Information Security Policy
Last updated: April 27, 2026
This Information Security Policy summarizes Bolt Foundry's current information
security principles and baseline controls for Kelly, an AI-assisted transaction
workflow tool for real estate professionals.
This document is intended as a high-level external statement of our current
security practices. It does not describe every internal safeguard or procedure.
1. Security Objectives
Bolt Foundry's security objectives are to protect the confidentiality,
integrity, and availability of customer data and connected systems used by
Kelly.
We design our security program to:
- limit unauthorized access to systems and data
- reduce the risk of accidental or malicious data loss or exposure
- preserve the integrity of transaction workflow records
- support reliable, reviewable operations for customer workflows
- detect, respond to, and recover from security events
2. Governance
We maintain administrative, technical, and operational safeguards appropriate to
our size, stage, and service profile. Security responsibilities are assigned
internally, and security practices are reviewed periodically as the product and
threat environment evolve.
3. Access Control
We follow least-privilege principles where practical.
Our controls are designed to include:
- unique user identities for internal access where appropriate
- role-based or scoped access to systems and data
- authentication controls for sensitive systems
- restricted access to production systems and customer data
- prompt removal or update of access when no longer needed
4. Credential and Secret Handling
We take reasonable steps to protect credentials, tokens, secrets, and other
authentication material used to operate Kelly and connect authorized
third-party systems.
Controls may include:
- secure storage of secrets
- restricted access to secrets
- avoiding unnecessary plaintext exposure
- credential rotation or replacement when risk or compromise is suspected
5. Data Protection
We use reasonable safeguards designed to protect customer data in transit and
at rest, as appropriate to the systems involved.
We seek to minimize unnecessary data collection and retention and to limit data
processing to what is needed to operate Kelly and support approved workflows.
6. Logging and Monitoring
We maintain operational logging and monitoring designed to support:
- troubleshooting
- service reliability
- security investigation
- detection of suspicious or unauthorized activity
Access to logs is limited where practical, and logs are retained according to
operational and legal needs.
7. Change Management
We use reasonable development and deployment practices intended to reduce the
risk of introducing security-impacting changes into production environments.
Where appropriate, this may include peer review, environment separation,
configuration controls, and staged rollout practices.
8. Incident Response
We maintain a process for identifying, evaluating, containing, remediating, and
learning from suspected security incidents.
If we determine that a security incident has affected customer data, we will
take steps we consider appropriate under the circumstances, including notifying
affected customers or partners where required by law or contract.
9. Vendor and Subprocessor Risk
We may rely on third-party infrastructure and service providers to operate
Kelly. We seek to use reputable providers and evaluate them in a manner
appropriate to the service they perform and the sensitivity of the data
involved.
10. Business Continuity and Recovery
We take reasonable steps to support continuity of service and data recovery,
taking into account the size and current stage of the product. Specific backup,
recovery, and continuity measures may evolve over time.
11. Employee and Contractor Responsibilities
Personnel with access to sensitive systems or data are expected to follow
security and confidentiality obligations appropriate to their role. Access is
limited to business need, and misuse of systems or data is prohibited.
12. Security Testing and Improvement
We periodically review and improve our security practices based on product
changes, operational learning, incident response, vendor updates, and evolving
risk.
13. Shared Responsibility
Security is a shared responsibility. Customers are responsible for maintaining
the security of their own devices, email accounts, connected third-party
systems, and user credentials, and for appropriately supervising the workflows
they authorize Kelly to perform.
14. Contact
Security-related questions may be sent to:
Bolt Foundry
228 Park Ave S
New York, NY 10003
support@boltfoundry.com