BEAR COGNITION, INC –

DATA GOVERNANCE AND CLASSIFICATION POLICY

Date: May 2021

I. Introduction

 

A. Purpose

 

  1. The objective of this policy is to establish a Data Governance and Classification program to protect the confidentiality, integrity, and availability of data collected by or held by BEAR COGNITION, INC (hereinafter “the Company”).  The data held by the Company, whether in Information Systems or otherwise, is a valuable asset of the business and the Company has implemented information security policies to protect it.  However, different types of data have different degrees of sensitivity and confidentiality and should therefore be treated differently.  The ultimate goal of this policy is to, where possible, limit access to data to only those persons who require access in order to perform necessary and authorized job functions, in accordance with the information security principle of least privilege, and to manage data collection, processing, transfer, and storage in compliance with state, federal, and international laws and regulations where applicable.  The policies stated herein have been adopted based on a risk assessment of the Company, which identified its critical assets and potential threats and developed mitigation strategies based on a cost/benefit analysis.  It is the goal of the Company to educate and train its employees on the elements of this policy in order to establish an appropriate security posture.

 

B. Goals

 

  1. The Data Governance Policy addresses data governance structure, including but not limited to data access, data usage, and data integrity and integration.  By adoption of this policy, the Company intends to:

    1. Establish appropriate responsibility for the management of data held by the Company as a Company asset.

    2. Improve ease of access and ensure that once data is located, users are able to interpret the data correctly and consistently.

    3. Improve the Company's data security, including confidentiality and protection from loss.

    4. Improve the integrity of Company data, resulting in greater accuracy, timeliness and quality of information for decision-making.

    5. Establish standard definitions for critical Company data to promote data integrity and consistency.

    6. Define Company policies relating to how data should be managed with respect to data subject requests for inspection, portability, or erasure.

 

C. Definitions

 

  1. Director of Technology (DoT) – The DoT is responsible for overseeing all Company activities related to the development, implementation, maintenance, and adherence to the organization’s policies and procedures affecting the privacy of, and access to, information belonging to or in the possession of the Company.  The DoT is charged to provide development guidance and assist in the identification, implementation, and maintenance of Company information privacy policies and procedures in coordination with the Systems Administrator (SysAdmin), Operations Engineer, and Company legal counsel.  The DoT is also tasked with monitoring the Company’s compliance with the policy statements set forth herein, advising and training the Company’s employees on applicable privacy and data governance practices, responding to regulatory inquiries regarding the Company’s privacy and data governance practices, and performing Privacy Impact Assessments as appropriate.
     

  2. Custodian – The Custodian of information is generally responsible for the processing and storage of the information. The Custodian is responsible for the administration of controls as specified by the Information Owner. Responsibilities may include:

    1. Providing and/or recommending physical safeguards.

    2. Providing and/or recommending procedural safeguards.

    3. Administering access to information.

    4. Releasing information as authorized by the Information Owner, the DoT, and/or the SysAdmin for use and disclosure in a manner consistent with Company policies and using procedures designed to protect the privacy of the information.

    5. Evaluating the cost effectiveness of controls.

    6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the SysAdmin.

    7. Promoting employee education and awareness by utilizing programs approved by the SysAdmin, where appropriate.

    8. Reporting promptly to the SysAdmin the loss or misuse of Company information.

    9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
       

  3. Data Subject – As referenced herein, a “Data Subject” is defined as any identified or identifiable person regarding whom Public Information or Nonpublic Information is collected, processed, shared, or stored, including but not limited to customers and employees of the Company.
     

  4. Systems Administrator (SysAdmin) – The SysAdmin is responsible for implementing the Company’s security and privacy controls and ensuring that the Company complies with applicable security and privacy laws, policies, and regulations as directed by management.  The SysAdmin reports to the DoT on these issues and is delegated authority from the DoT to perform the tasks necessary to meet all applicable obligations.  The SysAdmin must: (i) possess professional qualifications and certifications, including training and work experience, required to administer the cybersecurity functions; (ii) manage the Company’s security professionals, including the hiring and training of qualified security personnel; and (iii) assure that resources allocated to meeting security and privacy obligations are utilized in an efficient and productive manner. The SysAdmin may delegate implementation and execution of tasks referred to the SysAdmin herein to the Operations Engineer, but shall not delegate policy- or decision-making authority assigned herein.
     

  5. Information Owner – The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual within the Company. The Information Owner has the responsibility for:

    1. Knowing the type of information for which they are responsible.

    2. Determining a data retention period for the information, relying on advice from the DoT, senior management, and legal counsel.

    3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the organizational unit.

