
Security Policy

Effective May 28, 2026

Contents
  1. Audits and certifications
  2. Hosting location of Customer Data
  3. Encryption
  4. System and network security
  5. Administrative controls
  6. Vendors and sub-processors
  7. Physical data center controls
  8. Incident detection and response
  9. Audit logging
  10. Customer rights and shared responsibility
  11. Business continuity and disaster recovery
  12. Contact

This Security Policy (the "Security Addendum") describes how Moonage, Inc. ("Moonage", "we" or "us") protects your data when you use the Services. This Security Addendum forms part of your Agreement with Moonage, and capitalized terms used but not defined here have the meaning given in the Terms of Service. The computing services used to provide the Services are cloud-based and supplied to Moonage by one or more cloud service providers, which together represent our "Cloud Environment."

1. Audits and certifications

1.1 The information security management system used to provide the Services is intended to be assessed by independent third-party auditors ("Third-Party Audits") on no less than an annual basis. Moonage is working toward the following audits and certifications: SOC 2 Type II and ISO 27001.

1.2 Once available, Third-Party Audit reports are made available to you as described in Section 10.

1.3 If Moonage decides to discontinue a Third-Party Audit, Moonage will adopt an equivalent, industry-recognized framework.

2. Hosting location of Customer Data

2.1 Customer Data is stored and processed by Moonage and its vendors in data centers located in the geographic region(s) specified in the applicable Order Form or as otherwise agreed in writing. Moonage operates in both the European Union/European Economic Area (EU/EEA) and the United States.

2.2 You may request that your Customer Data be stored in a specific geographic region. Moonage will use commercially reasonable efforts to honor such requests where supported by our underlying cloud service provider(s) and consistent with applicable laws. Where Customer Data is processed outside the EU/EEA, Moonage applies the safeguards described in its Privacy Policy and the Data Processing Agreement.

3. Encryption

3.1 Moonage encrypts Customer Data at rest using AES 256-bit (or better) encryption, and uses Transport Layer Security 1.2 (or better) for Customer Data in transit over public or untrusted networks.

3.2 Moonage rotates encryption keys on a regular basis (at least annually) and uses hardware security modules to safeguard critical encryption keys. Encryption keys are logically separated from Customer Data.

4. System and network security

4.1 Access by Moonage personnel to the Cloud Environment uses a unique user ID and follows the principle of least privilege. Access requires a secure connection, multi-factor authentication, and passwords meeting or exceeding reasonable length and complexity requirements.

4.2 Moonage personnel will not access Customer Data except (i) to provide or support the Services or (ii) to comply with the law or a binding order of a governmental body.

4.3 When accessing the Cloud Environment, personnel use company-issued laptops with security controls including disk encryption and endpoint detection and response tools that monitor and alert for suspicious activity and malicious code, together with the vulnerability-management practices described in Section 4.7.

4.4 Moonage protects its Cloud Environment using at least industry-standard firewall and security practices, and leverages industry-standard threat-detection tools with regularly updated signatures to monitor and alert for suspicious activity, potential malware, viruses, and other malicious code (collectively, "Malicious Code"). Moonage does not have an obligation to monitor Customer Data or Input for Malicious Code.

4.5 Moonage uses automated tools to scan publicly available vulnerability databases (such as the National Vulnerability Database) for vulnerabilities in software it uses, and scores vulnerabilities using an internal rating system that considers the likelihood and potential impact of exploitation, similar to CVSS.

4.6 Moonage engages an independent third party to conduct penetration tests of the Services at least annually. Summary results can be made available to you as described in Section 10 on request, and include, at a minimum: (i) the name of the testing organization, (ii) the date(s) of the test, (iii) the scope, (iv) the testing approach, and (v) a brief summary of findings. Moonage also engages a third party to conduct web-application-level security assessments at least annually, covering relevant OWASP vulnerability classes such as cross-site request forgery, cross-site scripting, and SQL injection.

4.7 Vulnerabilities that meet defined risk criteria are promptly flagged and prioritized for remediation based on their potential impact on the Services. Upon discovery, Moonage uses commercially reasonable efforts to remediate critical vulnerabilities within 7 days, high-severity vulnerabilities within 30 days, and medium- and low-severity vulnerabilities within 90 days.

5. Administrative controls

5.1 Moonage maintains security awareness and training programs for its personnel, including at onboarding and at least annually thereafter, covering individual responsibilities for information security and data privacy, Moonage's security policies, protection against threats such as phishing, and the security of devices, credentials, and accounts.

5.2 Moonage trains its software developers on secure development practices appropriate to their role at least annually, with content adapted to the evolving threat landscape.

5.3 Moonage personnel are required to sign confidentiality agreements and to acknowledge responsibility for reporting security incidents involving Customer Data.

