IRIS Privacy Policy

Effective Date: May 2, 2026 | Last Updated: June 1, 2026

1. Introduction and Scope

This Privacy Policy explains how SyloxIT Services Private Limited ("Sylox," "we," "us," or "our") handles personal data in connection with our website at www.syloxiris.com (the "Website"), our IRIS Data Security Posture Management platform (the "Service" or "IRIS"), and our sales, marketing, and support activities.

Sylox is a private company incorporated in India (CIN: U62091PN2026PTC253233), with its registered office at 6th Floor, Metropolis, Balewadi High Street, Balewadi, Pune - 411045, Maharashtra, India. We provide IRIS as a multi-tenant Software-as-a-Service hosted on Google Cloud Platform.

Who this Policy is for

This Policy applies to:

  • visitors to the Website;
  • prospective customers, sales leads, and event or webinar attendees;
  • representatives, administrators, and authorized users of our enterprise customers (collectively, "Authorized Users"), in connection with their account, billing, and support interactions with us;
  • recipients of our marketing communications.

Who this Policy is not for

This Policy does not govern personal data that is contained inside a customer's data environment and that IRIS processes on the customer's behalf — for example, data that IRIS scans inside a customer's Snowflake, BigQuery, or HR system. For that data, the customer is the controller and our handling is governed by the Master Services Agreement ("MSA") and Data Processing Agreement ("DPA") signed with that customer. See Section 5 for how we draw this line.

We aim to comply with applicable data-protection laws, including India's Digital Personal Data Protection Act, 2023 (DPDP Act), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).

By using the Website or the Service, you acknowledge the practices described in this Policy.

2. Categories of Personal Data We Collect

We collect the categories below. We do not collect more than we need.

2.1 Information you give us
  • Identity and contact data: name, business email, phone number, job title, company name, country.
  • Account and authentication data: username, password (stored hashed), single sign-on identifiers, multi-factor authentication tokens.
  • Billing data: billing address, GST/VAT identifier, purchase order references, invoice records. We do not store full payment-card numbers; payments are handled by our payment processor.
  • Support and communications data: the content of emails, support tickets, demo requests, chat transcripts, and other messages you send us.
  • Marketing data: subscription status, event registrations, content downloads, preferences.
2.2 Information collected automatically
  • Usage data: features and pages used, clicks, session duration, error logs, referring URLs.
  • Device and technical data: IP address, browser type and version, operating system, device identifiers, language, time zone.
  • Cookies and similar technologies: see Section 11 and our Cookie Notice.
2.3 Information from third parties
  • Lead-enrichment databases: we may enrich the contact information you provide (e.g., finding your company size or industry).
  • Event organizers and joint marketing partners: if you register for a co-branded webinar.
  • Single Sign-On (SSO) providers: if you log in using Google or Microsoft, we receive basic profile data.
2.4 Customer-environment data (Processor role only)

Through the Service, IRIS processes data inside a customer's environment. This may include personal data of the customer's employees, contractors, or end users (for example, HR records or customer files), and the PII scan results and compliance reports that IRIS produces from them. We process this data as a Processor, on the documented instructions of the customer. Our handling is described in Section 5 and governed by the customer's MSA and DPA, not by this Policy.

3. Sources of Personal Data

We collect personal data from the following sources:

  • Directly from you: forms on the Website, account signup, demo requests, contact-us submissions, support tickets, billing communications.
  • Automatically, as you use our Website and Service: cookies, server logs, product analytics, security logs.
  • From your organization: if your employer is a Sylox customer and provisions you as an Authorized User.
  • From third parties: lead-enrichment databases, single sign-on providers, joint-marketing partners, referrals.
  • From public sources: business directories, public LinkedIn profiles, conference attendee lists.
  • From our customers (Processor role only): data inside the customer's environment that IRIS scans on their instructions.

4. Purposes of Processing and Legal Bases

The table below summarizes why we process personal data and the legal basis we rely on under GDPR/UK GDPR and the DPDP Act.