    4. Authorizing access and assigning custodianship.

    5. Specifying controls and communicating the control requirements to the custodian and users of the information.

    6. Reporting promptly to the SysAdmin the loss or misuse of Company information.

    7. Initiating corrective actions when problems are identified.

    8. Promoting employee education and awareness by utilizing programs approved by the DoT or SysAdmin, where appropriate.

    9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any information system to manage information.
       

  6. Information System - Information Systems means all network-related systems, including but not limited to computer equipment, servers, routers, switches, handheld devices, copiers, printers, software, operating systems, storage media, network accounts providing electronic mail, web services, video and instant messaging, WWW browsing, file shares and FTP, whether maintained on-premises or through cloud services, that are licensed by the Company or are the property of the Company. These systems are to be used for business purposes in serving the interests of the Company and its customers in the course of normal operations. An Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.
     

  7. Multi-Factor Authentication - Multi-Factor Authentication means authentication through verification of at least two of the following types of authentication factors: 

    1. Knowledge factors, such as a password; or

    2. Possession factors, such as a token or text message on a mobile phone; or

    3. Inherence factors, such as a biometric characteristic.
       

  8. Nonpublic Information - Nonpublic Information shall mean all electronic information that is not Publicly Available Information (excluding anonymized or aggregated de-identified personal data) and is:

    1. Business-related information of the Company, the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Company;

    2. Any information concerning an identifiable person, including but not limited to: (A) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; (B) characteristics of protected classifications under state or federal law; (C) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (D) biometric information; (E) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding an identifiable person’s interaction with an Internet Web site, application, or advertisement; (F) geolocation data; (G) audio, electronic, visual, thermal, olfactory, or similar information; (H) professional or employment-related information; (I) education information; (J) inferences drawn from any of the information described in the foregoing categories to create a profile about an identifiable person reflecting such person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; or any information concerning an individual which, because of name, number, personal mark, or other identifier, can be used to identify such individual, in combination with any one or more data elements which can be used to identify an individual, including but not limited to the following data elements: (i) social security number, (ii) driver’s license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records.

    3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.
       

  9. Privacy Impact Assessment (PIA) – As described herein, the Privacy Impact Assessment is an exercise performed prior to the initiation of a new project or venture involving the collection, processing, sharing, or storage of information relating to Data Subjects, which will evaluate the effect that the initiative will have on the information of Data Subjects and the Company’s ability to manage that data in compliance with the policy statements set forth herein.
     

  10. Principle of Least Privilege - A fundamental information security principle, "least privilege" means giving a User account only those privileges or data resources that are essential to perform its authorized function or responsibilities.
     

  11. Publicly Available Information - Publicly Available Information means any information that the Company has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.
     

  12. For the purposes of the definition of Publicly Available Information, the Company has a reasonable basis to believe that information is lawfully made available to the general public if the Company has taken steps to determine:

    1. That the information is of the type that is available to the general public; and

    2. Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.
       

  14. Security Event - Security Event means a Log Entry with a negative consequence or potentially negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, unauthorized access to sensitive data or execution of malicious code that destroys data.
     

  15. Security Incident - Security Incident means a violation or imminent threat of violation of computer security policies, acceptable use policies, standard security practices or one or more credible Security Events.
     

  16. Sensitive Personal Information - Sensitive Personal Information means personal information of a Data Subject relating to: (A) Racial or ethnic origin; (B) Political opinions or affiliation; (C) Religious or philosophical beliefs or affiliation; (D) trade union membership; (E) health or sex life; (F) genetic data; and (G) biometric data.
     

  17. User - User means any person who has been authorized to use the Company's Information Systems or access, process, or modify Confidential Information or information relating to the Company.
     

  18. User – The User is any person who has been authorized by the Company to read, enter, or update information. A user of information is expected to:

    1. Access information only in support of their authorized duties or job responsibilities.

    2. Comply with the Company’s information security program policies and procedures and with all controls established by the owner and custodian.

    3. Refer all disclosures of sensitive or confidential information to persons without authority to access said information.

    4. Keep personal authentication devices (e.g. passwords, tokens, PINs, etc.) confidential.

    5. Report promptly to the SysAdmin the loss or misuse of Company information.

    6. Initiate corrective actions when problems are identified.
       

  19. User Management – Company management who supervise Users as defined above. User Management is responsible for overseeing their employees' use of information, including:

    1. Reviewing and approving all requests for employees’ access authorizations.

    2. Initiating security change requests to keep employees' security record current with their positions and job functions.

    3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.

    4. Revoking physical access to terminated employees, e.g., confiscating keys, changing combination locks, etc.

    5. Providing employees with the opportunity for training needed to properly use the computer systems.

    6. Reporting promptly to the SysAdmin the loss or misuse of Company information.

    7. Initiating corrective actions when problems are identified.

    8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any information system to manage information.