5.4 Moonage removes access to critical systems (including systems containing Customer Data) for separated personnel within 1 day and removes access to all systems within 3 days. Moonage reviews personnel access privileges to its Cloud Environment, and all highly privileged (administrator or root) accounts in systems that contain or can access Customer Data, at least quarterly, reducing access where it is no longer needed.

5.5 To the extent permitted by applicable law, Moonage conducts background screening checks for personnel with access to Customer Data, which may include identity verification, right-to-work checks, and criminal-history checks.

6. Vendors and sub-processors

6.1 Moonage ensures that any of its vendors that process Input or Customer Data maintain security measures consistent with our obligations under this Security Addendum.

6.2 Moonage maintains a current list of sub-processors and makes it available as described in the Data Processing Agreement.

7. Physical data center controls

7.1 The Cloud Environment is maintained by one or more cloud service providers, including Cloudflare. Moonage relies on these providers' own third-party audits and certifications to confirm that their data centers maintain appropriate physical and environmental controls. Where a provider operates traditional data-center facilities, such controls typically include:

  • physical access to facilities controlled at building ingress points;
  • visitors required to present identification and sign in;
  • physical access to servers managed by access-control devices, with privileges reviewed regularly;
  • monitoring, alarm-response procedures, and CCTV;
  • fire detection and protection systems;
  • backup and redundancy systems; and
  • appropriate climate-control systems.

7.2 Moonage does not maintain physical offices other than for limited corporate and executive purposes. Under no circumstances is Customer Data stored or hosted at such offices.

8. Incident detection and response

8.1 If Moonage becomes aware of a breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data (a "Security Incident"), Moonage will notify you without undue delay and in any case within 72 hours after becoming aware. You will be notified at the security-notice email address indicated on your currently operative Order Form, or as otherwise determined appropriate by Moonage.

8.2 In the event of a Security Incident, Moonage will promptly take reasonable steps to contain, investigate, and mitigate it, and will preserve any logs relevant to the Security Incident for at least one (1) year.

8.3 Moonage will provide you with timely information about the Security Incident, including its nature and consequences, the status of the investigation, the measures taken or proposed to mitigate or contain it, and a contact point for further information. Because Moonage personnel may not have visibility into the content of Customer Data, Moonage may be unable to provide a detailed analysis of the specific Customer Data impacted. Communications about a Security Incident are not an acknowledgment by Moonage of any fault or liability.

9. Audit logging

9.1 Moonage creates, protects, and retains information-system audit records to the extent needed to maintain integrity and to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity. Actions of human system users can be uniquely traced to those users.

9.2 Audit logs are retained for a minimum of one (1) year and may be retained up to a maximum of ten (10) years, and are protected against tampering.

10. Customer rights and shared responsibility

10.1 On request, and at no additional cost to you, Moonage will provide you and/or your appropriately qualified third-party representative (collectively, the "Auditor") with access to reasonably requested documentation evidencing our compliance with this Security Addendum, in the form of, as applicable, our SOC 2 Type II report, ISO 27001 certificate and statement of applicability, summaries of our most recent penetration tests, and data flow diagrams for the Services (collectively with Third-Party Audits, "Audit Reports"). Where an Auditor is a third party, it must execute a confidentiality agreement with Moonage before any audit, penetration test, or review, and Moonage may object in writing if, in its reasonable opinion, the third party is not suitably qualified, in which case you will appoint another third party. Moonage is not responsible for any expenses incurred by an Auditor.

10.2 Once a year, you may submit a reasonable security questionnaire (not to exceed 100 questions in total) and requests for updated security documentation, and Moonage will provide responses in a timely fashion at its own cost.

10.3 In the event of a Security Incident involving your Customer Data, Moonage will, at its own cost, engage an independent forensic specialist or similar firm and, to the extent your Customer Data is impacted, provide you with the results of that report in a timely fashion.

10.4 You are responsible for ensuring that you are authorized to use any Input or Customer Data with the Services and that your usage complies with relevant legal and regulatory obligations.

10.5 You are responsible for managing and securing your methods of accessing the Services (for example, passwords, SSO connections, and email inboxes used for authentication codes). Credentials must be kept confidential, may not be shared with unauthorized parties, and a single account may not be shared among multiple people. You must promptly report any suspicious activity related to your account, such as when you believe credentials have been compromised.

10.6 You are responsible for keeping your relevant IT systems (such as the browser you use to access the Services) up to date and appropriately patched.

11. Business continuity and disaster recovery

11.1 Moonage maintains business continuity and disaster recovery plans describing how operations will be maintained during an unplanned disruption, including contingencies for business processes, assets, personnel, and key systems and services. These plans are approved by senior management and reviewed and tested at least annually.

12. Contact

If you have any questions about this Security Policy or any security-related issue, please contact us at security@moonage.ai.
