Jungle Tech policy library

Information We Collect

• Account details: name, email, and contact information created during sign-up.
• Payment information: processed securely via Stripe or PayPal. Full card details are not stored on Jungle Tech servers.
• Communications: emails, support requests, and phone numbers provided for informational requests.
• Phone numbers: collected only when a user initiates contact and explicitly requests information via text.
• Consent logs: records of verbal or digital "opt-in" to receive SMS.
• Device data: IP address, browser type, and operating system.
• Usage data: collected through cookies and analytics such as Google Analytics.
• Limited third-party data from trusted partners including Microsoft Azure for hosting/authentication and Unity Technologies for VR functionality.

How We Use Information

• Provide, maintain, and improve software and VR services.
• Process transactions and deliver purchased products.
• Send requested informational SMS messages such as follow-up details or requested links.
• Monitor usage, troubleshoot issues, and ensure hybrid SaaS platform security.
• Comply with legal obligations and prevent fraud.

Sharing and Disclosure

Information is shared only with service providers such as hosting, analytics, and payment partners under strict confidentiality obligations.

• No sale of data: Jungle Tech does not sell or rent personal data to third parties.
• SMS privacy commitment: no mobile information is shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator data and consent are not shared with any third parties.

SMS Program Terms

• Consent: messages are sent only after a user explicitly asks for information via text. Jungle Tech does not send unsolicited marketing or promotional SMS.
• Opt-out: reply STOP at any time to unsubscribe.
• Support: reply HELP or contact support@junglet.com.
• Rates: message and data rates may apply depending on carrier.

Data Security

• Encryption at rest using AES-256.
• Encryption in transit using TLS 1.2+.
• Systems hosted on Microsoft Azure with automated security guardrails and multi-factor authentication.

Retention, Transfers, and Rights

• Data is retained only as long as necessary for the stated purposes or as required by law.
• Data may be processed in the United States or other regions where partners operate, with transfers handled in compliance with applicable laws such as GDPR.
• Depending on region, users may access, correct, delete, copy, port, or request limits on processing of their personal data, including SMS consent withdrawal.
• Users may opt out of analytics or marketing communications.
• Requests can be sent to privacy@junglet.com.

Children's Privacy and Contact

• Services are not intended for children under 13, or 16 in the EU, and Jungle Tech does not knowingly collect data from minors.
• Questions about the policy can be sent to support@junglet.com.
• Location: Nevada, USA.

Related Policy Library

• AI Ethics & Governance Policy
• Terms of Service
• Human Resources Security Policy
• Employee Security Best Practices Policy
• Access Control & Password Policy
• Cryptographic Control Policy
• Clear Desk & Clear Screen Policy
• Information Security Policy
• Supplier Security Policy

Purpose and Framework Alignment

Jungle Tech states that its AI systems are developed in alignment with the NIST AI Risk Management Framework to identify, assess, and manage risks related to individuals, organizations, and society.

Human Oversight and Transparency

• Human-in-the-loop review is applied to material aspects of AI systems to ensure accuracy, safety, and contextual relevance.
• Systems are designed for sufficient transparency, with documentation that helps enterprise customers understand and explain how the AI functions.

Data Integrity and Legal Compliance

• Compliance with applicable data protection laws including GDPR and CCPA for personal, user, or device-identifiable information.
• Maintenance of all necessary consents, licenses, and permissions for training data use.
• Open source usage must not force disclosure or restrictive licensing of customer intellectual property.

Technical Safeguards and Accountability

• A "circuit-breaker" mechanism in Azure supports immediate interruption of AI operations on valid customer instruction or critical anomaly detection.
• Automatic logging provides traceability, auditability, and accountability throughout the operational lifecycle.

Testing, Warranties, and Governance Roles

• Ongoing QA and anti-bias testing is used to maintain technical robustness, reduce discriminatory outputs, and validate legal and industry alignment.
• Jungle Tech can provide compliance evidence such as test logs, bias audits, and NIST alignment documentation upon reasonable request.
• Jungle Tech will assist customers with legal and regulatory obligations related to the AI systems it provides.
• Executive accountability sits with the CEO, and technical enforcement is maintained by the Lead DevOps & Security Engineer.

Acceptance, Eligibility, and Accounts

• Using Jungle Tech services means accepting the Terms of Service.
• Users must be at least 18 years old and legally able to enter a binding agreement.
• Users must provide accurate account information and protect their credentials.
• Jungle Tech may suspend or terminate accounts that violate the terms.

