Privacy Policy

FactorCloud, LLC Privacy Policy Manual

PURPOSE OF PRIVACY POLICY MANUAL

FactorCloud, LLC's Privacy Policy Manual collects the Company's information and data privacy and security notices, policies, and procedures applicable to the Company's customers, employees, and contractors. The Customer Privacy Notice will be provided to all customers. The Employee Privacy Notice will be provided to all employees and independent contractors. All of FactorCloud's employees, contractors, and vendors are required to comply with FactorCloud's Internal Privacy Practices.

CUSTOMER PRIVACY NOTICE

Last Updated: December 16, 2021.

Purpose of Notice

FactorCloud, LLC (the "Company") is committed to protecting the privacy and security of the personal and business information we collect, use, share, store, and otherwise process as part of our business practices.

We also believe in transparency, and we are committed to informing you about how we treat the information we collect, use, share, store, and process.

This Consumer Privacy Notice describes our practices regarding your personal and business information when you use the Company's ledger-based, electronic factoring system. When we interact with business or personal information on behalf of a customer, we adhere to the standards set forth in our contract with them and the terms set forth in this Notice.

Application of Notice

This Notice applies to personal and business information collected through the Company's website, software, electronic communications, and mobile or desktop applications.

Please read this Notice carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, you should not use the Company's services or use any of its platforms. Your use of the Company's services or use of any of its platforms expressly indicates that you agree to the terms and conditions set forth in this Notice.

Information Collected

The Company strives to only collect the information it needs to perform its services. The information we receive about you depends on the context of your interactions with the Company, how you configure your account, how you use the Company's services and platforms, and the choices that you make in connection with your User Agreement with the Company. The Company may collect the following categories of information:

Collection Process

We collect the types of information covered by this Notice from:

  • You when you provide it directly to us;
  • With your consent, automatically when you navigate through or upload to the Company's platforms; and
  • With your consent, from third-party business partners such as financial institutions and credit bureaus.

Information Retention

We retain and use your information for as long as is necessary to fulfill the purposes for which it was collected, to comply with our business requirements and legal obligations, to resolve disputes, to protect our assets, to operate our business, and to enforce our agreements. We may delete your information if we believe it is incomplete, inaccurate, or that our continued storage of it is contrary to our objectives or legal obligations. When we delete data, it will be removed from our active cloud-based servers and databases, but it may remain in our electronic archives for a period of time pursuant to our contractual obligations or when it is not practical or possible to delete it. To the extent permitted by law, we may retain and use anonymous, de-identified, or aggregated information for performance reporting, benchmarking, and analytic purposes and for operational improvement.

Information Use

We collect and process the information contained in this Notice only in the following circumstances:

  • Operate and improve our operations, business, software, services, and platforms;
  • Provide you with services, content, customer service, and functionality;
  • Honor our terms of service and contracts;
  • Manage our relationship with you;
  • Maintain our databases and back-ups, including records of our communications with you;
  • Ensure the privacy and security of our platforms and services;
  • Detect fraud and prevent loss;
  • Support and improve the Company's service platforms, including evaluations of functionality, features, and software;
  • Improve our customer service;
  • Communicate with you and respond to your feedback, requests, questions, or inquiries;
  • Promote our services;
  • Contact you about other products and services;
  • Improve our marketing efforts, including by providing more tailored advertising;
  • Assess the success of marketing campaigns;
  • Analyze use of the Company's platforms and our services and prepare aggregate traffic information;
  • Recognize your device and remember your preferences and interactions;
  • Provide you with a more personal and interactive experience on the Company's platforms;
  • Determine and track user interests, trends, needs, and preferences;
  • Facilitate corporate mergers, acquisitions, reorganizations, dissolutions, or other transfers;
  • Obtain and maintain insurance coverage, manage risks, and obtain professional advice;
  • Accomplish any other purpose related to and/or ancillary to any of the purposes and uses described in this Notice for which your information was provided to us;
  • Accomplish another purpose described to you when you provide the information, for which you have consented, or for which we have a legal basis under law;
  • Comply with federal, state, or local laws;
  • Comply with a civil, governmental, or regulatory inquiry, order, subpoena, summons, or process;
  • Cooperate with law enforcement agencies;
  • Exercise or defend legal rights or claims; and
  • Create, use, retain, or disclose de-identified or aggregated data.

Information Sharing

We may disclose the information governed under this Notice:

  • To anyone with your express consent;
  • To our corporate parents, subsidiaries, and affiliates;
  • To our professional advisors including our accountants and attorneys;
  • To our officers, directors, employees, and agents;
  • To contractors, service providers, and other third-parties we use to support our business and provide customers with the Company's services;
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding;
  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request;
  • To enforce, remedy, or apply our User Agreements or other agreements; and/or
  • To protect the rights, property, or safety of the Company, our customers, or others.

To the extent permitted by law, we may retain and use anonymous, de-identified, or aggregated information for performance reporting, benchmarking, and analytic purposes and for operational improvement.