 

D. Roles and Responsibilities
 

  1. Director of Technology (DoT) – The DoT is responsible for overseeing all Company activities related to the development, implementation, maintenance, and adherence to the organization’s policies and procedures affecting the privacy of, and access to, information belonging to or in the possession of the Company.  The DoT is charged to provide development guidance and assist in the identification, implementation, and maintenance of Company information privacy policies and procedures in coordination with the Systems Administrator (SysAdmin), Operations Engineer, and Company legal counsel.  The DoT is also tasked with monitoring the Company’s compliance with the policy statements set forth herein, advising and training the Company’s employees on applicable privacy and data governance practices, responding to regulatory inquiries regarding the Company’s privacy and data governance practices, and performing Privacy Impact Assessments as appropriate.
     

  2. Custodian – The Custodian is an operational role within a business unit, which involves certain responsibilities with regard to the safeguarding of information.  To the extent that the role is defined relative to business units and information, there will likely be many individuals within the Company who assume the role of “Custodian.”  In general, the Custodian of information is generally responsible for the processing and storage of the information. The Custodian is responsible for the administration of controls as specified by the Information Owner. Responsibilities may include:

    1. Providing and/or recommending physical safeguards.

    2. Providing and/or recommending procedural safeguards.

    3. Administering access to information.

    4. Releasing information as authorized by the Information Owner, the DoT, and/or the SysAdmin for use and disclosure in a manner consistent with Company policies and using procedures designed to protect the privacy of the information.

    5. Evaluating the cost effectiveness of controls.

    6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the SysAdmin.

    7. Promoting employee education and awareness by utilizing programs approved by the SysAdmin, where appropriate.

    8. Reporting promptly to the SysAdmin the loss or misuse of Company information.

    9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
       

  3. Systems Administrator (SysAdmin) – The SysAdmin is responsible for implementing the Company’s security and privacy controls and ensuring that the Company complies with applicable Company security and privacy policies.  The SysAdmin reports to the DoT on these issues and is delegated authority from the DoT to perform the tasks necessary to meet all applicable obligations.  The SysAdmin must: (i) possess professional qualifications and certifications, including training and work experience, required to administer the cybersecurity functions; (ii) manage the Company’s security professionals, including the hiring and training of qualified security personnel; and (iii) assure that resources allocated to meeting security and privacy obligations are utilized in an efficient and productive manner. The SysAdmin may delegate implementation and execution of tasks referred to the SysAdmin herein to the Company IT Personnel, but shall not delegate policy- or decision-making authority assigned herein.
     

  4. Information Owner – The Information Owner is an operational role within a business unit, which involves certain responsibilities with regard to defining the safeguards to be applied to information.  To the extent that the role is defined relative to business units and information, there will likely be many individuals within the Company who assume the role of “Information Owner” with respect to specific sets of information.  In general, the Information Owner is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual within the Company. The Information Owner has the responsibility for:

    1. Knowing the type of information for which they are responsible.

    2. Determining a data retention period for the information, relying on advice from the DoT, senior management, and legal counsel.

    3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the organizational unit.

    4. Authorizing access and assigning custodianship.

    5. Specifying controls and communicating the control requirements to the custodian and users of the information.

    6. Reporting promptly to the SysAdmin the loss or misuse of Company information.

    7. Initiating corrective actions when problems are identified.

    8. Promoting employee education and awareness by utilizing programs approved by the DoT or SysAdmin, where appropriate.

    9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any information system to manage information.
       

  5. User – As defined herein, a User is expected to:

    1. Access information only in support of their authorized duties or job responsibilities.

    2. Comply with the Company’s information security program policies and procedures and with all controls established by the owner and custodian.

    3. Refer all disclosures of sensitive or confidential information to persons without authority to access said information.

    4. Keep personal authentication devices (e.g. passwords, tokens, PINs, etc.) confidential.

    5. Report promptly to the SysAdmin the loss or misuse of Company information.

    6. Initiate corrective actions when problems are identified.
       

  6. User Management – Company management who supervise Users as defined above. User Management is responsible for overseeing their employees' use of information, including:

    1. Reviewing and approving all requests for employees’ access authorizations.

    2. Initiating security change requests to keep employees' security record current with their positions and job functions.

    3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.

    4. Revoking physical access to terminated employees, e.g., confiscating keys, changing combination locks, etc.

    5. Providing employees with the opportunity for training needed to properly use the computer systems.

    6. Reporting promptly to the SysAdmin the loss or misuse of Company information.

    7. Initiating corrective actions when problems are identified.

    8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any information system to manage information.