Intellectual Property and Acceptable Use

• All content, code, software, VR assets, logos, and trademarks are owned by Jungle Tech or its licensors.
• Users receive a personal, non-exclusive, non-transferable license to use the services for intended purposes.
• Users may not decompile, reverse engineer, extract source code, violate law, send malware, interfere with systems, or harass others in VR or digital environments.

Liability, Disputes, and SMS Terms

• Services are provided "as is" and "as available," and Jungle Tech limits liability for indirect, incidental, or consequential damages to the fullest extent permitted by law.
• Disputes are governed by USA law and resolved through binding arbitration in Las Vegas, Nevada.
• The informational SMS program is opt-in only, does not send marketing/promotional messages, and supports STOP for opt-out and HELP for support.
• Mobile information is not shared with third parties or affiliates for marketing or promotional purposes.

Updates and Contact

• Jungle Tech may update the terms and will notify users of significant changes by posting updates on the website.
• Questions can be sent to support@junglet.com.

Scope and Pre-Employment Screening

• Applies to full-time employees, part-time employees, contractors, and founding members.
• Mandatory background screening includes identity verification, criminal background checks, employment history verification, educational verification, drug testing, and reference checks before access is granted.
• Current founding staff have been internally vetted to meet these standards.

Onboarding and Ongoing Training

• Security is a condition of employment.
• Personnel must review and sign security policies and acceptable use requirements.
• Initial training covers phishing, credential hygiene in Microsoft Entra ID, and client data protection.
• Employees must sign an NDA and IP assignment agreement.
• Annual refreshers and periodic threat briefings keep staff aligned with GDPR and NIST-related expectations.

Discipline and Offboarding

• Security violations may lead to retraining, temporary suspension of access, or termination of employment.
• At termination, access to Azure, email, GitHub, Slack, and other systems is revoked within 24 hours, or immediately for involuntary terminations.
• Company-owned hardware must be returned, and post-employment confidentiality obligations remain in force.

Core Principles

• Security is everyone's responsibility.
• Microsoft Authenticator-based MFA is mandatory for all system logins.
• A zero-trust mindset is required for all networks, including home, cafe, and client environments.
• Lost devices, suspicious emails, or unauthorized visitors must be reported immediately to support@junglet.com.

Customer Information and Asset Handling

• Customer data is treated as Restricted and must not be stored on personal devices, local desktops, or unencrypted USB drives.
• Personal cloud storage for customer data is prohibited.
• Customer project details are shared strictly on a need-to-know basis.
• Client data transfers should use secure Azure-hosted sharing portals rather than email attachments.
• Workstations must remain encrypted and security agents such as Microsoft Defender must not be disabled.

Email, Software, and Compliance

• Employees must verify senders, avoid suspicious attachments, and treat email as a major attack vector.
• Only approved software may be used.
• Third-party plugins, AI tools, and 3D assets must be vetted before installation.
• Pirated software is prohibited.
• Browser extensions should be kept to an absolute minimum.
• Compliance is monitored via Microsoft Defender and Azure logs and violations may lead to disciplinary action.

Identity and Access Management

• Every user must have a unique account and credential sharing is prohibited.
• Role-based access control is used to align permissions with job function.
• Just-in-time access should be used for privileged access where possible.

Password and MFA Standards

• Passwords must be at least 14 characters and include uppercase, lowercase, numbers, and symbols.
• New passwords cannot match the previous 10 passwords.
• Passwords must not contain the user's name, username, or "JungleTech."
• MFA is mandatory across corporate systems including email, Azure, GitHub, and Slack.
• Authenticator apps or hardware keys are preferred, while SMS-based MFA is discouraged.

Protection, Sessions, and Termination

• Approved password managers such as Bitwarden or 1Password must be used.
• Passwords may not be written down, stored in spreadsheets, or sent over Slack or email.
• Application passwords must be salted and hashed using standards such as Argon2 or bcrypt.
• Accounts lock after 5 failed login attempts in 15 minutes.
• Administrative sessions time out after 60 minutes of inactivity, and device screens must lock after 5 minutes.
• Access is revoked immediately upon involuntary termination and by end of day on voluntary departure.

Approved Algorithms

• Data at rest: AES with 256-bit keys.
• Data in transit: TLS 1.2 or 1.3.
• Digital signatures: RSA or ECDSA with 3072-bit RSA or 256-bit ECC minimums.
• Password hashing: Argon2, bcrypt, or PBKDF2 with high iteration counts and salting.
• Data integrity hashing: SHA-2 or SHA-3 with SHA-256 or stronger.

