Unless expressly stated otherwise, the definitions and rules of interpretation set out in the Master Software as a Service (SaaS) Terms (the ‘Master SaaS Terms’) apply to this Information Security Addendum.
For the purpose of this Information Security Addendum, Upvio shall be the ‘Supplier’ and the ‘Customer’ is the entity or individual that enters into and is bound by our Agreement as the customer (including by completing an online sign-up process, ticking an acceptance box, or otherwise accessing or using the Services). ‘Agreement’ means the Master SaaS Terms together with all documents incorporated into them from time to time.
This Information Security Addendum applies to the Services generally, including any AI Services (including Vitals AI and, where enabled for the Customer, Empathic AI) and to any AI Input and AI Output processed or generated as part of the Services.
In this Information Security Addendum:
AI Security Incident means any actual or reasonably suspected unauthorised access to, acquisition of, disclosure of, or loss of control over (i) Customer Data, (ii) AI Input, (iii) AI Output, or (iv) any systems or environments used to provide the AI Services (including where such incident involves model theft, model tampering, data poisoning, adversarial manipulation, or compromise of AI pipelines), which results in (or is reasonably likely to result in) a material impact to the confidentiality, integrity or availability of the Services or Customer Data;
Camera Stream Data means any image frames, video stream, or similar sensor capture from an end user device camera that is processed as AI Input for camera‑based AI Services (including Vitals AI and/or Empathic AI);
Biometric Signal Data means physiological signal features and/or derived signal features extracted or inferred from Camera Stream Data (including where extracted using rPPG and/or rBCG techniques), and any intermediate signal representations generated as part of producing AI Output; and
Model Artefacts means model weights, parameters, feature extractors, pipelines, model cards/metadata, and related software components used to provide the AI Services.
SECURITY OF INFORMATION
The Supplier acknowledges that the Customer places great emphasis on the confidentiality, integrity and availability of information, and consequently on the security of the Supplier’s premises and of its information, communication and technology systems. The Supplier shall at all times during the term of the Agreement provide a level of security that complies with this Information Security Addendum. For transparency, we maintain an information security programme and controls designed to align with recognised security standards and assurance frameworks, including ISO/IEC 27001 and SOC 2 (Trust Services Criteria). We are working towards obtaining, and where obtained will maintain, ISO/IEC 27001 certification and a SOC 2 Type II report (or a materially equivalent independent assurance). If you require confirmation of our current certification/attestation status, please contact us at [email protected].
The Supplier shall ensure that any data transfer services used in the delivery of the Services are subject to regular, at least annual, independent technical vulnerability assessment.
The Supplier shall ensure that all Supplier personnel with regular access to Customer information are vetted (including for criminal convictions) and are bound by confidentiality obligations, usually by way of an employment contract or other legally binding contract.
The Supplier shall, promptly following request from the Customer, complete any security questionnaire requested by the Customer.
The Supplier shall promptly notify the Customer of any material cyber-attack, security breach, or AI Security Incident affecting the Services, Customer Data, AI Input, Biometric Signal Data or AI Output, and shall take reasonable steps to investigate, mitigate and remediate the relevant event.
MALICIOUS SOFTWARE
The Supplier shall, as an enduring obligation throughout the term of the Agreement, use anti-malware software and definitions from an industry-accepted vendor, kept current with the latest versions that vendor makes available, and shall minimise the impact of any malicious software that attempts to access or otherwise compromise the security of the Services.
If malicious software is found, the parties shall co-operate to reduce the effect of the malicious software, particularly if malicious software causes loss of operational efficiency or loss or corruption of Customer information. The parties shall also take reasonable steps to assist each other to mitigate any losses and restore the Services to their desired operating efficiency.
TRAINING OF PERSONNEL
The Supplier shall ensure that its representatives, associates and delegates employed or engaged in the provision of the Services are aware of, and receive appropriate training in respect of, the Supplier’s obligations under the Agreement and this Information Security Addendum.
AI SYSTEMS AND RPPG/RBCG SECURITY
Risk-based controls. Where the Supplier provides any AI Services (including Vitals AI and/or Empathic AI), the Supplier shall maintain reasonable technical and organisational measures designed to protect the confidentiality, integrity and availability of Customer Data, AI Input, AI Output, and Biometric Signal Data.
Data minimisation for camera-based AI. For camera-based AI Services, the Supplier’s standard configuration is designed to process Camera Stream Data transiently in real time to extract signal features and generate AI Output, and not to store raw Camera Stream Data as part of the Services, except where:
required by applicable law; or
strictly necessary for security, fraud prevention, or troubleshooting with appropriate safeguards; or
the Customer separately instructs and authorises the Supplier in writing (and, where required, the Customer obtains all necessary end user consents).
Encryption in transit and at rest. The Supplier shall use industry-standard encryption in transit (such as TLS) for communications between Customer Systems and the Services, including transmission of AI Input, and shall apply encryption at rest (or equivalent compensating controls) for stored Customer Data and stored AI Output where held in Supplier-managed environments.
Access control and least privilege. The Supplier shall restrict access to Biometric Signal Data, AI Input/Output, and any environments hosting Model Artefacts to authorised personnel only, based on least privilege and role-based access controls, and shall maintain access logging appropriate to the risk profile of the relevant systems.
Integrity and change control for AI Systems. The Supplier shall maintain controls designed to prevent unauthorised modification of Model Artefacts and AI pipelines, including maintaining version control, segregation of duties (where appropriate), and change management processes for deploying Updates and security patches impacting AI Services.
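As an added illustration of one control that fits the integrity clause above, and not a description of Upvio’s own implementation: a release pipeline publishes a manifest listing a SHA-256 digest for every Model Artefact and signs the manifest (here with an HMAC under a hypothetical release key; a real pipeline would use an asymmetric signature held in a KMS or HSM), and the serving environment refuses to load any artefact set whose manifest signature, file digests, file list, or version do not match. The artefact names, contents and key below are constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Hypothetical release-signing key for the example only. In production the
# signing key lives in the release pipeline's KMS/HSM, never beside the artefacts.
RELEASE_KEY = b"example-release-signing-key-do-not-use"


def _digest(data: bytes) -> str:
    """SHA-256 hex digest of one artefact's bytes."""
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest_body: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so signer and verifier
    sign/verify byte-identical input."""
    return json.dumps(manifest_body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: str, artefacts: Dict[str, bytes], key: bytes) -> dict:
    """Release-side: record version + per-file digests and sign the body."""
    body = {
        "version": version,
        "files": {name: _digest(data) for name, data in artefacts.items()},
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_manifest(manifest: dict, artefacts: Dict[str, bytes], key: bytes) -> Tuple[bool, List[str]]:
    """Serving-side: check the signature first, then that the deployed artefact
    set exactly matches the signed manifest (no modified, missing or extra files)."""
    body = manifest.get("body", {})
    expected_sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest.get("sig", "")):
        return False, ["manifest signature invalid"]

    declared = body.get("files", {})
    problems: List[str] = []
    for name in sorted(set(declared) - set(artefacts)):
        problems.append(f"missing: {name}")
    for name in sorted(set(artefacts) - set(declared)):
        problems.append(f"unlisted: {name}")   # e.g. an injected hook or patched loader
    for name in sorted(set(declared) & set(artefacts)):
        if not hmac.compare_digest(declared[name], _digest(artefacts[name])):
            problems.append(f"modified: {name}")   # e.g. tampered weights
    return (not problems), problems


def load_if_verified(manifest: dict, artefacts: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """Gate: only hand verified artefacts to the model loader."""
    ok, problems = verify_manifest(manifest, artefacts, key)
    if not ok:
        raise RuntimeError("refusing to load model artefacts: " + "; ".join(problems))
    return artefacts  # stand-in for actually loading the model


# Constructed sample artefact set (names and bytes are illustrative only).
RELEASE = {
    "rppg_weights.bin": bytes(range(64)),
    "feature_extractor.py": b"def extract(frames):\n    return frames.mean(axis=0)\n",
    "model_card.json": b'{"name": "example-rppg", "version": "1.4.2"}',
}
MANIFEST = build_manifest("1.4.2", RELEASE, RELEASE_KEY)

if __name__ == "__main__":
    print("clean release:", verify_manifest(MANIFEST, RELEASE, RELEASE_KEY))
    tampered = dict(RELEASE, **{"rppg_weights.bin": b"not the signed weights"})
    print("tampered weights:", verify_manifest(MANIFEST, tampered, RELEASE_KEY))
```

The check deliberately fails closed: a signature mismatch is reported alone (a forged manifest could list whatever digests the attacker likes, so its file entries are not trusted), and any difference between the signed file list and what is on disk, in either direction, blocks loading rather than just logging.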
Detection and mitigation of misuse and adversarial inputs. The Supplier shall maintain reasonable measures designed to detect and reduce material misuse of AI Services and camera-based signal extraction, which may include rate limiting, anomaly detection, and controls intended to identify spoofing/replay or other adversarial manipulation, taking into account the intended non-clinical use of the AI Services and the nature of the Services.
Third party components used for rPPG/rBCG. To the extent the Supplier uses third-party providers to deliver components of the AI Services (including rPPG/rBCG and related analytics components), the Supplier shall:
undertake reasonable due diligence of such providers’ security measures; and
ensure such providers are subject to written confidentiality and security obligations that are no less protective than those set out in this Information Security Addendum, to the extent applicable to the services they provide.
Security testing and vulnerability management. The Supplier shall maintain a security testing and vulnerability management programme appropriate to the Services, which may include vulnerability scanning, dependency and supply-chain risk management, and remediation of identified vulnerabilities within a reasonable timeframe having regard to severity and exploitability.