Security Statement

1. Security Commitment

Oasis Auto Konnect LLC ("OAK") is committed to protecting the security, confidentiality, and integrity of customer data. We understand that our customers trust us with sensitive business and customer information, and we take that responsibility seriously.

This Security Statement describes the technical and organizational measures we employ to protect data within the OAK platform. Security is an ongoing process, and we continuously evaluate and improve our security practices in response to evolving threats and industry best practices.

2. Infrastructure Security

2.1 Cloud Hosting

The OAK platform is built on enterprise-grade cloud infrastructure provided by established technology partners. Our primary infrastructure providers include:

• Amazon Web Services (AWS): Core infrastructure and data storage
• GoHighLevel (GHL): CRM platform infrastructure (white-label partner)
• Twilio / LC Phone: SMS messaging infrastructure

2.2 Provider Certifications

Our infrastructure providers maintain industry-recognized security certifications including:

Note: These certifications are maintained by our infrastructure providers. OAK leverages these certified environments but does not independently hold these certifications at this time.

2.3 Geographic Location

All customer data is stored within the United States. Our primary data centers are located in AWS regions within the continental United States.

2.4 Redundancy and Availability

• Distributed infrastructure across multiple availability zones
• Automated failover capabilities
• Regular backup procedures
• Disaster recovery planning

3. Data Encryption

3.1 Encryption in Transit

All data transmitted between users and the OAK platform is encrypted using Transport Layer Security (TLS):

• Minimum Version: TLS 1.2 (TLS 1.3 where supported)
• All API Communications: HTTPS required
• Web Application: HTTPS enforced with HSTS
• Mobile Applications: Certificate pinning implemented

3.2 Encryption at Rest

Data stored within our systems is encrypted using industry-standard encryption:

• Standard: AES-256 encryption
• Database Encryption: Transparent data encryption at the storage layer
• Backup Encryption: All backups are encrypted

3.3 Key Management

• Encryption keys are managed through our cloud providers' key management services
• Keys are rotated according to industry best practices
• Access to key management systems is strictly controlled

4. Access Controls

4.1 Role-Based Access Control (RBAC)

The OAK platform implements role-based access control to ensure users only have access to the features and data necessary for their roles:

• Defined permission levels for different user roles
• Granular access controls for sensitive functions
• Administrative controls for account owners

4.2 Authentication

• Password Requirements: Minimum complexity standards enforced
• Session Management: Automatic session timeout after inactivity
• Account Lockout: Protection against brute-force attacks

4.3 Administrative Access

Access to production systems by OAK personnel is strictly controlled:

• Principle of least privilege applied
• Multi-factor authentication (MFA) required for administrative access
• Unique user identification for all administrators
• Access logging and monitoring
• Regular access reviews

4.4 Access Logging

We maintain logs of access to sensitive systems and data, including:

• User login events
• Administrative actions
• Data access events
• System configuration changes

5. Network Security

5.1 Perimeter Security

• Firewalls: Network and application-level firewalls protect our infrastructure
• Web Application Firewall (WAF): Protection against common web attacks
• DDoS Protection: Distributed denial-of-service mitigation through cloud provider

5.2 Intrusion Detection and Prevention

• Intrusion detection systems (IDS) monitor for suspicious activity
• Automated alerting for potential security events
• Regular review of security alerts

5.3 Network Segmentation

• Production environments are isolated from development and testing
• Database servers are not directly accessible from the internet
• Internal network segmentation limits lateral movement

5.4 Vulnerability Management

• Regular vulnerability scanning of internet-facing systems
• Patch management procedures for security updates
• Dependency monitoring for known vulnerabilities

6. Application Security

6.1 Secure Development Practices

Our development process incorporates security at every stage:

• Security considerations in design and planning
• Code review practices
• Testing procedures before deployment
• Controlled deployment processes

6.2 Input Validation and Output Encoding

• Input validation to prevent injection attacks
• Output encoding to prevent cross-site scripting (XSS)
• Parameterized queries for database operations

6.3 Dependency Management

• Regular updates to third-party libraries and frameworks
• Monitoring for security advisories
• Timely patching of known vulnerabilities

7. AI Processing Security

The OAK platform incorporates artificial intelligence features ("Weaver AI") to assist with automated messaging and lead engagement. This section describes our security practices specific to AI processing.

7.1 AI Data Handling

• Data Isolation: Your data is processed separately from other customers' data within our AI systems
• No Training Use: Your customer data, lead information, and message content are not used to train AI models
• Processing Location: AI processing occurs within United States data centers
• Data Minimization: Only data necessary for generating responses is processed by AI systems

7.2 AI Provider Security

AI processing is performed using enterprise-grade AI providers who maintain:

• SOC 2 Type II certification
• Data encryption in transit and at rest
• Contractual commitments not to use customer data for training
• Enterprise security agreements and data processing terms

7.3 AI Input/Output Logging

• AI-generated messages are logged for quality assurance, troubleshooting, and compliance purposes
• Logs are retained in accordance with our data retention policies
• Access to AI logs is restricted to authorized personnel

7.4 AI Content Review

While Weaver AI is designed to generate appropriate, professional responses:

• AI outputs may be reviewed for quality assurance purposes
• Users can configure AI behavior through platform settings
• Users maintain ultimate responsibility for messages sent on their behalf

8. Data Protection

8.1 Data Classification

We classify data based on sensitivity to apply appropriate protection measures:

8.2 Data Retention

Data is retained in accordance with our Privacy Policy:

• Active account data retained while account is active
• Post-termination retention of up to 24 months for legal and compliance purposes
• User data export available for 30 days following cancellation
• Secure deletion procedures when retention period expires

8.3 Backup and Recovery

• Regular automated backups
• Backup encryption
• Periodic recovery testing
• Geographically distributed backup storage

9. Physical Security

Physical security for our data is managed by our cloud infrastructure providers:

• 24/7 physical security and surveillance at data centers
• Biometric access controls
• Environmental controls (fire suppression, climate control)
• Redundant power systems
• Physical access logging

Detailed information about physical security controls is available from our infrastructure providers (AWS, GoHighLevel).