Information Security

The Company uses physical, electronic, technical, and organizational safeguards designed to protect your information from accidental loss and from unauthorized access, use, alteration, and disclosure. However, we cannot guarantee that your information will remain secure in all circumstances.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your information, we cannot guarantee the security of your information transmitted via the internet or other electronic means. Any transmission of information via the internet or other electronic means is at your own risk.

All information you provide to us is stored on our secure cloud-based servers behind secure firewalls. There are two versions stored in different locations for redundancy and disaster recovery. The Company's customers can request a mirrored third-copy version.

The Company's employees and contractors are provided with unique login credentials to access the Company's systems, networks, clouds, and servers. The Company requires that all passwords must be strong and updated on a quarterly basis. To protect against password guessing and other brute force attacks, the Company will deactivate user accounts after three failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility.

The Company also employs two-factor user authentication to protect the information stored on its systems, networks, clouds, and servers. The Company monitors access to its systems, networks, clouds, and servers and may deactivate a user's credentials and access ability if the Company detects unusual, suspicious, inappropriate, unlawful, or unauthorized access or activity.

The Company's employees and contractors are only authorized to access the Company's systems, networks, clouds, and servers on Company-owned and Company-issued devices and/or devices that have been approved and registered with the Company. To access each device, the Company provides its employees and contractors with unique login credentials. The Company requires that all passwords to access each device must be strong and updated on a quarterly basis. These devices are equipped with anti-virus programs that are updated on a regular basis.

The Company also limits which employees and contractors can access specific systems, networks, clouds, and servers based on whether the employee and/or contractor has a specific business-based need for such access. Customers only have access to their information contained within the Company's systems, networks, clouds, and servers and will not, under any circumstances, be granted access to any other information contained on the Company's systems, networks, clouds, and servers.

The safety and security of a customer's information also depends on the Company. Where you use a username and password to access the Company's platforms, you are responsible for keeping that information confidential. Do not share your username or password with anyone. To the extent that you provide access to the Company's platforms to others not associated with the Company, you provide such access at your own risk and are responsible for ensuring that such users only access the Company's platforms consistent with this Policy.

The Company also uses reasonable security measures when transmitting personal information to consumers in response to requests under the California Consumer Privacy Act. We have implemented reasonable security measures to detect fraudulent identity-verification activity and to prevent the authorized access to or deletion of personal identifiable information.

If a data breach compromises your personal information, we will notify you and any applicable regulator when we are required to do so by applicable law. The Company's customers should provide the name, number, and email address of the individuals who should be contacted if a data breach occurs.

Third-Parties

This Notice only applies to the Company, and it does not apply to any third-parties. The Company's third-party service providers have their own privacy policies. The Company cannot and does not: (1) guarantee the adequacy of the privacy or security practices employed by or the content and media provided by any third parties, their websites, or their mobile applications; (2) control third parties’ independent collection or use of your information; or (3) endorse any third-party information, products, services or websites. Any information provided by you or automatically collected from you by a third party will be governed by that party’s privacy policy and terms of use. If you are unsure whether a platform is controlled, affiliated, or managed by us, you should review the privacy policy and practices applicable to each platform.

Rights & Choices Regarding Privacy

Please use the “Contact Us” details provided at the end of this Notice to exercise your rights and choices concerning the handling of your information. We honor such requests when we are required to do so under applicable law.

  1. Email Opt-Out. We may send you emails about our services and other updates. If you no longer wish to receive communications from us via email, you may opt-out by clicking the “unsubscribe” link at the bottom of our emails, if applicable, or by submitting a request via the “Contact Us” details at the end of this Notice and providing your name and email address so that we may identify you in the opt-out process. Once we receive your instruction, we will promptly take corrective action.
  2. Accuracy and Updating Your Information. Our goal is to keep your information accurate, current, and complete. If any of the information you have provided to us changes, please let us know via the “Contact Us” details at the end of this Notice. For instance, if your email address changes, you may wish to let us know so that we can communicate with you. If you become aware of inaccurate personal or business information about you, you may want to update your information. We are not responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal or business information that you provide to us.
  3. Complaints. If you believe your rights relating to your personal or business information have been violated, please contact us via the “Contact Us” details provided at the end of this Notice.
  4. The Children’s Online Privacy Protection Act (“COPPA”). COPPA, as well as other data privacy regulations, restricts the collection, use, or disclosure of personal information from and about children on the Internet. Our platforms and services are not directed to children aged 13 or younger, nor is information knowingly collected from children under the age of 13. No one under the age of 13 may access, use, or provide any information to the Company or the Company's platforms. If you are under 13, please do not use or provide any information to the Company. If we learn that we have collected or received personal information from a child under the age of 13 without a parent’s or legal guardian’s consent, we will take steps to stop collecting that information and delete it. If you believe we might have any information from or about a child under the age of 13, please contact us via the “Contact Us” details provided at the end of this Notice.
  5. Contact Us. You may direct questions or comments about this Notice, access or correct the personal information we hold about you, or make a complaint about how we have handled your personal information by contacting us using the information below, and we will do our best to assist you:

Greg Egan
Director of Engineering
3490 Piedmont Rd., Suite 1350
Atlanta, GA 30305, US

hello@factorcloud.com

678.896.0569

Specific State Rights

Depending on your state of residence in the United States of America, you may have other rights regarding the collection, use, storage, and deletion of your personal information.

