Privacy & security

“BLV Solutions”, "we", "us" or "our" means BLV Solutions Pty Ltd (ACN 649 371 700).

This Privacy Policy applies to all personal information that we collect, use, store, share and disclose when providing the websites, platforms, apps, products and services owned or operated by us, including in relation to the following:

• Robots as a Service – our subscription service for the automation, design, build, test, deployment, monitoring and maintenance of bots.  
• File Note by BLV Solutions – our file note solution (also known as filenote.ai, file note, BLV Solutions File Note) that creates documentation from recorded meetings.
• Our websites, social media and other platforms owned or operated by us such as email, telephone and/or chatbots.

(collectively and singularly, the BLV Solutions Platform).

In this Privacy Policy “you” or “your” means our customers and end-users who:

• access and/or use the BLV Solutions Platform;
• request to access and/or use the BLV Solutions Platform; and/or
• engage with us in any way.

Openness and Transparency

We are committed to protecting your privacy and respecting and upholding your rights under the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act).  We ensure that we will take all necessary and reasonable steps to comply with the APPs and to deal with inquiries or complaints from individuals about compliance with the APPs.

By providing Personal Information (as defined below) to us or using the BLV Solutions Platform, you agree to and consent to the collection, use, storage and disclosure of Personal Information by us as set out in this Privacy Policy.

Personal Information

In this Privacy Policy, “Personal Information” has the meaning defined and regulated under the Privacy Act, which can include a wide range of data, such as names, addresses, phone numbers, email addresses, photographs, financial information, medical records, employment details, and more. It covers both factual information and opinions.

The type of Personal Information we collect from you includes, without limitation, the following:

• your full name;
• address;
• email address;
• telephone number(s);
• date of birth;
• credit card information;
• your device ID, device type, geo-location information, computer and connection information, statistics on page views, traffic to and from the sites, ad data, IP address and standard web log information;
• details of the products and/or services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and/or services and respond to your enquiries;
• any additional information relating to you that you provide to us directly through our website or app or indirectly through your use of our website or app or online presence or through other websites or accounts from which you permit us to collect information;
• information you provide to us through customer surveys;
• billing information (including credit and bank details); or
• any other Personal Information that may be required in order to facilitate your dealings with us.

For the avoidance of doubt, “De-identified Information” is not Personal Information. Information is De-identified Information when it cannot be used to identify an individual and there is no reasonable likelihood of re-identification occurring.

The BLV Solutions Platform is not intended for minors. We acknowledge that the definition of a “minor” changes between jurisdictions, however for the avoidance of doubt, we do not knowingly seek or collect Personal Information from any user below the age of 18 years.

Collection

We will collect Personal Information only by lawful and fair means and not in an unreasonably intrusive way. Generally, we will collect Personal Information directly from you, and only to the extent necessary to provide the BLV Solutions Platform as requested or ordered by you and to carry out our administrative functions or as required by law. We will not collect sensitive information from you.

We may also collect Personal Information from you when you fill in an application form, communicate with us, visit our website, provide us with feedback or complete online surveys. We may collect Personal Information about you from our business partners or from third parties.

If you use a pseudonym when dealing with us or you do not provide identifiable information to us, we may not be able to provide you with any or all of the BLV Solutions Platform as requested. If you wish to remain anonymous when you use our website, do not sign into it or provide any information that might identify you.

We require individuals to provide accurate, up-to-date and complete Personal Information at the time it is collected.

What do we do with your personal information?

We use and disclose your Personal Information for the purposes for which the information is collected, or for a directly related purpose, including (but not limited to):

• providing the BLV Solutions Platform to you;
• administering, protecting, improving or optimising the BLV Solutions Platform (including performing data analytics, conducting research and for advertising and marketing purposes);
• billing you for purchasing or using the BLV Solutions Platform;
• informing you about our website, products, services, rewards, surveys, contests, or other promotional activities or events sponsored or managed by us or our business partners;
• responding to any inquiries or comments that you submit to us;
• verifying your identity;
• any other purpose you have consented to; and
• any use which is required or authorised by law.

Disclosure of personal information

We may disclose your Personal Information to:

• third-parties we ordinarily engage from time to time to perform functions on our behalf for the above purposes;
• any person or entity to whom you have consented to us disclosing your Personal Information to;
• our external business advisors, auditors, lawyers, insurers and financiers; and
• any person or entity to whom we are required or authorised to disclose your Personal Information to in accordance with the law.

Access and management

Subject to some exceptions provided by law, you may request access to your Personal Information in our customer account database, or seek correction of it, by contacting us (please see below section: Contact Information). Should we decline you access to your Personal Information, we will provide a written explanation setting out our reasons for doing so.

We may charge a reasonable fee that is not excessive to cover the charges of retrieving your Personal Information from our customer account database.  We will not charge you for making the request.

If you believe that we hold Personal Information about you that is not accurate, complete or up-to-date then you may request that your Personal Information be amended.  We will respond to your request to correct your Personal Information within a reasonable timeframe, and you will not be charged a fee for correcting your Personal Information.  

