1. Introduction

EmbassyOS, operated by Afronovation, Inc. ("we," "our," or "the Platform"), is committed to safeguarding the privacy and security of all personal data processed through our sovereign diplomatic services platform. This Privacy Policy describes how we collect, use, store, and protect information provided by diplomatic missions, government entities, consular staff, and citizens who interact with the Platform.

2. Data We Collect

We collect and process the following categories of personal data:

• Identity Data: Full name, nationality, date of birth, government-issued identification numbers, biometric identifiers (where applicable and legally permitted).
• Contact Data: Email address, phone number, physical address, embassy or consulate affiliation.
• Authentication Data: Encrypted credentials, session tokens, multi-factor authentication metadata.
• Service Data: Visa applications, passport renewal requests, appointment records, document submissions, service request history.
• Technical Data: IP address, browser type, device information, access timestamps, audit trail entries.

3. How We Use Your Data

Personal data is processed exclusively for the following purposes:

• Delivering consular and diplomatic services as requested by authorized government entities.
• Authenticating and authorizing users within the Platform's role-based access control system.
• Maintaining immutable audit trails for regulatory compliance and government accountability.
• Generating anonymized analytics to improve Platform performance and service delivery metrics.
• Communicating service updates, maintenance notifications, and security advisories to authorized personnel.

4. Data Sovereignty and Storage

Each nation's data is cryptographically isolated within its own sovereign tenant. Data is stored in geographically appropriate data centers as determined by the subscribing government entity. Cross-tenant data access is architecturally impossible. For on-premise deployments, all data remains within the sovereign infrastructure designated by the government entity. AES-256 encryption is applied at rest and TLS 1.3 in transit.

5. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Government entities may configure retention policies through the Platform's administration interface. Upon termination of a government entity's subscription, all associated data is securely erased within 90 days, with cryptographic proof of deletion provided.

6. Your Rights

Subject to applicable law and government directives, individuals may have the right to:

• Access personal data held about them within the Platform.
• Request correction of inaccurate personal data.
• Request deletion of personal data (subject to legal retention requirements).
• Object to processing or request restriction of processing.
• Data portability in machine-readable format.

To exercise these rights, contact the relevant embassy or consulate, or reach us at privacy@embassyos.com.

7. Contact

For privacy-related inquiries, contact our Data Protection Officer at dpo@embassyos.com or write to Afronovation, Inc., Attention: Data Protection Officer.

1. Acceptance of Terms

By accessing or using the EmbassyOS platform ("Service"), you agree to be bound by these Terms of Service. The Service is provided exclusively to authorized government entities, diplomatic missions, consular offices, and their designated personnel. Unauthorized access to the Service is strictly prohibited and may be subject to civil and criminal penalties under applicable international and domestic law.

2. Service Description

EmbassyOS is a sovereign-grade software-as-a-service platform designed for diplomatic mission operations. The Service includes citizen service portals, consular workflow automation, secure diplomatic communications, analytics dashboards, and administrative management tools. The Service is provided on a multi-tenant architecture with cryptographic isolation between tenants.

3. Government Entity Obligations

• Designate authorized administrators responsible for user management and access control.
• Ensure all personnel accessing the Service have appropriate security clearances as required by their government.
• Maintain the confidentiality of all authentication credentials issued to their personnel.
• Comply with all applicable laws and regulations governing the processing of citizen and diplomatic data.
• Promptly report any suspected security incidents or unauthorized access to the Platform.

4. Intellectual Property

All intellectual property rights in the Service, including but not limited to software, documentation, user interfaces, and branding, are owned by Afronovation, Inc. Government entities retain full ownership of all data they upload to or generate within the Service. No rights in government data are transferred to Afronovation, Inc. through use of the Service.

5. Service Level Agreement

Afronovation, Inc. commits to 99.9% uptime availability for the Service, measured monthly. Scheduled maintenance windows are communicated at least 72 hours in advance through the Platform's notification system. Emergency security patches may be deployed without advance notice when necessary to protect the integrity of the Service.

