[ Cybersecurity Policy ]

Cybersecurity Policy

The measures Naïve maintains to protect the confidentiality, integrity, and availability of customer data.

Last updated: June 18, 2026

Naïve is a cloud-hosted platform that operates on established third-party infrastructure. This policy summarizes our security program and the shared-responsibility model under which we protect customer data, including credentials and access tokens for connected third-party services. It is provided for informational purposes and does not modify any agreement between you and Naïve.

1

Scope, Governance, and Responsibility

This Cybersecurity Policy describes the administrative, technical, and organizational measures Naïve ("we," "us," "our") maintains to protect the confidentiality, integrity, and availability of customer data processed through our platform at naive.ai and web.usenaive.ai (the "Service").

1.1 Shared Responsibility

Naïve is a cloud-hosted platform that operates on established third-party infrastructure providers and inherits the physical, network, and environmental controls of those providers. We are responsible for the security of the application, data, access, and configuration layers described in this policy.

1.2 Ownership and Review

A designated member of leadership owns our security program. This policy is reviewed and approved by management at least annually and upon material changes to our systems or risk profile. Controls are applied on a commercially reasonable, risk-based basis.

1.3 Role in Connected Financial Services

Where customers connect third-party brokerage or financial accounts (for example, via OAuth), Naïve acts only at the customer's direction. Naïve is not a broker-dealer, does not custody customer funds or securities, and does not hold end-user banking credentials. We facilitate access through provider-issued, revocable OAuth tokens scoped to the customer's own account.

2

Data Classification and Handling

We classify data based on sensitivity to determine appropriate handling and protection. Customer content and credentials receive the highest level of protection.

2.1 Classification Tiers

  • Confidential: Customer content, agent memory, authentication credentials, and third-party API keys and OAuth access tokens — including tokens that authorize access to connected brokerage or financial accounts.
  • Internal: Operational data such as usage metrics, logs, and billing records.
  • Public: Marketing materials, documentation, and other information intended for public release.

2.2 Handling

Confidential data is encrypted in transit and at rest, access is restricted on a least-privilege basis, and customer workspaces are logically isolated from one another so data is not accessible across organizations. We do not use customer proprietary data, prompts, or agent memory to train foundational models. Data retention and deletion are governed by our Privacy Policy.

3

Access Control and Privileged Access Management

  • Access to production systems and customer data is granted on a least-privilege, need-to-know basis and removed promptly upon role change or offboarding.
  • Administrative and privileged access requires individual, named accounts and multi-factor authentication (MFA).
  • Customers control in-product access through role-based access controls (RBAC) and configurable agent approval guardrails that can require explicit human approval for sensitive actions (such as placing trades, moving money, or publishing).
  • Third-party API keys and OAuth tokens are encrypted, scoped to specific workflows, never exposed in plaintext in logs or interfaces, and can be revoked by the customer or by Naïve.

3.1 Logging and Monitoring

We maintain application and infrastructure logging to support monitoring, troubleshooting, and investigation of security events. Logs are restricted to authorized personnel and do not contain plaintext secrets or access tokens.

3.2 Personnel Security

Personnel with access to systems or customer data are bound by confidentiality obligations and receive security awareness guidance appropriate to their role. Access is provisioned based on job function and revoked upon offboarding.

4

Encryption of Data at Rest and in Transit

Data transmitted to and from the Service, and to connected providers, is encrypted in transit using TLS 1.2 or higher. Customer data is encrypted at rest by our infrastructure and database providers using industry-standard algorithms (e.g., AES-256). Sensitive secrets and third-party OAuth access tokens are additionally encrypted at the application layer using authenticated encryption (AES-256-GCM) before storage, with key material held separately from the data and managed via our key-management configuration. Encryption keys are not stored alongside the data they protect.

5

Vulnerability Management and Patch Management

  • We monitor dependencies and infrastructure for known vulnerabilities and remediate based on severity and risk.
  • Application changes pass through code review and automated checks before deployment as part of a secure development lifecycle.
  • Operating systems and platform components are kept current through our managed infrastructure providers, which apply security patches to the underlying environment.
  • We periodically review our security posture and address findings on a risk-prioritized basis.
6

Incident Response and Disaster Recovery

  • We maintain an incident response process to detect, contain, investigate, and remediate security incidents, with defined internal roles and escalation paths.
  • Where a confirmed incident materially affects customer data, we notify affected customers — and impacted partners or providers where contractually or legally required — without undue delay and no later than 72 hours after confirmation.
  • If a connected account or token is suspected of compromise, affected OAuth tokens can be revoked to terminate access.
  • Customer data is backed up through our managed database providers, and we rely on the redundancy and recovery capabilities of our cloud infrastructure to restore the Service following a disruption.
7

Physical Security

Naïve does not operate its own data centers. All production systems and customer data are hosted with established cloud infrastructure providers whose facilities maintain physical and environmental security controls (e.g., restricted access, monitoring, and redundancy) under recognized industry attestations such as SOC 2 or ISO 27001. Physical security of these facilities is the responsibility of those providers. Naïve enforces device and access security for personnel who connect to its systems.

8

Vendor Risk Management

We engage reputable subprocessors and infrastructure providers that maintain industry security and privacy standards. We evaluate the security posture of providers that handle customer data before onboarding and limit the data shared with each provider to what is necessary for their function. A current list of subprocessors and provider attestations is available upon request at support@usenaive.ai.

9

Contact and Reporting

To report a security concern, request our subprocessor list or provider attestations, or ask questions about this policy, contact us at support@usenaive.ai. We may update this policy from time to time; the "Last updated" date below reflects the most recent revision.