BrainBox AI Security Addendum
Last revised on March 9, 2026
This Security Addendum (“Security Addendum”) forms part of, and is incorporated into, the Service Subscription Agreement (the “Agreement”) and supplements Section 25 (Information Security) of the Agreement and applies to all Services provided under the Agreement. In the event of conflict between this Security Addendum and Section 25 (Information Security) this Security Addendum shall prevail with respect to security and data protection matters. BrainBox AI will implement and maintain an information security program appropriate for cloud-based building optimization and AI-enabled services. This Security Addendum describes the core security measures applicable to the Services.
1. Definitions. Capitalized terms not defined here have the meaning given in the Agreement and in any applicable governing terms.
2. Information Security Program. BrainBox AI will maintain an information security program that includes: (a) administrative, technical, and physical safeguards; (b) measures designed to protect the confidentiality, integrity, and availability of Customer Data; and (c) controls appropriate for cloud-based commercial systems and building-technology integrations. BrainBox AI’s program is aligned with generally accepted industry standards (e.g., SOC 2 security principles).
3. Access to Customer’s Building Systems / Integrations. If the Customer grants BrainBox AI access to any interface, BMS, EMS, network segment, portal, API, or other system for the purpose of providing the Services:
3.1 Authentication Controls. BrainBox AI personnel will access such systems only through individually assigned accounts and will maintain the confidentiality of authentication credentials.
3.2 Secure Systems. Access will occur only through systems maintained by BrainBox AI that include: (a) firewalls; (b) antivirus / anti-malware; (c) current security patches; and (d) disk encryption on portable devices.
3.3 Restrictions on Local Storage. Unless otherwise agreed in writing, BrainBox AI will not download or store Customer Data outside the secure cloud environment used to deliver the Services, except for transient storage necessary to provide technical support or diagnostics.
3.4 Account Termination. BrainBox AI will disable access for personnel who no longer require access for Service delivery.
4. Confidentiality of Customer Data. BrainBox AI will: (a) maintain confidentiality of Customer Data as required under the Agreement; (b) limit access to those employees or contractors with a legitimate need to know; and (c) use Customer Data solely to fulfill obligations under the Agreement.
5. Compliance with Laws. BrainBox AI will comply with all laws applicable to its role in processing Customer Data in connection with the Services. For clarity, because the Services do not require personal data, laws governing the processing of personal information generally do not apply.
6. Security Controls. BrainBox AI will maintain the following controls as part of its security program:
6.1 Technical Safeguards. BrainBox AI will implement technical safeguards appropriate to the nature of the Services, which include: (a) network and perimeter security monitoring; (b) access controls based on the principle of least privilege; (c) multi-factor authentication for administrative access; and (d) encryption of Customer Data in transit and at rest, as applicable.
6.2 Vulnerability and Patch Management. BrainBox AI will maintain a vulnerability and patch management process that includes: (a) regular vulnerability scanning of relevant systems; (b) timely application of critical security patches based on risk and severity; and (c) use of periodic third-party penetration testing or independent security assessments.
6.3 Logging and Monitoring. BrainBox AI will maintain logging and monitoring capabilities that include: (a) recording of system activity and other security-relevant events; and (b) use of monitoring tools to detect unauthorized access attempts and anomalous activity.
6.4 Business Continuity and Disaster Recovery. BrainBox AI will maintain business continuity and disaster recovery procedures appropriate to the Services, which include: (a) regular backups for critical systems supporting the Services; (b) a documented disaster recovery plan; and (c) annual testing of its disaster recovery capabilities.
7. Security Incident Notification. If BrainBox AI confirms a Security Incident involving Customer Data, BrainBox AI will: (a) notify the Customer without undue delay; (b) provide information reasonably necessary to describe the nature and scope of the incident; and (c) take commercially reasonable steps to contain, mitigate, and remediate the incident. This Security Addendum does not require notification of unsuccessful attempts (e.g., failed login attempts, pings, port scans).
8. Audit and Assurance. BrainBox AI maintains a SOC 2 Type II report covering controls relevant to the Services. Upon Customer’s written request and subject to a nondisclosure agreement, BrainBox AI will make its current SOC 2 report available for Customer review. The SOC 2 report satisfies any audit or inspection right relating to security or data protection. No additional audits of BrainBox AI or its Affiliate’s facilities, systems, or processes are permitted.
9. Personnel Screening and Training. BrainBox AI will: (a) conduct background checks consistent with its internal policies for personnel with access to Customer Data or Building System environments; and (b) provide ongoing security and privacy training to employees.
10. Secure Disposal. Upon termination or expiration of the Agreement, BrainBox AI will delete Customer Data from its systems in accordance with its standard data retention schedule, subject to any surviving obligations under the Agreement. Any retained archival or backup copies will remain subject to confidentiality obligations.
11. Hosting Locations. Customer Data may be processed or stored in: (a) Canada; (b) the United States; and/or (c) other jurisdictions where BrainBox AI or its cloud providers operate. All processing remains subject to this Security Addendum and Section 25 of the Agreement.