Decision Site – Privacy Policy

Last Updated: 6/01/2025

1. Introduction

This Privacy Policy ("Policy") describes how Augment AI Corp. and its subsidiaries and affiliates (collectively, "Decision Site," "Augment," "we," "our," or "us") collect, use, store, share, and secure Personal Data (defined below) in connection with the Decision Site platform, related mobile and desktop applications, browser extensions, websites, APIs, professional services, and any other products or services that reference or link to this Policy (collectively, the "Services").

Decision Site maintains a SOC 2 Type II–audited Information Security Management Program and aligns its controls with ISO 27001, NIST SP 800‑53, and CSA STAR best practices. This Policy supplements our standard Privacy Policy and is intended for prospective and existing enterprise customers who require deeper visibility into our data handling and governance practices.

2. Definitions

"Customer" means the legal entity that has executed an agreement with Decision Site for the provision of the Services.

"Customer Data" means data, including Personal Data, that (i) Customer or its Authorized Users submit or transfer to the Services, or (ii) Decision Site processes on behalf of Customer pursuant to an executed subscription agreement or data processing addendum ("DPA").

"Personal Data" (or "personal information") means any information relating to an identified or identifiable natural person as defined by applicable privacy laws, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and similar legislation.

"Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means.

"Sub‑processor" means any third party engaged by Decision Site that Processes Customer Data on Decision Site’s behalf.

3. Roles and Responsibilities

  • Decision Site as Data Processor. For Customer Data, Decision Site acts as a Data Processor (or service provider) and Processes such data solely on documented instructions from Customer, as set forth in the relevant agreement and DPA.
  • Decision Site as Data Controller. For certain limited data that Decision Site collects and uses for its own purposes ("Operational Data," e.g., account details, billing information, usage telemetry, marketing leads), Decision Site acts as an independent Data Controller and Processes such data in accordance with this Policy and our legitimate business interests, subject to applicable law.

4. Categories of Personal Data Processed

Depending on the specific configuration and use of the Services, Decision Site may Process the following categories of Personal Data:

  1. Account & Contact Data – name, business email, phone number, employer, job title, authentication credentials.
  2. Transactional & Billing Data – payment method, billing address, tax IDs, transaction history.
  3. Content Data – meeting agendas and recordings, documents, comments, messages, files, task lists, metadata, and any other information Customer or its Authorized Users upload, generate, or otherwise submit to the Services.
  4. Usage Data & Telemetry – log files, event metadata, feature interaction metrics, access timestamps, IP addresses, user agent strings, session duration, error reports.
  5. Device & Connection Data – device identifiers (e.g., MAC address, UDID), browser type and version, operating system, screen resolution, language settings.
  6. Geolocation Data – city‑level location inferred from IP address (no precise GPS data).
  7. Inferences & Derived Data – analytics‑generated insights such as adoption trends, productivity patterns, and predictive recommendations.

5. Purposes and Legal Bases

Decision Site Processes Personal Data for the following purposes and under the lawful bases permitted by applicable legislation:

  • Provision of the Services – to create, authenticate, operate, maintain, and secure Customer accounts; Legal bases: performance of contract; legitimate interests.
  • Support and Communication – to respond to inquiries, resolve issues, and provide technical or customer support; Legal bases: performance of contract; legitimate interests.
  • Security and Integrity – to prevent, detect, investigate, and remediate security incidents, fraud, abuse, or violations of our terms; Legal bases: legitimate interests; legal obligation.
  • Service Improvement and R&D – to analyze usage patterns, test features, train Decision Site AI models (on de‑identified data unless expressly agreed otherwise), and enhance the performance and reliability of the Services; Legal bases: legitimate interests.
  • Billing and Account Management – to invoice customers, process payments, and manage subscriptions; Legal bases: performance of contract; legal obligation.
  • Legal Compliance – to comply with applicable laws, regulations, and lawful requests from public authorities; Legal bases: legal obligation; legitimate interests.
  • Marketing (Controller Data only) – to send product updates, security notices, and promotional materials (opt‑out available); Legal bases: consent (where required); legitimate interests.

Decision Site does not sell Personal Data, nor do we use Customer Data for targeted advertising.

6. Collection Methods

Personal Data is collected through: (i) information you voluntarily provide via the Services; (ii) automated means such as server logs, cookies, SDKs, and similar technologies; (iii) integrations and third‑party services you authorize (e.g., calendar, CRM); and (iv) publicly available or commercially obtained sources where permitted.

7. Sub‑processors

Decision Site employs carefully vetted Sub‑processors that provide hosting, storage, email delivery, analytics, payment, and customer‑support capabilities. Each Sub‑processor is bound by written contractual obligations that are no less protective than those in our DPA, including confidentiality, data‑protection, and audit‑cooperation requirements. A current list of Sub‑processors, their locations, and processing purposes is maintained at https://decisionsite.com/subprocessors. Customers may subscribe to receive advance notice of changes at least 30 days before a new Sub‑processor is engaged.