If we no longer need your Personal Information for any of the purposes set out in this Privacy Policy, or as otherwise required by law, we will take such steps as are reasonable in the circumstances to destroy your Personal Information or to de-identify it.

Direct marketing

Where we have your express or implied consent, or where we are otherwise permitted by law, we may use your Personal Information to send you information about products and services we believe are suited to you and your interests or we may invite you to attend special events.

At any time, you may opt out of receiving direct marketing communications from us. Unless you opt out, your consent to receive direct marketing communications from us and to the handling of your Personal Information as detailed above, will continue.  You can opt out by following the unsubscribe instructions included in the relevant marketing communication, or by contacting us in writing at hello@blvsolutions.com.

BLV Solutions platform

When transmitting Personal Information from your computer to the BLV Solutions Platform, you must keep in mind that the transmission of information over the Internet is not always completely secure or error-free. Other than liability that cannot lawfully be excluded, we will not be liable in any way in relation to any breach of security or any unintended loss or disclosure of that information.

We may use 'cookies' or other similar tracking technologies on the BLV Solutions Platform that help us track your usage and remember your preferences. Cookies are small files that store information on your computer, TV, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser but if you do so, you may not be able to fully experience the interactive features of the BLV Solutions Platform.

Security

We may hold your Personal Information in either electronic or hard copy. We take reasonable steps to protect your Personal Information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your Personal Information.

However, we cannot guarantee the security of any Personal Information transmitted over the internet and therefore you disclose information to us at your own risk. We will not be liable for any unauthorised access, modification or disclosure, or misuse of your Personal Information.

Complaints

If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your Personal Information, you should contact us. Our contact details are set out below in clause 12.

We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au for guidance on alternative courses of action which may be available.

Contact information

If you require further information regarding our Privacy Policy or have any questions comments, requests or concerns, please contact us at hello@blvsolutions.com

Miscellaneous

We reserve the right to modify this Privacy Policy in whole or in part from time to time without notice and amendments will be effective immediately upon posting of the amended Privacy Policy on the BLV Solutions Platform.

You may obtain a copy of our current policy from our website or by contacting us at the contact details above.

Data Protection

Data Encryption

We utilise AES-256 encryption to safeguard data at rest, ensuring that stored information is accessible only to authorised users. For data in transit, we implement TLS protocols, providing robust encryption to secure data exchanges across our network. 

Access Control

Our access control policy is stringent. We employ multi-factor authentication (MFA) and robust password policies to verify user identities. Access rights are assigned based on the principle of least privilege, ensuring individuals have only the access necessary for their job functions. Regular reviews and audits of access levels are conducted to prevent privilege creep and ensure compliance with our stringent internal policies. 

Data Minimisation and Retention 

We adhere to data minimisation principles, collecting only what is necessary for the intended purpose and retaining data only for as long as it serves its legitimate business need or complies with legal requirements. Data disposal procedures are in place to ensure that obsolete data is securely and irreversibly destroyed. 

Regular Audits and Compliance Checks

To ensure ongoing compliance with the Australian Privacy Act and to identify any potential vulnerabilities, we conduct regular audits of our data protection practices. These audits are complemented by external third party evaluations to ensure objectivity and adherence to industry standards. 

Data Breach Detection and Monitoring 

We have implemented advanced monitoring systems to detect unauthorised access or anomalous activities within our network promptly. These systems are supplemented by regular security assessments and testing to identify and remediate potential vulnerabilities.

Vendor Risk Management 

Recognising that our data security is also dependent on third-party vendors, we conduct thorough security assessments of all partners and vendors.

Data Security & Retention

What happens to the video recording? 

No video is downloaded or kept by us. Our solution uses the Microsoft App Registration or Zoom App to create a temporary access link (valid for 60 min) to your recording for transcription purposes. The link is accessed within the temporary run time environment to transcribe your meeting and the entire environment is destroyed as soon as the file note is completed. 

Do you train the AI on my data? 

We NEVER train AI on your data. We recognise the importance of data ownership and privacy. We designed the solution specifically to not keep our client data so that your data is not exposed to inherent platform risks. Therefore, we don’t have your data to train the AI. 

How do you improve your AI if you don’t train on my data? 

We take regular feedback from our clients to ensure the output continues to add value for their business. We improve the AI output using the leading-edge advanced techniques. We have a deep history of deploying enterprise grade production AI systems and are pioneers in this space. 

Where are your servers based? 

There are two parts to our infrastructure; the Control Room and Runtime Environment. Control Room is responsible for maintaining the schedule and triggers the run time environment – it does not process client information. 

Our control room infrastructure is by default based in EU to ensure strict compliance to GDPR is met. Our run time environment are on-demand containers. For each file note, a fresh Australian run time is spun up for the purpose of that file note and it is destroyed at the completion of each file note

Data Access

How do you access our data? 

We deploy filenote.ai as a server-to-sever backend integration. 

