Operational risk and incident response program

  1. PURPOSE

S-INTERIO LIMITED (referred to herein as S-INTERIO) is a Canadian corporation that operates a Money Service Business (MSB) and is subject to the regulatory regime of the Retail Payment Activities Act (RPAA) and the regulations thereunder (RPAR). S-INTERIO is registered as a Payment Service Provider (PSP) with the Bank of Canada.

In accordance with Subsection 17(1) of the RPAA, “For the purposes of identifying and mitigating operational risks and responding to incidents, a payment service provider that performs retail payment activities must, in accordance with the regulations, establish, implement and maintain a risk management and incident response framework that meets prescribed requirements.”

This Operational Risk and Incident Response Program provides the framework for S-INTERIO to establish, implement, enforce, test and audit its policies, procedures and processes, and to ensure that S-INTERIO complies, on an ongoing basis, with the requirements of the RPAA and RPAR.

In designing this Program, S-INTERIO strives to preserve the integrity, confidentiality and availability of its retail payment activities and of the systems, data and information associated with the performance of those activities.

This Program establishes the framework for the company’s policies and procedures that will:

  • identify operational risks arising from the S-INTERIO retail payment activities;
  • protect against those operational risks;
  • detect incidents, anomalous events and lapses in the implementation of the framework;
  • respond to and recover from incidents; and 
  • review and test this Program and the framework established hereunder.

S-INTERIO is committed to continuously improving the quality of its services and will implement risk assessment and management programs for each aspect of its PSP activities and each business opportunity, in order to identify and assess the threats inherent to such activities.

This Program takes into consideration the significant levels of risk to which the company is constantly exposed due to its online business operations. The rules and procedures established hereunder are intended to provide S-INTERIO’s employees with the tools required to efficiently identify, manage, prevent and mitigate any foreseeable risk to which the company could be exposed.

2. Roles and Responsibilities

The following shall be responsible for the implementation and operation of this Program and its policies at S-INTERIO (position, responsibilities and name of the person holding the position):

Board of Directors (Nir Gabriel)

  • Annual overview and approval of this Program, its targets, improvement and remedial plans
  • Receives reports from the Security Officer and the CEO
  • Responds to emergency events

Chief Executive Compliance Officer (Edwin Martin Monjes)

  • Responsible for the implementation of this Program
  • Responsible for supervision of day-to-day compliance
  • Responsible for annual assessment and measurement of targets
  • Responsible for material decisions for the identification and mitigation of risks and incidents
  • Prepares annual reports for the BoD
  • Communicates with the CEO and other managers
  • Responsible for purchasing and contractual relationships with suppliers

Chief Executive Manager (Pedro G. Fournier)

  • Responsible for managing the Team
  • Responsible for overseeing the performance of the SO and reporting to the BoD
  • Provides executive oversight and strategic direction
  • Ensures alignment between security objectives and business goals
  • Reviews quarterly security performance reports
  • Approves annual security budget and resource allocation
  • Chairs executive security committee meetings
  • Ensures cross-departmental cooperation on security initiatives
  • Escalates critical security issues to the Board of Directors

Chief Information Security Officer (CISO) (Mariano Ramirez)

  • Develops and maintains information security policies and procedures
  • Oversees security architecture and technical controls
  • Manages security incident response and investigation
  • Conducts security risk assessments and vulnerability management
  • Ensures compliance with security standards and regulations
  • Coordinates security awareness training programs
  • Manages security vendor relationships and technology solutions
  • Deploys and configures security tools (SIEM, firewalls, antivirus)
  • Performs vulnerability scans and technical assessments
  • Maintains security documentation and procedures
  • Monitors security infrastructure and systems
  • Leads incident response team activities
  • Reports security metrics and KPIs to executive management
  • Conducts security audits and assessments
  • Manages security budget and resource allocation
  • Coordinates with legal and compliance teams
  • Develops business continuity and disaster recovery plans


3. Scope of application

This Program applies to the operations and resources of S-INTERIO regardless of where its systems, data, information or assets are located or where its operations are performed, including situations where most or all of its operations and resources are located outside Canada. It applies to all aspects of the S-INTERIO operations, including without limitation the assets (including, but not limited to, systems, data and information) and business processes that are associated with the PSP’s performance of its activities.

S-INTERIO recognizes that, as outlined in section 87 of the RPAA, S-INTERIO remains liable for a violation that is committed by any of its employees, third-party service providers, agents or mandataries. Therefore, this Program applies to all its employees, agents and mandataries involved in the PSP operations or providing supporting services necessary for the PSP operations.

In defining its objectives, reliability targets and indicators, S-INTERIO considers the scope of its operations, the number of employees and executive officers involved in the operations of S-INTERIO, the number of clients, and the total volume of transactions and/or funds processed by S-INTERIO on a daily, monthly and annual basis. Based on these determinations, S-INTERIO will apply the principle of proportionality to the identification of risks and threats and to the proposed mitigation and prevention measures.

4. Objectives

S-INTERIO implements this Program to ensure that it can perform retail payment activities without reduction, deterioration or breakdown, and to ensure the availability of the systems, data and information involved in the performance of its business operations. S-INTERIO shall further ensure that its systems, data and information are preserved and that their integrity and confidentiality are not affected by the various risks identified herein.

Availability of Business Services Offered by S-INTERIO

Based on the overview and assessment of S-INTERIO operations and services, it is hereby determined that the general availability of its systems, during working hours defined by S-INTERIO in its operating documentation, shall be 95%.

In the case of declared national emergencies that affect operations of S-INTERIO or third-party service providers involved in delivery of the retail payment services to the S-INTERIO clients, the availability of its services shall be established in accordance with the severity of the emergency, its impact on the delivery of services and any information provided by the government agencies responsible for the management of such an emergency.

In particular, the following availability is expected from the particular services provided or used by S-INTERIO:

SERVICE                                                AVAILABILITY    COMMENTS

For clients:
  Access to client’s account
  Access to account information – balances, reports
  Access to retail payment services

For S-INTERIO:
  Internet service provider
  Third party PSP providers
  SWIFT access
  Data storage access

Reliability targets and indicators

In defining its reliability targets and indicators, S-INTERIO will consider the risk assessed for each activity and process. The higher the risk, the higher the reliability expected from that activity.

The following reliability targets are hereby defined by S-INTERIO for the assessment and validation of compliance with the availability threshold set herein:

  • System availability:
    • General system availability target – 95% of S-INTERIO operating time (i.e. less than 5% downtime for the systems);
    • Affected clients target – 90% of the clients will be able to access S-INTERIO systems during the declared operating times;
    • Recovery time objectives – 4 hours for a regular incident; 12 hours for a severe incident; 24 hours for national emergencies (the recovery time will be counted from the time the emergency is declared as over);
    • Maximum tolerable downtime(s) – downtime of up to one hour during standard working hours and up to four hours during off-hours shall be deemed tolerable and shall not be considered a breach of the objectives set forth herein.
  • System integrity:
    • The integrity target for the S-INTERIO general systems, which are not involved in processing or storage of the clients’ data, is hereby set at 99%;
    • The integrity target for the S-INTERIO processing and storage systems that process or store clients’ data is hereby set at 99.99%.

For the purpose of this target, the following shall apply:

Systems that are not involved in processing or storage of clients’ data include: company’s website (except for the payment platform), social media and online pages, customer support services, technical support services, and more.

Systems that process or store clients’ data include payment portal/application, data storage facilities, backup facilities, access points for each of the aforementioned systems.

  • Confidentiality of data and information:

The target for preservation of confidentiality and integrity of the clients’ information shall be 100%. No breach or unauthorized access and/or disclosure shall be tolerated.

Measurement of Targets and Indicators

For the purpose of measuring the targets, the following indicators will be considered:

  • Accessibility of the S-INTERIO payment portal or application and the duration of time the systems were inaccessible to clients.

S-INTERIO will establish reporting procedures for recording and reporting the systems’ downtime and will require third-party providers to implement the same reporting procedures.

  • Uninterrupted payment processing interface with the third-party service providers and the duration of time the interface was inaccessible to the S-INTERIO systems.

The same reporting procedures shall apply to the recording and reporting of downtime of the third-party interfaces.

  • System integrity shall be assessed based on reporting of the integrity protection systems, including firewall, cyber security systems and tools.
  • Annual internal and bi-annual external audits of the integrity protection systems will be conducted by S-INTERIO in accordance with its Confidentiality of Information Policy and Cyber Protection Policy.
  • All reporting systems and data generated by them shall be available for the S-INTERIO personnel responsible for supervision and measurement of the targets and overall operations of S-INTERIO systems.

Response and Remedial Actions

  • Improvement

S-INTERIO strives to constantly improve its performance and eradicate any existing or potential threats and interruptions of its operations.

Where possible, S-INTERIO will establish an improvement plan based on the annual measurements and assessment of the defined indicators. The improvement plan shall be based on progressive improvement of not less than 5% year over year, with the target goal being 10% for the year.

The improvement plan will include the following:

  • Assessment of newly available systems and defences and their implementation in S-INTERIO operations;
  • Engagement of additional service providers in response to identified risks and incidents;
  • Segregation of the various operating systems to ensure the integrity of each system separately and to prevent an incident from spreading from one system to another.

  • Remedial Actions

S-INTERIO understands that in the current digital environment it is almost impossible to prevent and avoid all risks and incidents. As such, S-INTERIO has implemented a Remedial Plan that allows fast and efficient recovery of its systems from various incidents and protects the other systems, data and information of S-INTERIO from the effects of the incident.

The following general measures have been implemented:

  • Segregation of the various systems allows for fast and efficient recovery of the affected system;
  • Segregation of the operating systems from data storage ensures the integrity of one system in case of an incident affecting the other;
  • Secure, off-site storage of backups and recovery systems allows for fast and unaffected recovery of S-INTERIO systems in case of an incident;
  • Emergency support arrangements with cyber-security providers will be established to ensure a timely and professional response to cyber events.

Annual Review and Approval

S-INTERIO security officer (SO) shall review and approve S-INTERIO objectives, targets and indicators at least annually. SO will receive reporting from all systems and databases used by S-INTERIO and will evaluate whether the targets have been met and what improvement measures are available for the company.

In review and assessment of objectives, targets and indicators, SO will use the following considerations:

  • Level of risk posed by various systems
  • How identified incidents affect clients’ data and information
  • Availability of technological solutions to improve current systems
  • Costs associated with implementation of improvement systems
  • Risks arising from inability of S-INTERIO to meet or improve its targets.

SO will prepare an annual report and provide it for review and approval of the Board of Directors.

Roles and Responsibilities

Security Officer:

SO is a member of the S-INTERIO executive team and will be employed by S-INTERIO. In appointing SO, the Board of Directors shall ensure that SO has the knowledge and experience as required by the RPAA and its Regulations.

The Security Officer is responsible for reviewing and approving this Program upon its initial implementation and then at least annually.

SO shall review and approve all material changes to the operations of S-INTERIO before such a change is implemented by the company.

SO will receive, as soon as possible and in any case within 48 hours, the following reports and underlying information:

  • the findings of reviews of the framework, for approval (subsection 8(4) of the RPAR);
  • the findings of testing (subsection 9(3) of the RPAR);
  • independent reviews of the framework (subsection 10(3) of the RPAR); and
  • information about incidents (subparagraph 5(1)(i)(vi) of the RPAR).

SO is responsible for overseeing the operations of the company’s third-party providers and ensuring their compliance with the standards set out in this Program. The performance of the third-party providers will be assessed by SO annually as part of the annual internal audit of this Program.

In addition, with regard to third-party providers, SO is responsible for:

  • conducting due diligence assessments of the services and products provided by third party providers; and
  • monitoring the delivery of services and the performance of the roles and responsibilities.

Human and financial resources

SO, in consultation with the CEO, will determine that:

  • S-INTERIO has timely and reliable access to financial and human resources to establish, implement and maintain this Program and provide timely and sufficient response to incidents. 
  • The human resources engaged by S-INTERIO have the skills, information and training necessary to carry out their roles.

SO will determine the required HR in line with the company’s growth, and whenever SO or the CEO determines during the annual review that the implementation of this Program requires additional resources.

Where SO identifies an emergency or requirement for the additional HR in timelines that do not allow waiting for the annual review and approval of the CEO, SO shall bring the HR plan for a special meeting with the CEO as soon as practicable.

SO will prepare and provide for the CEO’s approval the personnel plan with position descriptions, roles and responsibilities of each position identified by SO and the timelines for the implementation of the HR plan.

SO is also responsible for the engagement of third-party providers and independent subcontractors as might be required for support of this Program. The Board of Directors will determine the boundaries of SO’s individual authority to hire subcontractors and third-party providers and will ensure availability of financial resources for the hiring.

The CEO will bring for the Board’s approval an annual HR financial plan with an itemized presentation of the resources required to support this Program, the cost of employment and additional costs (equipment, insurance, training etc.).

SO, in consultation with the CEO and the HR administrator, will determine the following:

  • Financial resources required for the proposed hiring
  • Timelines for the hiring
  • List of skills and expertise required from each position
  • Cross training and skills exchange within the organization
  • Interchangeable or substituting positions to ensure continuity of services in a case of personal emergencies, unforeseen circumstances and more
  • Professional training requirements and timelines for the training post-hiring
  • Introduction and training on this Program before commencement of active duty.

SO will prepare and implement training and an annual awareness plan for the HR. The plan will be based on an assessment of ongoing risks, identified deficiencies and incidents that the company dealt with during the preceding year.

Communication of Program, changes, updates and identified risks

SO will implement periodic internal email distribution to ensure all employees and contractors engaged in support of the retail payment activities or implementation of this Program are aware of the ongoing state of the company’s affairs.

Quarterly staff meetings will be held to ensure that the staff is aware of any changes to the Program or incidents that were identified. The meetings will be used to provide responses and answers to staff questions and inquiries.

SO will prepare and maintain records of such meetings, staff present and any special questions or discussions being held during the meeting.

5. Operational Risks and management

A. Definition

“Risk” as referred in this Program means: “a risk that any of the following will result in the reduction, deterioration or breakdown of retail payment activities that are performed by S-INTERIO”:

  • a deficiency in the PSP’s information system or internal process;
  • a human error;
  • a management failure; or
  • a disruption caused by an external event.

SO must identify operational risks that relate to each of the following areas:

  • business continuity and resilience – risk to S-INTERIO’s ability to perform retail payment activities due to the unavailability of people, processes, systems, premises or third parties;
  • cybersecurity—risk of unauthorized access to, malicious and non-malicious use of, a failure of, or a disclosure, disruption, modification or destruction of information system or data due to a cyber attack or a data breach;
  • fraud—risk of intentional activities by internal (i.e., originating from an entity with authorized access to systems, data or information) or external (i.e., originating from an entity without authorized access to systems, data or information) threats to cause a loss of, or obtain benefit from, the company’s assets, products or data;
  • information and data management—risk related to a failure to manage information or data through its life cycle;
  • information technology—risk related to inadequacy, disruption, failure, loss or malicious use of information technology systems, infrastructure, people or processes that enable and support business needs of the company;
  • human resources—risk related to inadequate or insufficient human resources or skill requirements; 
  • process design and implementation—risk related to a failure to effectively design, implement, document or execute a process; 
  • product design and implementation—risk related to a failure to effectively design, implement or manage a product or service;
  • change management—risk related to an inability to effectively implement changes, including through ineffective project design or delivery (includes but is not limited to changes to business structure, product design, services and information technology delivery);
  • physical security of persons and assets—risk related to an inability to safeguard employees, clients, physical assets or facilities; and
  • third parties—risk related to a failure to effectively manage third parties, including but not limited to third-party service providers, agents and mandataries, affiliated entities, other PSPs and financial market infrastructures.

In defining and establishing responses to risks, SO shall:

  • identify and assign a level of risk to each identified operational risk;
  • prioritize the identified operational risks by their level and materiality; and
  • use the prioritized operational risks to inform the systems, policies, procedures, processes and controls needed to mitigate those risks.

SO shall review and update these operational risks at least annually.

Where the company proposes to undergo a material change of its operational systems, processes and controls, SO shall review such changes in advance, assess any potential risks arising from the change and update this Program in a way that will provide response and mitigation to the risks prior to the implementation of the change(s).

B. Identification of Assets and Business Processes

SO shall identify the assets—including systems, data and information—and business processes that are associated with the payment service provider’s performance of retail payment activities, the reduction, deterioration or breakdown of which would adversely affect the PSP’s provision of retail payment activities.

SO will assign the level of risk and the importance of the assets to the retail operations of the company, considering the following:

  • The availability of the asset or process for the operations of S-INTERIO;
  • Processes to ensure that the integrity of the asset or process is maintained;
  • Measures to ensure that the data and information:
    • are available;
    • have their integrity maintained; and
    • are kept confidential.

C. Protection of assets and business processes

Following the determination of risks and assets, SO shall implement protective measures to ensure that S-INTERIO operations and data are well protected and preserved in case any risk materializes.

The determination and implementation of the protective measures will be risk-based and will rely on the determination of the level of risk by SO as provided hereinabove. SO will also consider:

  • the inherent level of the risks S-INTERIO faces;
  • the potential impact of those risks on its retail payment activities, assets and business processes;
  • S-INTERIO’s ability to achieve its integrity, confidentiality and availability objectives; and
  • the extent of the risks arising from the operations of third parties and S-INTERIO affiliated entities (if any).
 

D. Information technology and cyber security protective elements

Cyber security risks are inherent to any online operation, and S-INTERIO is and will always be exposed to a variety of cyber security risks. SO will determine the various cyber security risks and the level of their severity, and will establish and implement protective measures to ensure the prevention and efficient mitigation of such risks.

  • General

The following aspects of the cyber security policy will be established and implemented:

  • access management, including management of physical access and access to online systems
  • vulnerability management, remediation and patching
  • security software
  • securely configured devices
  • network security defences
  • secure cloud and outsourced information technology services
  • secure information system media
  • secure system development life cycle

  • Access controls

SO will establish physical and virtual access controls to S-INTERIO systems based on the risk levels determined by SO. The controls will include the following:

  • Limit access to assets based on the role the person or system requiring access plays in S-INTERIO;
  • Establish “dual custody” or “separation of duties” procedures for sensitive or critical payments, where one employee of S-INTERIO inputs the information and another employee approves/confirms the transaction;
  • Limit every individual’s access to the minimum required to complete and validate a task;
  • Granting, withdrawing or modifying access:
    • Grant access rights and system privileges according to the roles and responsibilities of human resources;
    • Establish approval of access by SO and the employee’s manager to ensure “dual custody” in granting access to sensitive systems;
    • Establish progressive access controls based on the increased sensitivity of the systems being accessed, or the seniority of the individual receiving the access (two-factor authentication and more);
    • Ensure that the rules applicable to password complexity requirements and frequency of password change comply with industry standards and are updated as needed;
  • Where possible, SO will investigate and implement automated solutions that help mitigate the risks associated with privileged access;
  • Establish systems and measures to identify internal and external users and whether access is made from within the physical environment of S-INTERIO or from outside;
  • Establish a recurring schedule to review the access and permissions granted to users and to identify incidents of abuse of access or breaches of the access policy;
  • Implement multi-factor authentication for users with access to sensitive and/or critical assets;
  • Implement systems that allow for the tracking, logging and reviewing of access and activity history for identified assets.

  • Vulnerability management, remediation and patching – Software

S-INTERIO acknowledges that, in using software and providing online access to its systems, it is constantly exposed to the risk of security vulnerabilities. Accordingly, S-INTERIO establishes the following policies and procedures to protect against and prevent these vulnerabilities:

  • SO shall investigate and implement protective software at all high-risk access points to S-INTERIO systems, such as endpoint detection and response systems, anti-virus systems, anti-malware systems or software firewalls.
  • All protective software systems, such as anti-virus, anti-malware, intrusion prevention or detection systems, network firewalls, endpoint detection or other security software, shall be automatically updated with the most recent signatures, rulesets, threat intelligence, threat databases or similar, where applicable.
  • SO will establish operational procedures to ensure periodic manual updates of software systems that supplement the automatic updates, and to ensure that all updates have been implemented in a correct and timely manner.
  • Manual testing and updating of software shall be able to detect whether any of the current systems used by S-INTERIO are outdated and no longer capable of automatic updates (end-of-life).
  • All security software must be set up to ensure regular, automated scanning of S-INTERIO systems.
  • Establish, implement and maintain remediation and patching practices for all software and firmware. The patching practices are based on reactive (response to automatically detected vulnerabilities) and pro-active (manual testing and detection of vulnerabilities, or patching in compliance with industry standards for the prevention of future threats) approaches.
  • S-INTERIO uses various software systems developed by its third-party service providers. As such, each system will be tested, and proper due diligence on each supplier’s software development life cycle shall be performed to ensure that the suppliers have a strong vulnerability management program.
  • Establish, implement and maintain vulnerability remediation timelines that are based on the risk assessment by SO and are proportionate to the sensitivity and criticality of the asset and the severity of the vulnerability.

  • Protection of Electronic Devices

All electronic devices and systems used by S-INTERIO are susceptible to cyber security risks and threats. As such, SO shall:

  • Ensure that all devices are configured in a manner that complies with at least the baseline recommendations of industry specialists, and specifically adjusted to the security levels required by the payment industry standards.
  • Establish a secure and unique configuration of all devices used by S-INTERIO, including changing of original passwords, removal of unnecessary software and features, installation of security software and more.

  • Network Security Defences

In implementing the S-INTERIO network security systems, SO shall consider and respond to both internal and external threats. SO shall:

  • Establish, implement and maintain dedicated firewalls protecting S-INTERIO networks and systems.
  • Segregate internet-facing servers from the rest of the corporate network.
  • Establish, implement and maintain a content firewall, domain name system firewall or other gateway filter technology that prevents network users and systems from connecting to known malicious internet locations.
  • Ensure that all communication is encrypted in compliance with industry standards.
  • Ensure that all access to shared resources is secured and based on personal authentication with MFA. No users, except for those authorized by SO and the Board of Directors, shall have administrator access to S-INTERIO systems.
  • Ensure that all Wi-Fi systems and endpoints are encrypted and protected with unique passwords that are changed periodically.
  • Separate public and private networks, and segregate general and public Wi-Fi from corporate networks.
  • Use only approved providers of payment processing services that comply with the payment-industry standards to process payments or store financial information of the clients.
  • Establish, implement and maintain email security and authentication protocols on all email services.

  • Secure cloud, outsourced and storage of information technology services

In providing its services, S-INTERIO inevitably relies on third-party service providers, which creates additional operational risks. SO will implement the following strategies to protect data and information that are transmitted between S-INTERIO and third-party service providers, or are used by or stored at the third-party service providers:

  • Evaluate and assess how third-party service providers handle and access sensitive information and whether they comply with the levels of security established by S-INTERIO;
  • Ensure that the manner of storage of sensitive information and its protection from unauthorized access comply with the minimum standards dictated by the legal jurisdictions where its third-party service providers store or use sensitive information;
  • Ensure that the information technology infrastructure and users communicate securely with all cloud services and applications;
  • Ensure that access of users and administrators to the cloud services uses multi-factor authentication and that segregation of access between regular users and administrators is duly established; and
  • Ensure that data encryption is enabled in transit and at rest.

Additionally, S-INTERIO uses storage media (flash drives, compact disks and external hard drives) and shall ensure that its media is protected against unauthorized access, distribution or destruction to ensure the integrity and confidentiality of the data, systems and information used to facilitate retail payment activities.

To protect its storage media and the information stored therein, SO must mitigate the various threats to that media as follows:

  • Protect and securely store information system digital media. All digital media shall be stored in two copies, in two separate physical locations, one on- and another off-site to ensure its recoverability in any case of disaster or incident affecting S-INTERIO online operations. 
  • Only authorized individuals shall have access to and transport digital media outside of controlled areas. All movement of the media shall be authorized in advance in writing and recorded in a proper log system.
  • Sanitize information system media before disposal or repurposing. Particular attention shall be paid to whether data stored on the media remains recoverable after sanitization. Except for emergencies or unforeseen circumstances, the media shall not be reused or repurposed for any purpose other than storage of information. Physical destruction of media shall be ensured in case of disposal.
  • Ensure that full-disk encryption is implemented for removable or portable media. 
  • Leverage mobile device management solutions, including but not limited to disk encryption and remote wipe functionalities.

Detection and continuous monitoring of Risks and Incidents

SO will determine and implement systems that provide for monitoring and prompt and efficient detection and identification of incidents, anomalous events and lapses in implementation of this Program.

Subject matter of monitoring

The monitoring will be implemented to at least the following aspects of the S-INTERIO operations:

  • The retail payment activities of S-INTERIO
  • the systems, data and information involved in the performance of those activities
  • the protective elements in place to mitigate operational risks and protect assets and business processes
  • Storage and backup facilities and systems.

In particular, the monitoring, identification and response to the following events will be planned and managed:

  • unauthorized changes to systems or assets
  • misuses of access by employees and/or third-party service providers
  • breaches in internal policies (e.g., mandatory training, approval or record retention requirements)
  • reduction or deterioration in systems or controls
  • attempts by external entities to reduce, deteriorate or break down retail payment activities 

Continuous Monitoring

SO shall identify and implement such monitoring systems that allow:

  • Continuous monitoring of S-INTERIO operations with the priority defined on a risk-based approach
  • Collection and retention of information required for investigation of an incident
  • Identification, determination and recording of all types of events;
  • Application to the operations of third-party providers, and identification of incidents affecting or arising from the third-party services provided to S-INTERIO.

Monitoring of Information technology and cyber security controls

In particular, the following capabilities will be implemented with respect to Information technology and cyber security controls:

Key Indicators and Thresholds

SO will develop and implement key indicators and internal thresholds (which, if breached, would trigger an action or decision) as further provided in this Program. 

All such systems will be capable of logging and monitoring access, traffic and use of systems by S-INTERIO personnel, third-party service providers or unauthorized users/intruders.

The logs will be monitored and audited periodically to ensure the integrity of all S-INTERIO systems.

Network defences

Network defenses shall be set up in a way that provides for protection of S-INTERIO systems and detecting malicious activity (such as cyber-attacks) from within or outside the S-INTERIO corporate network by analyzing incoming and outgoing data.

SO will implement firewalls and secure gateways that comply with the industry standards and have at least the following capabilities:

  • Protection of the S-INTERIO systems
  • Detection of unauthorized access whether from within the organization or outside
  • Real-time notification of security personnel of such unauthorized access
  • Logging of all attempts and activities performed at S-INTERIO systems
  • Where possible, the system shall be configured in a way that allows immediate remote shutdown of a system, either automatically or by security personnel, in any case of detected intrusion.

Malware detection

SO will be responsible for procuring proper malware detection and protection systems capable of identifying and eliminating all major threats known to the industry, including without limitation trojans, spyware, keyloggers and viruses. Software will be installed on all computing devices that communicate with the S-INTERIO network, including without limitation servers, smartphones, laptops, tablets and point-of-sale terminals.

Security monitoring and threat intelligence

SO will establish a proper schedule for proactively monitoring unauthorized or malicious activity related to the S-INTERIO systems. It could be achieved by reviewing logs from sources such as video surveillance, endpoint performance monitoring solutions and user behavioral analytics.

In determining which system to implement, SO will look for solutions that can collect and correlate logs from the various sources described above.

To increase proactive protection of S-INTERIO systems and the preparedness of the company’s defenses, SO will establish training and skills update activities for personnel responsible for the security of S-INTERIO systems, so that they obtain information about existing or emerging cyber security threats that may affect S-INTERIO operations.

Escalation of incidents, anomalous events and lapses in implementation

SO will establish a detailed response plan in reliance on the risk-based approach. Each type of risk and incident will be allocated:

  • reporting procedures
  • Escalating and decision-making processes
  • Internal thresholds and timelines for initial response, escalation, and resolution of an event
  • Roles of individuals responsible for the management of and response to the events
  • Processes that will ensure that S-INTERIO executive managers receive updates and information in a timely manner
  • Processes for the third-party providers to inform and involve S-INTERIO team in the management of an event that affects its operations.
  • Person responsible for communication and management of the incident.

Response and recovery

SO will set out a plan for responding to and recovering from incidents, including those involving or detected by a third-party service provider. SO shall approve the response plan based on the following considerations:

  • Whether the incident occurred during the normal course of business or during a crisis event
  • Whether the incident could have a material impact on the operations of S-INTERIO
  • Whether the incident poses risk to integrity and confidentiality of the data and information systems of S-INTERIO

In the response plan, SO will:

  • set out the policies and procedures for the implementation of the response plan
  • set out the measures to be taken to mitigate the impact of an incident
  • set out the manual processes or alternate solutions the company will resort to if the primary systems are unavailable
  • Establish process for investigation and specific areas that must be investigated
  • Establish procedures that will ensure prevention or mitigation of further damages while the investigation is underway
  • Implement policies and procedures for reporting incidents to, and coordinating incident response with, relevant internal and external stakeholders
  • Determine and implement measures to promptly identify the status of all transactions at the time of the incident.
  • Establish and test processes to recover or correct data lost or otherwise affected by the incident
  • Implement policies and procedures to maintain appropriate records for each incident

In implementing the investigation and response plan of S-INTERIO, SO will ensure that the following are determined, identified and mitigated:

  • root causes
  • possible or verified impact on the company’s retail payment activities
  • possible or verified impact on end users and their personal and financial data
  • possible or verified impact on systems, data or information involved in the performance of retail payment activities

SO will establish policies and procedures for the creation, maintenance and protection of records pertaining to the incidents, which will provide for the following:

  • information about the incident’s root cause and its possible or verified impact, as determined by the investigation; 
  • measures taken to mitigate the impact of the incident, to prevent or mitigate any further damage while an investigation is underway and to address the identified root causes of the incident; 
  • manner in which S-INTERIO reported the incident and coordinated the incident response;
  • status of all transactions identified, the manner in which that status was identified and the manner in which it recovered any lost or corrupted data and corrected any data integrity issues; 
  • process for documenting all aspects of the investigation, actions, planned actions and outcomes for each incident.

Internal Review and Testing of Compliance Program

Review

SO is responsible for establishing a schedule for internal review of this Program at least as follows:

  • Annually
  • Before making any material change to the S-INTERIO operations, systems or this Program

The review will include:

  • This Program’s conformity with the requirements of the Act and Regulations;
  • S-INTERIO effectiveness at meeting its integrity, confidentiality and availability objectives, considering its targets and indicators;
  • the adequacy of the human and financial resources for ensuring implementation of this Program.
  • the S-INTERIO ability to meet its integrity, confidentiality and availability objectives;
  • the sufficiency of the allocated roles and responsibilities and adequacy of human and financial resources; and 
  • the PSP’s arrangements for assessing and mitigating risks from third-party service providers, agents.

S-INTERIO will maintain records of each review, which will include:

  • the date on which it is conducted;
  • its scope, 
  • methodology; and
  • findings

Testing

In addition to the annual review of this Program as a whole, SO shall establish a schedule for testing specific elements of the program as follows:

  • Verifying and validating controls: assess the effectiveness and identify deficiencies in the individual elements that make up this Program
  • Scenario-based testing: assess whether S-INTERIO Program (including incident management planning) will preserve the integrity, confidentiality and availability of:
    • retail payment activities of S-INTERIO; and 
    • the systems and data that provide or facilitate the provision of those activities, 
  • Testing of changes: Periodic testing to ensure that this Program will continue to be adequate and effective after a material change to the S-INTERIO operations or its systems, policies, procedures, processes, controls or other means. The scope of this testing should cover elements of the framework and operations that will be affected by the change.

Outcomes of testing

At the outcome of the testing, SO and the testing team will identify gaps, vulnerabilities and deficiencies in the Program and will take timely actions to remedy such gaps and vulnerabilities as needed to ensure that S-INTERIO continues to meet the operational risk and incident response requirements established in this Program and in the RPAA and RPAR. As part of identification, SO shall assess whether the identified vulnerabilities had been exploited by unauthorized individuals prior to the testing.

Based on the testing results, SO will identify material outcomes and will determine whether S-INTERIO framework, systems, policies, procedures, processes and controls should be modified or updated.

SO will ensure that:

  • the date each test is carried out
  • the methodology of each test
  • the results
  • any measures taken or to be taken to address those results

are recorded in compliance with the records part of this Program.

Independent Review/Audit

S-INTERIO does not have an internal or external auditor and therefore is not required to conduct an independent review of its Program.

Once an independent auditor is appointed, this Program will be updated to correspond to the requirements of the RPAA with regards to the independent external review to be conducted every three years.

Third Party Service Providers

Definition

Under section 2 of the RPAA, “a third-party service provider is a person or entity that, under a contract, provides a PSP with a service related to a payment function and is not an employee, agent or mandatary of the PSP”.

A third-party provider includes all of the following that, under a contract, provide a service related to a payment function that S-INTERIO performs, regardless of where such a third-party provider is located:

  • entities affiliated with S-INTERIO
  • other PSPs
  • individuals or companies that are not defined as PSPs but provide related services

Standards of Third-Party Service Providers

SO will establish policies and procedures to ensure that while retaining the services of a third party, S-INTERIO continues to meet its integrity, confidentiality and availability objectives and maintains compliance with this Program.

SO will:

  • determine the materiality of the services being provided by a third-party service provider
  • assess the risk of a third-party service provider before engaging its services, including its risk management practices and operational performance
  • establish contracts with the third-party service provider and clearly allocate roles and responsibilities, including in relation to the ownership, integrity, confidentiality and availability of data and information
  • create management and mitigation controls, as necessary, including termination plans
  • monitor engaged third-party service providers

In performing the assessment of the third-party service provider and its performance, SO will assess the following:

  • ability to protect data and information that they obtain from or in the course of performing services for S-INTERIO;
  • the security of connections, transmission and storage of information exchanged between S-INTERIO and the third-party provider;
  • communication channels between S-INTERIO and third-party service providers prior to making changes to the services that they provide, the manner in which they are provided or their practices for managing operational risk; 
  • monitoring and controlling mechanisms including the time and manner in which the third-party service provider will inform the payment service provider of any detected breach of the payment service provider’s or the third-party service provider’s data, information or systems;
  • the third-party service provider’s risk management practices in relation to the services that they provide to the payment service provider

SO will establish an assessment schedule that meets the minimum requirements of the RPAA before the commencement of the relationship with the third-party service provider and at least once a year.

Management and Mitigation Controls

In addition to the initial and annual assessment of third-party service providers, and to supplement contractual provisions, SO shall establish a management and mitigation plan that includes:

  • monitoring of the third-party service provider’s financial and, when relevant, regulatory standing
  • ongoing security monitoring and testing conducted by S-INTERIO, such as monitoring data and monitoring and testing technical interconnections with third-party service providers
  • integration of third-party service providers, or the services they provide, in this Program and mandating third party service providers to implement this Program in their operations relating to the S-INTERIO retail payment activities
  • Where the implementation of this Program is not feasible due to material difference in negotiating powers, SO will ensure frequent testing of communication or service delivery channels between S-INTERIO and the third-party service provider to ensure ongoing compliance with this Program. 

Effective January 1, 2025

IT ASSET MANAGEMENT POLICY

Introduction

S-INTERIO LIMITED (referred herein as S-INTERIO) is committed to identifying and safeguarding all assets belonging to, having title of, or in the custody of the company. This Policy establishes the processes of receiving, tagging, operating and disposing of equipment. S-INTERIO will maintain an up-to-date inventory and asset controls to ensure equipment users and locations are well known and properly tracked. 

Most items of S-INTERIO’s IT equipment might store sensitive company and client data, the loss or disclosure of which might result in significant damages and losses to the company and its clients.

PURPOSE

This Policy provides clear instructions on the appropriate management of physical and digital assets to help ensure that S-INTERIO is meeting its legal and contractual obligations. This policy has also been developed to help the company optimize its investment in technology and to maximize the lifecycle and the effectiveness of use of its physical IT assets.

Application

This policy applies to all S-INTERIO employees and subcontractors who use, receive into their custody or provide service to the assets of S-INTERIO.

Where this Policy refers to the assets of S-INTERIO, it shall include any assets of the company’s clients under the custody of S-INTERIO.

POLICY

Asset Types

The following types of assets are subject to the application of this Policy:

  • Desktop workstations
  • Laptop computers
  • Tablet, handheld and cellphone devices
  • Printers, copiers, fax machines, scanners and multifunction print devices
  • Servers and network devices (e.g. firewalls, routers, switches, Uninterruptible Power Supplies (UPS), endpoint network hardware, and storage)
  • Telephony Systems and Components including VoIP and other online phone systems
  • Internet Protocol (IP) Enabled Video and Security Devices
  • Memory, online and physical storage devices of any type

Asset Value

Assets which cost less than $100.00 shall not be tracked, including computer components such as smaller peripheral devices, video cards, keyboards or mice. This Asset Value provision shall not apply to assets that store data, regardless of cost. These assets include:

  • Network Attached Storage (NAS) or other computer network data storage devices
  • Hard drives, SSD, thumb drives, memory cards and other storage drives
  • Any type of storage media with data stored on them including system backup data

Asset Labeling And Tracking

Every existing or newly acquired asset of S-INTERIO, including the assets obtained from the company’s clients shall:

  • have a company internal asset number assigned. The internal number shall be recorded along with the asset’s serial number (where applicable).
  • be recorded within the asset-tracking database immediately upon its receipt and processing by the company. The database shall include the following details pertaining to each asset:
    • Date of purchase
    • Make, model, and description
    • Serial Number
    • Location / Owner
    • Status – Inventory / In Use / Disposed

Procedure

Management of IT Assets

  • All IT assets purchased by S-INTERIO are the corporate property and will be deployed and utilized in accordance with the asset management plan. IT assets which were purchased for any particular purpose shall be used for that purpose unless a proper authorization is obtained from the authorizing owner.
  • IT department will acquire assets in accordance with the company’s annual budget plan, asset acquisition plan and any particular necessities of the individual users.
  • All IT assets must be assigned to individual users or to a department who will be held responsible for their care and security at all times until such device(s) is returned to the IT Department for repurposing or decommissioning.
  • IT Department will ensure that all devices being issued for the personal use of S-INTERIO employees (e.g. laptops, phones, tablets etc.) have administration rights removed from the user’s account, so that the user is unable to change or bypass corporate information protection measures such as firewall, anti-virus, passwords and more.
  • IT Department will ensure that it has a direct admin-level remote access to all S-INTERIO devices, and that it is able to block any device from using company’s networks, delete information from a device, change passwords and completely lock the device if and when required. 
  • Each employee and subcontractor of S-INTERIO is responsible to ensure that assets are adequately administered and maintained to ensure they remain fit for purpose and compliant with the licensed conditions applicable to the asset.
  • Individual users or departments will be held responsible for protecting the IT assets that have been assigned to them against loss whether by theft, mishandling or accidental damage by using appropriate physical security measures.
  • End users are not allowed to install unapproved software on devices. Requests to have additional software installed on a device should be made to the IT Department. Any software installed must be legitimately purchased and licensed for the requested use.
  • All changes to the assets, including change of ownership, reassigning, disposal or any other change shall be reported to the IT department. IT Department will immediately record proper information into the company asset management plan.
  • All IT assets that have reached their respective end-of-life status, are no longer in use or in a need of repair must be returned to the company’s IT Department for repair, disposal or reassignment.
  • Before being reissued, sent for service to outsource service providers, or decommissioned, IT Department shall completely wipe any asset that has been used to process or store company’s information.
  • Decommissioning of an asset shall include a complete and comprehensive wiping of the asset followed by its physical destruction.
  • IT Department will source compatible service providers, which have sufficient resources, facilities, knowledge and experience to provide asset service and decommissioning services in a manner that will prevent an unauthorized disclosure of information with at least the same levels of protection implemented by S-INTERIO.

Responsibilities

SO is accountable for the implementation of this policy and will be responsible for:

  • Coordinating IT asset audit activity such as annual inventory checks for management reporting;
  • Updating and maintaining the accuracy of the asset management system as soon as a change is made (including office moves, reports of lost or stolen equipment and disposals);
  • Ensuring that IT equipment is signed for by end users when collected from or returned to the IT department and is recorded in the asset management system;
  • Ensuring that any IT asset is being disposed of in accordance with the provisions of this Policy.

S-INTERIO employees and subcontractors issued with IT assets will be responsible for:

  • Proper maintenance and protection from theft, damage, destruction or unauthorized access to IT equipment issued to them throughout its life cycle;
  • Preventing unauthorized relocation, reassignment or transfer of IT assets without the authorization of the IT Department;
  • Reporting the destruction, loss, theft or any actual or suspected unauthorized access to IT assets immediately to IT Department;
  • Keeping up with and fully complying with the company’s information security policy, including periodic change of passwords, prevention of unauthorized access, and use of properly licensed software;
  • Returning all IT assets to the IT Department for decommissioning upon the asset reaching its end-of-life, or when it is no longer required for the user’s use.

ASSET DISPOSAL AND REPURPOSING

Any servicing of the company’s assets must be performed in accordance with the following procedures:

  • All service providers must be evaluated by the SO and company’s IT department to ensure their reliability and overall capacity to fulfill the requirements of this Policy.
  • All service providers must sign a corresponding service agreement that includes express provisions for Confidentiality, protection of information and requirement to comply with this Policy.
  • Employees of service providers who arrive to S-INTERIO facilities to perform the service must be reviewed and approved by the IT Department prior to their arrival to the premises.
  • Any asset sent outside S-INTERIO facilities for repair or service must be kept segregated from other equipment of the service provider. The segregation must ensure that no assets or information of S-INTERIO gets mixed with the assets and information of other clients of the service provider.

Procedures governing asset management shall be established for secure disposal or reassignment of equipment.

When disposing of any asset, sensitive data must be removed prior to disposal. IT Department staff shall determine what type of data destruction protocol should be used for erasure to ensure complete and final erasure that will prevent future reconstruction of the data. For media storing confidential or personal information of S-INTERIO clients, disks shall be physically destroyed prior to disposal.

Audit Controls and Management

SO will ensure that IT assets inventory and utilization is being audited periodically and at least once a year. The audit shall include verification and update of the IT Asset management list(s), random inspection of equipment to confirm its physical integrity, use of appropriate software and utilization of proper access control measures (firewall, password etc.). To provide satisfactory evidence of compliance with this IT Asset management Policy, the audits shall include:

  • Current and historical asset management system checks for various classes of asset records.
  • Spot checks of record input and accuracy against tracking database.
  • Evidence of internal process and procedure supporting this policy for compliance with general workstation computing policies.

Compliance

Any actual or suspected breach of this policy must be immediately reported to the SO or IT Department. The SO will take appropriate action and inform the relevant internal and external authorities.

A breach of this policy may result in any device being remotely wiped, blocked from the company’s network and prevented from using S-INTERIO’s software licenses and software.

Due to the significant risk of loss or unauthorized disclosure of confidential or sensitive information, and as an integral part of the S-INTERIO commitment to protect its information and IT assets, any contravention of this Policy will result in disciplinary procedure up to and including the termination of employment or contract for services with S-INTERIO.

Schedule A to the Asset Management Policy – Off-Site Treatment of Assets

In certain circumstances, S-INTERIO might decide to send its equipment for repair, servicing and decommissioning to an off-site service provider. Sending of the equipment shall be in accordance with the following procedure:

  • S-INTERIO SO will prepare a list of authorized service providers who were evaluated by the SO and were found to be reliable and capable of meeting the requirements of the Asset Management Policy;
  • SO shall perform a Know-Your-Client procedure for each service provider. All findings and information about the service provider shall be stored and updated at least annually.
  • Only service providers on the SO’s list are authorized to access, service or destroy S-INTERIO assets.
  • Each completed service must be confirmed in writing, with the service provider confirming that no information was compromised, and no security incidents happened during its custody over company’s assets.
  • All financial or sensitive information must be deleted from the equipment prior to sending to the service.  IT department will delete the information from the equipment in a manner that prevents reconstruction of the information at a later time.
  • IT Department will keep records of all equipment being sent off-site for repair or decommissioning. The list will be updated as needed.
  • SO will audit the list of equipment at least quarterly.
  • Any changes to this Schedule A require approval of the SO and IT Department Manager.

Effective January 1, 2025 

CHANGE MANAGEMENT POLICY

S-INTERIO LIMITED (referred herein as S-INTERIO) operates in a digital environment and obtains significant amounts of clients’ personal, business and proprietary information. Proper management of the company’s business software, including without limitation security patches and software modifications, requires S-INTERIO to establish a formal policy concerning these and other changes to its software.

Many changes to the corporate software and digital environment bear inherent risks that must be managed through an approach that combines proper documentation, authorization, planning, and testing. By establishing this Change Management Policy, S-INTERIO endeavors to minimize the risks of negative effect that some changes might have on the company’s IT environment.

PURPOSE

This Policy establishes the process that is to be used for effective and controlled implementation of changes to the software and digital environment of S-INTERIO. This policy is meant to include any changes to network or server infrastructure and business applications.

POLICY

Change control has become a critical issue due to the ever-increasing amount of regulatory compliance requirements and the need to fully document the change control process for accountability and tracking of changes. Additionally, with the increasing regulatory compliance requirements of S-INTERIO’s clients, any change to its software or digital environment might have a material impact on the operations and compliance requirements of such clients. Accordingly, all changes to corporate and business system components and IT resources must be planned, executed and documented accordingly.

The use of the formal change management procedure will be required when any changes are discovered or requested which impact previously reviewed, approved and published project deliverables. The documentation and tracking of all change requests will be managed using the defined procedure and facilitated by the use of the change management log.

As an integral part of any change to the company’s IT system, the company must adhere to the following conditions:

  • Establish change control procedure including planning, implementation and authorization
  • Establish minimum reporting criteria for change control documentation
  • S-INTERIO must ensure that separation of duties and responsibilities exists between the development/test environment(s) and production environment(s), complete with access controls in place.
  • S-INTERIO must ensure segregation of the business and production information from the development or testing environment
  • Test data and all associated accounts are removed before a production system becomes active.
  • Management signoff by appropriate parties, along with approval for all stages of the change control lifecycle, is required for each change.
  • Operational functionality testing is performed and must be documented for each change, where applicable so as to verify that the change does not adversely impact the security of the company’s systems and processes.

The following approach will be used to approve change requests:

  • The Project Manager will make decisions to analyze and proceed with changes if the changes do not impact scope, budget or schedule or result in an increase in risk for the project.
  • Changes which do impact scope, budget or schedule will be forwarded to the Board of Directors for review and approval.
  • Prior to any change being authorized in accordance with the procedure provided herein, the Project Manager must review all business contracts affected by the change and provide the company’s clients with a detailed update on the proposed change and its projected impact on the client’s services with S-INTERIO.
  • All requests, whether approved or denied, will be recorded by the Project Manager.

This Change Management Policy will apply to all of the company’s IT and security systems, which include:

  • Software Development – all of these changes are covered by this Policy. Any change affecting the company’s client(s) must be preapproved as provided above.
  • Hardware – Installation, modification, removal or relocation of computing equipment.
  • Software – Installation, patching, upgrade or removal of all software products utilized by S-INTERIO will be covered by the Policy. 
  • Database – Changes to databases or files such as additions, reorganizations and major maintenance.
  • Changes to system configuration.
  • Any modification or relocation of desktop equipment and services.
  • Any changes that are required to complete tasks associated with normal job requirements.
  • Procedure
  • Change Procedure

The primary purpose of this Policy is to ensure that any changes to the company’s software or digital environment are processed in the most efficient manner with the minimal impact on the company’s business and its services to the clients. Change procedure shall include the following steps:

  • Request the change – the requesting employee must prepare a written request in accordance with the provisions of this Policy.
  • Classify the change – once received, the request must be classified and prioritised by the IT Department Manager or the Board of Directors. The classification shall include the scope of a change as well as its urgency and priority.
  • Analyse the Change and its impact – the change must be justified and approved by all affected parties, both inside and outside the company. Where a change has the potential of affecting S-INTERIO clients, such request shall be reviewed and analyzed with the client. The complete scope of the change and its impact on the organization must be documented and provided to the approving authority for review and consideration.
  • Approval – the IT Department Manager or the Board of Directors will appoint the officers responsible for the review and approval of the change request. The approval process must include a review of the technical, financial and business aspects of the request. Clients’ responses to the change notice will be provided for the review as well.
  • Implementation – implement the change, including acquisition of the required hardware and software, making any necessary adjustments to the company’s processes and procedures and completing the change in the most efficient and cost-effective way. As an integral part of implementation, S-INTERIO will verify the impact of the transition process as well as of the final change and will strive to minimize that impact as much as possible.
  • Verification – upon completion of the change and its implementation, S-INTERIO shall supervise the processes affected by the change and evaluate the actual impact of the change and any consequent changes required from the organization in response to the change.
  • Documentation – the change and any review and approval information must be properly documented.

Communication and Reporting

All change requests must be communicated internally and externally as follows:

  • With all department managers whose departments could be affected by the change;
  • With IT Department and Security department as a part of the approval process;
  • With the Board of Directors – any change affecting the organization in its entirety or exceeding the budget authorization of the requesting owner.
  • With all the clients that might be affected by the change. Although no express consent of a client is required for any internal change, S-INTERIO must ensure that the following conditions are met:
      • The proposed change and its impacts are not contradictory to the company’s contractual obligations;
      • The proposed change will not result in a significant impact on the client’s legal, regulatory and other compliance requirements. Should the client advise of such an impact, the CEO of the company must be consulted about the change.
      • The change will not result in a detrimental impact on the company’s ability to supply its services to the clients.
      • The change will not decrease the company’s ability to comply with clients’ confidentiality and privacy requirements.
  • Where it is determined that the change might result in additional regulatory or licensing compliance requirements to the company, the change must be communicated prior to its approval to the company’s legal counsel. 
  • All steps of a change must be recorded and reported to the approval body. The reporting must include:
      • Detailed description of a change
      • List of change requests (both approved and rejected)
      • Completion of each of the stages of a change
      • Decision of exit or cancellation
      • Other reports as might be requested by the approval body.

Cancellation, Exit plan

Prior to the commencement of any change, S-INTERIO will evaluate the costs and operating impact of the project’s cancellation. As a part of the approval process, the company will evaluate and implement a back-up plan to ensure that, in the case of a failed change implementation, no change process results in a loss of data, a material interruption to the company’s services, or an interruption of the company’s continuous operations.

The cancellation and exit plans must be submitted and reviewed as an essential part of the approval process. 

Effective January 1, 2025

INCIDENT RESPONSE POLICY

  • Introduction 

S-INTERIO receives into its custody and protection significant amounts of its clients’ information, including sensitive and personal information. One of the main aspects of information security is establishing a proper incident response and management process. Effective notification, control and mitigation of the consequences of a security incident are necessary to ensure that any incident is not only properly managed but also provides an opportunity to prevent similar future activities that could potentially disrupt the operation of Score Productions or compromise its business information.

  • Purpose

The purpose of this Incident Response Policy is to provide a well-defined, organized approach for handling any potential or actual threat to computers and data. This Incident Response Policy defines the roles and responsibilities of various levels of the company’s personnel. The purpose of this Policy could be achieved by complying with the following principles:

  • Identify accountability for responding to computer security incidents
  • Establish appropriate notification and escalation process
  • Ensure effective response to computer security incidents
  • Secure and protect data in order to minimise the organisational impact of a computer security incident
  • Implement measures to minimize or completely eliminate the impact of an incident
  • Investigate the incident and put in place measures to prevent future incidents
  • Application

This policy applies to all S-INTERIO employees and subcontractors who have access to the company’s premises or company’s computers, networks or storage of information.

This Policy applies to incidents that happen either at S-INTERIO or at a third party where S-INTERIO was identified as the source of the incident.

  • Definitions

A computer security incident, for the purposes of this plan, includes events where there is suspicion that:

  • Confidentiality, integrity or accessibility of S-INTERIO data has been compromised
  • Computer systems or infrastructure has been attacked or is vulnerable to attack
  • An unauthorized access to the company’s computer systems has been obtained
  • Policy
  • Breach of Personal Information — Overview

In addition to S-INTERIO’s commitment to protect its clients’ personal and business information, the company must comply with the relevant provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) as further defined in the Privacy Policy.

This Incident Response Policy outlines steps the company will take upon discovery of unauthorized access to personal information of its clients.

In accordance with the company’s Privacy Policy, the following definitions shall apply:

Personal information means any and all information about an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Most information the firm collects about an individual is likely to be considered personal information if it can be attributed to an individual.

Business information means any information about business activities, operations or projects of our clients.

Significant Harm provisions under PIPEDA: Where it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual, S-INTERIO will act immediately to inform any affected individuals, the Office of the Privacy Commissioner, as well as any government institutions or organizations that S-INTERIO believes can reduce the risk of harm that could result from the breach or mitigate the harm, including without limitation such organizations as law enforcement, payment processing, information storage, email providers and more.

Significant harm shall include any of the following: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Source of Information: It does not matter what is the source of the information, whether it refers to our clients or their respective clients, and whether there are additional individuals or businesses that are responsible for the collection and protection of such information. This policy will apply to all personal and business information retained by S-INTERIO and its employees.

Types of Incidents

Security incident types include but are not limited to:

  • Malicious code attacks – attacks by programs such as viruses, trojan horse programs, worms, rootkits, and scripts to gain privileges, capture passwords, and/or modify audit logs to hide unauthorised activity.
  • Unauthorised access – includes unauthorised users logging into a legitimate account, unauthorised access to files and directories, unauthorised operation of “sniffer” devices or rogue wireless access points.
  • Disruption of services – includes erasing of programs or data, mail spamming, denial of service attacks or altering system functionality.
  • Misuse – involves the utilization of computer resources for other than official purposes.
  • Breach of personal information
  • Denial of service/Distributed denial of service
  • Excessive port scans
  • Firewall breach
  • Unusual Events – includes erratic and persistent unusual system behaviour on desktops, servers or the company’s network.

Incident Severity

Incidents will be classified by the Chief Information Officer (or Chief Information Security Officer once appointed) based on the perceived impact on the company’s business operations and its relations with the clients:

  • Minor – incidents for which there are routine solutions. Sensitive information has not been exposed or accessed by unauthorised parties.
  • Medium – incidents that do not have routine solutions but are limited in scope and consequences.
  • Severe – incidents that involve significant personal data leakage or compromised institutional data, or that impact a significant number of users, all of which have significant consequences.
  • Employee Responsibilities

Employees and subcontractors shall be aware of this Policy, familiarize themselves with the company’s expectations and acquire a basic understanding of IT security incidents. All employees and subcontractors of S-INTERIO shall participate in the Cyber Security Awareness Training.

All employees and subcontractors of S-INTERIO must report any suspected or confirmed incident as defined above to their supervisor and the IT Department immediately upon discovery. Reportable incidents shall also include notification(s) received from any third-party service providers or other business partners with whom the organization shares personal information of clients.

Where the computer security incident involves physical security issues in addition to computer security issues, the incident must be reported to the Company’s security officer (SO).

Upon becoming aware of an incident, an employee shall preserve any available information pertaining to the incident, including the source of the information, any available logs, and any other information that the employee is instructed by the IT Department to retain. The employee shall assist the IT Department in resolving and investigating the incident as might be required by the IT Department or the SO.

  • Response to IT Incidents
  • All Incidents

In a case of an IT security incident and following its reporting to the IT department, members of the IT Department will be responsible for performing the initial investigation to determine if an incident has occurred.

IT Department and the employee shall complete the following steps:

  • Create an incident file
  • Consider disconnecting the potentially affected system from the company’s network and other services to prevent further contamination
  • Collect and review log files
  • Identify the scope and type of problem, including classification as minor, medium or severe
  • Review installed or running privileged programs
  • Inspect the system for file tampering and for unauthorized services installed on systems
  • Review system and network configurations
  • Take corrective action, including changing passwords, segregating affected computer systems from the rest of the network, and cleaning the systems of malware
  • Examine the system in its entirety, as well as other hosts, to ensure that the contamination has not spread
  • Medium and Severe Incidents

SO or Chief Information Security Officer (CISO) will:

  • Brief S-INTERIO executives and the Board of Directors
  • Together with the executives of the company commence damage (including reputational damage) mitigation procedures
  • Establish a system of periodical updates of the incident resolution and investigation and report to the Board
  • Where required, have the insurer of S-INTERIO get involved and provide their support to the incident management and mitigation
  • Upon resolution of the incident and completion of the investigation, provide a comprehensive report to the Board along with SO’s suggestions for future prevention of similar incidents.
  • Recovery

The goal of this Policy is to ensure that any IT security incident is efficiently resolved, that any loss of information or system operations is fully recovered, and that any existing security vulnerabilities are fully resolved and eradicated.

Recovery shall include identification and protection of the attacker’s point of penetration and any associated vulnerabilities, and making sure that no further incidents will be able to exploit the same method or point of penetration.

  • Periodic Testing & Remediation

It is the responsibility of the IT Department to test and review the Incident Response Policy and the corresponding procedures and plan quarterly. When testing is done, each system should be scanned for the open vulnerability before remediation and then scanned again after the remediation to verify that the vulnerability has been eliminated.

All employees and subcontractors of S-INTERIO shall pass Cyber Security Awareness Training, at least annually.

All new employees or subcontractors shall be instructed by the IT department on their responsibilities in a case of an IT security incident and the reporting and response responsibilities hereunder.

  • Corporate Reporting

Upon incident being resolved and closed, the SO will prepare a comprehensive report that shall include:

  • Description of the incident and actions taken
  • Scope of risk and degree of exposure
  • Description of action taken to mitigate and resolve the issue
  • Suggestion of actions to be implemented to prevent similar incidents in the future
  • Internal and external communications that were taken

Effective January 1, 2025

PASSWORD MANAGEMENT POLICY

  • Intent

S-INTERIO LIMITED (referred to herein as S-INTERIO) has established various rules and procedures to ensure protection of its sensitive information from unauthorized access and disclosure. One of the main and most efficient measures to achieve this goal is the proper management and limitation of access to information by assigning passwords to the users of the corporate IT assets.

  • PURPOSE

This policy describes the requirements for acceptable password selection and maintenance. It provides guidance on creating and using passwords in ways that maximize security of the password and minimize misuse or theft of the password.

Passwords are the most frequently utilized form of authentication for accessing a computing resource. Due to the use of weak passwords, the proliferation of automated password-cracking programs, and the activity of malicious hackers and spammers, they are very often also the weakest link in securing data. Passwords must therefore follow the policy guidelines listed below.

This Policy will provide a clear instruction on the appropriate issuance and management of passwords.

  • Application

This policy applies to all S-INTERIO employees and subcontractors who use, receive into their custody or provide service to the IT assets of S-INTERIO.

Where this Policy refers to the assets of S-INTERIO, it shall include any assets of the company’s clients under the custody of S-INTERIO.

  • Policy

All passwords (e.g., email, web, desktop computer, laptop, mobile device, etc.) should be strong and hard to predict or guess, and should follow the guidelines below. In general, a password’s strength will increase with length, complexity and frequency of changes.

Based on the risk assessment by S-INTERIO, certain applications and access accounts will require a heightened level of protection. Where it is deemed necessary by the company, or required by its clients, S-INTERIO will augment its regular Password Policy with additional security measures such as multi-factor authentication (MFA). High-risk accounts include, but are not limited to: systems that provide access to critical or sensitive information, access to financial or personal information of S-INTERIO clients, controlled access to shared data, and administrator accounts that maintain the access of other accounts or provide access to the company’s security infrastructure.

SO together with IT Department will be responsible to implement this Policy and establish and maintain passwords in compliance with at least the following requirements:

  • General
    • All passwords must:
      • contain at least fifteen (15) characters;
      • contain at least one (1) numeric character, one (1) alphabetic character and one (1) special character;
      • contain at least one (1) upper-case and at least one (1) lower-case alphabetic character;
      • not consist of a single word in any dictionary, language, slang, dialect, jargon, etc.;
      • not consist of easily guessed or obtained personal information, names of family members, pets, etc.
    • To help prevent identity theft, personal or fiscally useful information such as Social Security or credit card numbers must never be used as a user ID or a password.
    • All passwords are considered sensitive information and as such they should never be written down or stored on-line unless adequately secured.
    • Passwords should not be inserted into email messages or other forms of electronic communication, and should never be stored on the same device/media as the account name/ID.
    • The same password should not be used for multiple accounts or to access accounts or perform actions external to S-INTERIO business activities (e.g., online banking, benefits, etc.).
    • Passwords shall be changed at least every ninety (90) days but not more frequently than once per day. Any attempt to change the password within a 24-hour period (except where a default password is being changed to a user’s unique password) shall be reported to the IT Department.
    • All S-INTERIO systems must use a password history enforcement policy under which no password reuse shall be allowed (at least 10 prior passwords must be compared).
    • Passwords should not be shared with anyone, including administrative assistants or IT administrators. Necessary exceptions may be allowed with the written consent of the SO.
    • If a password is suspected of being compromised, it should be changed immediately, and the incident reported to the IT Department.
    • Attempts to guess a password should be automatically limited to ten incorrect guesses. Access should then be locked for a minimum of ten minutes, with a notice of multiple attempts sent to the IT Department automatically.
    • All accounts that support such a function must have inactivity logout turned on, so that no session remains inactive for more than 30 minutes before the automatic logout is initiated.
  • Administrator Passwords

In addition to the general password guidelines listed above, the following apply to any system administrator passwords:

  • Admin passwords for client devices must be changed at least every ninety days.
  • Passwords for servers must be changed as related personnel changes occur.
  • Incident response and reporting procedures must be followed in any case of an actual or suspected password compromise. Any potentially affected passwords must be changed immediately.
  • Uniform responses should be provided for failed attempts, producing simple error messages such as “Access denied”.
  • All failed attempts should be logged, and logs shall be retained for a minimum of 30 days.
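The general password requirements and the administrator rules above can be expressed directly in code. The following is an added illustration, not S-INTERIO’s own tooling: it checks a candidate password against the complexity, dictionary, personal-information and history rules, and implements the ten-attempt / ten-minute lockout with a uniform “Access denied” response and a failure log. The dictionary and personal-information lists are constructed samples standing in for a real word list and the user’s HR profile data.

```python
"""Password-policy and lockout checks modelled on the S-INTERIO password policy.

Illustrative code added to this page, not the company's own tooling. The
dictionary and personal-information lists below are constructed samples.
"""
import hashlib
import string

MIN_LENGTH = 15            # at least fifteen characters
HISTORY_DEPTH = 10         # at least ten prior passwords are compared
MAX_FAILED_ATTEMPTS = 10   # ten incorrect guesses trigger a lock
LOCK_SECONDS = 10 * 60     # locked for a minimum of ten minutes
DENIED = "Access denied"   # uniform response for every failed attempt

# Constructed sample lists (stand-ins for a dictionary and the user's profile).
DICTIONARY_WORDS = {"password", "welcome", "correcthorsebattery"}
PERSONAL_INFO_TOKENS = {"alice", "rover", "1985"}


def hash_password(password: str) -> str:
    """Digest kept in the password history so that no plaintext is stored.
    A credential store proper would use a salted, slow hash (e.g. Argon2);
    SHA-256 is used here only to keep the example dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def policy_violations(password: str, history: list = ()) -> list:
    """Return every general-policy rule the candidate breaks; [] means it passes.

    `history` holds digests of the user's prior passwords, most recent first.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        violations.append("no numeric character")
    if not any(c.isalpha() for c in password):
        violations.append("no alphabetic character")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    lowered = password.lower()
    # "Single word in any dictionary": the alphabetic core is one dictionary word.
    if "".join(c for c in lowered if c.isalpha()) in DICTIONARY_WORDS:
        violations.append("single dictionary word")
    if any(token in lowered for token in PERSONAL_INFO_TOKENS):
        violations.append("contains personal information")
    # History holds at most HISTORY_DEPTH digests; comparing all of them
    # satisfies the "at least 10 prior passwords" requirement.
    if hash_password(password) in list(history):
        violations.append("reuses a prior password")
    return violations


def record_new_password(password: str, history: list = ()) -> list:
    """History to store after a successful change: the new digest first,
    keeping the HISTORY_DEPTH most recent entries for later reuse checks."""
    return [hash_password(password)] + list(history)[:HISTORY_DEPTH - 1]


class LoginGuard:
    """Per-account failed-attempt counter implementing the lockout rules:
    MAX_FAILED_ATTEMPTS incorrect guesses lock the account for LOCK_SECONDS,
    every failure is logged, the IT Department is flagged on lock, and the
    caller only ever sees the uniform DENIED message."""

    def __init__(self):
        self.failures = {}      # user_id -> consecutive failed attempts
        self.locked_until = {}  # user_id -> unix time at which the lock expires
        self.audit_log = []     # retained for at least 30 days in production

    def is_locked(self, user_id: str, now: float) -> bool:
        return now < self.locked_until.get(user_id, 0.0)

    def attempt(self, user_id: str, password_ok: bool, now: float) -> str:
        """Process one login attempt at unix time `now`; returns "OK" or DENIED."""
        if self.is_locked(user_id, now):
            self.audit_log.append(f"{now:.0f} {user_id} attempt while locked")
            return DENIED
        if password_ok:
            self.failures.pop(user_id, None)
            return "OK"
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        self.audit_log.append(f"{now:.0f} {user_id} failed attempt {count}")
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user_id] = now + LOCK_SECONDS
            self.failures.pop(user_id, None)
            self.audit_log.append(
                f"{now:.0f} {user_id} LOCKED for {LOCK_SECONDS}s; notify IT Department")
        return DENIED


if __name__ == "__main__":
    print(policy_violations("Correcthorsebattery1!"))  # ['single dictionary word']
    guard = LoginGuard()
    for i in range(MAX_FAILED_ATTEMPTS):
        guard.attempt("alice", False, 1_700_000_000 + i)
    print(guard.is_locked("alice", 1_700_000_005))     # True
```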

Issuance of any administrator password shall be considered “privileged access” and shall require the written approval of at least two supervisory authorities of the user, one of whom must be the SO and the other either the user’s direct supervisor or the company’s CEO.

  • Password Issuance Procedure

Prior to the issuance of password to any S-INTERIO employee or subcontractor, the following procedure must be followed:

  • Two levels of supervision (usually the individual’s direct supervisor and the company’s SO or IT Department Manager) shall recommend the issuance of a password, including the determination of the levels of access and the programs which such employee shall be allowed to access.
  • The IT Department will prepare the password(s) in accordance with the recommendation of management.
  • The password(s) will be provided to the employee personally and not by sending them by email or other open communication.
  • Under no circumstances shall a user’s password and ID be sent or written in the same media or the same channel of communication. This rule also covers separate emails or separate messages that the user can receive only on the same device.
  • The employee will be required to change their password during the initial log-in attempt.
  • Any passwords sent by email (in exceptional situations) must be sent by encrypted email communication within a secured network.
  • Old/Unused accounts

All accounts of former employees, or accounts that remain unused for a period of 90 days or longer, shall be disabled by the IT Department and deleted 30 days afterwards. The IT Department shall verify that the account does not contain unrecoverable or sensitive information prior to its deletion and shall obtain a written confirmation from the department manager responsible for the account.

Any access rights of former employees shall be terminated during the termination interview or immediately thereafter if the interview was unplanned. No former employees shall be allowed access to S-INTERIO systems or their former accounts. No former employee shall be allowed to retrieve personal data from their accounts, and IT Department shall expressly deny any such requests.

Effective January 1, 2025

RECORDS RETENTION AND DISPOSAL POLICY

  • PURPOSE

During its regular course of business, S-INTERIO LIMITED (referred to herein as S-INTERIO) collects and retains personal, business, financial and other records of its clients, visitors, contractors, service providers and employees. This policy shall ensure that records are retained and stored in a reasonably secure manner and in accordance with the legal requirements.

  • POLICY

It is intended that records will not be kept for any longer than required by the law, unless there is a valid business or legal reason to keep them longer. S-INTERIO policies or procedures that either express or imply any reference to storage, retention or disposal of information are subject to this policy. All retention periods stated in this policy are minimum retention periods and S-INTERIO may decide to extend the retention period for valid and justified reasons.      

Employees of S-INTERIO shall ensure that all records are legible, filed in order, properly stored, secured, and retained and disposed of in accordance with this policy. Information found on any form of record may be admissible in court or subject to requests for information and must therefore be prepared and stored in accessible, usable and legible format.

During retention periods, records must be stored securely by providing adequate physical security, technological security and administrative controls to protect against unauthorized use, unauthorized disclosure, loss and/or theft of the records in accordance with the Privacy Policy.

All Records shall be disposed of in a manner that results in permanent deletion of information which removes the ability of retrieval or reconstruction of the records or any information contained therein. The disposal of digitally stored information shall be taken care of by certified professionals with sufficient experience and expertise to ensure prevention of any reconstruction of the digital files following the disposal of information.

Factors Affecting Record Retention Policy

All Records created, captured and managed within S-INTERIO must be maintained for various future purposes, such as financial and tax audits, legal claims and investigations and more. The period of retention may be extended and set by S-INTERIO in accordance with the following factors:

  • The usefulness of the information in the record for ongoing client’s support, quality assurance, research, training and protecting the legal interests of S-INTERIO and its employees and service providers;
  • The usefulness of the information in the record to the client, in particular with regards to legal actions against third parties;
  • Contractual obligations of S-INTERIO with regards to the storage, protection and disposal of the information (such as NDA agreement and other contractual arrangements with the disclosing parties);
  • The archival or historical information in the records;
  • The physical, financial and technological resources available to S-INTERIO to store and maintain the documents in a secure manner for longer periods;
  • The purpose for creating the document, whether it is still required for that purpose or if there is an anticipated need to refer/use the document in the future;
  • Whether the document has been referred to in the past 6 months.

  • PRIVACY LEGISLATION

The Personal Information Protection Act (PIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) outline obligations for any organization that collects, uses and stores personal information of its clients or the general public.

Personal information in the custody of S-INTERIO must be securely stored to protect the records from theft, loss or unauthorized use or disclosure. Secure disposal involves permanently destroying the records by irreversible shredding, thus making them unreadable (or in the case of electronic or video records, erasing or over-writing the information on digital media).

The Chief Information Officer of S-INTERIO shall evaluate periodically, and not less than once a year, the legislative changes affecting this Policy and the retention periods defined herein. Once such a change is identified, this Policy shall be updated without delay and the staff shall be informed and trained on the new provisions of the Policy.

  • KEEPING RECORDS

The Canada Revenue Agency (CRA) recognizes records retained in an electronically readable format, as long as the records can be related back to the supporting documents and are supported by a system that can produce accessible and usable copies.

If there is a notice of a potential or actual claim, inspection, inquest, investigation or other legal proceeding or claim, relevant records are retained until the proceeding is finally disposed of or completed even if the applicable retention period is at an end.     

All information retained by S-INTERIO shall be stored on properly encrypted storage devices. IT Department Manager will recommend to the company’s senior management which type and level of encryption shall be used with regards to different types of information.

Where the information was provided to S-INTERIO under certain contractual relations, the provisions of the contract must be reviewed with regards to the requirement for the storage and protection of such information. IT Department manager will advise company’s management whether it is feasible for S-INTERIO to implement such means of protection and whether the company will be able to comply with the requirements of the contract. Where it was decided that the company will comply with the contract, S-INTERIO shall establish encryption and protective procedures that meet or exceed the requirements of the agreement.

  • PROCEDURE

Employees and service providers of S-INTERIO shall ensure that records under their custody or control are used or transferred in accordance with the following procedures pertaining to security, storage, retention and disposal:

Security of Records

Employees of S-INTERIO shall take steps that are reasonable in the circumstances to ensure that personal information in their custody or control is protected against theft, loss and unauthorized use or disclosure in accordance with the Privacy Policy.

Access to such information must be provided only on a need-to-know basis, and must be protected by limiting access to authorized personnel only and by requiring passwords or encryption software to access it.

Storage

Personal information must be stored in a way that protects it from disclosure or unauthorized use, including locked storage and identifying such information as “Personal Confidential Information”. This information may be kept in any reasonably appropriate storage space such as an electronic filing system, cabinets or office as long as such storage space provides for proper protection of the information and limiting the access to authorized personnel only.   

Retention

Generally, personal information shall be kept for 6 years from the completion of the services to a client of S-INTERIO, unless the person to whom the information pertains consents to or requests its earlier disposal.   

If any legal or investigative action has commenced during the retention period (including, without limitation, CRA audits, claims, death investigations and more), the retention period shall be extended until the complete exhaustion and termination of such proceedings.

Disposal

All personal information shall be disposed of in a manner that ensures secure destruction of Records. All digital information should be destroyed by deleting any files related to such information and overwriting the storage with new files/information.

All paper records should be shredded whether by the authorized employee of S-INTERIO, or by an approved service provider that can provide such service on the premises of S-INTERIO, in which case an employee of S-INTERIO shall supervise the destruction and ensure that no documents were used, copied or retained by the service provider’s employees.

Any disposal of information must be performed by the employees of S-INTERIO or a licensed/certified contractor who has the ability to perform secure destruction of the company’s data, has undertaken to comply with this Policy as well as Information Security Policy and will provide a written confirmation of destruction upon completion of the service.

  • HR RECORDS RETENTION

Though the retention periods might vary depending on the type of the record and accompanying circumstances, this policy will provide for the longest applicable retention period to streamline the process and to ensure that the records are available in a case of audit or inspection. 

Accordingly, all human resources records of S-INTERIO will be treated as “payroll records” for which the retention period is set for a minimum of six (6) years from the end of the last taxation year and can be kept in paper or electronic format.

  • Outsourced Storage

The company may decide, at its sole discretion, to relocate certain records to an outsource storage facility. In such case, the following rules shall apply to the storage of the information:

  • S-INTERIO shall ensure that information is sent only to a facility within Canada or in the country of its origin (if initially stored outside Canada). No information shall cross the border without prior written authorization of the company’s CEO or Legal Counsel.
  • Physical files or storage media shall be deposited in a facility with at least the same level of physical protection as implemented by S-INTERIO at its premises. The storage facility shall be manned 24/7 and shall provide sufficient physical and security segregation of the company’s information.
  • The storage facility shall implement a proper disaster response plan and procedures to ensure on-going protection of the company’s information and prevention of unauthorized access.
  • All digital storage facilities and servers shall be located in Canada and implement at least the same levels of information protection and prevention of unauthorized access as those implemented by S-INTERIO.
  • Before delivery of the company’s information to the outsourced storage, the Chief Information Officer shall verify that the storage company holds any certifications and accreditations that might be required by S-INTERIO’ clients whose information is contained in the transferred records (e.g. PCI compliance, financial institutions’ requirements, and more).

Effective January 1, 2025

INFORMATION SECURITY POLICY

S-INTERIO LIMITED (referred herein as S-INTERIO) receives, generates and processes information of its clients as an integral part of its business operations. The integrity and security of information constitutes an essential part of all S-INTERIO business contracts and business relations with its clients.

S-INTERIO is committed to safeguarding its IT systems, to securing its data holdings and to protecting its own as well as its clients’ information with administrative, physical and technical security safeguards appropriate to the sensitivity of the information. S-INTERIO implements various safeguards to protect its information against theft, loss, unauthorized use or disclosure, unauthorized copying or disposal. 

Compromising of confidentiality, integrity, or availability of information under S-INTERIO’ control could adversely affect the achievement of business goals and performance of its business contracts and result in harm to S-INTERIO and its clients.

  • PURPOSE

The purpose of this Policy is to establish rules and procedures intended to protect the confidentiality and integrity of the information under S-INTERIO’ control.

This Policy defines company’s objectives and strategy related to information security, establishes principles for information security management, and specifies fundamental information security control requirements.

  • Application

This policy applies to all S-INTERIO employees and subcontractors as well as to all suppliers of IT and Information security services for or on behalf of S-INTERIO.

Where S-INTERIO or its subcontractors hold information as a part of its performance of business services, the rules and procedures of this Policy shall be adjusted to bring them in conformity with the requirements of business contracts directing the operations of S-INTERIO.

This Policy applies equally to the information of S-INTERIO and its clients, and S-INTERIO shall afford its clients’ information with at least the same level of protection as it uses for its own.

This Policy shall apply to all types of information, whether stored in physical or digital form, whether on or off company’s premises. This policy and any corresponding procedures shall be adjusted to provide proper and efficient solution for information stored digitally, off-site or on the online storage.

  • POLICY

S-INTERIO Policy supports the development and maintenance of the Information Security Program in accordance with business, legal and privacy requirements applicable to the business activities of S-INTERIO. S-INTERIO provides a safe and secure environment for the collection, storage, access and retrieval of information, and will take appropriate measures to preserve the confidentiality, integrity, and availability of information, support information security within the organization, and to maintain a secure IT environment. This program must address, at minimum, the following control objectives and practices:

  • A general information security framework applicable to all levels of S-INTERIO personnel;
  • Ongoing review of the security policies and procedures of the company;
  • An information security awareness and training program for all staff;
  • Policies, standards, practices and/or procedures for ensuring the physical security of the premises, the security of information processing facilities and the protection of information throughout its lifecycle (creation, acquisition, retention and storage, use, disclosure and disposition);
  • An access management process for information and information processing facilities;
  • Secure systems acquisition, development and maintenance;
  • Security audits;
  • Acceptable use of information technology;
  • Business continuity and disaster recovery; and
  • Information security incident management.

It is S-INTERIO’ policy to:

  • protect the confidentiality and integrity of information throughout its life cycle in accordance with legal and contractual obligations and the reasonable requirements of the parties that own and/or control the information, and authorized users;
  • establish and maintain secure, reliable and available information technology-based services;
  • hold individual users accountable for their unauthorized or inappropriate access to, use of, disclosure, disposal, modification of, or interference with information or services; and
  • establish accountabilities and implement processes and controls that ensure compliance with the various legal and contractual responsibilities of S-INTERIO as the custodian of information.

  • Guidelines

All employees, subcontractors and service providers of S-INTERIO have the following responsibilities within the framework of the information security program of the company:

All personnel:

All employees and subcontractors are responsible for ensuring the security and protection of information throughout its lifecycle. The protection of S-INTERIO’ information is a basic responsibility of all personnel, who must understand and comply with their obligation to protect the company’s information throughout its lifecycle (creation, retention, storage, use, disclosure and disposition) and take appropriate measures to prevent loss, damage, abuse, or unauthorized access to information assets under their control.

Staff must at all times engage in practices that are consistent with published information security policies, procedures, and guidelines. Additionally, staff are obliged and expected to report all actual and suspected information security incidents, including, but not limited to, unauthorized access, theft, system or network intrusions, willful damage and fraud, immediately upon learning of them.

As an integral part of the Company’s commitment to establish and maintain a comprehensive information security regime, all personnel must look after any physical device(s) (phones, computers, laptops, etc.) and access articles (keys, ID cards, system IDs, passwords, etc.) assigned to them for the purposes of performing their job duties. Employees further must respect the classification of information as established by the Information Owner including regular and privileged access rights, and comply with all the security requirements defined in this document and all supporting procedures and guidelines.

Senior management

Senior management shall provide the necessary guidance and support for the development and maintenance of the Information Security Policy and procedures, in line with privacy and legal requirements and business strategy objectives.

Senior management shall ensure timely availability of resources and workforce to provide on-going and uninterrupted support and further development of the company’s information security policy and procedures.

Senior management will appoint responsible officers for implementation of this Policy and will ensure that all employees of the company receive training and guidance for proper compliance with this Policy.

Chief information officer (CIO)

The CIO has overall responsibility for information security and shall ensure that information security goals are identified, defined, meet organizational requirements and are addressed within the Information Security Program.

The CIO shall manage and coordinate the design, implementation, operation and maintenance of this Policy within the defined scope of the company’s operations. The CIO shall actively foster a culture of information security by leading and supporting activities both internally and externally to increase awareness of S-INTERIO’ information security policies and procedures.

The CIO is responsible for classifying information in accordance with policies and guidelines. All information must have an assigned information owner who will be accountable for ensuring that systems are assessed for security requirements, including those flowing from legislative and contractual obligations.

The CIO is also accountable for ensuring that systems are designed, configured, implemented, operated, maintained, upgraded, and decommissioned consistent with the established security needs.

The CIO, upon request, must be able to determine the location of technology assets and their respective owners and must ensure continuity of ownership of technology and informational assets.

  • Procedure

The CIO, together with the IT department, will define processes and standard practices that all company departments and employees must follow in the development and delivery of secure services and to ensure appropriate security of information.

  • System Control Requirements

The system of security controls protecting corporate information must be designed and operated such that:

  • all governance and business security requirements are met;
  • the system is designed in a manner that unexpected failure of any given control mechanism will not result in significant harm to the overall operational state of the system (redundancy);
  • the harm resulting from a security failure is limited and contained, with minimal potential to expand beyond predetermined bounds (segregation);
  • the control framework provides evidence / assurance of its own effectiveness, and includes mechanisms for correction of deficiencies;
  • the risk management procedures comply with the Risk Management Policy of S-INTERIO and allow design of the systems in conformity with the company’s risk management approach;
  • the system of security controls and individual control mechanisms are assessed and tested prior to use and periodically thereafter; and
  • involved technology, products, or tools are properly configured and operated to ensure that all security controls are effective.

  • Control Mechanisms

Information security system shall provide for the security measures and internal as well as external controls as follows:

  • internal controls – defined responsibility and delegation of authority, process controls, segregation of duties, and independent reviews
  • service management – definition, responsibility, alignment with business requirements, and service integration
  • contractual controls, including outsourcing
  • personnel controls – screening, employment terms and conditions, compliance agreements, awareness training, supervision, incentives, and consequences for full time and part time staff, contractors and vendors’ personnel
  • access control and accountability – identification, authentication, authorization, session control, non-repudiation, and audit
  • physical, environmental, premises, utilities, and housekeeping controls
  • cryptographic controls – protocols, algorithms, key and certificate management, and products
  • planning, architecture, development, acquisition, acceptance, and maintenance
  • zones and gateways – physical and network security, and remote access
  • operations controls – IT service management, operating procedures, system integrity, monitoring and reporting, intrusion detection, and incident management

  • Business Continuity

The potential consequences of security incidents, disasters, security failures, and service disruptions must be analyzed as a part of the company’s Risk Management Program to determine critical services and implement sufficient supporting IT infrastructure components. All systems must be monitored as an on-going concern and tested in accordance with the procedures established by the IT Department.

The CIO, in cooperation with the IT department and under supervision of the company’s CEO, shall prepare and implement a disaster recovery plan that provides a proper response to various incidents of service disruption or loss of operability of S-INTERIO’ systems. The disaster recovery plan shall provide for effective protection of information, restoration of services, recovery of information and protection of critical services. The disaster recovery plan shall be tested at least annually.

All information of S-INTERIO and its clients in its custody must be periodically backed up in a way that will prevent loss of a significant amount of information in a case of digital or physical disaster. The IT Department Manager will establish a written back-up procedure, including determination of back-up services that will allow on- and off-line back-up storage, including periodic back-ups that will be stored off-site.

  • Security Infrastructure Services

The following security infrastructure services are required to support the achievement of the goals of this policy and overall corporate security objectives:

  • Electronic Access Systems to provide the following functionalities: identity management, access control, and privilege management;
  • Information protection system: key and certificate management for information encryption and password protection;
  • Intrusion Detection and Incident Management;
  • Security Status Tracking and Reporting;
  • Other systems identified by the IT department and approved by the CIO.

  • Separation of Administrative Functions

As an integral part of information security, S-INTERIO has implemented a policy of segregation of authorities that prevents any one person from holding access authorization to both production and administration resources.

Upon transfer of a person from one position to another, the IT Department shall remove all access rights from the person and follow the same procedure used for new employees for the issuance of new access privileges.

  • Exceptions

In certain situations, the management of S-INTERIO might decide to provide certain exceptions for compliance with this Policy. In such case the following procedure must be followed:

  • Any exception to this policy must be approved by the CEO and CIO of S-INTERIO;
  • Prior to the approval of any exception, the CIO shall review all company contracts and legal regulations applicable to S-INTERIO to ensure that the proposed exception complies with the requirements contemplated therein;
  • All information owners who might be affected by the exception must be notified and their opinion must be evaluated prior to the exception being approved;
  • All exceptions must be managed as a high-priority privilege, with corresponding password and other security measures allocated.

  • Policy Maintenance

  • All employees and subcontractors of S-INTERIO must be trained at least annually. Any change to this Policy must be published at least 10 business days before it becomes effective.
  • This Policy must be reviewed and updated (where needed) at least annually or as soon as the need for an update is identified, whichever is sooner.
  • The CIO will establish a process of verifying compliance with this Policy through planned and unplanned audits, system checks, emergency drills and more.

Schedule A to Information Security Policy – Separation of Authority

S-INTERIO shall define roles and responsibilities for the requesting, approval, issuance, and verification of the access to information by S-INTERIO employees and subcontractors as follows:

  • The person requesting issuance of access shall not be otherwise involved in the process of approval or issuance of the requested access.
  • The person authorizing the access cannot be the same person that issues the access.
  • The person verifying the issuance and proper use of an access can keep any other related roles, but cannot be the same person who issues and verifies the access for the same individual.
  • Where possible, the CIO will appoint officers of the company to fulfill these responsibilities in a way that will prevent exploitation of a direct supervisory authority among authorizing, verifying and issuing individuals.
  • Where an exception to one of these rules is required, the exception must be approved by the company’s CIO and Chief Information Security Officer (in the absence of which the CEO will be the second approving authority).
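An added illustration (not S-INTERIO’s own tooling) of how the Schedule A rules can be checked mechanically before an access grant is recorded: a small Python checker over a hypothetical access-request record and a constructed org chart (`reports_to`). The hard rules become violations, the “where possible” supervisory rule becomes a warning, and, as an assumption extending the schedule, a person is also flagged if they approve, issue or verify their own access.

```python
"""Separation-of-authority check for access requests (Schedule A).

Added example; the AccessRequest record, role names and org chart are
hypothetical and not part of the policy document.
"""
from dataclasses import dataclass, field

CIO, CISO, CEO = "CIO", "CISO", "CEO"  # approving authorities for exceptions


@dataclass
class AccessRequest:
    subject: str    # employee or subcontractor who will receive the access
    requester: str  # person asking for the access to be issued
    approver: str   # person authorizing the access
    issuer: str     # person who provisions the access
    verifier: str   # person who verifies issuance and proper use


@dataclass
class SeparationResult:
    violations: list = field(default_factory=list)  # breaches of hard rules
    warnings: list = field(default_factory=list)    # "where possible" concerns

    @property
    def compliant(self) -> bool:
        return not self.violations


def check_separation(req: AccessRequest, reports_to: dict) -> SeparationResult:
    """Apply the Schedule A rules to one request.

    reports_to maps an employee to their direct supervisor (constructed org
    chart); it is used only for the supervisory-authority warning.
    """
    res = SeparationResult()

    # Rule 1: the requester is not otherwise involved in approval or issuance.
    if req.requester in (req.approver, req.issuer):
        res.violations.append("requester is also the approver or issuer")

    # Rule 2: the authorizing person cannot also issue the access.
    if req.approver == req.issuer:
        res.violations.append("approver and issuer are the same person")

    # Rule 3: the verifier may hold other roles, but not issuer for the same
    # individual's access.
    if req.verifier == req.issuer:
        res.violations.append("issuer also verifies the same access")

    # Assumption beyond the schedule: nobody approves, issues or verifies
    # their own access.
    if req.subject in (req.approver, req.issuer, req.verifier):
        res.violations.append("subject holds a control role for their own access")

    # Rule 4 ("where possible"): no direct supervisory authority among the
    # authorizing, issuing and verifying individuals.
    roles = {"approver": req.approver, "issuer": req.issuer, "verifier": req.verifier}
    for boss_role, boss in roles.items():
        for sub_role, sub in roles.items():
            if boss != sub and reports_to.get(sub) == boss:
                res.warnings.append(f"{boss_role} {boss} directly supervises {sub_role} {sub}")
    return res


def exception_is_authorized(approvals: set, ciso_appointed: bool = True) -> bool:
    """Rule 5: an exception needs the CIO plus the CISO, or the CEO if no
    CISO has been appointed."""
    second = CISO if ciso_appointed else CEO
    return CIO in approvals and second in approvals


if __name__ == "__main__":
    # Constructed sample: Dave (issuer) reports directly to Carol (approver).
    org_chart = {"dave": "carol"}
    req = AccessRequest(subject="alice", requester="bob", approver="carol",
                        issuer="dave", verifier="erin")
    result = check_separation(req, org_chart)
    print("compliant:", result.compliant)
    for w in result.warnings:
        print("warning:", w)
```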

Schedule B to Information Security Policy – Data Transmission and Encryption

As an additional safeguard for the protection of business, sensitive and personal information, S-INTERIO will implement encryption of data transmission in the following situations:

  • As a rule, no personal information of S-INTERIO clients shall be transmitted by regular email communication.
  • All transmission of data between S-INTERIO and its clients must take place in the applications/programs that both parties use for transmission of information – e.g. Salesforce.
  • All online communication, including email and messaging services, that contains transmission of personal or business information of S-INTERIO or its clients must always be encrypted.
  • Where the data is being uploaded to online storage facilities or temporary storage devices, it must be encrypted and protected with personalized passwords in accordance with the Password Management Policy.
  • All clients of S-INTERIO must be informed of this encryption requirement and must implement the same encryption protocols in their communication with S-INTERIO.
  • All service providers of S-INTERIO that might receive information of S-INTERIO or its clients must comply with these provisions.
  • All encryption keys will be stored by the IT Department Manager in conjunction with the CIO in a secure location that prevents unauthorized access. Where encryption keys are stored in a digital form, they will be stored on a computer that has the highest privilege access level in the company, and where possible not connected to the main corporate network.
  • S-INTERIO encourages its clients to provide their own encryption keys for operating with their respective data transmissions. In such case, the client will be responsible to provide S-INTERIO with the encryption key(s) and all corresponding procedures with regards to the operation/maintenance of the keys.
  • Any exceptional situation, such as an emergency, a client’s system lockdown and more, that will require S-INTERIO employees or subcontractors to transfer data to the client outside of the regular communication channels will require prior written confirmation of such transmission by the client’s authorized officer.

Effective January 1, 2025

ELECTRONIC DEVICES POLICY

  • Intent

We understand that personal electronic devices such as phones, PDAs, tablets and more have become an inevitable reality. In some circumstances, the use of personal electronic devices might be useful and beneficial for both the employee and S-INTERIO. Notwithstanding, the ever-growing use of personal electronic devices creates an increasing threat to the protection of personal confidential information and might allow unauthorized access to the computer systems of S-INTERIO.

This policy is intended to govern the use of various electronic devices, computers and removable media by all employees, subcontractors and service providers of the company.

This policy governs the rules of use of personal as well as company issued electronic devices.

  • Application

This policy shall apply to all employees, contractors and service providers of S-INTERIO, and shall govern the use of the following devices:

  • Personal and workplace cellular phones, whether smartphones or regular cell-phones;
  • PDAs, tablets and other personal electronic devices;
  • Personal and workplace computers, including laptops, desktops and more;
  • Removable storage devices, whether personal or issued by S-INTERIO.

  • MOBILE DEVICES – Cellular Phones, PDAs, Tablets etc.

Employees of S-INTERIO must use their personal phones or phones that were issued by S-INTERIO only for business purposes and must limit, as far as possible, the use of their personal phones during business hours. Company phone(s), whether cell phones or land-lines, are intended for the company’s business purposes only, and non-business use of the phones can hurt the company’s business. A pattern of excessive personal phone calls during working hours or on the premises of the company is not acceptable and may lead to disciplinary action.

If certain emergency situations require employee’s use of a phone for personal purposes, such use should be in the most discrete way, without interference with their regular duties, and in a way that will not create hindrance to other employees, visitors and clients of S-INTERIO.

Employees that use their personal phones on the premises of S-INTERIO during breaks or lunch time shall use the same level of discretion and avoid interference with the work of other employees.

Employees of S-INTERIO shall remember that use of a cellular phone may create perception of interference with the visitors’/clients’ privacy and confidentiality. In such cases, S-INTERIO has the right to order employees to cease any use of cellular phones at the workplace until further notice. 

S-INTERIO is not liable for the damage, destruction or loss of personal cellular phones at the workplace. During the working hours and/or while on premises, employees are strictly prohibited from using cellular phones for any other purpose, such as internet access, gaming, texting, music etc.

For privacy reasons, S-INTERIO employees are prohibited from taking photographs or other recordings of company facilities, personnel, documents and/or clients using camera or microphone on their cellular phone. In particular, S-INTERIO employees are strictly forbidden from using their personal phones or electronic devices to picture or otherwise record clients’ premises, items of clients’ possession, any of the clients’ belongings whether inside or outside clients’ premises.

No mobile personal devices shall be connected to the workplace networks without prior written authorization of the company’s Chief Information Officer or Chief Security Officer. Where a public WiFi connection is available, all personal mobile devices shall be connected to such public access points only.

  • Computers

The use of personal or workplace issued computers shall be limited to the work related purposes only. Employees of S-INTERIO shall not use their personal computers at the workplace, unless such usage was authorized by the management.

Where S-INTERIO issues a workplace notebook for an employee’s work-related use, such computer shall be used solely for the work related purposes, and the employee must prevent access to or use of the computer by their family members, relatives, and other unauthorized individuals.

Where employees of S-INTERIO intend to use their workplace issued computers outside of S-INTERIO and connect them to public access points, the employees shall obtain prior approval for such connections from the company’s IT department. Any connection of the workplace issued device to a public network shall be done in accordance with the relevant procedures that might be published by the company from time to time.

  • Personal Devices for Business Use

As a general rule, any use of personal electronic devices for the company’s business is not allowed (except for receiving and placing calls from a personal cell phone). No S-INTERIO information shall be uploaded to employees’ personal computers or mobile devices.

Where information contains the information of S-INTERIO clients, financial information or personal identifiable information, any use of personal devices must be absolutely forbidden.

Any exception for this rule must be approved by the company’s Chief Information Officer in writing.

  • Protected Access

All S-INTERIO computers must have password protected access. All passwords are individualized, each employee must use their personal passwords and must avoid disclosing such password(s) to other employees, visitors or any other unauthorized person. All passwords shall be updated and changed periodically in accordance with the password management procedure of S-INTERIO.

Employees are absolutely forbidden to “recycle” passwords by using the same password for multiple accounts or devices. Each device, each account and each password-protected access that an employee uses must have a separate password, unique and distinct from all other passwords.

In the event of actual or suspected disclosure, loss or compromise of the passwords, an employee must immediately notify management team and IT department of S-INTERIO.

Employees must always ensure that their workstation computer is locked or turned off during employee’s absence from their workplace. Even during short breaks or lunch time, an employee must lock their computer.

  • Internet and Email Appropriate Use

Employees of S-INTERIO are provided with an internet access for working purposes only. Any use of internet for non-working related purposes is strictly prohibited. Employees of S-INTERIO shall not use internet access for their personal purposes.   

  • Email

Email access shall be used only for the working purposes. Employees of S-INTERIO should remember that most of the information which S-INTERIO receives, processes and stores from or on behalf of its clients contains confidential information disclosure of which is strictly prohibited.

Accordingly, employees of S-INTERIO must ensure that personal information of its clients is not sent by open, unprotected and unencrypted email communication. No personal email accounts shall be used on the company’s computers. Where a client of the company wants to send or receive information from S-INTERIO, only means of communication approved by the IT Department must be used.

Any sending of clients’ information, whether identifiable or not, including any digital files, by personal email is absolutely prohibited. Any employee that uses their personal email account to send clients’ information will be subject to disciplinary measures up to immediate termination of their employment with the company.

S-INTERIO will not allow transmission of personal confidential information by email correspondence.

  • Ownership and monitoring rights

Any access to computers, internet and cellphones which were issued by S-INTERIO is provided to employees under limited license to use for the work related purposes only. S-INTERIO has the right to prevent, limit or monitor any access of its employees to internet, email or social media from its computers or using its internet.

All information that was collected or created by employees of S-INTERIO while using computers or internet access of S-INTERIO belongs exclusively to S-INTERIO and employees have no rights to such information or documents. The employees that download or upload their personal information while using S-INTERIO computers or internet access shall be deemed as expressly waiving their privacy rights to the information and consent to S-INTERIO monitoring or collecting such information for the purpose of monitoring employee’s performance, compliance with the company’s policies and other authorized uses.

S-INTERIO may from time to time, and without providing any prior notice to its employees, monitor their use of company provided computers, email accounts and/or internet access. Such monitoring shall not create or be interpreted as interference with employees’ privacy and shall be at the sole discretion of S-INTERIO.

  • Instant Messaging

While widely accepted and ever growing means of communication, instant messaging applications pose a significant risk of disclosure or loss of information as well as unauthorized access to the data stored on S-INTERIO computers.

Only company-approved and pre-installed instant messaging applications shall be used by its employees and subcontractors for work-related purposes. No personal instant messaging shall be done during work hours, and no company information shall be transmitted by any instant messaging system.

  • Removable Media Devices

The use of removable media devices creates a significant threat for S-INTERIO operations. Unauthorized use of removable media devices might lead to disclosure of personal and confidential information of S-INTERIO and its clients. Moreover, removable media devices are considered as one of the major distributors of viruses, malware and other harmful applications.

Removable media devices shall include all and any type of devices that are capable of recording, storing and transmitting information from one computer to another. Among others, removable media devices shall include:

  • USB flash drives and various types of memory cards;
  • External hard drives (including SSDs and portable drives);
  • Cellular phones, PDAs, tablets and other personal electronic assistants;
  • Workplace-issued devices.

Notwithstanding the dangers of removable media devices, their use is required and frequently unavoidable for work-related purposes. Where such use is required, S-INTERIO will issue removable media devices to its employees. Such devices shall be encrypted and will require a personal password to access the information stored on the device.

The rules governing password protection and use of the protected devices shall be in accordance with the rules listed above in the “Computers” section.

Employees of S-INTERIO shall use authorized removable media devices for work-related purposes and must avoid situations in which such devices are inserted into non-workplace computers.

All information stored on the devices shall be a copy of the original, which shall be maintained on the computers of S-INTERIO. In the event of loss of information, an employee must immediately notify S-INTERIO and invest their best efforts in locating the lost device.

S-INTERIO employees are strictly prohibited from using their personal electronic devices such as cellular phone, tablet, personal computer and any other similar device as an unauthorized media storage device for the storage or transportation of S-INTERIO business information.

  • Upload of Information to Internet

The use of internet-based storage, also known as “cloud storage”, has become an ever-growing tool for storage, transmission, backup and distribution of information among various users.

Notwithstanding the benefits of these tools, employees of S-INTERIO are strictly prohibited from uploading any information from their work computers to their private cloud storage accounts, including sending such information via personal email in order to retain a copy of the information.

Any type of uploading of the company’s information to private email or online storage accounts is absolutely prohibited.

Where S-INTERIO issues a private access for its employees to the corporate cloud storage account, the rules relating to the protection of information, use of passwords and prevention of breach and unauthorized use listed hereinabove shall apply to the use of such cloud storage.

Effective January 1, 2025

PHYSICAL SECURITY POLICY

  • Introduction

S-INTERIO LIMITED (referred herein as S-INTERIO) is committed to securing the assets and information of its clients and providing any necessary security measures to its physical premises. Access to the physical premises of the company constitutes one of the weaker access points and might pose certain risks to the integrity of business information and assets.

The purpose of this policy is to provide a framework and procedures for controlling access to S-INTERIO physical premises and preventing unauthorized access, theft of information or harm to the premises, assets or information.

  • PURPOSE

This Policy is designed to protect the confidentiality, integrity, and availability of both clients’ and Scor Promotions information by providing for the physical security of the company’s assets and premises.

  • Application

This policy applies to all S-INTERIO employees and subcontractors as well as visitors who attend the premises of S-INTERIO.

Where this Policy refers to the assets of S-INTERIO, it shall include any assets of the company’s clients under the custody of S-INTERIO.

  • POLICY

This Policy establishes the following physical security procedures and standards designed to limit unauthorized physical access to S-INTERIO facilities.

All S-INTERIO locations shall have designated public access and employee only access areas, except for those locations where public access is prohibited. Any access to restricted areas shall be controlled by access cards or personal access codes and shall be granted only by the company’s Security Officer based on the corresponding request of each individual’s supervisor.

Any company information, computers that have such information stored on them or that are connected to the corporate network, and all information storage devices must be located in limited-access areas, with access provided to employees and subcontractors on a need-to-know basis.

S-INTERIO shall limit physical access to its premises to authorized employees, subcontractors, service providers and authorized visitors only.

S-INTERIO shall establish incident response procedures to provide for efficient response to any incident(s) of actual or attempted unauthorized access to the company’s premises.

  • Procedure
  • Access

All S-INTERIO employees, subcontractors, and authorized visitors will be issued ID cards with the associated access privileges that must be worn while on the premises.

S-INTERIO IT Department (or Security Department) shall assign access rights to each employee’s/subcontractor’s access cards in order to limit their access to the need-to-know areas only.

All access control systems, such as card readers (or password pads), shall have record-keeping capabilities that register and retain records of all attempts (successful and unsuccessful) to gain access to the areas under such system’s control.

All S-INTERIO employees and subcontractors must surrender their access cards upon termination of their employment/contract. The IT Department shall be immediately informed of the termination and shall remove any access rights in the electronic access control systems of S-INTERIO.

After-hours access to S-INTERIO premises is monitored and controlled by IT and Security Departments.

Any loss of access cards or compromise of access code(s) must be reported immediately to the company’s IT and Security Departments.

  • Access Control System

S-INTERIO Security Officer (SO) will evaluate and determine the characteristics and technical specification of all access control systems of the company. Prior to the implementation of the SO’s suggested access control systems or their respective modifications, such suggestions must be approved by the company’s CEO.

  • Closed circuit television (CCTV) System:

S-INTERIO uses CCTV systems inside and outside its physical facilities. The CCTV system is operated by the company and all its recordings are owned by S-INTERIO. The CCTV system is used for the sole purpose of supervision of premises and prevention of unauthorized access and potentially criminal activities. S-INTERIO will limit the use of the images generated by the CCTV to record-keeping, investigative and preventive purposes only. The images will also be used for further improvement of the company’s access control systems and as evidence in criminal or civil actions.

  • Alarm System

In addition to CCTV and access control systems, S-INTERIO shall have an operating alarm system at all times in accordance with the determination of the SO.

Alarm systems must be activated during non-business hours upon the last employee departing from the facility.

Security Officer will determine the list of employees who are authorized to lock the premises at the end of each work day. The list must be revised and updated at least annually.

Deactivation codes for the alarm system will be issued to authorized employees by the SO of S-INTERIO. Each deactivation code must be personalized and must allow identification of the person attempting the deactivation of the system. Such personal code must be changed at least every twelve (12) months and must be cancelled as soon as the employee’s employment is terminated.

The last person departing from the premises must conduct a building check at the close of each business day to confirm the building is empty and will activate the alarm.

  • Removal of Equipment

In general, all employees and subcontractors of S-INTERIO are required to provide their services while on the premises of S-INTERIO. Except for personal mobile devices and laptops, no company equipment is allowed to be removed from the premises.

Any removal of computer equipment from the company’s premises must be approved by the owner of the equipment (department manager to whom the equipment belongs) and IT Department manager.

The IT Department Manager must conduct an annual equipment audit during which the location, operability and completeness of all company equipment is verified.

  • Visitor Access

All contractors who attend S-INTERIO premises in order to provide their professional services must obtain an access card from the Security Department of the company. The inviting or facilitating employee must submit a corresponding request ahead of the visitor’s arrival in order to allow an efficient and streamlined process of access approval and granting.

Any visitors of S-INTERIO are required to sign in by providing personal ID and shall be escorted by the inviting employee for the whole duration of their stay on the premises.

A visitor’s host or inviting party has the responsibility to ensure that visitors understand the company’s security policy and procedures, and know the limits of their access rights. The host must verify that the visitor(s) have surrendered their access card and departed from the company’s premises at the end of their visit.

All visitors must have their access/ID cards visible at all times.

  • Access Removal – Former Employees

As a rule, all access privileges must be removed before an employee is informed of the termination of his/her employment with the company. S-INTERIO will implement a corresponding HR Procedure that will ensure that a timely update is provided to the IT Department prior to the commencement of a termination interview with an employee.

Where no prior removal was possible, or an employee’s termination was unforeseen or unplanned, the IT Department must be informed immediately after notice has been given to the company and must immediately remove any access privileges of the former employee. The IT Department will maintain access logs for such account for a period of at least 60 days following the termination of employment.

  • Change

Any changes, modifications and service to the existing security systems shall be authorized by the company’s Security Officer.

Version: January 1, 2025

PRIVACY POLICY

  • Intent

The Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Act (PIPA) establish rules to govern the collection, use, and disclosure of personal information. S-INTERIO is committed to protecting and respecting the personal information of its customers, employees, business partners, and all other entities it interacts with, in accordance with PIPEDA and PIPA. This policy will provide guidelines to ensure the company’s compliance with the laws and proper protection of the personal information that might be collected, stored or used by the company.

  • Commitment to Privacy

The appropriate collection, use and disclosure of clients’ personal information is fundamental to our day-to-day operations and to provision of our professional services. Protecting the privacy and the confidentiality of our clients’ personal and business information is important to the staff at S-INTERIO.

As a service provider, S-INTERIO will be in receipt of our clients’ personal and business information as well as the information of their respective clients. All such information is provided to S-INTERIO under various confidentiality provisions, in addition to which the provisions of PIPEDA and PIPA apply.

We strive to provide our clients with an excellent service, and in doing so, we will abide by our commitment to privacy in the collection and handling of personal information. 

  • Applicability of This Privacy Policy

This policy attests to our commitment to privacy and demonstrates the ways we ensure that our clients’ and employees’ privacy is protected. This policy applies to the personal information of all our clients, employees, contractors and service providers that is in our possession and control.

  • What is Personal Information?

Personal information means any and all information about an identifiable individual.

Business information means any information about business activities, operations or projects of our clients.

It does not matter what the source of the information is, whether it refers to our clients or their respective clients, or whether there are additional individuals or businesses that are responsible for the collection and protection of such information. This policy will apply to all personal and business information retained by S-INTERIO and its employees.

  • Guidelines for Compliance

The following guidelines have been implemented to ensure S-INTERIO remains compliant with PIPEDA and PIPA requirements. The personal information of S-INTERIO employees, customers, clients, business partners, etc., must be managed so as to meet proper information practices, applicable laws and standards of practice.

Accountability

We take our commitment to securing clients’ privacy very seriously. Each service provider, contractor and employee of S-INTERIO is responsible for the personal information under his/her control. Our employees are informed about the importance of privacy and receive information periodically to update them about our Privacy Policy and related issues.

Purpose of Information Collection

Personal and business information is collected in order to establish a relationship with our clients and provide them with our professional services. S-INTERIO obtains most of the personal information directly from its clients or from other sources whom a client has authorized to disclose such information to S-INTERIO. S-INTERIO will limit the collection and use of information only for the following permitted purposes:

  • To prepare and provide our professional services to a client;
  • To plan, administer and manage our internal operations;
  • To conduct risk management and quality improvement activities;
  • To compile statistics (without the use of identifiable information);
  • To comply with legal and regulatory requirements, and
  • To fulfill other purposes permitted or required by law.

S-INTERIO will obtain a client’s specific consent if the use of the client’s personal information is required for any other purpose. In addition, where possible, S-INTERIO will limit its use of personal information to non-identifiable information only (no names, IDs or other identifying details will be used).

In order to comply with the purposes stated herein, S-INTERIO will implement, where possible, an information segregation procedure, which will ensure separation of any identifiable information from other information collected from its clients.

Consent

The provision of services by S-INTERIO is regularly preceded by a contract signed by a client. Client’s execution of such contract will serve as its explicit consent to disclosure and collection of information by S-INTERIO.

Where the information is collected through client’s use of S-INTERIO’ websites, social media pages and other online tools, clients will be notified of such collection through corresponding privacy policies and terms of use implemented to the websites and social media pages by S-INTERIO. In any case, clients’ use of S-INTERIO’ websites and social media pages shall serve as their express consent for collection and use of their personal information by S-INTERIO.

A client has the right to withdraw his/her consent at any time and for any reason. In such case, S-INTERIO will cease any use of the client’s personal information.

Notwithstanding the withdrawal request, the law permits (and in certain circumstances requires) certain collection, use, storage and disclosure of the personal information, despite the consent withdrawal. Such information might be stored for the record keeping purposes, future accounting and legal purposes, but its use will be limited only to the circumstances of emergency or in accordance with the order of any relevant legal or administrative tribunal.

Limiting Collection, Use, Disclosure and Retention

S-INTERIO collects information by fair and lawful means and collects only that information which may be necessary for purposes related to the provision of its professional services. The scope of collected information and the purpose(s) of its use shall comply with the express terms and conditions published by S-INTERIO at the time of its collection.

Under no circumstances does S-INTERIO sell client lists or other personal information to third parties.

S-INTERIO will retain personal information only for the time it is required for the purpose of providing its professional services, managing the client’s file and keeping records, and will destroy such information once it is no longer needed. However, some information is kept for a longer period for various legal, accounting and tax-related purposes. The storage and destruction of personal information shall be governed by the Records Retention and Disposal Policy.

Accuracy

As the main source of the personal information, the client is responsible to provide accurate, up-to-date and relevant information and to advise S-INTERIO of any changes in a timely manner. S-INTERIO will not be responsible for the accuracy of information provided by its clients or other service providers. 

Where a client so requests, S-INTERIO will allow the correction of the client’s personal information to ensure its ongoing accuracy. While S-INTERIO is not responsible for verifying and confirming the accuracy of information that has been collected from its clients, where a company employee comes to the conclusion that certain information is inaccurate and requires correction or re-collection, such employee shall provide all the details pertaining to such information to the company’s Chief Information Officer.

Safeguards: Protecting Private Information

Protection and safeguarding of clients’ personal information is of utmost importance for S-INTERIO, and we will invest our reasonable efforts into protecting clients’ information from unauthorized disclosure or use.

S-INTERIO maintains personal information in a combination of paper and electronic files. All such records are stored on the premises, with access limited only to those with a need to know, and might be transferred to off-site storage following the completion of S-INTERIO services.

All information stored in paper files will be filed in locked filing cabinets inside a controlled facility of S-INTERIO, with the keys being controlled by the company’s Chief Information Officer or Chief Security Officer. Only employees with an express need to know and the authorization of their supervisor or the Chief Information Officer shall have access to the keys.

All information stored in digital format shall be maintained on password-protected devices, with the passwords complying with the company’s Electronic Devices Policy and procedures.

Access to personal information will be authorized only for the service providers and employees that are dealing with the client, and other agents who require access in the performance of their duties, and to those otherwise authorized by law.

S-INTERIO computer systems are password-secured and constructed in such a way that only authorized individuals can access secure systems and databases.

Privacy legislation compliance

S-INTERIO will ensure on-going compliance of the collection, use and retention procedures with the evolving and changing legal regulations applicable to the company’s operations. The compliance process will be in accordance with the Legal Compliance Policy of the corporation.

The company will advise its clients of any changes in its use and retention policies with regards to the personal information of a client stored or used by S-INTERIO. The CIO will define the means of notification (whether a personal notice, update of Privacy Policies on its websites or use of other means of communication).

Relocation of Personal Information

S-INTERIO is the custodian of all information collected and stored by the company. It will continue to comply with its policies and procedures with regards to the personal information, its protection and destruction.

In any situation of status change or relocation of personal information of S-INTERIO to its respective subsidiaries, amalgamated or merged companies, the CIO shall verify that:

  • Any new custodian of information complies with provisions at least as stringent as those of S-INTERIO;
  • All clients whose information is stored or used by S-INTERIO will be informed of a change, will be provided with the contact information of the person responsible for the protection of information in the new entity and will be provided with an opportunity to remove their information from S-INTERIO’ custody.
  • Access and Correction

Access by Individual

With limited exceptions in accordance with the law, S-INTERIO will give access to its clients to their personal information within a reasonable time, upon presentation of a written request and satisfactory identification. A service fee may be charged to cover our expenses associated with such request; an advance notice will be provided prior to the processing of a request.

All requests and disclosure of information must be made in writing with the client providing written request to review their personal information. Where client requests so expressly, S-INTERIO may send their personal information to their personal email address, in which case the client will be requested to sign a corresponding waiver in favour of S-INTERIO. No disclosure over the phone shall be made. All other rules will be in accordance with the company’s Information Security Policy.

“Satisfactory identification” under this Policy shall mean verification of the client’s identity with two pieces of government-issued ID, one of which contains the person’s photograph. All IDs must be valid and clearly legible.

In case an error is found in personal information, S-INTERIO will make the appropriate corrections following its receipt of the client’s written request. Any correction requests should be sent to the following email address: dataprotection@s-interio.com

If, for the reasons provided by the law or by a relevant legal or administrative tribunal, an access or correction request is denied, a written confirmation of such denial will be provided to the client for review and possible challenge.

Access by Third Parties

As a rule, S-INTERIO will not allow access to personal information to any third parties who are not the owner of that personal information.

Nonetheless, circumstances might require involvement of the company’s management and the Chief Information Officer to provide proper response to various requests for access.

All individuals or organizations that attempt to access personal information of any of S-INTERIO clients shall be deemed not authorized to access it until proven otherwise. This shall include independent parties, media, law enforcement agencies and more. In the case of a request to access information, the following procedure must be followed:

  • An employee receiving the request shall not provide a direct response, but shall collect the contact and personal information of the requesting party. The employee shall advise the party that no access may be allowed at the time of inquiry, and that one of the company’s senior officers will contact the requesting individual.
  • All the details of the request must be reported immediately to the company’s Chief Information Officer, company’s CEO and the legal counsel. 
  • No disclosure of any personal or business information will be allowed without obtaining the express written consent of the individual whose information the third party is seeking to access.
  • Where no consent was provided by the individual, or S-INTERIO was not able to reach the individual to obtain such consent, access to the information shall be denied, unless there is a court order providing otherwise.
  • Unless there is an express order from the authorized court or administrative tribunal, S-INTERIO will delay the disclosure of information until client’s consent has been obtained. S-INTERIO will send a written notice to the client informing the client of the request to access information and will make a reasonable attempt to receive client’s response.
  • All requests for disclosure of personal information in accordance with a court or administrative tribunal order will be forwarded for review and response by the Legal Counsel of S-INTERIO.
  • In the case of a media request, S-INTERIO will respond that it is not able to disclose the information and will direct the requesting person to contact the owner of the information directly. An employee who receives a media request to access information shall not communicate with the requesting person and shall immediately forward the request to the company’s CIO. No further actions will be taken in the case of a media request.

All employees and subcontractors of S-INTERIO will be trained on proper information disclosure procedures, including information security training and various risks and exposures of the company with regards to the personal information of its clients.

  • Breach, Theft or Unauthorized Access

S-INTERIO will immediately inform any affected clients and individuals of any breach, theft or unauthorized use of their personal information, and will implement any remedial actions in order to limit any further disclosure or prevent additional instances of similar circumstances.

In addition to the individual(s) affected by the breach, S-INTERIO may notify other affected parties whose identity might be reasonably identified by S-INTERIO. S-INTERIO shall notify other organizations and government institutions if it is believed that doing so can reduce or mitigate the harm from the breach.

Where it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual, S-INTERIO will act immediately to inform any affected individuals, the Office of the Privacy Commissioner, as well as any government institutions or organizations that S-INTERIO believes can reduce the risk of harm that could result from the breach or mitigate the harm, including without limitation such organizations as law enforcement, payment processing, information storage, email providers and more.

Significant harm shall include any of the following: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Notwithstanding the provisions contained in this section, S-INTERIO will take any reasonable and diligent precautions to protect personal information in its possession. Nevertheless, S-INTERIO may fall victim to unauthorized access, theft or destruction of the information it possesses, in which case and as long as S-INTERIO acted in a reasonable manner, it shall not be held responsible or accountable for such instances.

S-INTERIO will keep all the records relating to potential or actual breaches, whether reported to the OPC or not. The information shall contain the following details:

  • date or estimated date of the breach;
  • general description of the circumstances of the breach;
  • nature of information involved in the breach;
  • internal assessment of “the real risk of significant harm” standard; and
  • whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified.

  • Minors and individuals lacking legal capacity

Most S-INTERIO services are offered to adult clients of the age of legal capacity (in Canada – 18 years old) who can provide their valid consent for collection and use of their personal information. All S-INTERIO services and supporting legal documents assume that the individuals consenting to S-INTERIO services and the incidental collection of information are adults with the legal capacity to provide such consent.

Where S-INTERIO is aware that certain services are being offered to minors or individuals lacking legal capacity, or that such individuals access S-INTERIO’ general services, the company will seek consent from their respective legal guardians who have the authority and the capacity to provide such consent.

Where S-INTERIO becomes aware of certain personal information that was collected from minor clients or individuals lacking legal capacity without proper consent, S-INTERIO will act promptly to investigate the process of collection of such information, to obtain a valid consent where possible, or to delete such personal information where obtaining consent was not possible.

  • Complaints

Every individual having concerns or complaints with regards to the collection, use, storage or destruction of their personal information will have the right to contact company’s Chief Information Officer and submit their complaint for review by the company.

Should S-INTERIO fail to resolve the complaint, it will provide the individual with the contact information of the Ontario Privacy Commissioner for further review and resolution of the complaint(s).

  • Maintenance

This policy, as well as any procedures hereunder, will be reviewed by the CIO at least annually. Where required, proper updates/changes will be made, and all employees and subcontractors of S-INTERIO will be trained on the provisions of the new/updated policy.

Effective January 1, 2025

LEGAL COMPLIANCE POLICY

Operations of S-INTERIO impose various legal and administrative liabilities on the company and its directors/managers. In addition, various service contracts between S-INTERIO and its clients might dictate multiple compliance requirements such as privacy, confidentiality, compliance with local and foreign laws and more. As the provision of services becomes more and more international and many clients or services of the company are located overseas, the on-going compliance with legal and administrative requirements becomes ever so important and valuable for the future development of S-INTERIO business.

  • PURPOSE

This Policy establishes the rules and procedures intended to ensure ongoing compliance of the company and its services with legal and administrative requirements.

  • POLICY

Ongoing legal compliance may be achieved only through continuous improvement and assessment of the company’s operations and documents, including internal policies, procedures, and agreements. The company must make revisions to all corporate documents in any case of legal or regulatory change, as well as before the introduction of any of the company’s services to overseas markets.

The company’s CEO and legal counsel shall ensure and verify the ongoing compliance of S-INTERIO’ operating documents with any change in the legal environment of the company’s operations. To enable the senior management of the company to comply with its responsibilities hereunder, the procedures provided herein shall be followed by the company’s staff.

  • Procedure

Legal Compliance

  • Legal compliance of S-INTERIO operations will be achieved through an ongoing review and verification of the company’s documents with the legal provisions and regulations applicable to the scope of business operations.
  • All existing documents of the company, including agreements, contracts, policies and procedures must be reviewed and confirmed in compliance with the laws at least annually.
  • Legal counsel of S-INTERIO must review and verify compliance of the company’s documents within 30 days from each legislative change affecting the operations of the company.
  • Every newly created document that affects legal relations of the company with its employees or third parties must be reviewed and approved for publication by the legal counsel of the company.

Territorial Compliance

  • In addition to the general legal compliance of S-INTERIO operations, the company must ensure its compliance with various legal regulations in the countries and regions of its operations.
  • Management of S-INTERIO will advise the company's legal counsel of any new territory or country in which the company intends to establish business operations, prior to the commencement of such operations.
  • The manager responsible for operations in a given country will prepare a complete description of the services to be offered by S-INTERIO in that country and will provide the list to the company's legal counsel.
  • Where the company intends to hire employees or contractors to be engaged by S-INTERIO on an ongoing basis in a foreign country, the company's counsel shall be advised accordingly and in advance of the initial hiring.
  • For ongoing compliance in countries where S-INTERIO has a presence, the general rules listed in Paragraph A (Legal Compliance) above apply.

Contractual Compliance

  • Every business contract to be executed by the company must be reviewed and approved by the company’s legal counsel.
  • The assessment of a business contract shall include the following aspects:
      • Verification of legal compliance of contract with company’s operations;
      • Assessment of legal and administrative risks arising from a contract;
      • Assessment of compliance requirements imposed on S-INTERIO by a contract;
      • Evaluation of the contract's operation within the existing contractual environment of S-INTERIO – legal counsel shall ensure that a new contract does not constitute or result in a breach of any existing contract of S-INTERIO.
  • Legal counsel, together with the responsible manager, will evaluate the jurisdictional provisions of the contract and will verify S-INTERIO's ability to comply with the contract's jurisdiction and with the legal regulations applicable in that jurisdiction.

Legal and Administrative Processes

In any situation of a legal claim, administrative investigation, complaint to a government authority, or sanctions being considered or imposed on the company, the following steps must be taken:

  • The company's legal counsel must be advised of the action immediately upon the company becoming aware of it;
  • Clients who might be affected by the action will be advised of the action and of the company's position in its regard;
  • The Board of Directors will be kept informed through periodic updates on each legal action having a material impact on the business of the company.