Vermont

We will not disclose information about your creditworthiness to our affiliates and will not disclose your personal information, financial information, credit report, or health information to nonaffiliated third parties to market to you, other than as permitted by Vermont law, unless you authorize us to make those disclosures.

California

The California law provides California residents with specific rights regarding their personal information. This section describes those rights and explains how to exercise those rights.

Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information every year (the "right to know"). Once we receive your request and confirm your identity, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing: sales, identifying the personal information categories that each category of recipient purchased; and disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
  • The specific pieces of personal information we collected about you (also called a data portability request).

Right to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity, we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.        

Exercising Your Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request to:
Greg Egan
Director of Engineering
3490 Piedmont Rd., Suite 1350
Atlanta, GA 30305, US
hello@factorcloud.com
678.896.0569

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in the request to verify the requestor's identity or authority to make it.

Response Timing and Format

We will confirm receipt of your request within fourteen (14) business days. We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Changes to this Notice

We may add to, change, update, or modify this Notice to reflect any changes to how we treat your information or in response to changes in law. Should this Notice change, we will provide the updated version to you. Any such changes, updates, or modifications will be effective immediately upon posting. The date on which this Notice was last modified is identified at the beginning of this Notice.

You are expected to, and you acknowledge and agree that it is your responsibility to, carefully review this Notice prior to using the Company's services or its platforms, and from time to time, so that you are aware of any changes. Your continued use of the Company's services and platforms after the “Last Updated” date will constitute your acceptance of and agreement to such changes and to our collection and sharing of your information according to the terms of the then-current Notice. If you do not agree with this Notice and our practices, you should not use the Company's services or platforms.

Limited Use

FactorCloud’s use and transfer to any other app of information received from Google’s APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

EMPLOYEE PRIVACY NOTICE

Last Updated: December 16, 2021.

Purpose of Notice

FactorCloud, LLC (the "Company") is committed to protecting the privacy and security of the personal information we receive or collect from its employees. We also believe in transparency about how we handle your personal information. This Notice is intended to provide the Company's employees with information concerning the Company's practices regarding the personal information about its employees that it collects, uses, and stores.  PLEASE READ THIS NOTICE CAREFULLY, TOGETHER WITH ANY OTHER PRIVACY NOTICES THAT WE MAY PROVIDE TO YOU AT TIMES WHEN WE ARE SPECIFICALLY COLLECTING OR PROCESSING INFORMATION ABOUT YOU, TO UNDERSTAND HOW WE TREAT YOUR PERSONAL INFORMATION, AND WHAT CHOICES AND RIGHTS YOU HAVE IN THIS REGARD.

Information Collected

The Company collects, processes, and stores the following personal information from its employees for the purposes described below.

Data Collection Process

We collect information from you relevant to your employment in a variety of ways, including directly from you (in writing, verbally, or electronically), in conversations, in reviews and evaluations, and through the use of office computer and telephony equipment.

Refusal to Provide Personal Information

You may object to our collection of data requested during your employment with us. However, if you do not provide the information, we may not be able to perform certain activities necessary to maintain your employment or comply with legal obligations.

Collection Purpose

We collect, use, process, and store your personal information for the following purposes related to your employment:

To Carry Out Our Legitimate Interests

We collect, use, process, and store information that is necessary for the purposes of our pursuit of our legitimate interests in managing your employment, in our ongoing assessment and verification of your suitability for working with us, and in keeping records of your employment. We also have a legitimate interest in processing data to deal with complaints, claims, and lawsuits made against us. For our legitimate interests, we may also share your personal information with our corporate parents, subsidiaries, and affiliates. In addition, we may disclose your personal information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our company assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our website users is among the assets transferred.

To Carry Out Our Legal Obligations and Perform a Contract

We collect, use, process, and store information that is necessary to comply with our legal obligations in the field of employment law, such as the performance of your employment relationship with us, and our performance of any employment agreement. Notably, we also collect, use, process, and store information to process the payroll, withhold taxes and social security charges; to maintain and improve security systems; to prepare reports for public authorities (e.g. company register); and to comply with applicable legal and regulatory obligations, notably employment laws and regulations.

Use of Personal Identifiable Information

The information you provide to us during your employment will be used for the following purposes:

  • Personnel and Human Resources Management, including, but not limited to, ordinary business practices related to the establishment, maintenance and termination of employment relationships, personnel management and administration generally (including both during and after your employment), personnel verification, administering benefits, conducting disciplinary proceedings, and addressing labor relations issues.
  • Operations Management including, but not limited to, establishment, performance, and management of business activities of the company, such as maintaining internal networks and IT systems.
  • Security Management including, but not limited to, ensuring the security of our premises and information held by the company as well as the safety of our personnel.
  • Legal and Regulatory Compliance including, but not limited to, obtaining and releasing personal information as required by law (e.g., tax, health and safety, anti-discrimination laws) or judicial authorization and to maintain records that can include personal information, such as government identifiers, information relating to sickness, maternity or parental leave, pension and retirement.

