1. OVERVIEW AND SCOPE

1.1. Overview
PlusPlus takes protecting client data seriously. All PlusPlus employees, contractors,
and suppliers are responsible for ensuring the security and confidentiality of client
information. To meet this responsibility, we maintain a system of controls and
requirements to prevent unauthorized access, modification, destruction, or
disclosure of client data. This Data Protection & Handling Policy (Policy) establishes
the system of controls for protecting Sensitive & Confidential Data (as defined
below).
1.2. Purpose

This Policy and supporting procedures are designed to provide PlusPlus with a
documented and formalized data protection policy to comply with various regulatory
and business needs.
1.3. Scope
The scope of this Policy covers all Confidential & Sensitive Data stored, accessed,
or transmitted by our software platform, including its applications, components,
infrastructure, and underlying code (together, our products).
Additionally, this Policy applies to all employees, contractors, and third-party
suppliers of PlusPlus that collect, access, maintain, distribute, process, protect,
store, use, transmit, dispose of, or otherwise handle PlusPlus’s Confidential &
Sensitive Data. All employees, contractors, and, as applicable, third-party suppliers
are responsible for reading this Policy and complying with its requirements.

2. ROLES AND RESPONSIBILITIES

The following roles and responsibilities regarding data protection practices are to be
developed and subsequently assigned to authorized personnel within PlusPlus:
● Risk Committee: Responsibilities include approving and monitoring adherence to this
policy as well as ensuring data stewardship is assigned, documented, and
communicated.

● Chief Technology Officer (CTO): Responsibilities include providing overall direction,
guidance, leadership, and support on methods and tools for secure storage, retention,
and disposal of Confidential & Sensitive Data.
● Systems Administrator: Responsibilities include implementing the baseline
configuration standards for all in-scope system components. The Systems Administrator
(or assigned delegate) is responsible for establishing, documenting, reviewing,
modifying, and terminating user access to Company information systems that contain
sensitive and confidential data.
● End Users (Employees, Consultants): Responsibilities include adhering to the
organization’s data protection policies, procedures, and practices. Additionally,
end-users are to report instances of non-compliance to senior authorities, specifically
those by other users.
● Vendors, Contractors, Other Third-Party Entities: Responsibilities for such
individuals and organizations are much like those stated for end-users: adhering to the
organization’s data protection policies, procedures, and practices, and not undertaking
any measure to alter such standards that protect client data. Additionally, vendors,
contractors, and other third-party entities are expected to complete due diligence and
ongoing monitoring assessments per the requirements set forth in the Supplier Risk
Management Policy. Vendors, contractors, and other third-party entities are required to
immediately notify PlusPlus of any policy violations involving client data.

3. DATA DEFINITION

PlusPlus products for clients are deployed using one of the following models:

● Software-as-a-Service (SaaS) Deployment: The SaaS deployment is an entirely
cloud-based offering. PlusPlus stores all data pertaining to the use of products,
including confidential Consumer Data, in a secure cloud environment rather than on a
client’s server or hardware.
● On-Premises Deployment: PlusPlus products operate on-premises (i.e., within a
client’s security environment). Under on-premises deployments, confidential Consumer
Data, investigation analysis data, and risk scoring data remain stored on-premises.
3.1. Types of Data
The following types of data are being stored, processed, and/or transmitted on system
components that are owned, operated, maintained, and controlled by PlusPlus:
o Sensitive: Applies to the most sensitive business information, to which access is
strictly limited. Examples of sensitive information include, but are not limited to,
passwords, encryption keys, and consumer data.
o Confidential: Applies to less sensitive business information, which is intended
for use solely within the Company. Examples of confidential information include,
but are not limited to, internal market research, audit reports, and marketing or
strategic plans.
o Public: Applies to all other information that does not clearly fit into the above
classifications.

4. DATA PROTECTION POLICY

4.1. Risk Management
PlusPlus believes in proactive risk management of data protection threats. PlusPlus
conducts a thorough, periodic information security risk assessment (Risk
Assessment) of our products’ networks, systems, and applications to document
threats and vulnerabilities to stored and transmitted information. The Risk
Assessment incorporates data protection risks, including, but not limited to:
o The types and volume of Sensitive & Confidential Data collected and processed
through our products.
o The company’s jurisdictional legal and regulatory data protection obligations.
The Risk Assessment serves as a roadmap for PlusPlus to implement mitigating
controls to reduce the impact of identified data protection risks. The Chief Risk
Officer oversees remediation plan development and tracks remediation actions to
completion.
4.2. Data Collection
PlusPlus collects, processes, uses, shares, retains and disposes of Sensitive &
Confidential Data only in compliance with our legal and business requirements.
PlusPlus also works with clients to define the specific Sensitive & Confidential Data
types collected by our products.
4.3. Use and Disclosure
PlusPlus uses the following guidelines for the use and disclosure of Sensitive &
Confidential Data:
o Internal data use: Only use Sensitive & Confidential Data for approved business
purposes consistent with the scope of services outlined in the respective client’s
contract.
o Internal data sharing: Limit the internal sharing of Sensitive & Confidential Data
to members of the workforce whose access is necessary to execute their specific
roles and responsibilities (i.e., apply the principle of “Just Enough Privilege”).
o External data sharing: May share Sensitive & Confidential Data with third
parties for approved business purposes that are consistent with the purposes for
which PlusPlus collected the Sensitive & Confidential Data. Written agreements
are maintained with such third parties that require them to maintain robust data
protection and security controls to ensure an appropriate level of protection.
o Cross-border data transfers: Ensure that all parties with which we engage in
cross-border data sharing provide adequate data protection safeguards for
Sensitive & Confidential Data transfers. The identities and respective countries of
non-U.S. suppliers, or types of non-U.S. suppliers, that may access/store
Sensitive & Confidential Data are disclosed to the client.

