Security and Compliance

We Protect Your Data and Your Users’ with the Highest Standards

At Cari AI, security is not an add-on; it is a pillar. Our platform is hosted on the AWS cloud with advanced cybersecurity protocols, strict protection policies, and ISO 27001 and ISO 9001 certifications, so you can operate with absolute confidence.

Cloud Security Architecture and Controls

🔐 Robust and secure cloud architecture

At CARI AI, your security and availability are key. We operate on AWS, a global cloud leader, leveraging its advanced technology and security, with certifications such as ISO 27001, ISO 9001, SOC 1, 2 and 3, CSA STAR, NIST CSF, HIPAA, and GDPR. We guarantee your security.

[Image: ISO 9001:2015 and ISO 27001:2013 certification badges]

🌐 Cari AI Certifications

We hold ISO 9001 and ISO 27001 certifications, validating our commitment to excellence in service quality and the highest security in managing your information.

🛡️ Continuity and Resilience

Our architecture, powered by AWS, ensures high availability, resilience, data security with advanced encryption, and horizontal scalability to adapt to your changing needs, guaranteeing a reliable service.

🔒 End-to-End Encryption

At CARI AI, your data is encrypted at rest and in transit using AES-256 for databases and logs, while on WhatsApp, Meta’s APIs ensure end-to-end encryption, protecting your communications with maximum security.

🏢 Secure Multi-Tenant Model

Our platform hosts multiple client companies in a single environment, ensuring full logical isolation of their data. Each client enjoys independent configurations, reports, users, and speakers, guaranteeing privacy and total control.

📊 Hardened Databases

Our databases, based on advanced technology like Aurora MySQL, offer replication, robust encryption, and secure isolation, ensuring the protection and availability of your data.

🔍 Continuous Auditing

At CARI AI, we implement continuous auditing with AWS, leveraging SOC reports and tools like CloudWatch and CloudTrail to monitor logs. We conduct regular internal audits, ensuring compliance and security, protecting your data with maximum transparency and trust.

🤖 Ethical and Transparent Use of Gen AI

At CARI AI, your trust is our priority. Our Generative AI has strict controls and human oversight, ensuring security, transparency, and accountability in every interaction. We innovate with integrity for you!

👥 Secure Authentication

The Cari AI platform offers RBAC authentication with OTP, protecting your data. You manage users (creation, modification, deletion). We define with you the ideal method, from standard to custom integrations, adapting without restrictions.

🛡️ Secure Development

At CARI AI, we apply secure development controls with methodologies like OWASP, preventing security breaches, as well as bias and exposure in LLMs.

We are committed to the security of your data and your clients’ data

Legal and regulatory compliance

DEFYTEK SAS / DEFYTEK S.A. de C.V., operating under the registered trade name Cari AI (hereinafter referred to as “Cari AI”), is a legally constituted entity with Tax ID (NIT) 900.723.497-4, website https://www.qa-cf4c7c1b502f.cariai.com, and email datospersonales@qa-cf4c7c1b502f.cariai.com. Cari AI will act as the Data Controller and Processor for the custody and processing of personal data, and hereby states that:

The collection and processing of personal data by Cari AI is conducted responsibly and lawfully, upholding the right to privacy, habeas data, and personal data protection. This compliance adheres to the norms, procedures, and guidelines established by Cari AI, as well as applicable regulations.

Cari AI ensures proper management of personal data required for its services. To this end, it has defined the following policy, providing appropriate handling as mandated by law. This policy is available to all internal and external stakeholders.

For the purposes of this Personal Data Processing Policy and in accordance with the definitions under Colombian Law 1581 of 2012, the following terms shall be understood as:

  • Authorization: Prior, express, and informed consent from the Data Subject for the processing of personal data.

  • Privacy Notice: Verbal or written communication issued by the Controller to the Data Subject regarding the processing of their personal data. It informs about the applicable data processing policies, how to access them, and the intended purposes of processing.

  • Database: Organized set of personal data subject to processing.

  • Personal Data: Any information linked or linkable to one or more identified or identifiable natural persons.

  • General Data: Contact details such as full name, address, landline phone, mobile phone, email.

  • Specific Data: Varies by relationship type (e.g., income level, financial data, borrowing capacity, gross assets, dependents, family composition, hobbies, owned assets, employment information, marital status).

  • Public Data: Data considered public includes, but is not limited to, information related to marital status, profession, occupation, and status as a merchant or public servant.