Disclosure of Personal Information

We may share your personal information as follows:

  • Internally. Your information may be shared internally for human resources purposes. This includes members of our HR and recruitment teams, managers in relevant business areas, and IT staff (if access to the data is necessary for the performance of their roles).
  • Attorneys and Advisors. We may disclose your information to our legal counsel, including our attorneys, law firms, and advisors to obtain guidance, advice, and counsel related to your employment. We may also disclose your information to our legal counsel in the event of a complaint or litigation.
  • Related Companies. We may share your personal information with our corporate parents, subsidiaries, and affiliates, where such entities need to process that personal information for business or business efficiency purposes.
  • Agents and Contractors. Your data will be shared with third party agents and contractors that supply services to the company which require the processing of that personal information, such as payroll services. We will only transfer your personal information where the agent or contractor has provided written assurances to us that it will protect any personal information disclosed to it in accordance with the provisions of this Notice. If we learn that an agent or contractor is processing personal information in a manner contrary to this Notice, we will take all reasonable steps to prevent or stop the processing.
  • Other Disclosures. We may disclose your personal information in response to subpoenas, warrants, court orders or other legal process, or to comply with relevant laws. We may also share your personal information in order to establish or exercise our legal rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property (such as by providing your health information to a doctor in a medical emergency), or a violation of a contract regarding your employment.

Your Rights

Please use the “Contact Us” details at the end of this Notice to exercise your rights and choices. If you would like to manage, change, limit, or delete your personal information, such requests may be submitted via the “Contact Us” details at the end of this Notice.

Right of Access and Portability

If required by law, upon request, we will grant reasonable access to the personal information that we hold about you. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure that ensures your personal information is not disclosed to any person who has no right to receive it. You may request us to transfer the data that we hold about you for your own purposes.

Accuracy and Amendment

Our goal is to keep your personal information accurate, current, and complete. You are responsible for contacting us if you believe your personal information is not current, if you become aware of any inaccuracies, or if any of your personal information changes. We are not responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.

Right to Object or Restrict the Processing of Your Data

In certain circumstances, as permitted under applicable law, you have the right to object to processing of your personal information and to ask us to erase or restrict our use of your personal information. If you would like us to stop using your personal information, please contact us and we will let you know if we are able to agree to your request.

Right to Erasure and Deletion of Your Personal Information

You may have a legal right to request that we delete or stop processing your personal information when, for example, it is no longer necessary for the purposes for which it was collected, or when, among other things, your personal information has been unlawfully processed. All deletion requests should be sent to the address noted in the “Contact Us” section of this Notice. We may decide to delete your personal information if we believe it is incomplete, inaccurate or that our continued storage of your personal information is contrary to our legal obligations or business objectives. When we delete personal information, it will be removed from our databases, but it may remain in our archives when it is not practical or possible to delete it. We may also retain your personal information as needed to comply with our legal obligations, resolve disputes, or enforce any agreements.

Right to Withdraw Consent

If you have provided your consent to the collection, processing and transfer of your personal information, you have the right to fully or partially withdraw your consent. To withdraw your consent, please notify us using the information in the “Contact Us” section of this Notice. Once we have received notice that you have withdrawn your consent, in whole or in part, we will no longer process your information for the purpose(s) to which you originally consented and have since withdrawn unless there are compelling, legitimate grounds for further processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Right to Complain

If you believe that your rights relating to your personal information have been violated, you have a right to lodge a complaint with the applicable enforcement authority or to seek a remedy through the courts. You should notify the local Human Resources Department or use the information provided in the “Contact Us” section of this Notice. Any submitted complaints will be resolved in accordance with formal complaint procedures. If your efforts to resolve a concern with us are unsatisfactory, you may lodge a complaint with the local data protection or regulatory authority.

Changes

We reserve the right to update this Notice at any time, and we will provide you with a new privacy notice.

Contact Us

You may direct questions or comments about this Notice, access or correct the personal information we hold about you, or make a complaint about how we have handled your personal information by contacting us using the information below, and we will do our best to assist you:

Greg Egan

Director of Engineering

3490 Piedmont Rd., Suite 1350

Atlanta, GA 30305, US

hello@factorcloud.com

678.896.0569

11. Consent

By signing the Consent form located on the next page, you provide your explicit consent to the collection, processing, storage, and use of the personal information covered by the Company's Employee Privacy Notice.

I affirm that I have read the Company's Employee Privacy Notice in its entirety and fully understand the same. I affirm that I give my express and explicit permission for FactorCloud, LLC to collect, process, store, and use my personal data as set forth in the Company's Employee Privacy Notice.