 

E. Noncompliance

  1. Waivers and/or risk acceptance for any variation, modification, delay, or failure to implement a control set forth herein must be submitted to the DoT, SysAdmin, or delegated representative for decision or guidance and any such waiver and/or risk acceptance must be documented, with such documentation stored with the copy of this policy in the Company’s official records.

  2. Any User exceeding assigned privileges could be subject to loss or limitations on use of information systems or resources, as well as disciplinary and/or legal action, including but not limited to termination of employment and/or referral for criminal prosecution.

 

II. Policy Statement

 

A. Data Access by Users

 

  1. One purpose of the Data Governance and Classification Policy is to ensure that authorized Users have appropriate access to Company data and information.  While the Company has a responsibility to protect the security of data and information in its possession, the processes and procedures set forth herein to protect that data should not unduly interfere with the efficient conduct of the Company's operations.
     

  2. The value of the data to the Company is increased when it is available where necessary and used appropriately; its value is diminished through misuses, misinterpretation, corruption, or when unnecessarily restricted or unavailable when needed.
     

  3. The Company will protect its data assets through security measures that enforce the proper use of data when accessed with authorization.
     

  4. Every data item will be classified by the relevant Information Owner to have an appropriate level of access, commensurate with the information security principle of least privilege.
     

  5. The relevant Custodian is charged with implementing controls appropriate to the classification set forth by the Information Owner and will provide the technology framework for data access to be provisioned to authorized Users. Specifically, Custodians shall implement group-based policy restrictions, classifying data files consistent with restrictions identified by Information Owners and limiting User access based on policies approved by Information Owners and User Management.
     

  6. Any User may appeal the denial of access to User Management; if the appeal is denied, access may be appealed to the Information Owner if necessary.

 

B. Data Access by Data Subjects

 

  1. In some jurisdictions, Data Subjects (including some customers and employees of the Company) have rights to determine how their data is collected, processed, shared, or stored.  In general, the Company shall act as a “processor” with respect to any personal data processed on behalf of its customers, who will act as “controllers,” as those terms are defined in the GDPR. To establish uniformity within the Company with regard to the processing of Data Subject data, the Company has adopted the following policies, the terms of which are incorporated herein by reference:

    1. Data Subject Request for Access, Portability, Rectification, and/or Erasure (attached hereto as Appendix A).

  2. To establish uniformity in the collection and storage of data within the Company, the Company has adopted the following policies, the terms of which are incorporated herein by reference:

    1. Information Asset Management Controls (attached hereto as Appendix B).

  3. The terms set forth in the above policies shall be enforced subject to Section I(E) above.

 

C. Data Usage

 

  1. Another purpose of the Data Governance and Classification Policy is to ensure that Company data is not misused or used unethically, according to applicable law and regulations and with due consideration for individual privacy.
     

  2. Users must only access and use data as necessary for the performance of their job functions, subject to authorization levels and security policies established by the Custodian.  Data should not be accessed for personal gain or for other inappropriate purposes.
     

  3. Updating Data – Authority to update Company data may be granted by Custodians and User Management to those persons whose job duties specify and require responsibility for updating such data.  Custodians should ensure that adequate security controls and/or change management procedures have been implemented to manage “updates” to critical Company data, their definitions and processes, and enable recovery of original data if the integrity of data is compromised by the update.
     

  4. Data Disclosure – Disclosure of Company data must be controlled in accordance with the Company's security policies and practices.  Appropriate and authorized uses must be considered before sensitive data may be disclosed to internal or external persons. Unauthorized disclosure of data to internal or external persons is a violation of this policy.
     

  5. Responsible Processing - The Company should only collect and/or process Nonpublic Information in a manner permitted by applicable law. Some jurisdictions place specific limitations on the types, amount, and duration of personal data that may be collected or processed. In addition to instances where such collection/processing is explicitly limited by statute, regulation, or otherwise, the Company should aspire to the following data governance principles:

    1. limit the collection of personal data to that which is adequate, relevant, and reasonably necessary for the purposes for which it is being processed;

    2. refrain from processing personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, without the Data Subject’s consent;

    3. refrain from processing personal data in a discriminatory manner that violates state or federal laws; and

    4. obtain consent from the Data Subject prior to processing Sensitive Personal Information.

 

D. Data Integration

 

  1. Purpose - Data integration refers to the ability of data to be assimilated across Information Systems.  Effective data integration requires both that the integrity of the data be uncompromised and that a data model, with corresponding data structures and domains, be developed.
     