1. Operate, secure, and maintain the Website
   Categories of data used: usage, device, cookies
   Legal basis (GDPR / UK GDPR): legitimate interests
   Basis under DPDP Act: legitimate use

2. Provide and administer the Service to Authorized Users
   Categories of data used: account, authentication, usage
   Legal basis (GDPR / UK GDPR): contract
   Basis under DPDP Act: for performance of contract

3. Account creation, provisioning, billing, invoicing
   Categories of data used: identity, contact, billing
   Legal basis (GDPR / UK GDPR): contract; legal obligation (tax)
   Basis under DPDP Act: contract; legal obligation

4. Customer support and troubleshooting
   Categories of data used: identity, contact, communications, usage
   Legal basis (GDPR / UK GDPR): contract; legitimate interests
   Basis under DPDP Act: contract

5. Marketing and sales outreach to business contacts
   Categories of data used: identity, contact, marketing preferences
   Legal basis (GDPR / UK GDPR): consent (where required); legitimate interests
   Basis under DPDP Act: consent

6. Product analytics and improvement
   Categories of data used: usage, device
   Legal basis (GDPR / UK GDPR): legitimate interests
   Basis under DPDP Act: legitimate use

7. Security, fraud prevention, abuse detection
   Categories of data used: all categories as needed
   Legal basis (GDPR / UK GDPR): legitimate interests; legal obligation
   Basis under DPDP Act: legitimate use

8. Compliance with legal, tax, regulatory, audit obligations
   Categories of data used: as required
   Legal basis (GDPR / UK GDPR): legal obligation
   Basis under DPDP Act: legal obligation

9. Corporate transactions (financing, M&A, due diligence)
   Categories of data used: as required
   Legal basis (GDPR / UK GDPR): legitimate interests
   Basis under DPDP Act: legitimate use

10. Defending and exercising legal claims
   Categories of data used: as required
   Legal basis (GDPR / UK GDPR): legitimate interests; legal obligation
   Basis under DPDP Act: legal obligation

We do not sell personal data, and we do not use personal data we collect as a Controller to train our artificial-intelligence or machine-learning models without an appropriate legal basis and notice.

Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms. You can request a summary of any balancing test by contacting us.

Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Our Role: Controller vs Processor

This is the most important distinction in this Policy. Sylox plays two different roles depending on the data.

5.1 When we act as a Controller

We act as a Controller — meaning we decide why and how the data is processed — for:

  • Website visitor data (forms, cookies, analytics);
  • account signup and Authorized User profile data;
  • billing and invoicing data;
  • support tickets and customer communications;
  • marketing and sales contact data.

This Privacy Policy governs that data.

5.2 When we act as a Processor

We act as a Processor — meaning we process data only on the customer's documented instructions — for:

  • data inside the customer's environment that IRIS connects to and scans (e.g., customer-uploaded employee or HR data, files, database contents);
  • the PII scan results and compliance reports that IRIS generates from that data;
  • metadata, classifications, and findings stored on the customer's behalf.

For this data:

  • the customer is the Controller and is responsible for the lawful basis, notices to individuals, and handling of data-subject rights;
  • Sylox processes the data only under the MSA and DPA signed with that customer, which include EU Standard Contractual Clauses where required;
  • if you are an individual whose data is inside a customer's IRIS environment (for example, you are an employee of a Sylox customer), please direct privacy requests to that customer. We will support the customer in responding to you.

This Privacy Policy does not govern Processor-role processing.

6. Sharing and Disclosures

We share personal data only as described below, and only with parties bound by appropriate contractual and confidentiality obligations.

6.1 Sub-processors and service providers

We engage third-party providers to help us deliver the Website and the Service. These include:

  • Cloud and infrastructure — Google Cloud Platform (application hosting), Hostinger International Ltd. (Website hosting).
  • Product analytics — Amplitude Inc.
  • Customer support tooling — Zendesk Inc.
  • AI / machine-learning providers — Anthropic (Anthropic PBC, USA) and/or Google Vertex AI (Google LLC), used to power IRIS classification and risk-prioritization features.
  • Email and transactional messaging — Microsoft 365 (Microsoft Corporation); Instantly (outreach email).
  • Lead-enrichment and sales outreach — Apollo.io (Apollo.io, Inc.); Instantly (outreach and CRM).
  • Website security and bot protection — Cloudflare, Inc. and Amazon Web Services, Inc. (AWS WAF).
  • Website analytics and advertising partners — Google Analytics, Google Ads (Google LLC), and LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company). These act as separate or independent Controllers in respect of cookie data they collect through the Website; details are in the Cookie Notice.

