1. Purpose

The purpose of this Data Protection and Privacy Policy is to establish principles, responsibilities, and controls for the collection, processing, storage, sharing, and protection of data within the organization. This policy aims to safeguard personal, confidential, and business-sensitive information, ensure compliance with applicable data protection regulations including the General Data Protection Regulation (GDPR), and maintain customer trust.

2. Scope

This policy applies to:

  • All employees, consultants, partners, and third parties acting on behalf of the Company.
  • All customer, employee and business data processed by the Company.
  • All systems, applications, cloud services, solutions, and platforms owned, operated, or managed by the Company.

3. Data Protection Principles

The Company shall adhere to the following data protection principles:

  • Process data lawfully, fairly, and transparently.
  • Collect data only for specified and legitimate business purposes.
  • Limit data collection to what is necessary for the intended purpose.
  • Ensure data accuracy and timely updates.
  • Retain data only for as long as required by legal, contractual, or business requirements.
  • Protect data through appropriate technical and organizational safeguards.
  • Demonstrate accountability for compliance with applicable data protection laws.

4. Data Processor Responsibilities: Do’s and Don’ts

Do’s

  • Access only the data necessary to perform assigned job responsibilities.
  • Use approved systems and secure communication channels for handling data.
  • Follow established authentication and access control requirements.
  • Report suspected data breaches, unauthorized access, or security incidents immediately to supervisors and the Data Protection Lead.
  • Encrypt sensitive data during storage and transmission where required.
  • Restrict paper print-outs of sensitive data as far as possible; where unavoidable, destroy the prints right after use.

Don’ts

  • Do not share confidential or personal data with unauthorized individuals.
  • Do not download, copy, or transfer company data to personal devices without authorization.
  • Do not store sensitive information in unapproved applications.
  • Do not disclose passwords, credentials, or access tokens.
  • Do not bypass security controls or access restrictions.
  • Do not retain data longer than permitted by company policies or legal requirements.

5. Data Security Controls

The Company shall implement appropriate safeguards, including:

  • Role-based access controls and least-privilege principles.
  • Multi-factor authentication where applicable.
  • Data encryption for sensitive information.
  • Secure backup and recovery procedures.

6. Responsible Use of Artificial Intelligence

Where AI technologies are used for business operations, analytics or automation, the Company shall implement additional controls to protect data.

AI Usage – Do’s

  • Use only approved AI tools and platforms.
  • Verify that AI systems comply with applicable privacy and security requirements.
  • Remove or anonymize personal data before submitting information to AI systems.
  • Validate AI-generated outputs before making business decisions.
  • Conduct risk assessments before deploying AI solutions involving sensitive data.

AI Usage – Don’ts

  • Do not input confidential, proprietary, regulated, or personal data into public AI tools unless explicitly authorized.
  • Do not use AI-generated outputs without human review and validation.
  • Do not rely solely on AI for decisions affecting legal, financial, employment, or customer rights.
  • Do not bypass established security and privacy controls when using AI technologies.
  • Do not use AI systems in a manner that violates applicable laws, contractual obligations, or customer agreements.

7. Customer Data Responsibilities

The Company may provide platforms and solutions that enable customers to upload and process their own data.

Customers remain the sole owners of all data uploaded to or processed through the Company’s solutions and are responsible for, including but not limited to:

  • Ensuring they have the legal right, authority, and necessary permissions to upload, process, and share such data.
  • Ensuring that uploaded data complies with all applicable laws, regulations, contractual obligations, and internal policies.
  • Maintaining the accuracy, completeness, and legality of the data they provide.

The Company does not review, validate, or assume responsibility for the content, accuracy, ownership, legality, or regulatory compliance of customer-provided data. Responsibility for the data uploaded to the Company’s solutions remains exclusively with the customer.

The Company’s responsibility is limited to providing secure hosting, storage, backup, and disaster recovery capabilities for customer data in accordance with applicable service agreements and operational procedures. In the event of system failures, infrastructure outages, or disaster recovery scenarios, the Company shall take reasonable measures to restore customer data from available backups and recovery mechanisms.

Except for such backup and recovery obligations, the Company shall not be responsible for any loss, corruption, misuse, unauthorized disclosure, regulatory non-compliance, or other consequences arising from the nature, content, quality, or legality of customer-provided data.

8. Confidentiality


9. GDPR Compliance

The Company may:

  • Process personal data on a lawful basis where processing is needed.
  • Maintain transparency regarding data processing activities.
  • Implement appropriate technical and organizational security measures.
  • Support the rights of data subjects, including:
    • Right of access
    • Right to rectification
    • Right to erasure
  • Notify relevant authorities and affected individuals of data breaches where legally required.
  • Ensure appropriate safeguards are implemented for data transfers.

10. Data Retention and Disposal

Data shall be retained only for the period necessary to fulfill business, contractual, legal, or regulatory obligations.

Upon expiration of retention requirements:

  • Data shall be securely deleted.
  • Disposal methods shall prevent unauthorized access or recovery.
  • Retention schedules shall be reviewed periodically to ensure compliance with legal requirements.

11. Policy Compliance

Compliance with this policy is mandatory for all personnel and applicable third parties.

The Company reserves the right to:

  • Monitor compliance with this policy.
  • Conduct audits and assessments.
  • Investigate suspected violations.
  • Take corrective or disciplinary action where non-compliance is identified.

This policy shall be reviewed periodically and updated as necessary to reflect changes in legal, regulatory, business, or technology requirements.

12. Miscellaneous

  • The Company reserves the right to update the Data Protection Policy from time to time.
  • Such updates will be published on the company website.
  • While reasonable security measures are implemented to protect personal data, no measure can guarantee absolute protection against all risks.