  2. Prohibition on Using Centralized Data on Non-Centralized Systems - Downloading individually identifiable data from central systems to electronic files for the purpose of uploading or connecting the data to non-central systems (ex: shadow systems, external vendors) without the knowledge and authorization of the SysAdmin and Custodian is not supported and introduces risks associated with data integrity, security, and long-term sustainability of information systems that may not be mitigated due to the nature of the practice.  Specifically, changes to the centralized data-set or the non-centralized data-set will not be mirrored to the other version, resulting in corruption/incompleteness of the data-set.  Furthermore, uploading centralized data to a non-centralized resource could result in modification of the data by interpretation (ex: removing fields, transposing fields), thereby corrupting the integrity of the data.
     

  3. Instance-Specific Approval from SysAdmin and Custodians – Approvals received from a Custodian for integration of data sets shall be specific and apply only to the authorized instance.  Integration approved at one time should not be inferred for future instances, which may be subject to new or changed conditions.  Furthermore, approvals should be documented for purposes of change management; failure to obtain new approvals would result in a gap in change management documentation.

 

E. Data Integrity

 

  1. Verification – Data systems and/or processes that are involved in the creation of Company reports should incorporate data integrity verification and validation processes that ensure the highest levels of data integrity where possible.  Validation processes may need to include reconciliation measures (ex: checksums, hash totals, record counts, test sets) to ensure that software performance meets expected outcomes.  Data verification programs such as consistency and reasonableness checks shall be implemented to identify data tampering, errors or corruption, and omissions.

 

III. Data Governance Processes

 

A. Data Governance Standards

 

  1. The purpose of establishing standards is to ensure that Company data retains a high degree of integrity and that critical data elements can be integrated across operational units and Information Systems so that personnel may rely on data for information and decision-making.
     

  2. Company data will be consistently maintained and the processing related thereto clearly documented, according to the best practices established by key stakeholders and Information Owners.
     

  3. It is the responsibility of each Information Owner and applicable Custodian to ensure the correctness of the data values for the elements within their charge.
     

  4. Information Owners and Custodians shall maintain records of their processing activities, including but not limited to the following:

    1. the date that the data was collected;

    2. the document number for the privacy notice or privacy statement presented to the Data Subject at the time of collection, describing the type of data collected/processed and the purposes for which it was processed, and to whom it would be shared or disclosed;

    3. data validating the consent of the Data Subject to the collection and processing, including but not limited to date, time, and IP address from which consent was granted and means for indicating affirmative consent;

    4. for Data Subjects under the age of sixteen (16), verifiable consent must be obtained from the parent or guardian of the Data Subject, which verifiable consent must be stored with the Data Subject’s records;

    5. records identifying when the data is processed, shared, or disclosed; and

    6. all inquiries from the Data Subject regarding their data, including the date and subject of the inquiry.

 

B. Communicating Data Governance Standards

 

  1. Policies and procedures for data standardization and standard reporting practices shall be communicated by Information Owners to Custodians and User Management, who will ensure that all authorized Users are trained on applicable standards.
     

  2. A copy of this policy and all other security policies applicable to data governance and classification shall be maintained by the SysAdmin, who may provide access to such policies to persons authorized by the SysAdmin.

 

C. Privacy Impact Assessment (PIA)

 

  1. Before engaging in any new processing activity which is likely to result in a high risk to the rights and freedoms of Data Subjects (natural persons), Information Owners and Custodians shall perform a Privacy Impact Assessment, determining whether and to what extent the proposed processing activity could impact the privacy of data belonging to a Data Subject.
     

  2. Each PIA shall include the following information:

    1. A description of the proposed processing activities and their purpose;

    2. An assessment of: i) the need for and proportionality of the proposed processing; ii) the risks arising from the proposed activity; and iii) all measures proposed to mitigate said risks (including safeguards and security measures).
       

  3. The DoT shall either participate in the PIA or review the PIA prior to implementation of the proposed processing activity and shall advise key stakeholders on the outcome of the PIA.  The DoT is further encouraged to seek input from affected Data Subjects relating to the PIA, if appropriate.
     

  4. In the event that the PIA indicates that the proposed activity poses a high level of unmitigated risk under the circumstances but key stakeholders choose to proceed, the appropriate privacy regulators or GDPR supervisory authority shall first be consulted (if applicable).