  • Sensitive Data: Data affecting the Data Subject’s privacy or whose misuse could lead to discrimination. This includes data revealing racial/ethnic origin, political orientation, religious/philosophical beliefs, trade union membership, affiliation with social/human rights organizations, political party affiliation, health data, sexual life data, biometric data, and medical history. Sensitive data may only be collected, incorporated, and/or stored with the Data Subject’s prior authorization and when necessary for the execution of a contractual relationship, provided such access is permitted by law. Consequently, access, circulation, and processing of sensitive data are restricted and limited to the Data Subject’s authorization and current regulations.

  • Data Processor: Natural or legal person, public or private, that processes personal data on behalf of the Data Controller.

  • Data Controller: Natural or legal person, public or private, that alone or in association with others, determines the database and/or the processing of the data.

  • Data Subject: Natural person whose personal data is subject to processing.

  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

  • Transfer: Occurs when the Controller and/or Processor sends personal data or information to a recipient inside or outside the country.

  • Transmission: Processing of personal data involving its communication within or outside the territory of the Republic of Colombia when aimed at carrying out processing.

Furthermore, Cari AI has assessed the obligations arising from this legislation in the document titled “Cari AI – Obligations of Cari AI as Data Processor”.

Cari AI will comprehensively apply the following principles in accordance with Colombian Law 1581 of 2012:

  1. Principle of Legality in Data Processing:
    Data processing is a regulated activity that must comply with legal provisions and other implementing regulations.

  2. Principle of Purpose:
    Processing must serve a legitimate purpose aligned with the Constitution and the law. This purpose must be disclosed to the Data Subject.

  3. Principle of Freedom (“Libertad”):
    Processing may only be carried out with the prior, express, and informed consent of the Data Subject.

  4. Principle of Truthfulness or Quality:
    Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable.

  5. Principle of Transparency:
    Processing must guarantee the Data Subject’s right to obtain information from the Data Controller or Processor, at any time and without restriction, regarding the existence of data concerning them.

  6. Principle of Restricted Access and Circulation:
    Processing is subject to limitations derived from the nature of the personal data. Consequently, processing may only be performed by individuals authorized by the Data Subject and/or by persons authorized by law.

  7. Principle of Security:
    Information subject to processing by the Data Controller or Processor must be handled with the technical, human, and administrative measures necessary to ensure the security of records, preventing their tampering, loss, unauthorized or fraudulent consultation, use, or access.

  8. Principle of Confidentiality:
    All persons involved in processing personal data that is not public in nature are obligated to guarantee the confidentiality of the information, even after their relationship with any processing-related activities has ended.

Cari AI will process user-authorized information as follows:

General Purposes (all users, students, employees, contractors, suppliers, clients):

  • Prospectively identify stakeholder needs to innovate service delivery.

  • Fulfill obligations from existing contractual relationships.

  • Ensure security of visitors, collaborators, and the general public on Cari AI premises.

  • Communicate with registered users (via systems/web/social media) about:

    • New services, news, events, academic opportunities, publications.

    • Business innovations, special programs, user education campaigns.

    • Commercial events and advertising aligned with company objectives.

  • Continuously assess registered users’ needs to strengthen relationships and foster innovation.

  • Develop social responsibility programs per internal statutes.

  • Share employee data with third parties for contractual/commercial purposes, unless expressly revoked.

  • Enable efficient communication about services and partnerships.

  • Support service/product evolution.

  • Conduct marketing/promotion of own or partnered services.

  • Analyze data for AI-related studies.

  • Measure satisfaction and service quality.

  • Perform statistical studies and market trend analysis.

  • Fraud and money laundering control/prevention.

  • Exchange information under international treaties.

  • Notify about changes to the Data Processing Policy.


Specific Purposes by Group:

Users/Clients:

  • Perform core business functions.

  • Marketing/promotional communications (as above).

Contractors/Suppliers:

  • Execute service contracts/civil-commercial relationships.

  • Monitor commercial behavior and verify suitability.

  • Facilitate awareness of Cari AI’s services.

  • Include in relevant commercial activities/campaigns.

  • Use corporate emails for:

    • Internal communications and employee contact.

    • Corporate event participation.

    • Legal compliance.

Data transfer: Only to entities requiring compliance (public/administrative bodies, regulators, or court order).

Employees (current/former/candidates):

  • Assess personnel objectively/subjectively.

  • Use corporate emails for internal communications/stakeholder contact.

  • Additional uses for collaborators:

    • Verify employment data (for credit/studies/security checks).