10. Personnel Security

10.1 Background Verification

Where legally permitted and appropriate for the role, background verification may be conducted for personnel with access to sensitive systems or data.

10.2 Security Awareness

• Security awareness training for team members
• Regular updates on security threats and best practices
• Clear security policies and procedures

10.3 Confidentiality

• Confidentiality agreements for personnel
• Clear policies on data handling
• Need-to-know access principles

10.4 Access Termination

• Prompt access revocation upon role changes or termination
• Return of company equipment and credentials
• Exit procedures for personnel with system access

11. Incident Response

11.1 Monitoring and Detection

• Continuous monitoring of systems for security events
• Automated alerting for anomalous activity
• Log aggregation and analysis

11.2 Response Procedures

Our incident response process includes:

1. Detection: Identification of potential security incident
2. Analysis: Assessment of scope and impact
3. Containment: Steps to limit damage
4. Eradication: Removal of threat
5. Recovery: Restoration of normal operations
6. Lessons Learned: Post-incident review and improvement

11.3 Notification Commitments

In the event of a security incident affecting customer data:

• We will notify affected customers within 72 hours of confirming a data breach, or as required by applicable law
• We will cooperate with regulatory authorities as required
• We will provide information about the nature and scope of the incident
• We will describe steps taken to address the incident and prevent recurrence

For additional details on breach notification, see our Privacy Policy.

12. Vendor and Sub-Processor Security

12.1 Vendor Assessment

Before engaging vendors who will have access to customer data, we assess:

• Security practices and certifications
• Data handling procedures
• Compliance with applicable regulations

12.2 Contractual Requirements

Our agreements with sub-processors include:

• Data protection obligations
• Confidentiality requirements
• Security standards
• Breach notification requirements

12.3 Sub-Processor List

Our primary sub-processors are listed in our Data Processing Addendum.

13. Compliance

13.1 Regulatory Compliance

OAK's security practices are designed to support compliance with:

• CCPA/CPRA: California Consumer Privacy Act
• State Privacy Laws: Virginia, Colorado, Connecticut, and others
• TCPA: Telephone Consumer Protection Act (messaging compliance)
• CTIA Guidelines: Carrier messaging requirements

13.2 GDPR Foundations

While our current customer base is primarily within the United States, our security practices incorporate principles consistent with GDPR requirements, positioning us for international expansion.

13.3 Audit Information

For enterprise customers with specific audit requirements, we can provide:

• Security questionnaire responses
• Information about our security practices
• Sub-processor security certifications

Contact Billing Email for audit-related inquiries.

14. User Security Responsibilities

14.1 Account Security

You are responsible for maintaining the security of your OAK account:

• Password protection: Use a strong, unique password and do not share it with others
• Access control: Only provide account access to authorized personnel within your organization
• Session management: Log out of sessions when not in use, especially on shared devices
• Credential rotation: Change your password periodically and immediately if you suspect compromise

14.2 Data Handling

When using OAK, you are responsible for:

• Data quality: Ensuring the accuracy and appropriateness of data you upload
• Consent verification: Confirming you have proper consent before uploading contact information
• Export security: Protecting any data you export from the platform
• Device security: Securing devices you use to access OAK

14.3 AI Oversight

If you use Weaver AI features, you are responsible for:

• Configuration review: Reviewing and appropriately configuring AI settings
• Message monitoring: Periodically monitoring AI-generated messages for appropriateness
• Compliance verification: Ensuring AI messaging complies with applicable regulations and carrier requirements
• Prompt adjustment: Adjusting AI behavior when issues are identified

14.4 Reporting Obligations

You must promptly notify us if you:

• Suspect unauthorized access to your account
• Discover a potential security vulnerability
• Experience a data breach affecting data stored in OAK
• Believe your credentials have been compromised

Report security concerns to Billing Email.

14.5 Prohibited Activities

You agree not to:

• Attempt to bypass or circumvent security controls
• Test the platform for vulnerabilities without authorization
• Share access credentials with unauthorized parties
• Upload malicious content or code

15. Security Contact

15.1 Reporting Security Concerns

If you discover a potential security vulnerability or have security concerns, please report them to:

Email: Billing Email
Subject Line: Security Concern - [Brief Description]

15.2 Responsible Disclosure

We appreciate the security research community and encourage responsible disclosure of potential vulnerabilities. When reporting, please:

• Provide detailed information about the potential vulnerability
• Allow reasonable time for us to investigate and address the issue
• Avoid accessing or modifying data belonging to other users
• Avoid disrupting our services or degrading user experience

15.3 General Contact

Oasis Auto Konnect LLC
27524 Cashford Circle Suite 102
Wesley Chapel, Florida 33544

Legal Address:
30 N Gould Street Suite R
Sheridan, WY 82801

Email: Billing Email
Phone: (813) 515-3550

16. Disclaimer