4.4. Retention, Storage and Disposal

4.4.1. Retention
Unless otherwise required by law, PlusPlus retains Sensitive & Confidential Data
only for as long as necessary to fulfill the purposes for which it is collected and
processed, or to meet legal and client contractual obligations. To support
compliance with these obligations, the CTO shall, on an annual basis, review
PlusPlus’s existing retention practices regarding Sensitive & Confidential Data.
4.4.2. Storage
Sensitive Data is only stored in approved systems, databases, and devices. The
storage location depends on the type of deployment:

▪ On-premises: Sensitive Data is stored on client-owned or client-leveraged
servers.

▪ Cloud: Sensitive Data is stored in a secure, dedicated cloud environment
behind a firewall.

PlusPlus specifically prohibits employees from storing Sensitive Data in the
PlusPlus development environment, on their PlusPlus-issued laptops or desktop
computers, on their personal devices, on removable media (e.g., USB flash
drives), or on printed media.
4.4.3. Disposal
Once Sensitive & Confidential Data is no longer necessary or has reached the
end of its retention period, it is securely disposed of. Processes are in place for
the secure disposal of data when the data is no longer needed for legal,
regulatory, and business requirements. An automatic or manually executed
process is to be in place for identifying and securely removing data that exceeds
the defined legal, regulatory, and business requirements. As for disposing of
data, the following methods are to be utilized for both hard copy and electronic
data:

▪ Purging, sanitizing, and deleting data from all system components. This
can be done by utilizing a secure wipe program in accordance with
industry-accepted standards for secure deletion (i.e., degaussing).
▪ Destroying (cross-shredding) any cardholder data that is in a hardcopy
format.
▪ For electronic media stored on system components that are no longer in
use, data is to be disposed of through any one of the following
procedures:
    ▪ Disintegration
    ▪ Shredding (disk grinding device)
    ▪ Incineration by a licensed incinerator
    ▪ Pulverization
▪ Instances of disposal of customer data will be tracked via a ticketing
system and will include the steps taken to complete the removal.

4.5. Information Security
PlusPlus maintains reasonable technical, organizational, and physical security
measures to protect the security and confidentiality of Sensitive & Confidential Data
from unauthorized access or unlawful disclosure. The security for Sensitive &
Confidential Data is managed in accordance with PlusPlus’s Information
Security Policy. Critical security controls include, but are not limited to, the
following:
o Encryption in transit: Sensitive & Confidential Data transfers must be sent via a
secure transfer system, such as TLS or SFTP.
o Encryption at rest: All PlusPlus servers, workstations, and laptops must use
disk encryption.
o Outbound files: Use a secure file transfer platform to transfer files outside of the
PlusPlus network.
o Inbound files: During transfer, verify that all files sent into the PlusPlus network
are free of corruption and that the file originated from a known source.
o Database: Encrypt company application databases that are externally accessible
via web traffic and provide a level of identification security using an
application-specific protocol, such as HTTPS. Sensitive Data in PlusPlus databases
must additionally be encrypted client-side before being inserted into the database.
o Data segregation: Sensitive Data remains in either (i) the on-premises
deployment of our products, or (ii) the secure cloud environments.
o Production and test environments: Sanitize all production data before use in
non-production environments, as applicable.
o Incident management: Maintain a process for identifying, managing, and
resolving privacy incidents, in accordance with the PlusPlus Incident Response
Policy.
4.6. Access
A critical component of any successful organization is the ability to properly
provision, manage, monitor, and off-board all users that have been granted access
rights to company-wide information – a concept universally known as access rights
and/or access control. The phrase “system resources” includes any type of
component, application, data source, or any other type of business resource
identified by a company that users can access through a
process generally known as authentication and authorization. PlusPlus’s data
access policy consists of several parts:
o Client authentication: PlusPlus authorizes user access to our products only and
does not permit client access to underlying PlusPlus systems or databases.
▪ Role-Based Access Control (RBAC) protocols: Access is limited to
that which is required for the performance of job duties for individual
users, and generic access by PlusPlus employees is not allowed. The
RBAC protocols encompass the following components:
    ▪ Data Classification: A classification scheme that labels each kind
    of data with one or more categories (see Data and Personnel
    Classification Matrix Document).
    ▪ Personnel Classification: A classification scheme that gives
    each user access to particular data categories. In particular, it
    specifies that these access permissions must satisfy the “principle
    of least privilege” (see Data and Personnel Classification Matrix
    Document).
    ▪ User onboarding: How PlusPlus employees are assigned unique
    user IDs and given initial data access permissions.
    ▪ Access Policies: Requirements for users to authenticate and
    access the data.
    ▪ User off-boarding: Procedures for off-boarding employees and
    contractors.