    • Conduct internal promotions, credential verification, training.

    • Administrative/financial management related to their role.

    • Offer employee wellness programs and plan corporate activities.

Data transfer: Same as contractors (legal compliance only).


3.1 Sensitive Data Processing

Sensitive/minors’ data requires explicit prior authorization. Processing is permitted only if:

  1. Data Subject gives explicit consent (unless exempt by law).

  2. Necessary to safeguard the Data Subject’s vital interests (if physically/legally incapacitated).

  3. Required to recognize/exercise/defend a right in judicial proceedings.

  4. For historical/statistical/scientific purposes (with anonymization).

Children/adolescents’ data: Subject to the above policy.


3.2 Video Surveillance

Personal data processing includes operations like capturing, storing, or transmitting identifiable images.
Cari AI clarification:

“We do not use video surveillance for legitimate interest purposes. We lack physical infrastructure requiring video monitoring.”


3.3 Cases Exempt from Authorization

Per Article 10 of Law 1581 (2012), authorization is not required for:
a) Information demanded by public/administrative entities exercising legal functions or court order.
b) Public nature data.
c) Medical/sanitary emergencies.
d) Legally authorized historical/statistical/scientific processing.
e) Civil registry data.

Any entity accessing data without authorization must still comply with legal provisions.

Cari AI’s Commitment to Privacy

Cari AI prioritizes safeguarding users’ personal data collected via its website (https://www.qa-cf4c7c1b502f.cariai.com), committing to:

  • Collecting only voluntarily provided data for specific requests (complaints, transactions, interactive features).

  • Never sharing user data with third parties without explicit consent.

  • Automated data processing purposes:
    (i) Managing website services;
    (ii) Analyzing user visits/service usage;
    (iii) Sending information about Cari AI projects/programs;
    (iv) Processing online government services.


1.1 User Rights

Users may exercise these rights per Colombian Law 1581/2012 by emailing datospersonales@qa-cf4c7c1b502f.cariai.com or via Contact Form. Requests must include:

  • Full name

  • Contact details (physical/email address, phone)

  • Response method

  • Reason for request + specific right exercised (access, update, rectify, revoke consent, delete)

  • Signature (if applicable) and ID number


1.2 Cookies & Monitoring

  • Third-party cookies (e.g., Google Analytics) are used to enhance navigation. Users may block/delete cookies via browser settings (note: disabling may limit functionality).

  • Servers automatically log IP addresses and network names for statistical analysis (page views, visit counts).

  • Google Analytics data (including IPs) is stored on U.S. servers. Google may share this data per legal requirements.


1.3 Data Sharing

Cari AI will not share personal data without express consent, except when:

  • Required by administrative authorities or court order.

  • Data is used internally to fulfill contractual processes.

Cari AI implements security measures to prevent data loss/unauthorized access but assumes no liability for third-party breaches.


1.4 Policy Modifications

Cari AI may update Privacy Policies at any time. Continued website use implies acceptance of revised terms.


Annex: Terms of Use

Purpose

www.qa-cf4c7c1b502f.cariai.com provides information/services about Cari AI’s mission, policies, cybersecurity standards, events, and publications. No commercial profit is derived from content/links.

User Obligations

  • Do not alter/block website content or linked pages.

  • Do not use content for advertising.

  • Do not upload obscene, defamatory, discriminatory, or illegal material.

  • Forum/chat participants must refrain from harassment, spam, or viruses.

Intellectual Property

  • All content (texts, graphics, logos) is owned by Cari AI or licensed third parties.

  • Commercial use prohibited without prior authorization. Moral rights of user-generated content remain with creators.

  • IP violation claims: Email datospersonales@qa-cf4c7c1b502f.cariai.com (content will be removed pending resolution).

Jurisdiction

  • Governed by Colombian law (Bogotá courts).

  • If any clause is void, others remain binding.

Participation Rules

Cari AI reserves the right to:

  • Deny registrations without cause.

  • Remove content deemed illegal/offensive.

  • Exclude users violating terms.

  • User-generated forum content is solely the participant’s responsibility.

Cari AI Cookie Policy

Effective: May 27, 2022
Website: https://site.qa-cf4c7c1b502f.cariai.com | qa-cf4c7c1b502f.cariai.com

By browsing this website, you consent to cookie usage as described below.


1. What Are Cookies?

Cookies are files downloaded to your device (computer, tablet, smartphone) when visiting websites. They:

  • Store/retrieve browsing habits.

