Data Security Guide
This Guide describes the technical and organizational measures implemented by Faro Innovación y Estrategia SAS (FaroNova) to protect the information processed and stored within its Services. This document is an integral part of the Terms and Conditions of Use and the Early Adoption Agreement for FaroMonitor.
1. Scope and General Principles
This Guide applies to all information that Users enter, upload, or generate through FaroNova's Services, including FaroMonitor and FaroPlanning.
FaroNova distinguishes two categories of User information based on their treatment:
• Conversations with the Conversational Assistant: The content of queries and responses is processed in real time and deleted immediately after generating the response (Zero Data Retention). FaroNova does not store, access, or review this content.
• Stored files: Documents uploaded by the User to the platform are stored with AES-256 encryption on Amazon S3 (server-side, keys managed by AWS). Only the User, through their authenticated account, can access their content.
Additionally, FaroNova securely stores User account data (name, email, organization, authentication credentials) and usage statistics with irreversibly pseudonymized identifiers, as described in the Privacy Notice.
Processing roles: FaroNova acts as data controller with respect to registration, authentication, support, billing, contact, and website browsing data. With respect to personal data contained in files, queries, projects, or documents uploaded by corporate clients for their own use, the client acts as data controller and FaroNova acts as data processor, acting solely under the client's instructions and for the provision of the Service.
2. AI Data Processing
FaroNova's Services process User queries and instructions through artificial intelligence via two channels with Zero Data Retention policies: Anthropic (direct API) and Amazon Bedrock (Amazon Web Services' managed service). Both channels run Anthropic Claude models. Each Service feature uses one or both channels based on availability and processing type.
Processing flow:
1. The User submits a query or instruction through the Service interface.
2. The query is transmitted via encrypted connection (HTTPS/TLS) to the corresponding AI provider (Anthropic or Amazon Bedrock, depending on the Service and feature).
3. The provider processes the query and generates a response.
4. The response is delivered to the User.
5. The content of the query and response is immediately deleted from the provider's servers.
No server-side persistence on FaroNova's server:
FaroMonitor's Conversational Assistant server processes each query as an independent turn. Conversation history is kept exclusively in volatile process memory during the active session and is automatically deleted when the session ends, either due to inactivity (30 minutes) or process shutdown. No conversation content is persisted to any database, cache, or file system on the server. It is not possible to retrieve conversations from previous sessions.
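The session handling described above can be sketched as follows. This is an added example, not FaroNova's code: the class and method names are hypothetical, and only the 30-minute inactivity limit and the memory-only storage come from this Guide.

```python
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 30 * 60  # inactivity limit stated in the Guide


@dataclass
class Session:
    history: list = field(default_factory=list)  # conversation turns, RAM only
    last_seen: float = 0.0


class VolatileSessionStore:
    """Conversation history held only in process memory (hypothetical design)."""

    def __init__(self, clock=time.monotonic, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions = {}  # session_id -> Session; never written to disk

    def _expired(self, session, now):
        return now - session.last_seen >= self._idle_timeout

    def append_turn(self, session_id, role, text):
        now = self._clock()
        session = self._sessions.get(session_id)
        if session is None or self._expired(session, now):
            # An idle session is discarded, never resumed with its old history.
            session = Session()
            self._sessions[session_id] = session
        session.history.append((role, text))
        session.last_seen = now

    def history(self, session_id):
        session = self._sessions.get(session_id)
        if session is None or self._expired(session, self._clock()):
            self._sessions.pop(session_id, None)
            return []
        return list(session.history)

    def sweep(self):
        """Drop every idle session. Run periodically so content does not sit
        in memory waiting for a request that never arrives."""
        now = self._clock()
        stale = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def end_session(self, session_id):
        self._sessions.pop(session_id, None)
```

Process shutdown needs no handler in this design: the dictionary is the only copy of the history, so it disappears with the process.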
AI Providers' Zero Data Retention Policy:
Both Anthropic and Amazon Bedrock operate under Zero Data Retention policies. This means that:
• No conversation history or processed data is stored on any Anthropic or Amazon server.
• It is not possible to retrieve the content of previous queries once processed by the AI model.
• In the event of unauthorized access to the servers, there would be no conversation content that could be compromised.
Access to processed content:
• FaroNova: Does not access the content in the ordinary course of service provision. Any exceptional access would require a legal or contractual basis and documented internal controls.
• Amazon Web Services: Does not access content processed by Bedrock in the ordinary course of operations.
• Anthropic: Developer of the Claude model used both through its direct API and Amazon Bedrock. Operates under a Zero Data Retention policy on both channels. Does not retain queries or responses.
Use for model training:
Enterprise customer data processed through Anthropic and Amazon Bedrock is not used to train, improve, or develop artificial intelligence models. This prohibition is contractual with both providers.
3. AI Image Generation
The scenario planning module (FaroPlanning) allows Users to generate illustrative images for strategic scenarios using artificial intelligence. These images are generated through Google Vertex AI (Gemini model), Google Cloud Platform's artificial intelligence service.
Processing flow:
1. The User requests the generation of an image for a planning scenario.
2. FaroPlanning builds a descriptive text prompt derived from the scenario narratives (general context descriptions, not the User's direct personal data).
3. The prompt is transmitted via encrypted connection (HTTPS/TLS) to Google Vertex AI.
4. Google Vertex AI generates the image and returns it to FaroPlanning.
5. The generated image is stored with AES-256 encryption on Amazon S3, with the same protection measures applicable to other stored files.
Data handling by Google:
• Google Cloud Platform operates under enterprise terms establishing that customer data is not used to train, improve, or develop artificial intelligence models.
• Google does not retain generation prompts or produced images beyond the time strictly necessary to complete the request.
• Access credentials for Google Vertex AI are securely stored in AWS Secrets Manager, not in source code.
Nature of transmitted data:
The prompts sent to Google Vertex AI are textual descriptions of strategic planning scenarios. They do not contain personally identifiable User data, but rather general descriptions of contexts and narratives that the User has drafted as part of their planning exercise.
4. Processing of Stored Files
Documents uploaded by the User to the platform (PDFs, text files, and other supported formats) are stored persistently for later consultation and use.
Protection measures:
• Encryption in transit: All file transfers are conducted via HTTPS/TLS protocol.
• Encryption at rest: Files are stored with AES-256 encryption on Amazon S3, using server-side encryption with AWS-managed keys (SSE-S3).
• Access control: Only the User, properly authenticated through AWS Cognito, can access the content of their files.
Access to file content:
• FaroNova: Does not access the content of User files in the ordinary course of service provision. Any exceptional access would require a legal or contractual basis and documented internal controls.
• Amazon Web Services: Stores encrypted files. Does not access their content in the ordinary course of operations.
• Unauthorized third parties: Without the authentication credentials and encryption keys managed by AWS, files are unreadable.
Retention period:
• During service term: Files remain stored until the User voluntarily deletes them.
• Post-termination: Unless the applicable commercial agreement provides for a different period, the User's files will remain available for export for thirty (30) calendar days following termination. After that period, they will be permanently deleted from all systems, including files, projects, usage statistics, and authentication account. The exceptions are: (a) a minimal legal audit record that does not contain User content, email, or personally identifiable information, retained solely for legal compliance with a defined expiration period; and (b) encrypted backups of the authentication infrastructure, retained for a limited period in accordance with FaroNova's disaster recovery practices and automatically deleted upon expiration of their retention cycle.
5. Usage Statistics
FaroNova collects aggregated statistics on Service usage for the sole purpose of improving its products. These statistics may include:
• Platform usage frequency.
• Most consulted modules or sections.
• General query volume.
• General navigation patterns.
• Session times.
Before storing these statistics, user identifiers are irreversibly pseudonymized using a one-way cryptographic hash function (SHA-256 with a fixed salt). This means it is not possible to recover the User's identity from the stored data. The statistics do not include or allow identification of the specific content of User queries, files, or conversations.
Administrative reports aggregate statistics at the company level, not at the individual user level. No personal identifiers are exposed in any dashboard or report.
The collection of usage statistics requires the User's prior consent. The User may revoke this consent at any time from the platform settings, which will immediately stop event capture and trigger the deletion of the User's associated historical events. Pseudonymized analytics events are retained while the User maintains an active account with active analytics consent. Each Service may apply shorter automatic cleanup cycles (for example, deletion of individual events after thirty (30) days and aggregated data after ninety (90) days). In all cases, all analytics data is deleted upon revocation of analytics consent or deletion of the User's account.
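The following added example, which is not FaroNova's code, shows how the three rules in this section fit together: identifiers are hashed with SHA-256 and a fixed salt before storage, reports are aggregated per company, and revoking consent deletes the User's historical events. The salt value, the class and the event fields are constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed salt for this example; a deployment would load its own from a secret store.
FIXED_SALT = b"example-fixed-salt-not-a-real-value"


def pseudonymize(user_id: str, salt: bytes = FIXED_SALT) -> str:
    """One-way SHA-256 pseudonym; the same input and salt always give the same output."""
    return hashlib.sha256(salt + user_id.encode("utf-8")).hexdigest()


class AnalyticsStore:
    """Hypothetical event store that never holds a raw user identifier."""

    def __init__(self):
        self._events = []        # dicts with keys: pseudonym, company, event
        self._consented = set()  # pseudonyms with active analytics consent

    def grant_consent(self, user_id):
        self._consented.add(pseudonymize(user_id))

    def record(self, user_id, company, event):
        pseudonym = pseudonymize(user_id)
        if pseudonym not in self._consented:
            return False  # no consent, no capture
        self._events.append(
            {"pseudonym": pseudonym, "company": company, "event": event}
        )
        return True

    def revoke_consent(self, user_id):
        """Stop capture and delete the user's historical events. Because the
        salt is fixed, the pseudonym can be recomputed from the live account,
        so no table mapping pseudonyms back to identities is needed."""
        pseudonym = pseudonymize(user_id)
        self._consented.discard(pseudonym)
        before = len(self._events)
        self._events = [e for e in self._events if e["pseudonym"] != pseudonym]
        return before - len(self._events)

    def company_report(self):
        """Aggregate per company; pseudonyms never appear in the output."""
        return dict(Counter(e["company"] for e in self._events))
```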
FaroNova does not have access to the content of conversations with the Conversational Assistant or the content of files stored by the User.
6. Frequently Asked Questions
ABOUT SECURITY
Is the data stored on the platform vulnerable to attacks?
Risk is mitigated through the following measures:
• Conversations with the Conversational Assistant: There is no stored information that could be compromised, as content is deleted immediately after processing.
• Files: In the event of unauthorized access to storage servers, files are encrypted with AES-256 and are unreadable without the encryption keys managed by AWS.
How can this information be verified?
The security practices described are publicly documented by Amazon Web Services. Reference links are provided in the Technical Documentation section at the end of this Guide.
ABOUT ARTIFICIAL INTELLIGENCE
Is User data used to train artificial intelligence models?
No. This prohibition is established contractually with infrastructure providers. It applies to both conversations with the Conversational Assistant and stored files.
Do the Services include content moderation mechanisms?
The artificial intelligence models used by the Services (Anthropic Claude) incorporate built-in safety mechanisms that reject the generation of potentially harmful, illegal, or inappropriate content. This moderation is performed directly by the AI provider as part of processing each request. FaroNova does not store either the rejected content or the detection details, as the detection occurs within the provider's infrastructure under their Zero Data Retention policy.
ABOUT PRIVACY
Can FaroNova access the content of User queries or files?
No. By technical design and contractual restriction, FaroNova does not have access to the content of conversations with the Conversational Assistant or the content of stored files. FaroNova can access aggregated and anonymized statistics on platform usage, but never the specific content of User queries, responses, or files.
Does FaroNova share User information with third parties?
FaroNova does not sell, share, or transfer the content of User conversations or files to third parties. The third parties involved in personal data processing are technology infrastructure providers: Amazon Web Services (processing, storage, and conversational artificial intelligence) and Google Cloud Platform (illustrative image generation in FaroPlanning). Both process data exclusively for service delivery and under contractual obligations of confidentiality and security. FaroNova may use additional operational service providers that process exclusively public information or operational Service data, without access to User personal data.
7. Data Subject Rights
In accordance with Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, the data subject has the following rights:
• Know: Know, update, and rectify their personal data, and request proof of the authorization granted for processing.
• Rectify: Request the correction of partial, inaccurate, incomplete, or fragmented data.
• Delete: Request the deletion of their data when it is no longer necessary for the purpose for which it was collected, or when the subject revokes the authorization.
• Revoke: Revoke the authorization granted for the processing of their personal data.
• Opposition: Object to the processing of their data in the cases provided by law.
Additionally, as a contractual benefit, FaroNova offers:
• Portability: Request the delivery of their data in a structured, commonly used, and machine-readable format.
To exercise any of these rights, the data subject may contact FaroNova at privacidad@faronova.co or through the rights request form available on the Platform. Response times and detailed procedures are described in FaroNova's Privacy Notice.
8. Regulatory Framework and Certifications
FARONOVA REGULATORY COMPLIANCE
FaroNova complies with the following regulations in the processing of personal data:
• Political Constitution of Colombia, Article 15: Right to privacy, good name, and habeas data.
• Statutory Law 1581 of 2012: General Personal Data Protection Regime.
• Law 1266 of 2008: General provisions on habeas data, particularly financial, credit, commercial, and services data.
• Decree 1377 of 2013: Regulatory Decree of Law 1581 of 2012.
• Decree 1074 of 2015: Single Regulatory Decree for the Commerce, Industry, and Tourism Sector (Title 26, Chapter 25).
• GDPR: FaroNova adopts the standards of the European Union's General Data Protection Regulation as a reference for international best practices.
INFRASTRUCTURE CERTIFICATIONS
FaroNova operates on Amazon Web Services (AWS) infrastructure. AWS holds the following certifications granted by independent auditors, covering the computing, storage, and artificial intelligence services used to operate FaroNova's Services:
• SOC 2: Security standard for cloud services, verified through independent audit.
• ISO 27001: International information security management standard.
• ISO 27018: Code of practice for the protection of personal data in the cloud.
The SOC 2, ISO 27001, and ISO 27018 certifications correspond to Amazon Web Services, Inc., FaroNova's infrastructure provider. FaroNova does not hold these certifications independently as of the publication date of this Guide.
9. International Transfer and Data Location
Personal data collected by FaroNova is stored and processed on servers located in the United States of America, operated by the following infrastructure providers:
• Amazon Web Services, Inc.: Storage, processing, and conversational artificial intelligence (region us-east-1, Virginia).
• Google Cloud Platform (Google LLC): Illustrative image generation in FaroPlanning via Google Vertex AI (region us-central1, Iowa).
Data flows to FaroNova's infrastructure providers constitute international transmissions to data processors, conducted under Article 26, paragraph a) of Law 1581 of 2012 (express and unequivocal authorization of the data subject) and governed by transmission contracts pursuant to Article 2.2.2.25.5.2 of Decree 1074 of 2015. The United States of America is not included in the list of countries with an adequate level of data protection issued by the SIC, which is why the transmission is based on the express authorization of the data subject.
For more details on international data transmissions and data processors, please consult FaroNova's Privacy Notice.
10. Glossary
• AES-256: Advanced Encryption Standard with 256-bit key length. Encryption standard used by governments and financial institutions to protect classified information.
• Amazon Bedrock: Amazon Web Services' managed artificial intelligence service that runs language models. Operates under a Zero Data Retention policy for enterprise customers.
• Amazon S3: Amazon Web Services' object storage service used for encrypted file storage.
• Anthropic: Developer of Claude, the artificial intelligence model used by FaroNova through two channels: Anthropic direct API and Amazon Bedrock. Operates under a Zero Data Retention policy on both channels.
• Encryption at rest: Protection of stored data through cryptographic algorithms that render it unreadable without the corresponding decryption key.
• Encryption in transit: Protection of data during transmission between the User's device and the servers, via HTTPS/TLS protocols.
• Gemini: Artificial intelligence model developed by Google, used through Google Vertex AI for generating illustrative images in FaroPlanning.
• Google Vertex AI: Google Cloud's artificial intelligence platform used by FaroNova for generating illustrative images in the scenario planning module (FaroPlanning).
• SSE-S3: Server-Side Encryption with Amazon S3-managed keys. Encryption method used for stored files.
• Zero Data Retention: Policy of Anthropic and Amazon Bedrock applicable to enterprise customers that guarantees the immediate deletion of query and response content after processing.
11. Technical Reference Documentation
The information contained in this Guide may be verified in the public documentation of the infrastructure providers:
AMAZON WEB SERVICES
• Data protection in Amazon Bedrock: docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html
• Amazon Bedrock security and compliance: aws.amazon.com/bedrock/security-compliance/
• Encryption in Amazon S3: docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html
• AWS data privacy policy: aws.amazon.com/compliance/data-privacy-faq/
• AWS compliance programs: aws.amazon.com/compliance/programs/
GOOGLE CLOUD PLATFORM
• Data governance in Vertex AI: cloud.google.com/vertex-ai/docs/generative-ai/data-governance
• Google Cloud privacy commitments: cloud.google.com/privacy
• Google Cloud compliance certifications: cloud.google.com/compliance
For inquiries related to data security, contact FaroNova at privacidad@faronova.co.