Capitalized terms not defined in this document have the meanings given in the DPA or Master Services Agreement.
This Security Measures Schedule ("Security Measures") forms part of, and is subject to, the Dust Master Services Agreement between Dust ("Dust") and Customer (the "Agreement"), and is effective on the Effective Date of the Agreement.
1. Roles of the Parties
Dust maintains an information security program designed to safeguard its systems, data, Dust's Services and Customer Data (including Customer Personal Data).
Dust commits to implementing reasonable and appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of data submitted by Customer.
This Addendum describes the information security program and security standards that Dust maintains with respect to the Services and handling of Customer Data and Customer Personal Data.
Customer is responsible for reviewing the information made available by Dust in this addendum and for making an independent determination as to whether the Security Measures meet Customer’s requirements and legal obligations under Data Protection Laws.
2. Updates to Security Measures
Customer acknowledges that the Security Measures are subject to technical progress and evolution and that Dust may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
3. Security Measures description
A. Data Security
- Dust is SOC 2 Type II compliant. For detailed information on the controls and processes that were evaluated, you may access the SOC 2 Type II report on our Trust Center.
- Data Hosting. Customer Data is hosted by Google Cloud Platform ("GCP"), which is SOC 2, ISO 27001 and ISO 27018 compliant.
- Data Backups. Automated backups of all Customer Data and system data are enabled, and data is backed up daily at minimum. The backups are encrypted in the same way as live production data, and are monitored and alerted on.
- Dust’s Security Certification. As of now, our company does not hold any official certifications regarding the security of its information system or the Services.
- Encryption at rest. Customer Data is encrypted at rest using AES-256. Customer Data is encrypted when at rest in cloud storage and databases, and in backups.
- Encryption in transit. Data in transit is encrypted using TLS 1.2 or greater.
- Data erasure. Dust customers are Controllers of their data. Each customer is responsible for the information they create, use, store, process and destroy. Dust customers have the ability to request data deletion when data is not subject to regulatory or legal retention periodicity requirements. Please refer to our Data Processing Agreement ("DPA") for more details.
- Physical security. Dust leverages GCP to host our application, and defers all data center physical security controls to GCP, which you can read more about here.
- Data Ingestion. Dust provides granular control over which data sources get ingested. When adding a managed connection, admins can specifically select which spaces, channels, or folders Dust will access.
- Data Segregation. Dust applies a strict logical segregation of data across workspaces, with all data directly related to a unique workspace identifier.
B. Application security