  • Recognize users (without personally identifying them).

  • Do not damage devices; instead, they help identify/resolve errors.


2. Cookie Classification

By Managing Entity:

| Type | Description |
|---|---|
| First-Party | Set by Cari AI’s domain. |
| Third-Party | Set by external domains (e.g., Google, Facebook). |

By Duration:

| Type | Description |
|---|---|
| Session | Deleted after closing the browser. |
| Persistent | Remain for a defined period (minutes to years). |

By Purpose:

| Type | Function |
|---|---|
| Technical | Enable navigation, security, and basic functions. |
| Preferences | Remember language/browser settings. |
| Analytics | Track behavior to improve services. |
| Advertising | Manage ad spaces (not used by Cari AI). |
| Behavioral Ads | Target ads based on browsing (not used by Cari AI). |

3. Cookies Used on This Website

Cari AI uses first-party and third-party analytics cookies (no advertising cookies):

Google Analytics Cookies:

| Cookie | Duration | Purpose | Level |
|---|---|---|---|
| _ga | 2 years | Distinguishes anonymous users. | 2 |
| _gat | 10 min | Limits request rate. | 2 |
| __utma | 2 years | Tracks visits, first/last visit times. | 2 |
| __utmb | 30 min | Measures session duration. | 2 |
| __utmc | Session | Ends session when browser closes. | 2 |
| __utmz | 6 months | Identifies traffic source (e.g., search engine). | 2 |
| __utmli | 2 years | Generates anonymous user ID. | 2 |

Google Services (Maps, YouTube, Login):

| Cookie | Duration | Purpose | Level |
|---|---|---|---|
| PREF, NID | 2 years | Stores Google account preferences. | 2 |
| SNID, khcookie | Session | Enables Google Maps functionality. | 2 |
| YSC, LOGIN_INFO | Session | Tracks embedded YouTube views. | 2 |
| VISITOR_INFO1_LIVE | 8 months | Estimates bandwidth for YouTube. | 2 |
| APISID, HSID, SID | 2 years | Secures logged-in Google sessions. | 2 |

4. Social Media & Third-Party Plugins

Cookies from these plugins enable content sharing:

  • Twitter: For “Share on Twitter” functionality.

  • LinkedIn: Tracks pages visited (__qcabcookie).

  • Facebook: For “Share on Facebook” functionality.

These cookies are governed by their respective policies.


5. Intrusion Levels

| Level | Description | Example |
|---|---|---|
| 1 | Essential for site functionality. | Login sessions. |
| 2 | Anonymous/internal or third-party services requested by user. | Google Maps, YouTube. |
| 3 | Third-party tracking not explicitly requested. | Behavioral ads (not used here). |

6. Managing Cookies

Configure your browser to:


7. Key Notes

  • 🛡️ No personal data (e.g., name, address) is collected via cookies.

  • 🔒 Third-party data (e.g., Google) is managed under their policies:
    Google’s Privacy Policy | How Google Uses Cookies.

  • 🔄 This policy may be updated; check periodically for changes.

END USER LICENSE AGREEMENT

1. Acceptance of the Agreement

This End User License Agreement (“EULA”) is a legal agreement between you (the “User”) and Defytek, SAS and Defytek, S.A. de C.V. (the “Provider”) for the use of the Cari AI suite software provided as a service (the “Software”). By using the Software, you agree to be bound by the terms of this EULA.

2. Suite Components

The suite is made up of several components: the virtual assistant for building Chatbots, Voicebot, and Mailbot; Janus as the agent module; ION, which extracts information from documents; Gik, which uses generative AI to build copilots or virtual assistants; and Falcon as a workforce management tool. Defytek may add new components or modify its offering.

3. License

The Provider grants the User a non-exclusive, non-transferable, and revocable license to use the Software in accordance with the terms of this EULA. This license is valid only while the User has an active subscription to the Software and is current on their contractual obligations.

4. Restrictions

The User may not:
a. Modify, translate, adapt, or create derivative works of the Software.
b. Decompile, reverse engineer, disassemble, or attempt to derive the source code of the Software.
c. Rent, lease, lend, sell, sublicense, distribute, or transfer the Software to third parties.
d. Use the Software in a manner that violates any law, regulation, or third-party right.

5. Intellectual Property

The Software is the property of the Provider and is protected by copyright laws and international treaties. All rights not expressly granted in this EULA are reserved by the Provider.