 

APPENDIX A

Lawful Processing and Data Subject Request for Access, Portability, Rectification, and/or Erasure

 

IV. Approvals

 

  1. SCOPE: The policies defined herein shall apply to all employees, officers, directors, agents, representatives, contractors or affiliates of the Company, with respect to all Public Information and Nonpublic Information on Data Subjects collected, processed, shared, or stored by the Company.  Particularly, the policies stated herein are intended to comply with applicable privacy laws on the date of approval, including but not limited to the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) of the European Union (EU). In general, Company shall act as a “processor” with respect to any personal data processed on behalf of its customers, who will act as “controllers” as those terms are defined per the GDPR. Personal Data shall only be used by Company in furtherance of the objectives of the Services provided to its customers. Personal Data shall not be utilized by the Company for any purpose other than providing services directly or indirectly to its customers.  No personal data, or any part thereof, shall be sold, assigned, leased, or otherwise disposed of to third parties by Company. To the extent that it will be acting as a processor on behalf of its customers, Company shall promptly (within 48 hours of receipt) refer all data subject requests relating to customer data to the respective customers for processing (including authentication and fulfillment).  Company shall promptly inform such data subjects that Company is acting solely as a processor and the data subject’s request has been referred to the applicable controller for processing. Notwithstanding the foregoing, in the event that a data subject request is received relating to personal data being processed by Company for its own purposes, such requests shall be processed based on the procedures described herein.
     

  2. DEFINITIONS: This policy incorporates all definitions set forth in the Company’s Data Governance and Classification Policy as if reiterated herein.
     

  3. LAWFUL PROCESSING – EU DATA SUBJECTS: Information relating to Data Subjects residing in or located in certain jurisdictions (including but not limited to the EU and Brazil) may only be collected and/or processed to the extent at least one of the following conditions is met:

    1. Consent - the Data Subject has consented to the processing of his or her personal data for one or more specific purposes, after first being clearly and conspicuously informed of the purposes for which consent is being sought and provided with a copy of, or access to, the Company’s applicable privacy policy;

    2. Performance of Contract - the processing is necessary for the performance of a contract to provide a product or service to the Data Subject or at the request of the Data Subject, to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract;

    3. Legal Compliance - the processing is necessary for compliance with a legal obligation to which the Company is subject (such as maintenance of tax records or documents to evidence legal compliance);

    4. Vital Interests - the processing is necessary to protect the vital interests of the Data Subject or another natural person;

    5. Public Interest - the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;

    6. Legitimate Interest - the processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child; or

    7. Other Lawful Bases - some jurisdictions may permit additional lawful bases for processing; if the Company intends to collect or process NPI pursuant to these additional bases, the DOT should first consult with legal counsel admitted to the applicable jurisdiction for an assessment of whether the proposed processing is permitted by the applicable jurisdiction.
       

  4. RIGHT TO ACCESS
     

    1. Inquiries by Data Subjects regarding information collected, processed, shared or stored should be referred to the DoT for processing.
       

    2. Data Subjects may request that the Company disclose information about their personal data collected, processed, shared, or stored by the Company.
       

    3. Before data can be disclosed to a Data Subject, the Data Subject must first authenticate their identity. The extent of authentication required shall be dependent upon the sensitivity of the information requested (see below). This may be accomplished using Multi-Factor Authentication in one of the following two ways:[1] 

      1. For inquiries by phone, the Data Subject must be able to both: 1) provide a knowledge-based authentication response (ex: a unique identifier associated with the account, such as the last 4 digits of a Social Security number, driver’s license number, or identification number on record, or the Data Subject’s date of birth, if located in Company records); [2] and 2) respond to a confirmation sent to the Data Subject’s email account on record.

      2. For inquiries by email or website: 1) the Custodian shall call the telephone number associated with the account and authenticate the request; and 2) during such call, the Data Subject shall provide a knowledge-based authentication response (ex: a unique identifier associated with the account, such as the last 4 digits of a Social Security number, driver’s license number, or identification number on record, or the Data Subject’s date of birth, if located in Company records).
         

    4. If duly authenticated, the SysAdmin may provide the Data Subject with the following information:

      1. Confirmation if the Company processes the Data Subject’s information;
         

      2. A free of charge copy of the data held by the Company on the Data Subject in a commonly used electronic format[1];
         

      3. A description of the following:

        1. the purposes for processing the Data Subject’s information;

        2. the categories of data processed;

        3. the recipients or categories of recipients of the data;

        4. the projected retention period or criteria used for determining the retention period;

        5. a short description of the individual’s rights to rectification or erasure, to restrict processing or object to processing, and the right to lodge a complaint with a GDPR supervisory privacy authority (if applicable);

        6. information on any regulated automated decision-making processes (i.e. decisions performed on an automated basis either involving sensitive information or with legal effects, such as automated evaluation of credit applications), including the criteria utilized and the potential consequences resulting from the processing.
           

      4. In some instances, it may be impossible for the Company to authenticate the Data Subject adequately.  In those instances, the Data Subject shall be informed that the Company is unable to adequately authenticate their identity, with an explanation of why it has no reasonable method to verify the subject’s identity.
         

      5. Data Subjects residing in or located in certain jurisdictions (such as the EU) may make access requests at any time, though in some cases they may be charged for copies of information after the initial request.
         