A current list of sub-processors is published at syloxiris.com/subprocessors and is updated when we add or replace a sub-processor.

6.2 Customer-controlled data sources

When IRIS connects to systems such as Snowflake, BigQuery, SAP HANA, AWS, or HR systems, those systems are operated by or on behalf of the customer, not by Sylox. They are customer-controlled integrations (not Sylox sub-processors). Sylox accesses them only through credentials and permissions configured by the customer, and only to the extent necessary to provide the Service.

6.3 Professional advisors

Auditors, lawyers, accountants, insurers, and other advisors, all under duties of confidentiality.

6.4 Legal and regulatory disclosures

We may disclose personal data when required by law, court order, or a valid governmental request, or where reasonably necessary to investigate fraud, enforce our agreements, or protect the rights, property, or safety of Sylox, our customers, or others.

6.5 Corporate transactions

In a merger, acquisition, financing, reorganization, or sale of all or part of our business, personal data may be transferred to the relevant counterparty under appropriate confidentiality and data-protection terms.

We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

7. International Data Transfers

Sylox is headquartered in India. The Service is hosted on Google Cloud Platform (asia-south1, Mumbai, India). Personal data we collect may be transferred to and processed in India, the United States, the European Union, and other jurisdictions where we or our sub-processors operate.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including:

  • the EU Standard Contractual Clauses (Commission Decision 2021/914);
  • the UK International Data Transfer Addendum to the EU SCCs;
  • the Swiss Federal Data Protection and Information Commissioner's recognised SCCs;

together with technical and organisational measures (encryption, access controls, logging, contractual restrictions on government-access requests). A copy of the SCCs we use is available on request.

For transfers from India, we comply with applicable cross-border transfer rules under the DPDP Act.

8. Retention

We retain personal data we hold as a Controller for the periods set out below:

  • Account and billing records: 7 years after account termination (Indian tax / Companies Act, 2013).
  • Authorized User authentication and product-usage logs: up to 3 years.
  • Marketing leads and prospect data: 24 months from last interaction, or until withdrawal of consent.
  • Website analytics: up to 14 months (maximum 26 months).
  • Support tickets and related communications: 3 years after closure.
  • Security and audit logs: minimum 1 year; up to 3 years for compliance.
  • Backups: 30 to 90 days, rolling.

Customer-environment data (Processor role). Personal data processed in the IRIS platform on a customer's behalf is retained for the duration of the customer's subscription. On termination, the customer has a 30-day export window to retrieve its data, after which Sylox deletes or returns the data within a further 30 days (i.e., within 60 days of termination in total), all in accordance with the DPA, unless retention is required by law. Backup copies are removed in the ordinary course of Sylox's backup-rotation schedule.

When data is no longer needed, we delete or anonymize it using methods designed to make it irrecoverable.

9. Security Measures

We use a combination of administrative, technical, and physical safeguards designed to protect personal data, including:

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest for production data stores.
  • Role-based access control (RBAC) with least-privilege principles, enforced at the application and database layer.
  • Multi-tenant isolation so each customer's data is logically segregated.
  • Comprehensive audit logging of administrative actions and access events.
  • Secure software development, code review, dependency scanning, and vulnerability management.
  • A documented incident-response plan, regularly tested.
  • Vendor and sub-processor risk reviews before engagement and on a recurring basis.
  • Workforce training on privacy and security, with role-based access reviews.
  • Background checks for personnel with access to production systems, where permitted by law.

Compliance roadmap. We are currently working towards SOC 2 Type II attestation, with a target completion in Q3 2026. ISO/IEC 27001 certification is on our security roadmap. We do not currently claim any certification we have not yet attained.