End User License Agreement (EULA) Cari AI – January 2024

6. Updates and Support

The Provider may provide updates, improvements, or support for the Software at its discretion. Any update or improvement provided to the User shall be considered part of the Software and shall be subject to the terms of this EULA. Support must be carried out in accordance with the SLA, using the channels and formalities that the SLA establishes.

7. Limited Warranty

The Software is provided “as is,” and the Provider does not warrant that the Software will be free of errors or that it will operate without interruption. The Provider assumes no liability for any damage resulting from the use of the Software.

8. Limitation of Liability

To the maximum extent permitted by applicable law, the Provider shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss of profits or revenue, whether incurred directly or indirectly, or for any loss of data, use, goodwill, or other intangible losses resulting from the use of or inability to use the Software.

9. Confidentiality

You agree to keep confidential all confidential information of the Provider that you obtain in connection with the use of the Software.

10. Termination

This EULA shall remain in effect until terminated. The Provider may terminate this EULA at any time if the User violates any of its terms. Upon termination of this EULA, the User must stop using the Software and destroy all copies of the Software in their possession.

11. Governing Law

This EULA shall be governed by and construed in accordance with the laws of the country where Defytek has its domicile, which may be Colombia or Mexico.

12. Acceptable Use Policies

To keep the Services running securely and smoothly, we need our users/clients to agree not to misuse them. Specifically, the client agrees not to: probe, scan, or test the vulnerability of any system or network used with the Services; tamper with, reverse engineer, or hack the Services, circumvent any security or authentication measure of the Services, or attempt to gain unauthorized access to the Services (or any part of them) or to related systems, networks, or data; modify or disable the Services or use them in any way that interferes with or disrupts the integrity or performance of the Services or of related systems, networks, or data; access or search the Services by any means other than our publicly supported interfaces, or copy, distribute, or disclose any part of the Service in any medium, including without limitation any automated or non-automated “scraping”; overload or attempt to overload our infrastructure by imposing an unreasonable load on the Services that consumes extraordinary resources, such as (i) using “robots,” “spiders,” “offline readers,” or other automated systems to send more request messages to our servers than a human could reasonably send in the same period of time using a normal browser; or (ii) going far beyond the usage parameters of any given Service, as described in its corresponding documentation.

13. Third-Party Tools

If the Services operate or integrate with any third-party tool, (a) Defytek/CariAi may share messaging data with the third-party provider for product interoperability; (b) Defytek/CariAi is not responsible for the acts, omissions, services, applications, technology, policies, or procedures of third parties, including, among others, those related to the third-party provider or its tool; and (c) the third-party provider may modify or discontinue its tool at any time.

14. Generative AI Terms

Defytek/CariAi may use third-party LLMs (large language models) that enable Generative AI, and may use public cloud environments, APIs, and data centers to process the Company’s data. Each third party is responsible for all matters related to its own services. These technologies may generate hallucinations. Defytek/CariAi will implement mechanisms that can minimize these hallucinations.

15. General Provisions

If any provision of this EULA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. This EULA constitutes the entire agreement between the User and the Provider with respect to the use of the Software and supersedes all prior agreements or understandings, whether written or oral.

Cari AI Acceptable Use Policy

Effective: December 2, 2020
Applies to:
(a) All Cari AI services (including successor URLs, mobile/localized versions, and related domains/subdomains)
(b) Communication and messaging products/services
(Collectively, “Services”)

To ensure secure and uninterrupted operation of our Services, users/clients must agree not to misuse them. Specifically, you agree not to:

  1. Probe, scan, or test vulnerabilities in any system/network used with the Services.

  2. Tamper with, reverse engineer, or hack the Services; bypass security/authentication measures; or attempt unauthorized access to:

    • The Services (or any component)

    • Related systems, networks, or data.

  3. Modify, disable, or disrupt the Services’ integrity/performance through interference.

  4. Access/search the Services through means other than our publicly supported interfaces, including:

    • Copying, distributing, or disclosing any part of the Service

    • Automated/non-automated “scraping”.

  5. Overload infrastructure by imposing unreasonable burdens that consume extraordinary resources, such as:

    • (i) Using “robots,” “spiders,” or “offline readers” to send excessive requests beyond human capability

    • (ii) Exceeding documented usage parameters for any Service.

Security Testing Exception

If you wish to evaluate the security of our products/services, Cari AI may—by mutual agreement—provide a dedicated test instance aligned with your project. This allows:

  • Vulnerability analysis

  • Penetration testing

All such activities require formal pre-approval.