Here at Tonic.ai, we utilize the principle of least privilege to protect data. Tonic.ai employees will never access your customer data—and the Tonic platform doesn’t store that data either.
Rest assured that we take security seriously.
Our security controls include the following.
When we connect to customers' environments, we use least privilege, with access scoped only to what is needed to satisfy the control.
To restrict employee access, Tonic.ai uses the principle of least privilege, to ensure that employees have access only to what they need to perform their specific roles.
Tonic.ai uses an independent auditor to maintain a SOC 2 report, to ensure adherence to industry standards for security and privacy.
Tonic.ai engages a qualified assessor to complete an annual third-party static code analysis and manual penetration tests.
As part of every release, Tonic.ai uses a combination of:
Manual testing
Automatic unit and integration tests
Security scanning
Tonic.ai uses multiple logging and monitoring tools to ensure that the software we build and deploy is:
Free of defects
Configured securely
Tonic.ai employs staff who have industry knowledge and experience in:
Secure infrastructure
Application management
Risk
Operations
Tonic.ai uses centrally managed endpoint management solutions to ensure that all employee and BYOD devices:
Are configured securely
Receive proper updates
Remain compliant with Tonic.ai requirements while in use
Our annual security training covers:
Security hygiene
Phishing
Data protection
New threats that employees might encounter
General best practices
Tonic AI Trust Documents provides access to:
Tonic.ai policies
SOC 2 reports
Penetration tests
HIPAA attestations
Other security documentation
Tonic Cloud is Tonic's software-as-a-service (SaaS) offering that provides Tonic.ai's applications in secure deployments, which removes the need to manage infrastructure.
Tonic.ai understands how important it is to protect your information, which is why we've gone above and beyond to establish a robust security posture for our cloud-based products:
Tonic Structural
Tonic Ephemeral
Tonic Textual
Tonic.ai exceeds both the stringent controls mandated by the AICPA SOC 2, and the security and privacy controls of the US Health Insurance Portability and Accountability Act (HIPAA).
The cornerstone of our secure environment is a meticulously designed security architecture and infrastructure. This section delves into the core principles that guide our infrastructure design, including:
Secure deployment practices
Robust data encryption at rest and in transit
Comprehensive backup strategies
Rigorous operational procedures
This comprehensive approach ensures the confidentiality, integrity, and availability of your data throughout its lifecycle within our system.
We built our cloud-based products from scratch using a three-tier architecture model.
Three-tier architecture is a well-established software application architecture that organizes applications into the following tiers or layers:
Presentation
Application
Data
Communication between tiers is strictly defined on a default-deny basis.
This makes it more difficult to reach the data layer, which creates a layered defense that significantly reduces the risk of successful attacks and data breaches.
We store our core application data in Amazon Relational Database Service (Amazon RDS) instances.
Amazon RDS uses an Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys. This industry-standard encryption method uses a unique key to scramble the data, which renders the data unreadable without authorization.
Regular backups are critical to any data protection strategy.
We use the same AES-256 encryption standard to encrypt our backups, which ensures additional peace of mind in case of unforeseen events.
We generate and rotate backups automatically to ensure that data is retained only as long as needed for disaster and business continuity.
An extra layer of security is applied through application-level encryption of files that are stored in the cloud. This adds another level of protection for sensitive documents and data that are stored in the application.
Tonic Structural and Textual encrypt any uploaded data before it is stored in the database.
With this extra layer of protection:
Database administrators cannot view the data
The data does not appear in other tools that might connect to the data
The data cannot be used from manual backups
Tonic.ai uses next-generation anti-malware software on all of its cloud servers. The software uses both:
Signature-based scanning to identify known malware
Behavioral analysis to detect unusual processes and zero-day exploits
Tonic.ai uses both regular scanning of instances and real-time protection to catch potential malware that might be hidden deep in inactive files or archives. It also uses real-time protection to monitor system activity and analyze files, programs, and network traffic.
A robust network infrastructure is the foundation of our secure communication architecture.
This section details the key components that safeguard data transmission, including:
Firewalls for access control
TLS encryption for data confidentiality
Load balancing for optimal performance
Comprehensive network monitoring for continuous vigilance
This combination ensures secure and reliable communication channels for all data transfers within our system.