FACTORCLOUD'S INTERNAL PRIVACY PRACTICES AND PROTOCOLS

Last Updated: December 16, 2021.

Purpose

This Policy seeks to promote an effective balance between information security practices and business needs. The Policy helps the Company meet its legal obligations and its customers' expectations. From time to time, the Company may implement different levels of security controls for different information assets, based on risk and other considerations. The Company may change this Policy at any time for any reason. When such changes occur, the Company will notify its Employees and Contractors.

All of the Company's employees and contractors are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or the Company's Director of Engineering before taking any actions that create information security risks or otherwise deviate from this Policy's requirements. The Company may treat any failure to seek and follow such guidance as a violation of this Policy. Any violation of this Policy may result in discipline up to and including termination of employment for employees and termination of contract for contractors.

Do not share this Policy outside of the Company unless authorized in writing by the Company's Director of Engineering or the Company's Chief Executive Officer. The Company's customers, employees, and others rely on us to protect their information. An information security breach or cyber incident could severely damage our credibility. Security events can also cause loss of business and other harm to the Company. Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, and any others accessing or using our information assets.

2. Acknowledgment

All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire. The Company will retain acknowledgment records.

Policy Review

The Company has granted its Director of Engineering the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as they may deem necessary and appropriate. On at least an annual basis, the Director of Engineering will initiate a review of this Policy, engaging stakeholders such as individual business units, including Human Resources and outside legal counsel, as appropriate.

Training

Employees must complete information security training within two weeks after initial hire. All workforce members must complete information security training on at least an annual basis. Failure to participate in required training is a violation of this Policy. The Company will retain attendance records and copies of security training materials delivered.

Protected Information

This Policy is intended to protect all personal identifiable information, the confidential information and trade secrets of the Company, and the confidential information of the Company's customers.

Personal identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  

Confidential information is information that may cause harm to the Company, its customers, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual's privacy, the Company's marketplace position or that of its customers or legal or regulatory liabilities. Examples of confidential information include, but are not limited to:

  • The Company's or its customers' financial data;
  • The Company's customer lists;
  • The Company's revenue forecasts and budgets;
  • The Company's strategic plans;
  • The Company's financial results;
  • The Company's programs;
  • The Company's intellectual property;
  • The Company's business, operational, or marketing plans;
  • Data, information, and intellectual property belonging to the Company's customers;
  • The Company's contracts with its vendors or customers;
  • Communications or records involving the Company's operations, assets, liabilities, ownership, audits, legal obligations, or legal liabilities;
  • The Company's policies, procedures, standards, and processes;
  • Any information designated as "confidential" or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
  • Any information regarding the personal identifiable information of the Company's customers, employees, owners, vendors, or contractors;
  • Any drafts, summaries, reports, or other documents that contain Confidential Information.

Trade Secrets are generally defined as any formula, pattern, compilation, program, device, method, technique, or process that provides a competitive edge to the Company and from which the Company derives independent economic value, actual or potential, from the information not being generally known to the public and that the Company uses efforts that are reasonable under the circumstances to maintain the information's secrecy. The Company's Trade Secrets include many of the types of information listed above as Confidential Information. If you have any questions concerning the definitions of personal identifiable information, confidential information, or trade secrets, you should contact the Director of Engineering.

Physical Security

The Company uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. All employees and contractors must:

  • Only allow authorized personnel to enter the Company's office space;
  • Safeguard all keys, keycards, or access codes that would allow unauthorized individuals to enter the Company's office space;
  • Position computer or mobile device screens where information on the screens cannot be seen by unauthorized parties;
  • Not display any personal identifiable information, confidential information, or trade secrets on a computer or mobile device screen where unauthorized individuals can view it;
  • Log off or shut down your work-related devices when the devices are to be left unattended for any period of time; or at the end of your workday;
  • Do not leave devices or the bags containing them visible in a parked car or check them as baggage on airlines or other public transportation.

Role-Based Access Controls

The Company restricts access to specific systems, networks, clouds, and servers to only those employees and contractors with a business need for such access. Any requests for access must be submitted to the Director of Engineering. At least once a year, the Director of Engineering will review user accounts and access levels to confirm that a legitimate business need for the access still exists.

When an employee or contractor stops working for the Company, the Director of Engineering will deactivate the individual's account on the employee's or contractor's last day of work.

8. Device and End-User Controls

Employees and contractors may only access the Company's networks using end-user devices that have been approved by and registered with the Director of Engineering and that are equipped with the Company's required information security applications and software including, but not limited to, protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions. Company-owned machines may be configured to automatically receive upgrades. You may be denied remote access using non-Company owned devices that do not meet current standards.

To protect the Company's information and data, including personal identifiable information, confidential information, and trade secrets from being lost or becoming public, all employees and contractors must immediately report any device used for the Company's business that is lost, stolen, accessed by unauthorized persons, or otherwise compromised to the Director of Engineering so that the Director of Engineering can assess the risk and, if necessary, remotely wipe all of the Company's information and/or data and/or the entire contents of the device, including your personal content, in the Director of Engineering's sole discretion. You must also promptly provide the Company with access to the device when requested or required for the Company's legitimate business purposes, including in the event of any security incident or investigation.

