encryption or equivalent. Encryption keys are managed separately from the encrypted data.
• Authentication: Multi-factor authentication (MFA) is required for all GMAV personnel accessing Client systems, cloud consoles, and credential vaults. Single-factor access to production environments is not authorised.
• Vulnerability management: GMAV conducts periodic security reviews of its internal tooling and development environments. Critical vulnerabilities are remediated within 72 hours of identification.
• Secure development practices: Code produced by GMAV undergoes peer review, and security-sensitive changes are subject to additional review. Secrets scanning is integrated into GMAV's repository workflows to prevent credential leakage.
• Physical security: GMAV personnel work in environments with physical access controls. GMAV does not operate shared or public-access workspaces for tasks involving Client data classified as sensitive.

Incident Response and Breach Notification

GMAV maintains an incident response procedure for data security events. In the event of a confirmed or suspected data breach involving Client data, GMAV will:

• Notify the Client's designated contact without undue delay and, where the breach involves personal data subject to GDPR, within 72 hours of GMAV becoming aware of the breach to the extent practicable.
• Provide an initial notification containing: the nature of the breach, the categories and approximate volume of data affected, the likely consequences, and the measures taken or proposed to address the breach.
• Cooperate fully with the Client's investigation and any regulatory authority, and provide supplementary information as it becomes available.
• Take immediate containment measures and, where applicable, restore from clean backups or implement compensating controls.

GMAV will not notify regulatory authorities or third parties on behalf of the Client unless expressly authorised to do so in writing. Regulatory notification obligations in respect of personal data breaches remain with the Client as data controller.

Client Data Isolation

GMAV maintains logical separation between Client data across all engagements. Client data is not commingled with data belonging to other Clients, and is not used for the benefit of any third party. Specifically:

• Source code, assets, databases, and documentation belonging to one Client are stored in repositories and environments accessible only to personnel assigned to that Client.
• GMAV does not use Client data, including anonymised or aggregated derivatives, to train internal AI models, develop products, or benchmark against other Clients without the Client's explicit prior written consent.
• Where GMAV maintains shared infrastructure (e.g., a shared CI/CD platform), Client workloads are segregated at the project or environment level, with separate credentials and access policies.

Data Retention and Deletion

GMAV retains Client data only for as long as necessary to fulfil the purposes set out in this Policy and in the applicable engagement agreement. Default retention periods are as follows:

• Active engagement data (code, assets, credentials): Retained for the duration of the engagement and for a period of 90 days following engagement closure, to allow for handover and dispute resolution.
• Correspondence and project records: Retained for 3 years following the end of the engagement for legal and audit purposes.
• Financial and invoicing records: Retained for 7 years in compliance with applicable tax and accounting regulations.
• Security and access logs: Retained for a minimum of 90 days and a maximum of 12 months unless a longer period is required by law or agreed with the Client.

Upon written request by the Client following the end of an engagement, GMAV will securely delete or return all Client data in its possession within 30 days, except where retention is required by applicable law. GMAV will provide written confirmation of deletion upon completion.

Audit Rights

Clients have the right to verify GMAV's compliance with this Policy. Upon reasonable written notice of not less than 10 business days, GMAV will:

• Provide documentation demonstrating the security measures, access controls, and Sub-processor agreements described in this Policy.
• Make available relevant personnel for interview or written enquiry in connection with a compliance review.
• Respond in writing to reasonable questionnaires, security assessments, or due diligence requests submitted by the Client or the Client's appointed auditor.

On-site audits at GMAV's premises are subject to mutual agreement on timing, scope, and logistics. GMAV may decline to provide information that would disclose confidential details of other Clients or proprietary internal systems, and may require the Client's auditor to execute a non-disclosure agreement prior to commencing any review. Audit activities are conducted at the Client's expense unless the audit reveals a material breach of this Policy, in which case GMAV will bear its own reasonable costs of cooperation.

Contact Information