Our cloud applications use TLS 1.3 and 1.2 to enforce the encryption of ingress traffic. Tonic Structural uses AWS Application Load Balancing security policy ELBSecurityPolicy-TLS13-1-2-2021-06. For details about the supported ciphers, go to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
By default, egress traffic from our cloud applications also uses TLS encryption to communicate between the application and customer resources.
To maintain compatibility with different database vendors and versions, our cloud offerings are more permissive on the protocols and ciphers that are allowed for egress traffic.
Our cloud applications use both stateful and stateless firewalls that are configured to default-deny all traffic other than traffic that is explicitly expected between different systems on specific ports.
These firewalls also track and monitor the state of active network connections. They analyze incoming traffic and look for potential traffic and data risks.
We use web application firewalls to block request patterns that are associated with discovery and exploitation of vulnerabilities. The firewalls also use up-to-date commercial threat intelligence to block sources that are associated with botnets or other known threat actors.
Our cloud applications use high-availability load balancers to balance traffic over multiple instances. This ensures that our service is available even if a single piece of hardware fails.
To continuously monitor our services, our cloud applications use intrusion detection software that incorporates:
Anomaly detection
Machine learning
Behavioral modeling
Commercial threat intelligence
A robust Identity and Access Management (IAM) system lies at the core of our secure environment.
This section delves into the processes that govern how users are:
Identified (authentication)
Authorized to perform specific actions (authorization)
Managed throughout their time with our system (user lifecycle)
Monitored for activity (auditing)
These practices ensure that only authorized users have access to the appropriate resources, and that all actions are traceable for enhanced security and accountability.
Tonic.ai uses a centrally managed Identity Provider to provision and manage authentication and authorization to cloud resources. This allows Tonic.ai to enforce authentication policies that include:
Strong passwords
Multi-factor authentication
Geographic and risk-based access
To access administrative resources (user interfaces and dashboards) and network resources, Tonic.ai staff who have roles that grant them access to our cloud infrastructure must use our identity provider to authenticate.
Tonic.ai maintains detailed audit logs of our administrators’ access to cloud resources. This includes:
Their sign-ins
Type of access (for example, console or VPN)
The type of device used
The IP address of the connection
These logs are immediately transferred to a separate AWS account that only security and auditing staff can access.
The security of your data is paramount.
This section dives into the comprehensive security assessments that we conduct throughout the development lifecycle and ongoing operation of our application. We use a multi-layered testing approach to identify and address vulnerabilities before they can be exploited.
During the Tonic.ai software development lifecycle (SDLC), the pull request process includes static application security testing (SAST). This ensures that changes to our codebase do not introduce potential vulnerabilities.
As part of the Tonic.ai SDLC, we use commercial and open-source container scanning of our finished builds. This ensures that Tonic.ai does not release code with known exploits into our cloud environments.
Within our cloud environment, to identify suspicious network activity and prevent leaks of sensitive data, Tonic.ai uses:
Network threat detection
Next-generation anti-malware scanning
Data loss prevention software
To proactively discover security weaknesses in our applications and networks, we leverage external manual penetration testing, where ethical hackers simulate real-world attacks to identify and remediate vulnerabilities.
In our commitment to safeguard your data and to maintain the highest security standards, we undergo regular audits and adhere to recognized certifications.
This section details our compliance framework, outlining the independent assessments and certifications that verify the security and privacy controls that we use to protect your information.
Tonic.ai undergoes an annual SOC 2 audit that is performed through an independent auditing firm. The audit verifies our adherence to industry-standard security controls that safeguard customer data.
SOC 2 audits focus on a set of criteria that include security, availability, processing integrity, confidentiality, and privacy.
Our cloud infrastructure has gone through the AWS Foundational Technical Review to ensure that our solution:
Is well-architected
Follows industry best practices
Follows Amazon’s guidance for using their cloud infrastructure securely
Tonic.ai is committed to meeting and upholding the principles of the GDPR.
Our cloud applications use industry standard contractual and technical controls to meet GDPR's strict privacy requirements.
Tonic.ai monitors and ensures that our sub-processors meet the same legal and technical standards that we employ.
Structural uses industry-standard administrative and technical controls to meet HIPAA's strict security and privacy requirements.
Each Tonic.ai application has different core functionality and different security risks.