This Policy applies to all devices used to conduct the Company's business regardless of whether the device is owned by the Company, the employee, and/or the contractor.

Employees and contractors must abide by the following:

  • Ensure that the Company's security software and applications are installed on each device used to conduct Company business;
  • Consent to the Company's efforts to manage all devices and secure the Company's data and information on those devices by promptly providing any information necessary to access the devices.
  • Comply with the Company's device configuration requirements.
  • Comply with the Company's password requirements;
  • Maintain the device's settings such that the device locks itself and requires a password if it is idle for five minutes or more;
  • Maintain the device's settings so that use of the device is suspended after three failed login attempts;
  • Keep the device current with all information security applications, programs, software, patches, and updates;
  • Do not download or install any unauthorized software, applications, or programs unless specifically authorized in writing by the Director of Engineering.
  • Prohibit use of the device by anyone not authorized by the Company, including your family, friends, and business associates.
  • Do not locally download, transfer, or save work product or business information to your device. You must erase any such information that is inadvertently downloaded, transferred, or saved to your device.
  • Do not connect the device to any unsecured or public WiFi networks;
  • Use your own Company-provided unique identifier and password to access the Company's networks, systems, programs, applications, clouds, and servers;
  • When you are not actively using your device to conduct business on behalf of the Company, you must lock the device; and
  • Deactivate your device's wireless networking interface when it is not in use.

Unique Identifier and Access Management

The Company will assign each individual subject to this policy a unique identifier to access its devices, systems, networks, clouds, and servers. Each specific identifier must be linked to an accountable individual. The Company will then assign each unique identifier a unique password. You can then change your password to something that you will remember. However, the password must be strong, hard to guess, and meet the character requirements imposed by the Company. You must not share your account or password with others. You will be prompted to change your password quarterly and must comply.

Best practices for passwords are as follows:

  • Be at least 8 characters;
  • Be comprised of a mix of letters (upper and lower case), numbers, and special characters (punctuation marks and symbols);
  • Not be comprised of or use only words that can be found in a dictionary;
  • Not be comprised of an obvious keyboard sequence or common term (i.e., "qwerty," "12345678," or "password"); and
  • Not include easily guessed or obtained data such as personal information about yourself, your partner, your pet, your children, birthdays, addresses, phone numbers, locations, etc.

Employees and contractors must treat passwords as highly confidential information. You must protect your password at all times by:

  • Not disclosing your passwords to anyone, including anyone who claims to be from the Company or the Company's customers. The only individual whom you may disclose your password to is the Director of Engineering;
  • Not sharing your passwords with others (including co-workers, managers, customers, or family);
  • Not writing down your passwords or otherwise recording them in an unsecure manner;
  • Not using save password features for applications, unless provided or authorized by the Company;
  • Not using the same password for different systems or accounts, except where single sign-on features are automated; and
  • Not reusing passwords.

If you have reason to believe that your password has been compromised for any reason, please immediately report the incident to the Director of Engineering. The Company will deactivate user accounts after three failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility.

Acceptable Use Policy

The Company provides networks, systems, servers, clouds, computers, software, hardware, electronic resources, and physical resources for business purposes only. Do not use the Company's resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with the Company or its customers. Do not use the Company's resources in a manner that negatively impacts your job performance or impairs others' abilities to do their jobs. Do not use the Company's resources for activities that may be deemed illegal under applicable law. If the Company suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.

Prohibited Activities

The Company prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:

  • Hacking, spoofing, or launching denial of service attacks;
  • Gaining or attempting to gain unauthorized access to others' networks or systems;
  • Sending fraudulent email messages;
  • Distributing or attempting to distribute malicious software (malware);
  • Spying or attempting to install spyware or other unauthorized monitoring or surveillance tools;
  • Committing criminal acts of any kind including, but not limited to, criminal acts of terrorism, fraud, cybercrime, or identity theft;
  • Downloading, storing, or distributing child pornography or other obscene materials;
  • Downloading, storing, or distributing materials in violation of another's copyright;
  • Creating undue security risks or negatively impacting the performance of the Company's network, systems, clouds, and/or servers;
  • Causing embarrassment, loss of reputation, or other harm to the Company or its customers;
  • Uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media;
  • Distributing joke, chain letter, commercial solicitations, or hoax emails or other messages (spamming);
  • Disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others;
  • Using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities; and
  • Installing or distributing unlicensed or pirated software.

Technology Development

Employees and contractors who are involved in the development of the Company's technology must avoid any undue or unexpected impact to the Company's production information and technology environment.

Development activities, including system testing, must take place in reasonably segmented environments. Maintain segregation of duties between development and operations. Developers may be granted limited access to production environments where personnel and expertise availability is limited, but only for specific troubleshooting or support purposes. Software and technology development can only be performed by individuals authorized by the Director of Technology and must only take place in environments authorized by the Director of Technology.