Incident notification. If a personal-data breach affects data we hold as a Controller, we will notify affected individuals and regulators where required by law. As a Processor, we will notify the affected customer without undue delay, and in any event within 48 hours of becoming aware of a confirmed Personal Data Incident, in accordance with our DPA. Broader operational security incidents not involving Personal Data are notified within 72 hours under our Master Services Agreement.

No method of transmission or storage is fully secure. While we use commercially reasonable measures, we cannot guarantee absolute security.

10. Your Rights and How to Exercise Them

Subject to applicable law, you may have the following rights with respect to personal data we hold about you as a Controller:

  • Access — confirmation of, and a copy of, the personal data we process about you;
  • Correction / Rectification — correction of inaccurate or incomplete data;
  • Erasure / Deletion — deletion in defined circumstances;
  • Restriction — restriction of processing in defined circumstances;
  • Objection — objection to processing based on legitimate interests, including direct marketing (which you can stop at any time);
  • Portability — a copy in a structured, commonly used, machine-readable format;
  • Withdraw consent — where processing is based on consent, withdraw at any time;
  • Nominate a representative under the DPDP Act — to exercise rights in the event of death or incapacity;
  • Lodge a complaint with a supervisory authority (the Data Protection Board of India, your local EU supervisory authority, or the UK ICO).

California residents (CCPA/CPRA) have additional rights to know, delete, correct, and limit use of sensitive personal information, and the right to non-discrimination for exercising rights. We do not sell or share personal data for cross-context behavioral advertising.

How to make a request

Email privacy@syloxlabs.com with:

  • your name and the email address you used with us;
  • the right you want to exercise;
  • enough detail for us to locate the data.

We may need to verify your identity before responding. We respond within timelines required by applicable law (generally 30 days under GDPR/UK GDPR; statutory timelines under the DPDP Act once notified). Where a request is complex or numerous, we may extend by up to two further months and will tell you why.

If your data is in a customer's IRIS environment (Processor role), please make your request directly to that customer. We will help the customer respond.

11. Cookies and Similar Technologies

We use cookies, pixels, and similar technologies on the Website for strictly necessary, functional, analytics, and marketing purposes. Where required by law, we obtain consent through a cookie banner before setting non-essential cookies, and you can change your choices at any time through the cookie preferences link on the Website.

For full details — categories, providers, durations, and how to manage your choices — see our Cookie Notice.

12. Children and Sensitive Data

Children. Our Website and Service are intended for business use by adults. We do not knowingly collect personal data from children under 18. If you believe a child has provided personal data to us, please email privacy@syloxlabs.com and we will delete it.

Sensitive personal data. We do not solicit and ask that you do not submit special categories of personal data — such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation — through Website forms, marketing channels, or support tickets. If sensitive data is provided to us as a Controller in error, we will delete it unless we are required to retain it by law.

When sensitive data is processed inside a customer's environment through IRIS (Processor role), the customer is responsible for the lawful basis and any required protections under applicable law, and our handling is governed by the DPA.

13. Changes to this Policy and How to Contact Us

Changes

We may update this Policy from time to time. Material changes will be communicated through the Website, by email to Authorized Users where appropriate, or both, before they take effect. The "Last Updated" date at the top reflects the most recent revision. Your continued use of the Website or Service after an update means you accept the updated Policy.

Contact

SyloxIT Services Private Limited
6th Floor, Metropolis, Balewadi High Street
Balewadi, Pune - 411045, Maharashtra, India

For DPDP Act, 2023 grievances, you may also contact the Data Protection Board of India through the channel it publishes for that purpose.

EU / UK contact. IRIS is an enterprise B2B service and is not directed at consumers in the European Economic Area or the United Kingdom. Where Article 27 GDPR / UK GDPR may apply in respect of any limited Controller-role processing of EEA or UK personal data, our representative is pending appointment. For regulatory communications and data-subject requests in the meantime, please contact privacy@syloxlabs.com.

Governing law

This Policy is governed by the laws of India. Any disputes arising out of or relating to this Policy are subject to the exclusive jurisdiction of the courts at Pune, Maharashtra, India, without prejudice to mandatory rights you may have under your local data-protection law.

© 2025 Sylox Technologies. All rights reserved.