Because each application is developed independently, each application has different security features. The following documents cover the specific features for each application.
The Tonic Structural platform creates safe, realistic datasets to use in staging environments or for local development. Structural can be deployed either:
Self-hosted by the customer
In Tonic Cloud, which is a managed service that Tonic.ai provides
For comprehensive Structural feature documentation, go to the Structural User Guide.
The Structural application saves log files that can be used to:
Diagnose issues
Troubleshoot bugs
Help to identify when performance can be improved
Generally improve Structural and its features
On-premise customers can aggregate these logs into their logging solution or SIEM for analysis and monitoring.
Customers can also share logs with Tonic.ai so that our staff can help to handle errors.
How to share logs with Tonic.ai
Structural supports a variety of user roles that allow customers to assign end-users the least privileges required.
Structural produces data products that might not require users to access the Tonic application at all.
How to grant access to Structural workspaces
Structural supports a variety of external identity providers that allow customers to:
Centrally manage users
Define authentication criteria to log in to Structural
Structural supports:
AWS SSO
Azure Active Directory
Duo Security SSO
Google Workspace SSO
Keycloak
Okta
PingID
Other SAML 2.0 compliant identity providers
Single sign-on (SSO) in Structural
The Structural application hashes all user passwords when stored.
The Structural application encrypts datastore credentials using customer-provided encryption keys.
Tonic Textual provides a single tool to allow you to put your file-based data to work for you.
You can also use Textual to do simple redaction and synthesis of sensitive values, to produce files in the same format to use for development and training. Each original file becomes an output file in the same format, with the sensitive values replaced.
Textual can be deployed either:
Self-hosted by the customer
In Tonic Cloud, which is a managed service that Tonic.ai provides
For comprehensive feature documentation for Textual, go to the Textual User Guide.
The Textual application saves log files that can be used to:
Diagnose issues
Troubleshoot bugs
Help to identify when performance can be improved
Generally improve Textual and its features
On-premise customers can aggregate these logs into their logging solution or SIEM for analysis and monitoring.
Customers can also share logs with Tonic.ai so that our staff can help to handle errors.
For self-hosted instances, Textual supports a variety of external identity providers that allow customers to:
Centrally manage users
Define authentication criteria to log in to Textual
Textual supports:
Azure Active Directory
GitHub
Google Workspace SSO
Okta
Single sign-on (SSO) for Textual
The Textual application hashes all stored user passwords.
Tonic Ephemeral allows you to create temporary databases that you can use for demos, development, and testing.
For comprehensive feature documentation for Ephemeral, go to the Ephemeral User Guide.
The Ephemeral application saves log files that can be used to:
Diagnose issues
Troubleshoot bugs
Help to identify when performance can be improved
Generally improve Ephemeral and its features
On-premise customers can aggregate these logs into their logging solution or SIEM for analysis and monitoring. Customers can also share logs with Tonic.ai so that our staff can help to handle errors.
For self-hosted instances, Ephemeral supports external identity providers that allow customers to:
Centrally manage users
Define authentication criteria to log in to Ephemeral
Ephemeral supports:
Google Workspace SSO
Okta
Single sign-on (SSO) on Ephemeral
The Ephemeral application hashes all stored user passwords.
If you believe you’ve found something in a Tonic.ai product that has security implications, email your findings to security@tonic.ai.
To report security findings over a secure channel, use the following key to encrypt your message.
Tonic.ai currently does not pay bounties for unsolicited security findings.
Tonic.ai collects usage, license, and error data from both cloud and self-hosted applications.
Tonic.ai collects some analytic, account management, customer support, and debugging data from each Tonic.ai application. Tonic.ai uses Amplitude, Sentry, and Amazon Web Services to receive and process telemetry. Telemetry sharing is required.
For information about data that is collected by Tonic Structural, go to https://docs.tonic.ai/app/admin/tonic-monitoring-logging/tonic-data-collection
TonicAI, Inc., dba Tonic.ai (“Tonic,” “us,” “we,” or “our”) provides this privacy policy (the “Privacy Policy” or “Policy”) that describes how we collect, use, and disclose your information. This Policy applies to our website www.tonic.ai and related subdomains, any other website operated by Tonic.ai that links to this Policy (together, “Websites”), and our data collection practices when you acquire, download, install, access, or use certain online services offered by Tonic.ai, including where this Policy is incorporated by reference (our “Online Services”). Specifically, this policy describes the information, including personal information, we may collect from you, about you, or that you may provide to us when you interact with us through our Online Services or with Tonic.ai in-person (i.e., “offline”) (collectively, the “Tonic Services”) and how we use, protect, and share such information.