Developers should identify potential information security risks and resolve them early in the development process. Developers should seek advice and assistance from the Director of Engineering to identify best practices and avoid application-level security risks. Developers should use defensive coding techniques and regular code review and application-level scanning to identify and remediate any information security issues before releasing software or other applications.

Information Handling

Employees and contractors must properly handle, store, and securely dispose of the Company's information. You are responsible for any personal identifiable information, confidential information, or trade secrets that you access or store. Do not allow others to view, access, or otherwise use any such information unless they have a specific business need to know.

Store files or other data critical to the Company's operations on regularly maintained (backed up) servers or other storage resources. Do not store business critical data only on end-user devices such as desktops, laptops, smartphones, or other mobile devices.

Physically secure any media containing the Company's information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, or USB drives), or other media in a locked area. When the Company determines that any personal identifiable information, confidential information, or trade secrets are no longer required to meet business needs or contractual obligations, you must shred all such information prior to disposal and delete any electronic versions of such information pursuant to the direction of the Director of Engineering.

Remote Access

If you have a business need to access the Company's network, systems, clouds, and/or servers from home, while traveling, or at another location, you must use a private network connection. Employees and contractors are expressly forbidden to conduct any Company business using a public network or an unsecured private network.

Internet Safe Use & Threat Awareness

The Company may block or limit access to particular services, websites, or other internet-based functions according to risks and business value. Recognize that inappropriate or offensive websites may still be reachable and do not access them using the Company's resources or on any personal device used to access the Company's resources. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) on Company-owned devices or personal devices used to access the Company's networks, systems, clouds, applications, and/or servers to business purposes or as otherwise permitted by this Policy.

Never use internet peer-to-peer file sharing services. Do not disclose personal identifiable information, confidential information, or trade secrets to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages.

Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content. Attackers frequently use these methods to transport viruses and other malware. Be cautious, even if messages appear to come from someone you know, since attackers can easily falsify (spoof) email senders. The Company may block some attachments or emails, based on risk.

Do not respond to an email or other message that requests personal identifiable information, confidential information, or trade secrets unless you have separately verified the request and the requestor.

If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact the Director of Engineering immediately and before interacting with the message.

Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.

Do not make postings or send messages that speak for the Company or imply that you speak for the Company unless you have been authorized to do so by the Company's Chief Executive Officer.

Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake. Email signatures should be professional and appropriate for your business role.

16. Monitoring

You should have no expectation of privacy when using the Company's network or systems, including, but not limited to, transmitting and storing files, data, and messages. The Company reserves the right to monitor any use of its network and systems to the extent permitted by applicable law. By using the Company's systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, access attempts, traffic, key strokes, activity, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media including, but not limited to, the Company's services and cloud-based networks.

17. Security Incident Reporting

Immediately notify the Director of Engineering if you discover a security incident or suspect a breach in the Company's information security controls. The Company maintains various forms of monitoring and surveillance to detect security incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to the Company.

Treat any information regarding security incidents as highly confidential and do not share it, internally (except with the Director of Engineering or one of the Company's officers) or externally.

Security Incident Examples. Security incidents vary widely and include physical and technical issues. Some examples of security incidents that you should report include, but are not limited to:

  • loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication);
  • suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-virus software or personal firewalls;
  • loss or theft of any device that contains the Company's information (other than public information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
  • suspected entry (hacking) into the Company's network, systems, clouds, or servers by unauthorized persons;
  • any breach or suspected breach of personal identifiable information, confidential information, or trade secrets;
  • any attempt by any unauthorized person to obtain passwords, personal identifiable information, confidential information, or trade secrets in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
  • any other situation that appears to violate this Policy or otherwise create undue risks to the Company's information assets.

Compromised Devices.

If you become aware of a compromised computer or other device, you should immediately deactivate (unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and immediately contact the Director of Engineering.

Change Management

Change Management refers to a formal process for making changes to the Company's network, systems, clouds, applications, devices, software, databases, and/or servers. A change is defined as the addition, modification, or removal of approved, supported, or baselined hardware, network, software, application, environment, system, or associated documentation. The goal of change management is to increase the understanding of proposed changes across the Company and ensure that all changes are made in a way that minimizes negative impact to services and customers.

Change Management Process

Change management generally includes the following steps:

  • Plan the change, implementation, design, testing, schedule, and communication plan.
  • Evaluate the change, including determining the risk and the nature of the proposed change.
  • Review change plan with Director of Engineering and Chief Executive Officer.
  • Obtain approval of change by Director of Engineering and Chief Executive Officer.
  • Communicate about changes with the appropriate parties.
  • Implement the change.
  • Document the change and any review and approval information.

Process Documentation

The Change Management Process will be documented on the Process Log and will include the following information:

  • Details of proposed change;
  • Reason(s) change is needed;
  • Identification of any risk to network, systems, cloud, servers, applications, and/or processes;
  • Plan to mitigate/minimize risk;
  • Testing of change and results;
  • Implementation plan;
  • Communication plan;
  • Date of change approval; and
  • Date of change implementation.