6. Limitation of Liability

To the maximum extent permitted by applicable law, Afronovation, Inc.'s total liability arising from or related to the Service shall not exceed the amounts paid by the government entity during the twelve (12) months preceding the event giving rise to liability. In no event shall Afronovation, Inc. be liable for indirect, incidental, consequential, special, or punitive damages.

7. Termination

Either party may terminate the Service agreement with ninety (90) days written notice. Upon termination, all government data will be made available for export in standard formats for a period of thirty (30) days, after which it will be securely and irreversibly deleted with cryptographic proof of deletion provided.

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the service agreement between Afronovation, Inc. ("Processor") and the subscribing government entity ("Controller"). It governs the processing of personal data by the Processor on behalf of the Controller in connection with the EmbassyOS platform. This DPA is designed to comply with the European Union General Data Protection Regulation (GDPR), the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), and applicable national data protection legislation.

2. Processing Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization. The Processor shall immediately inform the Controller if an instruction infringes applicable data protection law.

3. Security Measures

The Processor implements the following technical and organizational security measures:

• AES-256 encryption for data at rest; TLS 1.3 for data in transit.
• Row-Level Security (RLS) enforcing tenant isolation at the database layer.
• Multi-factor authentication for all administrative access.
• Immutable audit logging of all data access and modification events.
• Regular penetration testing and vulnerability assessments by independent third parties.
• Incident response procedures with notification to the Controller within 72 hours of a confirmed breach.

4. Sub-Processors

The Processor shall not engage any sub-processor without prior written authorization from the Controller. A current list of authorized sub-processors is maintained and made available upon request. The Processor shall impose equivalent data protection obligations on all sub-processors through binding contractual agreements.

5. International Data Transfers

Where personal data is transferred outside the territory of the Controller, the Processor ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by relevant data protection authorities, or deployment within sovereign infrastructure designated by the Controller.

6. Audit Rights

The Controller has the right to conduct audits, including inspections, of the Processor's data processing activities. The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall contribute to audits conducted by the Controller or an auditor mandated by the Controller.

1. What Are Cookies

Cookies are small text files stored on your device when you access the EmbassyOS platform. They are essential for providing secure authentication, maintaining session state, and ensuring the proper functioning of the Platform. EmbassyOS is designed with privacy-first principles and minimizes cookie usage to what is strictly necessary for Platform operation.

2. Types of Cookies We Use

3. No Third-Party Tracking

EmbassyOS does not use third-party advertising cookies, social media tracking pixels, or analytics services that share data with external parties. All analytics are processed internally within the Platform's sovereign infrastructure. No personal data is shared with advertising networks or data brokers under any circumstances.

4. Managing Your Preferences

You can manage your cookie preferences through the consent banner displayed on your first visit to the Platform. Essential cookies cannot be disabled as they are required for the Platform to function securely. You may also configure your browser to block or delete cookies, though this may impact your ability to use certain features of the Platform.

1. Regulatory Framework

EmbassyOS is designed and operated in compliance with the following regulatory frameworks and international standards:

• GDPR (EU): Full compliance with the European Union General Data Protection Regulation, including data minimization, purpose limitation, and data subject rights.
• Malabo Convention (AU): Alignment with the African Union Convention on Cyber Security and Personal Data Protection.
• ISO 27001: Information security management system architecture following ISO 27001:2022 controls.
• SOC 2 Type II: Trust services criteria for security, availability, processing integrity, confidentiality, and privacy.
• Vienna Convention: Respect for diplomatic immunity and privileges in the digital processing of consular data.

2. Security Certifications

3. Incident Response

Afronovation, Inc. maintains a comprehensive incident response plan that includes:

• 24/7 security monitoring and automated threat detection.
• Notification to affected government entities within 72 hours of a confirmed security incident.
• Root cause analysis and remediation report provided within 30 days of incident resolution.
• Annual tabletop exercises simulating security incidents to test response procedures.

4. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in the EmbassyOS platform, please report it to security@embassyos.com. We commit to acknowledging receipt within 24 hours and providing an initial assessment within 5 business days. We do not pursue legal action against individuals who report vulnerabilities in good faith.