1.1. Overview 

PlusPlus takes protecting client data seriously. All PlusPlus employees, contractors, and suppliers are responsible for ensuring the security and confidentiality of client information. To meet this responsibility, we maintain a system of controls and requirements to prevent unauthorized access, modification, destruction, or disclosure of client data. This Data Protection & Handling Policy (Policy) establishes the system of controls for protecting Sensitive & Confidential Data (as defined below). 

1.2. Purpose

This Policy and supporting procedures are designed to provide PlusPlus with a documented and formalized data protection policy to comply with various regulatory and business needs. 

1.3. Scope 

The scope of this Policy covers all Confidential & Sensitive Data stored, accessed, or transmitted by our software platform, including its applications, components, infrastructure, and underlying code (together, our products). 

Additionally, this Policy applies to all employees, contractors, and third-party suppliers of PlusPlus that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle PlusPlus’s Confidential & Sensitive Data. All employees, contractors, and, as applicable, third-party suppliers are responsible for reading this Policy and complying with its requirements. 


The following roles and responsibilities regarding data protection practices are to be developed and subsequently assigned to authorized personnel within PlusPlus: 

Risk Committee: Responsibilities include approving and monitoring adherence to this policy as well as ensuring data stewardship is assigned, documented, and communicated. 

Chief Technology Officer (CTO): Responsibilities include providing overall direction, guidance, leadership, and support on methods and tools for secure storage, retention, and disposal of Confidential & Sensitive Data. 

Systems Administrator: Responsibilities include actually implementing the baseline configuration standards for all in-scope system components. The Systems Administrator (or assigned delegate) is responsible for establishing, documenting, reviewing, modifying, and terminating user access to Company information systems that contain sensitive and confidential data. 

End Users (Employees, Consultants): Responsibilities include adhering to the organization’s data protection policies, procedures, and practices and. Additionally, end users are to report instances of non-compliance to senior authorities, specifically those by other users. 

Vendors, Contractors, Other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end-users: adhering to the organization’s data protection policies, procedures, practices, and not undertaking any

measure to alter such standards that protect client data. Additionally, vendors, contractors, and other third-party entities are expected to complete due diligence and ongoing monitoring assessments per the requirements set forth in the Supplier Risk Management Policy. Vendors, contractors, and other third-party entities are required to immediately notify PlusPlus of any policy violations involving client data. 


PlusPlus products for clients are deployed using one of the following models: 

Software-as-a-Service (SaaS) Deployment: The SaaS deployment is an entirely cloud based offering. PlusPlus stores all data pertaining to the use of products, including confidential Consumer Data, on a secure cloud environment rather than on a client’s server or hardware. 

On-Premises Deployment: PlusPlus products operate on-premises (i.e., within a client’s security environment). Under on-premises deployments, confidential Consumer Data, investigation analysis data, and risk scoring data remain stored on-premises. 

3.1. Types of Data 

The following types of data are being stored, processed, and/or transmitted on system components that are owned, operated, maintained, and controlled by PlusPlus: 

o Sensitive: Applies to the most sensitive business information, to which access is strictly limited. Examples of sensitive information include, but are not limited to, passwords, encryption keys, consumer data. 

o Confidential: Applies to less sensitive business information, which is intended for use solely within the Company. Examples of confidential information include, but are not limited to, internal market research, audit reports, and marketing or strategic plans. 

o Public: Applies to all other information that does not clearly fit into the above classifications. 


4.1. Risk Management 

PlusPlus believes in proactive risk management of data protection threats. PlusPlus conducts a thorough, periodic information security risk assessment (Risk Assessment) of our products’ networks, systems, and applications to document threats and vulnerabilities to stored and transmitted information. The Risk Assessment incorporates data protection risks, including, but not limited to: 

o The types and volume of Sensitive & Confidential Data collected and processed through our products.

o The company’s jurisdictional legal and regulatory data protection obligations. 

The Risk Assessment serves as a roadmap for PlusPlus to implement mitigating controls to reduce the impact of identified data protection risks. The Chief Risk Officer oversees remediation plan development and tracks remediation actions to completion. 

4.2. Data Collection 

PlusPlus collects, processes, uses, shares, retains and disposes of Sensitive & Confidential Data only in compliance with our legal and business requirements. PlusPlus also works with clients to define the specific Sensitive & Confidential Data types collected by our products. 