Please note that the Tonic Services do include, and this Policy does apply to, services provided by Tonic.ai to you (or your organization) in your or your organization’s own online environment pursuant to a separate agreement between you and Tonic.ai.
Please read this document carefully. If you do not agree with this Policy, your choice is not to use Tonic Services. By accessing or using the Tonic Services, submitting information to Tonic, and/or acknowledging your agreement to Tonic’s Terms and Conditions or Click-Through Terms of Use, you agree to this Policy. This Policy may change from time to time. We will post the updated policy at this address (or an address we later designate) and update the “Last Updated” date on this document. Your continued use of Tonic Services after we make changes to this Policy is deemed to be your acceptance of any such changes, so please review this page periodically for updates.
The chart below lists the categories of personal information that we may collect from or about you through the Tonic Services:
Categories of personal information we collect and how we collect it
Identifiers. This may include a real name, alias, address, email address, phone number, online identifier, IP address, account username and password, job title, or other similar identifiers.
Internet and network information. This may include cookies, information about your interaction with a website, application, service or advertisement, such as browsing history and how you use your account.
Device information. This may include the operating system of your device, device identifier, the type of device you are using[, or your geolocation information.]
Order information. This may include information about what you order, shipping, delivery, returns, product complaints, or warranties.
Payment and credit information. This may include your credit or debit card information, banking information, information about your payment transaction, or other financial information you provide us.
Other information you submit to us. This may include requests or communications you submit to us, including emails, ratings, or customer service and sales call recording.
Research or survey information. This may include survey results, social media data, and other information about your participation in consumer research.
Inferences we draw about you. This may include information about your preferences, characteristics, predispositions, behavior, or other trends that help us identify which products you may be interested in.
We may also collect, use and share non-personal information. And, we may use or share information that we have collected that has been de-identified or anonymized so that it does not personally identify you.
We collect information from or about you through the following methods:
When you provide information to us voluntarily, through the Online Services, including by filling out forms, registering for an account, purchasing our products or services, signing up for marketing communications, requesting information about our products or services, or any other data entry method in the Online Services;
When you register for or attend a virtual or “offline” event;
When you visit our offices, including to identify you as a visitor and allow you access to restricted areas;
When you provide us information through a survey, contest, or promotion, or through other marketing research or initiatives;
When you interact with us on social media, or with our advertisements online;
When you communicate with us, including through email, chat, or other online or offline methods, including for customer service or providing feedback;
In any other way we describe while providing the Tonic Services; and
Automatically, when you interact with or visit the Tonic Services, through the use of cookies, web beacons, JavaScript, logging, and other automated data collection means. For more information, see the section entitled “Automated and Third Party Data Collection,” below.
We also collect information about you from the following sources:
Our service providers;
Publicly available and governmental records, including social media networks, websites, blogs, and forums;
Other users of the Tonic Services; and
Marketing partners and other third parties.
We use information that we collect from or about you in the following ways:
To provide you with the Tonic Services, including to confirm, complete, and service any transactions with you;
To interact with you, including through email, customer support, and contact requests, or to resolve problems and disputes;
To send you marketing communications about our products, events, and promotions, including through newsletters, social media, and other channels;
To comply with or enforce our legal obligations or rights, including to comply with court orders, subpoenas, or other legal process or lawful requests;
To ensure the security and availability of Tonic Services, and to enforce our terms;
To develop, improve, and measure the effectiveness of the Tonic Services and our marketing efforts;
To improve our user experience;
To provide certain advertisements and content, both on and off our Websites, in some cases based on your preferences or interests;
To facilitate payments, including for Tonic Services;
To fulfill any purpose for which you provided it;
In any other way that we provide notice of or where you have provided your consent.