      6. Data Subjects residing in the State of California may make access requests no more than twice in a 12-month period.
         

  5. RIGHT TO PORTABILITY
     

    1. Requests by Data Subjects that their data be ported to them or a new provider should be referred to the SysAdmin for processing.
       

    2. Data Subjects in certain jurisdictions (including but not limited to California, the EU, and Brazil) may demand that their personal data be ported to them or a new provider in machine-readable format if the data in question: 1) was provided by the Data Subject to the Company; 2) is processed automatically (i.e. in electronic format); and 3) is processed based on consent or fulfilment of a contract.
       

    3. Prior to fulfilling any Data Subject portability request, the Data Subject must first authenticate the request pursuant to the procedure described in Section IV(c) above.
       

    4. In fulfilling a data portability request, the data shall be converted to a structured, commonly used and machine readable form, which can be either made available to the Data Subject or transmitted to a provider designated by the Data Subject.
       

    5. In the event that the requested records also contain data on Data Subjects other than the Data Subject making the portability request, information relating to other Data Subjects must either be redacted or such Data Subjects must first consent to the portability request before their data may be provided.
       

  6. RIGHT TO RECTIFICATION
     

    1. Requests by Data Subjects that their data be rectified (if factually inaccurate) or made complete (if incomplete) should be referred to the DoT for processing.
       

    2. Prior to fulfilling any Data Subject rectification request, the Data Subject must first authenticate the request pursuant to the procedure described in Section IV(c) above.
       

    3. Record data should not be deleted – instead, an additional notation should be made of the Data Subject’s request or the additional information added to the existing records.
       

  7. RIGHT TO ERASURE
     

    1. Requests by Data Subjects that their data be erased should be referred to the SysAdmin for processing.
       

    2. In some jurisdictions, Data Subjects may request that their data be erased in the following circumstances:

      1. Where data is no longer necessary for the purpose for which it was collected or processed;

      2. Where the data was collected with the consent of the Data Subject, which consent is later withdrawn without another justification for processing;

      3. Where the data was processed based on legitimate interests, if the Data Subject objects and the Company is unable to demonstrate overriding legitimate grounds for processing; or

      4. Where the data is unlawfully processed or where otherwise required by law.
         

    3. Prior to fulfilling any Data Subject erasure request, the Data Subject must first authenticate the request pursuant to the procedure described in Section IV(c) above.
       

    4. When a Data Subject requests that their data be erased, the request shall be evaluated for validity and if valid, the request shall be completed without undue delay.  In some circumstances (addressed below), the Company may be unable to complete the erasure request.  Further processing should be suspended pending resolution of the request.
       

    5. In the event that the Data Subject’s information that is requested for erasure has been made public or entered into the public domain, the SysAdmin shall issue a notification to other controllers processing the data or persons to whom data has been disclosed (where practicable), that a request for erasure has been made unless such notice would be impossible or involve disproportionate effort.
       

    6. Exemptions – Different jurisdictions allow different exemptions from obligations to delete personal data.  When a deletion request is received, the DOT should determine the applicable jurisdiction and apply the exemptions as permitted by law.  Exemptions in some jurisdictions may include, but are not limited to, some of the following: Data Subject information need not be erased if processing is necessary:

      1. for the exercise of the right of freedom of expression and information;

      2. for compliance with a legal or regulatory obligation;

      3. for performance of a public interest task or exercise of official authority;

      4. for public health reasons;

      5. for archival, research or statistical purposes (if any relevant conditions for this type of processing are met);

      6. if required for the establishment, exercise or defense of legal claims;

      7. to complete the transaction for which the personal data was collected, provide a good or service requested by the Data Subject, or reasonably anticipated within the context of the Company’s ongoing business relationship with the Data Subject, or otherwise perform a contract between the Company and the Data Subject;

      8. to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;

      9. to debug to identify and repair errors that impair existing intended functionality;

      10. to exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;

      11. to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the Data Subject has provided informed consent;

      12. to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; or

      13. to otherwise use the Data Subject's personal data, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
         

  8. RIGHT TO RESTRICT SALE

    1. As a policy, the Company does not sell personal information of any Data Subject. Accordingly, in response to a Data Subject request that their personal information not be sold to third parties, the Data Subject should be promptly informed that the Company does not sell personal information to third parties. Requests by Data Subjects that their personal information not be sold to third parties should be referred to the SysAdmin for processing.
       

  9. EXEMPTIONS

    1. The Company may withhold data or abstain from taking action above where otherwise authorized by law, so long as such authorization does not conflict with state, federal, or international law or regulations.

    2. In the event that a Data Subject’s request is denied or not granted in full, the SysAdmin shall provide a written response to the Data Subject’s inquiry, stating the Company’s response and identifying the basis for its action.

