Last updated: January 16, 2026
This Security Addendum (“Security Addendum”) forms part of, and is subject to, the Overbase Terms of Service or other written agreement between Overbase and Customer (the “Agreement”). Capitalized terms not defined herein shall have the meanings set forth in the Agreement or the Data Processing Addendum (“DPA”).
1. Security Architecture
1.1. Service Design
Overbase represents that the Service is designed as a "secure-by-design" automated question and answer system. The Service connects to Customer’s internal data sources (including structured sources, such as Salesforce, and unstructured sources, such as Gong) to process queries and generate answers.
1.2. No Permanent Storage of Source Data
Overbase does not maintain permanent storage of Customer Data derived from Customer’s internal data sources. Customer Data remains resident within Customer’s existing platforms and tools. Overbase accesses such data solely on a transient basis as required to generate answers.
1.3. Data Retention Periods
(a) Processing Data: Any Customer Data temporarily cached or stored during processing, including internal team communications regarding such data, is deleted within thirty (30) days of collection.
(b) Generated Answers: Questions submitted by Users and the answers generated by the Service are stored to facilitate the User experience. By default, such questions and answers are deleted thirty (30) days after generation, unless Customer configures the Service to retain them for a longer period.
2. Data Processing
2.1. Proprietary AI Models
Overbase warrants that Customer Data processed by Overbase’s proprietary AI models is never used to train said models. All Customer Data processed by proprietary models is deleted immediately following the completion of the processing task.
2.2. Third-Party AI Models
Overbase utilizes third-party AI models solely where such providers contractually agree that: (a) Customer Data will not be used to train their AI models; and (b) Customer Data will not be retained by the third-party provider after processing.
2.3. Human Review
Where Overbase personnel ("Reviewers") review analysis based on Customer Data to ensure quality, such work is performed exclusively within encrypted tools. All data history within these tools, including internal messenger history used for collaboration, is legally and technically mandated to be deleted every thirty (30) days.
3. Credential Management
3.1. Physical Storage (Air-Gapping)
Credentials, API keys, passwords, and logins provided by Customer ("Credentials") are stored exclusively on physical hard drives located within a locked safe in Overbase’s secure facility. These hard drives are not connected to the internet while in storage and are accessed only when operationally necessary.
3.2. Manual Injection of Credentials
Overbase maintains a strict "Human-in-the-Loop" protocol for system access. No Overbase automated system can access Customer systems without human intervention. A human operator must manually enter Customer Credentials each time the Service launches an agent requiring access to Customer systems.
3.3. Credential Destruction
Upon disposal or replacement, physical hard drives containing Customer Credentials are physically destroyed.
4. Operational Security
4.1. Restricted Personnel
With the exception of the Overbase CEO, all Overbase personnel with access to Customer Data or Credentials ("Secure Personnel") adhere to the protocols set forth in this Section 4.
4.2. The "Walled Garden" Protocol
(a) No External Collaboration: Secure Personnel are prohibited from collaborating with external partners, customers, or third parties.
(b) Communication Restrictions: Secure Personnel communicate and collaborate internally solely using encrypted services subject to the 30-day deletion policy described in Section 1.3. Secure Personnel are not issued Overbase email addresses and are not contactable by the public via corporate channels.
(c) Service Restrictions: Secure Personnel are prohibited from registering for third-party services other than approved encrypted services that are provisioned, monitored, and audited by Overbase.
4.3. Secure Facility and Hardware
(a) Location: Secure Personnel perform all duties in-person from a dedicated secure office facility monitored 24/7 by video surveillance.
(b) Device Restriction: Secure Personnel utilize desktop computers that cannot be removed from the secure facility.
(c) Mobile Device Ban: Personal electronic devices, including mobile phones, are strictly prohibited within the secure facility.
4.4. Workstation Monitoring
Workstations utilized by Secure Personnel are equipped with monitoring software that records screen activity and logs keystrokes to ensure strict compliance with security protocols.
5. Personnel Confidentiality
5.1. Social Media Restrictions
To reduce surface area for social engineering, Secure Personnel are incentivized (via compensation structure) to refrain from using, updating, or logging into social media accounts.
5.2. Non-Disclosure Agreements (NDAs)
All Secure Personnel execute strict NDAs with Overbase prohibiting the disclosure of any Customer information.
5.3. Violations
Any violation of the security protocols outlined in this Addendum by Secure Personnel, including minor infractions such as the introduction of a mobile device into the secure facility, results in immediate termination of employment.
6. User Compliance
6.1. Credential Sharing
Users are prohibited from sharing login credentials. Overbase monitors usage for concurrent access or anomalies indicative of credential sharing. Overbase reserves the right to immediately suspend or terminate User access for confirmed violations of this policy.
7. Enterprise Tier Enhancements
7.1. Applicability
The provisions of this Section 7 apply solely to Customers subscribed to the Enterprise Tier.
7.2. Custom NDAs
Enterprise Tier Customers may elect to require Secure Personnel to execute direct, custom NDAs provided by the Customer.
7.3. Enhanced Social Media Ban
Notwithstanding Section 5.1, Secure Personnel authorized to access Enterprise Tier Customer Data are strictly prohibited from using social media, ensuring they cannot be easily identified or contacted by third parties.