We may share information about you with the following categories of individuals and entities or in the following scenarios:
With our service providers and subcontractors, who perform services on our behalf to operate our business and the Tonic Services, including service providers that help us to run our Websites and Online Services, process payments, communicate or market to or with you, secure the Tonic Services, and analyze the Tonic Services;
With a buyer, successor in interest, or any other party involved in a merger, acquisition or other sale or transfer of all or some of the Company’s assets, equity or business or any similar transaction, or as part of a bankruptcy, liquidation, dissolution or similar proceeding, as well as advisors, lawyers, accountants and other third parties that may assist in the negotiation, review, and consummation of any such transaction or proceeding;
When we believe it is necessary to enforce or apply this Policy or any other agreement with you, and to protect the rights, property, or safety of Tonic or its employees, users, or others;
When the information has been aggregated, anonymized, or de-identified. In these situations, we do not disclose any information that could be used to personally identify you;
When you direct us to share your information with a third party, or otherwise provide your consent to share your information;
For any other reason that we have properly notified you about at the time we collect the information; and
Where we are required to do so by law, including as the result of a court order, legal process, subpoena, or other lawful request, or where we otherwise have a legal obligation to do so.
When we provide personal information to our service providers, we use reasonable efforts to ensure they comply with applicable privacy laws.
Like most technology companies, we (and our service providers and certain third parties) collect information about you automatically, including when you interact with Tonic Services. We collect this information through a variety of technologies, which we explain below:
Cookies – A cookie is a small text file that is sent to your browser when you access a website. There are two types of cookies, session cookies and persistent cookies. A session cookie is available and exists only during the course of the browser session. Closing the browser or logging off will invalidate the session cookie. Persistent cookies, similar to their name, last for a longer period of time, from hours, days, or weeks, and remain on your hard drive (or other storage medium) and record or disclose information about you and your interactions with websites and services. For example, cookies are used to retrieve information that you have previously entered (to allow you not to have to re-enter it), analyze the usage of a website, or track users across websites or services. You can often decide whether and what types of cookies you are willing to accept through your browser’s settings or through third party products that may manage, disclose, or block cookies, like browser plug-ins or other software.
Web beacons (also known as pixels, internet tags, or clear gifs) – These are tiny graphics on a web page (or in an email) that are used to track pages viewed, messages opened, or other information. They can provide certain information, including IP address and browser type, or other information about interactions with a website or service.
Embedded Scripts – These are also bits of code on a website or service that measure how a user interacts with a website, application, or service; the scripts are often in JavaScript, a common programming language.
Tonic also collects information automatically about you through logging that is standard on websites. Typically, website logs include your IP address, device type, browser type, access time, and the URL where you came from or where you are going.
Certain service providers and third parties collect information about you when you are interacting with the Tonic Services, including through the automated methods described above. We also use other third parties or service providers to assist us in operating our business and they may receive or store your personal information. Because we value your privacy, we want to be transparent about this data collection, provide you further information, and in some cases provide you methods to opt-out of or control this data collection.
Tonic’s Websites and Online Services include functionality, cookies and other automated data collection from Facebook and LinkedIn. The cookies and other data collection by LinkedIn and Facebook allow us to place ads on certain social media websites, measure your engagement with those ads, tailor ads to you, measure your ad conversion, and provide us information about your interactions with us on social media. There is information in the table below, if you wish to opt-out of data collection by LinkedIn and Facebook. The following list includes the service providers and third parties currently used by Tonic as of the date of this Policy. The list is subject to change at any time.
Amplitude
We use Amplitude to analyze and optimize the user experience on our site.
Learn more about Amplitude’s privacy practices: https://amplitude.com/privacy
Ashby
We use Ashby as an applicant tracking system to manage our recruitment process and hiring activities.
Learn more about Ashby's privacy practices: https://www.ashbyhq.com/resources/privacy
With respect to Facebook, we use Facebook Pixel to measure the effectiveness of our advertising by understanding the actions you may take on our website. Facebook Pixel assists us in customizing our advertising and serving you ads on your social media based on your browsing behavior.
You can learn about Facebook’s privacy practices at www.facebook.com/about/privacy/, and you can opt out of the collection of your data by Facebook Pixel or the use of your data for the purpose of displaying Facebook ads by visiting www.facebook.com/settings?tab=ads (you will need to log into your Facebook account)
FullStory
We use FullStory to understand the digital user experience so we can improve our site.