▪ “Just Enough Privilege”: To protect against unauthorized access to
Sensitive & Confidential Data internally, PlusPlus limits user access
based on the principle of “Just Enough Access.” Users are provided with
only enough access to relevant systems, applications, and information to
execute their job responsibilities. User access rights to our products,
internal network, systems, and applications are regularly and annually
reviewed to identify and terminate access rights that are no longer
needed. For purposes of this section, a user refers to any employee,
contractor, consultant, or supplier accessing company information.

4.6.1. Access Authorization
PlusPlus is required to protect the confidentiality, integrity, and availability of its
information systems that contain sensitive and confidential data. All sensitive and
confidential data must be protected via access controls to ensure that data is not
improperly disclosed, modified, deleted, or rendered unavailable. The Systems
Administrator or assigned delegate is responsible for establishing, documenting,
reviewing, modifying, and terminating user access to Company information
systems that contain sensitive and confidential data.
As described in the Data Access Request Process section (4.6.2), approvals must be
obtained and documented prior to granting access. Employees who have been
authorized to view information at a particular classification level will only be
permitted to access such information on a need-to-know basis. All access to
systems should be configured to provide a particular user access only to what
he/she needs to perform his/her business function. On an as-needed basis,
employees may request additional access permissions if their work requires it.
This additional access must be approved in writing by the relevant executive.
4.6.2. Data Access Request Process

The following generally describes the workflow used within the Company for
requesting new access:

1. The manager of the candidate (whether internal or external) will
determine if he/she is fit to perform the new role and authorize access via
the Authorization Request Form by completing and signing the form. The
form must reflect the access requirements based on the employee’s role
and clearly identify any additional access requirements above the
standard defined role.
2. The Systems Administrator or his/her delegate will review the request and
approve it if the roles assigned to the employee are consistent with
security policies. If the access requested requires privileges above the
user’s role, the Systems Administrator will engage additional system
owners or management to collect necessary approvals prior to
authorization.
3. Once the request has been approved, the Systems Administrator will
create the user account(s) requested.

4.6.3. Changes to Access & Removal of Access
Requests for change of access must be submitted by the user’s manager. HR
and department managers must complete an access change checklist as part of
any employee transfer when a role or department change is initiated.
Direction regarding the removal of an employee’s access shall follow the same
workflow above, except that the request for removal can come from either the HR
Department or the employee’s manager and should be requested in a
reasonably expeditious manner and in accordance with HR policies
concerning user/employee off-boarding.
4.7. Training and Awareness
4.7.1. Information Security Training
PlusPlus conducts annual Information Security Training as required per our
Information Security Policy. A component of this required training includes
coverage of data protection and privacy requirements related to Sensitive &
Confidential Data. The data protection and privacy training components include,
but are not limited to, requirements about Sensitive & Confidential Data
collection, handling, use, disclosure, and safeguarding.
4.7.2. Developer/Engineer Training

PlusPlus provides training on secure coding practices to its developers. This is
facilitated by the management team. The training covers all the content included
in the most recent OWASP Top Ten, providing technical concepts and
recommendations to address them.

5. POLICY ADMINISTRATION

5.1. Ownership and Review
The Policy Owner owns this Policy and is responsible for reviewing the Policy for
updates annually, or following any major changes to PlusPlus’s sensitive data
environment. The Policy Approver retains approving authority over this Policy.
5.2. Monitoring and Enforcement
PlusPlus periodically monitors adherence to this Policy to help ensure compliance
with applicable laws, requirements, and contractual agreements that apply to Client
& Consumer Data. PlusPlus may also establish enforcement mechanisms,
including disciplinary actions, to help ensure compliance with this Policy.
5.3. Related Documents
o Information Security Policy
o Incident Response Policy
o Supplier Risk Management Policy

TITLE Data Protection and Handling Policy
FILE NAME Data Protection and Handling Policy.pdf
TIMESTAMP 12/27/2022 at 19:33:16
VERSION V-2
OWNER Aleksandar Gargenta
ADMINISTRATOR Aleksandar Gargenta
APPROVER Aleksandar Gargenta

Document History

Reviewed on 12/4/2023 by Tomomi Menjo

V-2 12/27/2022 at 19:33:16
Changed by: Aleksandar Gargenta sasa@plusplus.co
Comments: Re-publishing. No changes made.

V-1 01/22/2022 at 00:21:24
Changed by: Aleksandar Gargenta sasa@plusplus.co