4.3. Use and Disclosure 

PlusPlus uses the following guidelines for the use and disclosure of Sensitive & Confidential Data: 

o Internal data use: Only use Sensitive & Confidential Data for approved business purposes consistent with the scope of services outlined in the respective client’s contract. 

o Internal data sharing: Limit the internal sharing of Sensitive & Confidential Data to members of the workforce whose access is necessary to execute their specific roles and responsibilities (i.e., apply the principle of “Just Enough Privilege”). 

o External data sharing: May share Sensitive & Confidential Data with third parties for approved business purposes that are consistent with the purposes for which PlusPlus collected the Sensitive & Confidential Data. Written agreements are maintained with such third parties that require them to maintain robust data protection and security controls to ensure an appropriate level of protection. 

o Cross-border data transfers: Ensure that all parties with which we engage in cross-border data sharing provide adequate data protection safeguards for Sensitive & Confidential Data transfers. The identities and respective countries of non-U.S. suppliers, or types of non-U.S. suppliers, that may access/store Sensitive & Confidential Data are disclosed to the client. 

4.4. Retention, Storage and Disposal 

4.4.1. Retention 

Unless otherwise required by law, PlusPlus retains Sensitive & Confidential Data only for as long as necessary to fulfill the purposes for which it is collected and processed, or to meet legal and client contractual obligations. To support

compliance with these obligations, the CTO shall, on an annual basis, review PlusPlus’s existing retention practices regarding Sensitive & Confidential Data. 

4.4.2. Storage 

Sensitive Data is only stored in approved systems, databases, and devices. The storage location depends on the type of deployment: 

On-premises: Sensitive Data is stored on client-owned or client 

leveraged servers. 

Cloud: Sensitive Data is stored in a secure, dedicated cloud environment behind a firewall. 

PlusPlus specifically prohibits employees from storing Sensitive Data in the PlusPlus development environment, on their PlusPlus-issued laptops or desktop computers, on their personal devices, on removable media (e.g., USB flash drives), or on printed media. 

4.4.3. Disposal 

Once Sensitive & Confidential Data is no longer necessary or has reached the end of its retention period, it is securely disposed of. Processes are in place for the secure disposal of data when the data is no longer needed for legal, regulatory and, business requirements. An automatic or manually executed process is to be in place for identifying and securely removing data that exceeds the defined legal, regulatory, and business requirements. As for disposing of data, the following methods are to be utilized for both hard copy and electronic data: 

▪ Purging, sanitizing, and deleting data from all system components. This can be done by utilizing a secure wipe program in accordance with 

industry-accepted standards for secure deletion (i.e., degaussing). 

▪ Destroying (cross-shredding) any cardholder data that is in a hardcopy format. 

▪ For electronic media stored on system components that are no longer in use, data is to be disposed of through any one of the following 


▪ Disintegration 

▪ Shredding (disk grinding device) 

▪ Incineration by a licensed incinerator 

▪ Pulverization 

▪ Instances of disposal of customer data will be tracked via a ticketing system and will include the steps taken to complete the removal.

4.5. Information Security 

PlusPlus maintains reasonable technical, organizational, and physical security measures to protect the security and confidentiality of Sensitive & Confidential Data from unauthorized access or unlawful disclosure. The security for Sensitive & Confidential Data is managed in accordance with the PlusPlus’s Information Security Policy. Critical security controls include, but are not limited to, the following: 

o Encryption in transit: Sensitive & Confidential Data transfers must be sent via a secure transfer system, such as TLS or SFTP. 

o Encryption at rest: All PlusPlus servers, workstations, and laptops must use disk encryption. 

o Outbound files: Use a secure file transfer platform to transfer files outside of the PlusPlus network. 

o Inbound files: During transfer, verify that all files sent into the PlusPlus network are free of corruption and that the file originated from a known source. o Database: Encrypt company application databases that are externally accessible via web traffic and provide a level of identification security using an application specific protocol, such as HTTPS. Sensitive Data in PlusPlus databases must additionally be encrypted client-side before being inserted into the database. o Data segregation: Sensitive Data remains in either (i) the on-premises deployment of our products, or (ii) the secure cloud environments. 

o Production and test environments: Sanitize all production data before use in non-production environments, as applicable. 

o Incident management: Maintain a process for identifying, managing, and resolving privacy incidents, in accordance with the PlusPlus Incident Response Policy. 