Learn more about FullStory’s privacy practices: https://www.fullstory.com/legal/privacy-policy/
G2 Crowd
We use G2 Crowd to collect and manage customer reviews and ratings to improve our products and services.
Learn more about G2 Crowd's privacy practices: https://legal.g2.com/privacy-policy
Gong.io
We use Gong.io for visibility into customer interaction and go-to-market data.
Learn more about Gong.io’s privacy practices: https://www.gong.io/privacy-policy/
Google Analytics
Like many websites, we use Google Analytics to gather statistics from our Websites and Online Services. Google Analytics uses a browser cookie for statistical analysis related to your browsing behavior on our Websites and Online Services.
If you choose, you can opt out by turning off cookies in the preferences settings in your browser or download and install Google Analytics Opt-out Browser Add-on at http://tools.google.com/dlpage/gaoptout. For more information on Google Analytics, please visit http://www.google.com/analytics.
Google Tag Manager and Search Console
We also use other services of Google, like Tag Manager and Search Console, to assist in search engine optimization and advertising effectively.
Learn more about Google’s privacy practices: https://policies.google.com/privacy
Heap Analytics
We use Heap Analytics to understand our customers’ use of our site so we can make our site better.
Learn more about Heap Analytics’s privacy practices: https://heap.io/privacy
Hotjar
Hotjar helps Tonic.ai understand its users' behavior and preferences by providing visual insights into user interactions.
Learn more about Hotjar’s privacy practices: https://www.hotjar.com/legal/policies/privacy/
HubSpot
We use HubSpot for marketing automation and as part of our cybersecurity protocol.
Learn more about HubSpot’s privacy practices: https://legal.hubspot.com/privacy-policy
Intercom
We use Intercom as a customer communication platform to provide support, engage with users, and gather feedback.
Learn more about Intercom's privacy practices: https://www.intercom.com/legal/privacy
LeadIQ
We use LeadIQ to find and capture contact information for potential sales prospects.
Learn more about LeadIQ's privacy practices: https://leadiq.com/legal/privacy-policy
LeanData
We use LeanData to manage and route leads efficiently, ensuring they reach the appropriate sales representatives.
Learn more about LeanData's privacy practices: https://www.leandata.com/privacy/
With respect to LinkedIn, we use the LinkedIn Insights Tag to retarget our website visitors and learn insights about your interactions with our LinkedIn advertisements.
Learn more about LinkedIn’s privacy practices at www.linkedin.com/legal/privacy-policy, and you can opt out of LinkedIn Insights Tag at www.linkedin.com/psettings/
Microsoft Clarity
Microsoft Clarity and Microsoft Advertising capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising.
For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement
Outreach
We use Outreach as a sales engagement platform and for sales automation.
Learn more about Outreach’s privacy practices: https://www.outreach.io/privacy-policy
Salesforce
We use Salesforce for customer relationship management, including marketing automation and analytics.
Learn more about Salesforce’s privacy practices: https://www.salesforce.com/company/privacy/
Syft
We use Syft to analyze our software supply chain, ensuring the security and compliance of third-party components.
Learn more about Syft's privacy practices: https://www.syftanalytics.com/privacy-policy
Typeform
We use Typeform to support online form and survey building.
Learn more about Typeform’s privacy practices: https://www.typeform.com/ (Terms & conditions link)
Webflow
We use Webflow for website development.
Learn more about Webflow’s privacy practices: https://webflow.com/legal/privacy
X (formerly Twitter)
We use a cookie from X to integrate and share features for social media and store information about how the user uses the website, for tracking and targeting.
Learn more about Twitter’s privacy practices: https://help.x.com/en/rules-and-policies/x-cookies
YouTube
We use YouTube for video sharing and marketing.
Learn more about YouTube’s privacy practices: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/
Zapier
We use Zapier to automate tasks and workflows between different applications we use, improving efficiency and productivity.
Learn more about Zapier's privacy practices: https://zapier.com/legal/data-privacy
We use Zoom as a conferencing solution.
Learn more about Zoom’s privacy practices: https://www.explore.zoom.us/en/privacy/
In addition to the listed service providers above, all sub-processors listed in our Data Processing Agreement may process personal information as bound by that agreement.