Encryption Requirements

• Azure Blob Storage and Managed Disks must have Azure Storage Service Encryption enabled.
• Azure SQL and Postgres databases must use Transparent Data Encryption.
• Company laptops must use full-disk encryption such as BitLocker or FileVault.
• Public traffic must use HTTPS over TLS 1.2+ and older SSL/TLS versions are disabled.
• Internal service traffic and remote administrative access must use encrypted channels.

Key Management and Compliance

• Azure Key Vault is used as the centralized key management system.
• Production key administration is separated from application development duties.
• Keys should be generated within KMS with HSM support where needed.
• Production keys must rotate at least annually or immediately upon suspected compromise.
• Keys must be backed up to a geo-redundant vault.
• Secrets and tokens must never be hardcoded or committed to source control.
• Azure Policy is used to block resources that do not meet encryption standards.
• Systems using deprecated algorithms such as MD5, SHA-1, or DES must be upgraded or removed within 30 days of discovery.

Clear Screen Requirements

• Computers must auto-lock with password-protected screen savers after a maximum of 5 minutes of inactivity.
• Employees must manually lock screens whenever leaving a workstation.
• Monitors should not be visible to unauthorized people and privacy filters must be used in public settings.
• At the end of meetings, shared screens must be closed and whiteboards with sensitive material erased.

Clear Desk, Disposal, and Hardware Security

• Sensitive paperwork must be stored in locked drawers or cabinets when workstations are unattended.
• Passwords, PINs, and MFA codes must never be left on sticky notes or visible surfaces.
• USB drives, external hard drives, and encrypted VR hardware prototypes must be locked away at the end of the business day.
• Paper records containing sensitive information must be shredded securely.
• Faulty or retired storage media must be handed to the Security Lead for secure destruction.
• Laptops must never be left unattended in shared or public spaces and should be secured overnight.
• Keys for secure storage must not be left in locks or unsecured drawers.

Compliance and Monitoring

• The Security Lead may conduct periodic spot checks.
• Repeated non-compliance can result in coaching and formal disciplinary action.

Governance and Risk Management

• Annual security risk assessments identify threats to cloud infrastructure and Unity applications.
• Jungle Tech maintains alignment with industry-standard frameworks such as SOC 2 and NIST and complies with contractual security obligations.

Access, Data Protection, and SDLC

• Least privilege access is enforced.
• MFA is mandatory for corporate email, Azure, and source code repositories.
• User access rights are reviewed quarterly.
• Sensitive data is encrypted at rest using AES-256 and in transit using TLS 1.2+.
• Information is classified as Public, Internal, Confidential, or Restricted, with controls applied by category.
• All code changes require peer review before production merge.
• Static application security testing is used during builds.
• Development, staging, and production are logically separated in Azure.

Assets, Continuity, and Violations

• Jungle Tech keeps an up-to-date inventory of hardware and software assets.
• Remote devices must be encrypted, password-protected, and managed through MDM software.
• An incident response plan is maintained for identifying, containing, and eradicating threats.
• Confirmed partner-related breaches are reported within contractually required timeframes.
• Critical data is backed up daily in a geo-redundant manner.
• Security awareness training is required on hire and annually thereafter.
• Violations may lead to disciplinary action up to and including termination.

Scope and Responsibilities

• Applies to any external entity that accesses Jungle Tech systems, processes Jungle Tech data, or provides critical infrastructure.
• The CEO approves high-level supplier contracts and budgets.
• The Lead DevOps & Security Engineer performs technical risk assessments and monitors supplier access to Azure.

Selection, Infrastructure, and Contractors

• New suppliers must pass a security review covering compliance certifications, financial stability, and audit rights.
• Preferred tier-1 providers include Microsoft Azure for cloud hosting, Microsoft Entra ID for identity, and Stripe or PayPal for payments.
• Individual contractors must sign NDAs and IP assignment agreements, use approved MFA, and follow the acceptable use policy.

Monitoring and Offboarding

• Quarterly reviews are conducted for third-party access accounts in Microsoft Entra ID.
• Suppliers must notify Jungle Tech within 24 hours of any security breach affecting Jungle Tech data.
• Upon termination, logical access such as API keys and user accounts is revoked immediately.
• Certificates of data destruction may be requested where sensitive data was hosted.
• Supplier removal from Azure VNet and firewall allowlists is verified during offboarding.