Microsoft Teams

As a Microsoft Partner, we have the ability to deploy a multi-tenant Microsoft App Registration into your Microsoft tenant. This App Registration is created in our Azure tenant and with your IT’s admin consent, it gets deployed onto your Microsoft tenant as an Enterprise Application. App Registration specifies the scope of access required and is commonly understood by IT, supported by Microsoft’s extensive documentation. 

Zoom

We provide you with instruction to setup a single instance Server-to-Server app with the required permission. The instruction specifies the required permission. Based on the app registrations created above, filenote.ai integrates into your environment via a short-lived Oauth 2.0 token issued by Microsoft or Zoom respectively. 

What level of access is required? 

Filenote.ai strives to request the minimum level of access for the solution to function. We do not request access to your email or calendar and relies on meeting history to determine when a meeting has happened and commence file note creation. Please refer to Microsoft Teams and Zoom setup guides for detailed access requested. 

What is “Server-to-Server” backend integration and why is it more secure? 

“Server-to-Server“ is an IT terminology describing how data is exchanged between two systems. It is a standard design pattern for secure communication between systems. This is different to user based apps as ”Server-to-Server” integration does not have a user interface/portal for user to interact with. The server-to-server approach is more secure as it has less attacking surface for potential hackers, as data is transferred more securely between the two systems without ”weak password” and other typical vulnerabilities typically. 

How are you securing the environment? 

The underlying infrastructures of filenote.ai are SOC2 Type II and HIPAA compliant. Integration points and the overall architecture are designed by certified GIAC penetration testing specialist. The run time environment is designed to not retain data post-processing. Control room log-data is retained up to 90 days for debugging and billing verification purposes.

Our Incident Response Plan (IRP) is structured to manage and mitigate potential cybersecurity incidents effectively. 

Incident Response Plan

The plan is divided into several key phases, each encompassing specific steps and procedures: 

Preparation: This foundational phase ensures that all response team members are trained, resources are available, and communication channels are established. We conduct regular training sessions and simulations to prepare our team for various incident scenarios.

Identification: Upon detecting a potential security incident, our systems and team swiftly move to identify the scope and scale of the issue. This involves monitoring tools, logs, and anomaly detection systems to quickly ascertain the nature and extent of the incident.

‍Containment: Once an incident is identified, immediate action is taken to contain it. Short-term containment involves isolating the affected system or network segment to prevent further spread. Long-term containment strategies are then implemented to ensure system integrity while remediation efforts are underway.

‍Eradication: With the threat contained, we move to eradicate the cause of the incident. This may involve removing malware, closing security gaps, or updating systems to eliminate vulnerabilities. Our team ensures that all traces of the threat are removed to prevent recurrence.

‍Recovery: After eradication, systems are restored and returned to normal operations carefully. Data recovery procedures are enacted if necessary, and systems are monitored for any signs of lingering issues or recurrence of the threat.

‍Lessons Learned: Post-incident, a thorough review is conducted to glean lessons from the incident. This review involves analysing the incident’s handling, identifying what was done well and what could be improved. Findings are then integrated into the IRP to enhance future response efforts.

‍Communication: Throughout all phases, effective communication is maintained. This includes internal communication within the response team and external communication with stakeholders, regulatory bodies, and, if necessary, the public. In compliance with the NDB scheme, we ensure timely and transparent communication regarding breaches that meet the reporting threshold.

‍Documentation: Comprehensive documentation is maintained at each step of the incident response process. This documentation aids in the post-incident review and serves as a record for regulatory compliance and future reference. Our IRP is designed to be dynamic, evolving with the cybersecurity landscape and incorporating learnings from past incidents and industry best practices.

Employee Security Training Programs

Our commitment to cybersecurity is exemplified by our Employee Security Training Programs. These programs are designed to equip our employees with the knowledge and tools they need to protect our organisation’s and our clients’ data effectively. Here’s a detailed breakdown of our training initiatives: 

Foundational Training: All new hires undergo mandatory cybersecurity training as part of their onboarding process. This training covers basic principles of information security, including password hygiene, phishing awareness, and safe internet practices.

Role-Specific Training: Depending on their role, employees receive additional, tailored training that covers specific security protocols relevant to their job functions. 

‍ASD Essential Eight Maturity Model Alignment: Our training programs are aligned with the Australian Signals Directorate’s (ASD) Essential Eight Maturity Model. This alignment ensures that our training covers areas critical to mitigating cyber threats, such as application whitelisting, patching applications, and configuring Microsoft Office macro settings.

‍Ongoing Education and Awareness: Cybersecurity is a rapidly evolving field, and continuous education is vital. Our employees receive regular updates on the latest cybersecurity threats and trends, and we conduct periodic refresher courses to ensure that their knowledge remains current.

‍Assessment and Feedback: To gauge the effectiveness of our training programs, we conduct regular assessments and solicit employee feedback. This approach helps us refine our training content, methods, and frequency to maximise learning outcomes.

‍Encouraging a Security-minded Culture: Beyond formal training programs, we foster a culture where cybersecurity is a shared responsibility. Through internal communications, workshops, and team discussions, we encourage employees to stay vigilant and to share any concerns or suggestions related to cybersecurity