To learn more about or opt out of third-party data collection on the Internet generally, Tonic recommends that you visit the following websites:
Digital Advertising Alliance Consumer Choice Tool. Visit https://optout.aboutads.info/ to opt out of ads from companies that participate in the DAA.
Network Advertising Initiative. Visit https://optout.networkadvertising.org to opt out of certain interest-based advertising from participating NAI members.
Please note that when you opt out at the websites above, and in general, the opt-out is effective only for the device that you use to opt out. It will not prevent data collection or targeted ads for other devices that you use – you will need to opt out on each device. Additionally, certain opt-outs require that a cookie be placed on your device to record your preference. At this time, we do not support “Do Not Track” preferences that may be available in your browser.
Certain privacy laws, including those in Nevada and California, require that we disclose whether we sell your personal information to any third parties. These laws may differ in the definition of what constitutes “selling” personal information. Nevertheless, Tonic is happy to disclose that:
Tonic does not sell your personal information to any third party for monetary consideration.
Depending on your location and applicable law, you may have certain rights regarding your personal information. These rights may include the right to access personal information that Tonic has about you, the right to request that Tonic delete personal information about you, and the right to correct any errors in any personal information Tonic maintains about you. If you wish to exercise these rights, please contact us using the methods described below.
If you do not wish to receive further non-transactional, marketing emails from us, you may opt out by clicking the “unsubscribe” link in any such emails or contacting us using the methods described below. You may correct or update information that we collect about you by contacting us.
If you make a request as described above (except with respect to e-mail opt-outs), we will verify your identity before honoring any such request, which may involve asking you to provide or confirm certain information about you. We engage in verification where required by law, or where we believe it is necessary to protect your privacy and prevent fraud or impersonation. In certain circumstances, you may also be able to make a request through your agent; any such request may also involve a verification process.
You can opt out of or control certain data collection through the Tonic Services, including automated data collection, as described above in the section titled “Automated and Third Party Data Collection.” You can also control what data is collected about you by limiting the information that you provide to Tonic, taking advantage of settings within your web browser or device that relate to privacy, or using software or other services or websites that help to protect your privacy or inform you about data collection practices.
Tonic Services are offered and available to users who are 18 years of age or older. Tonic Services are not directed to children under 13. If you learn that your minor child has provided us with personal data without your consent, contact us.
This Privacy Policy does not apply to any data collection that occurs on any services or websites that are not Tonic Services, including websites that you may reach by clicking on a link through the Tonic Services. We encourage you to read the privacy policy of all websites that you visit.
The privacy, safety and security of your information also depends on you. You are responsible for keeping any password to the Tonic Services confidential and secure, and we encourage you to always use good cybersecurity and privacy hygiene. To help protect the privacy of data we collect through the Tonic Services, we employ measures designed to protect your personal information. However, you should keep in mind that the Services are run on software, hardware and networks, any component of which may, from time to time, require maintenance or experience problems, or be attacked by third parties. Although we do our best to protect your personal information, we cannot guarantee the security of personal information transmitted to or through the Tonic Services.
We retain your data as long as we are providing Tonic Services to you. Even after we stop providing Tonic Services directly or indirectly to you, we may keep your data in order to comply with our legal and regulatory obligations, as well as our tax, accounting, and financial reporting obligations. In all cases where we keep data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.
Tonic is based in the United States. To provide the Tonic Services, we or our service providers may process personal information in the United States, or in other locales across the globe.
If you are not a resident of the U.S., you hereby consent and agree that we (and our service providers) may collect, process, use, transfer, and store your information, as discussed in this policy, outside your resident jurisdiction. Please be aware that United States law and the laws of other countries where we may store and process your information may offer different levels of protection for information than may be available in your country, and some of these locales may have been deemed to offer inadequate protection under certain laws.
Please contact us with any questions or concerns about your privacy, or to exercise any of the rights identified above, where applicable. If you have a disability and need to receive this privacy policy in a different format, please let us know.
E-mail: privacy@tonic.ai
Mail: Tonic AI, Inc. 325 9th St. San Francisco, CA 94103
Telephone: +1 415-340-0330
Please note: you also have the right to make a complaint directly to the applicable data protection or other regulatory agency if you believe your privacy rights have not been respected.