    3. In the event that a Data Subject’s request for access would adversely affect others, such as revealing trade secrets or proprietary intellectual property (such as disclosing the internal logic of automated decision making), the Company is authorized to withhold access of those portions of the data which would adversely affect others, but must comply with the remainder of the Data Subject’s request if not otherwise prohibited by law or where the Company is otherwise authorized by law to withhold such information.

    4. If the Company is in possession of a large quantity of data on a Data Subject, the SysAdmin may require the Data Subject to specify the information or processing activities to which a generalized request relates.
       

  10. DUE DILIGENCE AND RECORD-KEEPING
     

    1. Due-Diligence – All Data Subject requests should be processed in the following manner to confirm and document the Company’s compliance with the policies described herein:

      1. Before responding to a Data Subject request, the DOT shall first confirm whether the request complies with Company policy relating to such requests.

      2. If the request otherwise complies with Company policy, the DOT shall designate a Company employee to respond to the request;

      3. the responding employee should consult the Company’s most recent data map, to identify locations where responsive information is stored.

      4. Within two (2) business days of receiving the Data Subject request, the responding employee should promptly contact Information Owners who control the responsive data sets and notify them of the Data Subject request, disclosing the nature of the data request (ex: deletion of Data Subject records), the date of the request and the due date of the response.

      5. Ten (10) business days before the Company’s response is due, the responding employee should verify with Information Owners whether all responsive information has been received and/or processed.

      6. If all Information Owner confirmations have not been received by the responding employee at least five (5) business days before the Company’s response is due, the responding employee shall contact the DoT for assistance, including but not limited to potentially notifying the Data Subject that the Company’s response may be delayed.
         

    2. Record-Keeping - For each Data Subject request received by the Company, a record should be created listing the following information (which shall be retained in the Data Subject’s records):

      1. The date and manner in which the request was received (ex: by phone, including the telephone number, date and time of the call, and the employee who received the call).

      2. The identity of the employee who processed the request.

      3. The authentication methods performed (ex: Data Subject provided last 4 digits of Social Security number during call, replied to email confirmation prompt).

      4. The scope of the request (ex: access to Data Subject records, requested that personal information not be sold).

      5. A checklist of all Information Owners who are identified (per the Company’s most recent data map) as possessing responsive data and a list of when confirmations were received by the responding employee.

      6. The date and manner of the Company’s response to the request (regardless of whether the request was fulfilled or denied).

      7. If a request has been fulfilled, the record should identify the types of information processed pursuant to the request (ex: if a Data Subject requests information on all transactions in the past 90 days but only 60 days of information is retained, the response should indicate that only 60 days of data was provided and the reason), as well as a record of responsive information received from and/or processed by responding Information Owners.

      8. If the request has been denied, the record should identify the reason that the request was denied and the date that the Data Subject was informed of the denial.  It is important that, even in circumstances where requests will be denied, the Data Subject is timely informed of the denial and the reason therefor.
         

  11. TIMEFRAME FOR COMPLIANCE
     

    1. Data Subject requests described above must be satisfied within the period required by applicable law, and in any case no more than one month (thirty (30) calendar days) from the request, or the Data Subject must be provided with a response indicating the Company’s basis for not fulfilling the request.  In circumstances where the Company’s response cannot be delivered within that period, based on the scope of the Data Subject request or any other reason, the responding employee should promptly consult the DoT regarding whether an extension is permissible (based on applicable law) and if so, the procedures for promptly notifying the Data Subject of the delayed response.

 

APPENDIX B

Information Asset Management Controls

  1. SCOPE – DATA AND CONTROL MAPPING: The policies set forth herein are intended to define where the various types of data collected and/or processed by the Company shall be stored and the controls applicable to each. This appendix should be consulted [monthly/quarterly] [3] by the DoT to verify that these mappings remain accurate, or be amended for accuracy.
     

  2. PRIMARY CUSTOMER DATABASE: The Company’s primary customer database, including customer product registrations and personal data, shall be stored on the Company’s Amazon Web Services cloud services platform.

    1. A backup copy of the primary customer database will be stored ________________.
       

  3. MARKETING DATABASE:

    1. The Company’s marketing database shall be stored _______________________.

    2. A backup copy of the marketing database will be stored ________________.
       

  4. EMPLOYEE RECORDS:

    1. The Company’s employee records shall be stored _______________________.

    2. A backup copy of the employee records will be stored ________________.
       

  5. NIST CYBERSECURITY FRAMEWORK ASSESSMENT: Company has performed an initial assessment of its processes, procedures and controls per the NIST Cybersecurity Framework, attached hereto as Exhibit A. This initial assessment is used in conjunction with this policy to identify controls implemented by the Company, mapped to applicable security and privacy standards.