8. International Data Transfers

Decision Site stores Customer Data primarily in data centers located in the United States. Where Customer Data originates from jurisdictions with cross‑border transfer restrictions, Decision Site relies on one or more of the following transfer mechanisms, as appropriate:

  • Standard Contractual Clauses ("SCCs") adopted by the European Commission (including Module 2 & Module 3) and the UK International Data Transfer Addendum;
  • Adequacy decisions adopted by the European Commission, adequacy regulations made by the UK government, or equivalent determinations by other competent authorities;
  • Data Privacy Framework certifications (upon approval);
  • Customer‑approved derogations under Article 49 GDPR.

9. Security Measures

Decision Site implements and maintains industry‑leading technical and organizational measures ("TOMs") designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Key controls include, but are not limited to:

  • Encryption – TLS 1.2+ in transit; AES‑256 at rest.
  • Identity & Access Management – least‑privilege role‑based access, SSO/SAML 2.0, MFA for privileged accounts.
  • Network Security – segmented VPCs, WAF, DDoS protection, zero‑trust access controls (no implicit trust based on network location).
  • Endpoint Security – EDR coverage, full‑disk encryption, automated patch management.
  • Vulnerability & Penetration Testing – continuous vulnerability scans, annual independent penetration tests with summary results available under NDA.
  • Logging & Monitoring – centralized log aggregation, security event correlation (SIEM), 30‑day hot storage and 12‑month cold storage retention.
  • Backup & Disaster Recovery – encrypted backups with at least daily frequency, geographically separate region, quarterly restore tests, RPO ≤ 4 hours, RTO ≤ 24 hours.
  • Secure Development Lifecycle (SDLC) – threat modeling, static/dynamic code analysis, peer review, signed commits, CI/CD security gates.
  • Change Management – documented approval workflow, tracked via ticketing system.
  • Third‑Party Risk Management – annual risk assessments, contractual security obligations, SOC 2/ISO 27001 evidence reviews.

Further details are provided in our SOC 2 Type II report, which we share with enterprise customers under NDA.

10. Data Retention and Deletion

  • Customer Data is retained for the term of the underlying agreement. Within 30 days of termination or at Customer’s written request, Decision Site will either delete or return Customer Data in a mutually agreed‑upon format. Standard backups are securely purged on a 35‑day rolling basis.
  • Operational Data is retained for as long as necessary to fulfill the purposes outlined in this Policy, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods are reviewed at least annually.

Deletion processes are logged and verified. Where full deletion is not technically feasible (e.g., data stored in immutable backup archives), Decision Site ensures equivalent protections and isolates the data from any further processing.

11. Data Subject Rights

Where Decision Site acts as a Data Processor, we will, upon Customer’s request and to the extent feasible, assist Customer in fulfilling its obligations to respond to Data Subject requests under GDPR Articles 12–23, CCPA §§ 1798.100–1798.199, or other applicable law. Requests should be directed to Customer in the first instance; if Decision Site receives a request directly, we will promptly notify and forward it to the relevant Customer, unless prohibited by law.

For Operational Data processed as a Controller, individuals may exercise the following rights (subject to verification and legal limitations) by emailing privacy@decisionsite.com:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to data portability
  • Right to object / opt‑out (including marketing opt‑out and "Do Not Sell or Share" under the CCPA/CPRA)
  • Right not to be subject to automated decision‑making producing legal or similarly significant effects

12. Incident Response & Breach Notification

Decision Site maintains a documented Incident Response Plan that includes 24 × 7 monitoring, severity classification, root‑cause analysis, customer communication procedures, and post‑mortem reviews. In the event of a Personal Data Breach involving Customer Data, Decision Site will notify affected Customers without undue delay and in any event within 72 hours of becoming aware, providing the information described in Article 33(3) GDPR or equivalent laws (the nature of the breach, the categories and approximate number of affected data subjects and records, the likely consequences, and the measures taken or proposed) so that Customer can meet its own notification obligations as Data Controller.

13. Audits and Certifications

  • SOC 2 Type II (annual, independent) – covering Security, Availability, and Confidentiality Trust Service Criteria.
  • ISO 27001 alignment (internal) – certification roadmap underway.
  • PCI‑DSS SAQ A (for payment processing via third‑party processor).
  • GDPR readiness assessment performed by external counsel.

Enterprise Customers may (i) receive executive summaries of audit reports under NDA, and (ii) exercise onsite or remote audit rights as set forth in the DPA, subject to reasonable prior notice and frequency limitations.

14. Children’s Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children. If you become aware that a child has provided us with Personal Data, please contact us and we will take appropriate steps to delete such information.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in legal requirements, industry standards, or our practices. Material changes will be communicated to Customers via email or the Administrator console at least 30 days before the effective date, unless a shorter period is required by law.

16. Contact Information

Enterprise customers with questions about this Policy or our privacy practices may contact our Data Protection Officer ("DPO"):

Data Protection Officer
Augment AI Corp.
161 Bowery, Suite 5
New York, NY 10013, USA
Email: privacy@decisionsite.com
Phone: +1 (917) 555‑0180 (business hours 09:00–18:00 ET)

For EU and UK data subjects, our appointed GDPR representative is:

VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P, Ireland
Email: eu‑privacy@decisionsite.com

By using the Services or signing an agreement with Decision Site, Customer acknowledges that it has read and understood this Policy and agrees to its terms.