Data Protection and Information Security Policy

Last updated: June, 2022

Purpose

The purpose of this policy is to document and support the Company's implementation of
appropriate technical and organizational measures to maintain the confidentiality,
availability, and integrity of the Company's data, including Personal Data managed by the
Company, and the Company's information technology systems.

Definitions

• "Personal Data" means any information that refers, is related to, or is associated with
  an identified or identifiable individual.
• "Company Data" means any confidential, sensitive, and/or Personal Data processed
  or otherwise handled by the Company.
• "Company IT Systems" means any information technology systems, such as computer
  and communication systems owned and/or operated by the Company, as well as any
  physical databases that include Company Data.

Scope

This policy applies to all use of and access to Company Data and Company IT Systems by any
Company personnel (including employees, officers, contractors, or business partners) or any
other third parties.

Access Control

The Company's Access Control Policy, details the Company's practices and procedures with
respect to access to Company IT Systems and Company Data, including account management,
password guidelines, and remote access protocols.

Organizational Safeguards

Company CISO ("Security Manager") has been designated as the responsible for overseeing
the overall implementation, coordination and maintenance of this policy.

In addition, the Company has designated certain employees as managers ("Manager(s)")
responsible for overseeing implementation of this policy among designated groups of
employees/other personnel.

The Company's Managers are as follows:

• CEO
• Deputy CEO
• Head of R&D Research and Development
• Customer Engagement Manager
• CISO
• Product Management 

• Overseeing compliance of employees with this policy and all other security restrictions relevant to their positions
• Ensuring that no security breaches result from employee actions

• Instruction and training of employees regarding their security responsibilities, their use of Company IT Systems, and their handling of Company Data, in accordance with the Company's Employee Data Protection Training policy.
• Restricting unauthorized access by personnel to Company IT Systems or Company Data, including by enforcing the Company's Access Control Policy.
• Keeping records of critical job functions that will allow for continuity in the event that an individual employee can no longer fulfill his/her job functions
• Relaying any relevant personnel changes (new hires, termination of employees, changes in job function) to the Security Manager so that access controls can be adjusted as necessary and in accordance with the Company's Access Control Policy.
• Reporting any breaches or suspected security breaches to the Security Manager without delay
• Ensuring that employees keep all Company Data accurate, up to date, and in line with Company's Record Retention and Destruction and other policies
• Ensuring that all personnel are aware of existing non-disclosure undertakings and that any new personnel, including third party contractors, will be subject to non-disclosure undertakings

Failure to comply with this policy will result in disciplinary action and may result in termination
of employment.

Technical Safeguards

The Company's IT Systems shall include, without limitation, the following measures:

• Company IT Systems must be securely configured according to a security baseline,
  which must include removal of unnecessary services, changing vendor-supplied
  default or otherwise weak user accounts and passwords.
• Company IT System components must maintain current security patch levels.
• Web servers must be hardened according to a secure baseline.
• Web servers must only allow HTTP/S methods on a production web server. All other
  methods must be disabled.
• Web servers must be configured to accept requests for only authorized and published directories.
• Default sites, executable or directory listings must be disabled.

Antivirus/Malware

• Industry standard anti-virus and anti-spyware software protection programs and
  techniques should be used to prevent harmful software code from affecting the
  systems and to monitor for vulnerabilities.
• Malware prevention technologies should include, but are not limited to, desktop and
  gateway antivirus.
• Patches should be applied where appropriate on a regular and ongoing basis.

Network Security

• Industry standard firewalls should be implemented in any case in which external data enters the Company's IT Systems.
• Inbound and outbound connections must be denied unless expressly allowed.
• Firewall events must be monitored in order to detect potential security events.
• Network Intrusion Detection or Prevention Systems (NIDS/NIPS) must be
  implemented to monitor network traffic.
• Effectiveness of controls must be tested on a periodic basis.

Logging and Monitoring

• Security relevant events, including login failures, use of privileged accounts, changes
  to access models or file permissions, modifications to installed software, or the
  operating system, changes to user permissions or privileges, or use of any privileged
  system function, shall be logged on all systems.
• Access to security logs shall be restricted to authorized persons.

System clocks shall be synchronized to an agreed standard to ensure the accuracy of
audit logs.

Encryption and Pseudonymization

• Any particularly sensitive data and any Personal Data that is stored digitally, whether
  permanently or temporarily, should be encrypted.
• Personal Data should be pseudonymized where appropriate.
• Company Data that is in transit should be encrypted.

• No Personal Data should be transmitted through unsecure email, fax, over the phone,
  or through any other unsecured protocols.
• A data loss prevention system should be utilized.
• Unique identifiers, such as separate credentials and/or multi-factor authentication
  should be used for each individual accessing any confidential or Personal Data.
• Following the guidelines of the Payment Card Industry’s Data Security Standards (PCI
  DSS 3.2)/ISO 27001 or with ISO 27001 (Information Security Management)/ ISO 27017
  (Cloud Security)/ ISO 27018 (Cloud Privacy).

Physical Safeguards

All information held by the Company, in a physical format, including Personal Data, must be
used and stored in a secure manner in an access-controlled location and subject to the
following safeguards:

• Least privilege rules for administrator access
• A minimum number of individuals should have access
• Logs of all actions by individuals who have access should be maintained
• Documents and digital storage media are physically destroyed or securely overwritten
  when they are no longer required
• Physical access to infrastructure housing Company Data must be restricted.
• Access allowed based on a need-to-know basis

Clean Desk Policy

• Any confidential or Personal Data that exists as a hardcopy or in electronic form, such
  as working documents, open files, and other paperwork shall be secured at the end
  of each day.
• Employees and other Company personnel should clear all working documents from
  desks or open areas, close any open files, and lock or shut down computers prior to
  leaving workspaces.