4.6. Access 

A critical component of any successful organization is the ability to properly provision, manage, monitor, and off-board all users that have been granted access rights to company-wide information – a concept universally known as access rights and/or access control. The phrase “system resources” includes any type of component, application, data source, or any other type of business resource identified by a company for which users have the ability to access through a process generally known as authentication and authorization. PlusPlus’s data access policy consists of several parts: 

o Client authentication: PlusPlus authorizes user access to our products only and does not permit client access to underlying PlusPlus systems or databases. ▪ Role-Based Access Control (RBAC) protocols: Access is limited to that which is required for the performance of job duties for individual

users, and generic access by PlusPlus employees is not allowed. The 

RBAC protocols encompass the following components: 

Data Classification: A classification scheme that labels each kind of data with one or more categories. (see Data and Personnel 

Classification Matrix Document) 

Personnel Classification: A classification scheme that gives 

each user access to particular data categories. In particular, it 

specifies that these access permissions must satisfy the “principle 

of least privilege.” (see Data and Personnel Classification Matrix 


User onboarding: How PlusPlus employees are assigned unique 

user ID’s and given initial data access permissions. 

Access Policies: Requirements for users to authenticate and 

access the data. 

User off-boarding: Procedures for off-boarding employees and 


“Just Enough Privilege”: To protect against unauthorized access to Sensitive & Confidential Data internally, PlusPlus limits user access 

based on the principle of “Just Enough Access.” Users are provided with only enough access to relevant systems, applications, and information to execute their job responsibilities. User access rights to our products, 

internal network, systems, and applications are regularly and annually 

reviewed to identify and terminate access rights that are no longer 

needed. For purposes of this section, a user refers to any employee, 

contractor, consultant, or supplier accessing company information. 

4.6.1. Access Authorization 

PlusPlus is required to protect the confidentiality, integrity, and availability of its information systems that contain sensitive and confidential data. All sensitive and confidential data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted, or rendered unavailable. The Systems Administrator or assigned delegate is responsible for establishing, documenting, reviewing, modifying, and terminating user access to Company information systems that contain sensitive and confidential data. 

As described in section Data Access Request Process, approvals must be obtained and documented prior to granting access. Employees who have been authorized to view information at a particular classification level will only be permitted to access such information on a need to know basis. All access to systems should be configured to provide a particular user access only to what he/she needs to perform his/her business function. On an as-needed basis, employees may request additional access permissions if their work requires it. This additional access must be approved in writing by the relevant executive. 

4.6.2. Data Access Request Process

The following generally describes the workflow used within the Company for requesting new access: 

1. The manager of the candidate (whether internal or external) will 

determine if he/she is fit to perform the new role and authorize access via the Authorization Request Form by completing and signing the form. The form must reflect the access requirements based on the employee’s role and clearly identify any additional access requirements above the 

standard defined role. 

2. The Systems Administrator or his/her delegate will review the request and approve it if the roles assigned to the employee are consistent with 

security policies. If the access requested requires privileges above the user’s role, the Systems Administrator will engage additional system 

owners or management to collect necessary approvals prior to 


3. Once the request has been approved, the System Administrator will create the user account(s) requested. 

4.6.3. Changes to Access & Removal of Access 

Requests for change of access must be submitted by the user’s manager. HR and department managers must complete an access change checklist as part of any employee transfer when a role or department change is initiated. 

Direction regarding the removal of an employee’s access shall follow the same workflow above except the request for removal can come from either the HR Department or the employee’s manager and should be requested within a reasonably acceptable expeditious manner and in accordance with HR policies concerning user/employee off-boarding. 

4.7. Training and Awareness 

4.7.1. Information Security Training 

PlusPlus conducts annual Information Security Training as required per our Information Security Policy. A component of this required training includes coverage of data protection and privacy requirements related to Sensitive & Confidential Data. The data protection and privacy training components include, but are not limited to, requirements about Sensitive & Confidential Data collection, handling, use, disclosure, and safeguarding. 

4.7.2. Developer/Engineer Training

PlusPlus provides training on secure coding practices to its developers. This is facilitated by the management team. The training covers all the content included in the most recent OWASP Top Ten, providing technical concepts and recommendations to address them. 


5.1. Ownership and Review 

The Policy Owner owns this Policy and is responsible for reviewing the Policy for updates annually, or following any major changes to PlusPlus’s sensitive data environment. The Policy Approver retains approving authority over this Policy. 

5.2. Monitoring and Enforcement 

PlusPlus periodically monitors adherence to this Policy to help ensure compliance with applicable laws, requirements, and contractual agreements that apply to Client & Consumer Data. PlusPlus may also establish enforcement mechanisms, including disciplinary actions, to help ensure compliance with this Policy.