The individual requesting the change is responsible for the preparation of the Process Log and responsible for submission of the final process log to the Director of Engineering at the conclusion of each Change Management Process.

Change Documentation

All changes will be documented on the Change Log and will include the following information:

  • Who made the change?
  • What was changed?
  • Why was the change made (Reason/Comment)?
  • When was the change made?

The Change Log will be maintained by the Director of Engineering.

Data Breach Laws

Various information security laws, regulations, and industry standards apply to the Company and the data we handle. The Company is committed to complying with applicable laws, regulations, and standards.

Various laws protect individuals' personal identifiable information, such as government-assigned numbers, financial account information, and other sensitive data.

Many states have enacted data breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information about the Company's employees, customers, business partners, and others.

When a data breach occurs, the Company must follow the specific laws of the state where each affected individual resides. If you become aware that any of the following information about the Company's employees, customers, business partners, or others has been compromised due to unauthorized access or disclosure, you must immediately notify the Company's Director of Engineering.

  • First name or initial and last name;
  • Social Security Number;
  • Passport Number;
  • Driver's License Number;
  • State or Federal Identification Number;
  • Financial or bank account number or information;
  • Credit card number or account information;
  • Debit card number or account information;
  • Tax identification number;
  • Information on an individual's credit history, credit score, or credit worthiness;
  • Information concerning an individual's medical history, condition, or diagnosis;
  • Information concerning an individual's biometric data;
  • Health insurance or subscriber information;
  • An individual's unique login information or password information used to access any of the Company's services, platforms, servers, clouds, or networks;
  • An individual's unique private key that is used to authenticate or sign an electronic record;
  • An individual's license plate number or vehicle registration number;
  • An individual's username or email address, in combination with a password or security question and answer that would permit access to an online account that may contain personal or private information.

Acknowledgment of the Company's Internal Privacy Practices and Protocols

I affirm that I have read the Company's Internal Privacy Practices and Protocols Policy in its entirety and fully understand the same. I affirm that I will abide by this Policy. I understand that failure to abide by this Policy may result in the termination of relationship with the Company.

DATA & INFORMATION INCIDENT RESPONSE PLAN

Last Updated: December 16, 2021.

The purpose of FactorCloud, LLC's (the "Company") Data & Information Incident Response Plan is to outline the Company's strategy for responding to and recovering from the exploitation of threats, attacks, risks, and vulnerabilities posed against the Company's network, systems, clouds, applications, software, hardware, or servers.

Incident Response Team

The Incident Response Team includes the Director of Engineering, the Chief Executive Officer, and the Vice President of Information Technology. The Incident Response Team is responsible for the maintenance and implementation of the Company's Data & Information Incident Response Plan. The Incident Response Team is also responsible for coordinating with other stakeholders such as outside counsel.

Data & Information Incidents

Situations that will be classified as an incident include but are not limited to:

  • Access Violation;
  • Breach of physical security arrangement;
  • Breach or loss of confidentiality;
  • Denial of service;
  • Detection of unauthorized wireless access points;
  • Errors resulting from incompetent or inaccurate business data;
  • Human error;
  • Loss of service;
  • Malfunction of software or hardware;
  • Malware activity (virus, worms, trojans);
  • Non-compliance with policy or guidelines;
  • Physical asset loss or theft;
  • System exploits;
  • Unauthorized physical or logical access;
  • Unauthorized user of system resources; and
  • Uncontrolled system change.

Incident Response Plan

The core tenets of the Incident Response Plan are:

  • PREPARATION: Preparation not only includes creating this Data & Information Incident Response Plan, but also includes implementing robust prevention mechanisms to reduce the likelihood of an incident occurring.
  • DETECTION AND ASSESSMENT: Detection includes having mechanisms in place to monitor for and report potential incidents and incidents. Potential incidents are assessed to determine whether or not the incident qualifies to kick off the incident response process.
    • The following are mechanisms deployed to aid in detecting the existence of security vulnerabilities:
      • Alerts from firewalls;
      • Automatic access blocking from unauthorized users;
      • Alerts from Intrusion Prevention Systems (IPS), including, but not limited to, network-based IPS, host-based IPS, and file integrity monitoring (FIM) systems;
      • Vulnerability and patch reports provided by software vendors; and
      • Vulnerabilities identified via manual inspection and analysis of internal system processes.
  • RESPONSE AND RECOVERY: Once detection and assessment has occurred, the incident must be contained as quickly and effectively as possible to respond to and recover from the incident.
    • Each incident should be logged into the Incident Response Team's "Incident Response" repository.
    • The Incident Response repository is the tracking mechanism for all incidents and is used to collect information related to the event or vulnerability. Each issue in the Incident Response repository logs the individual, time stamps and related decisions along the process.
    • The Incident Response Team will work to immediately respond to all incidents as quickly as possible using their collective best judgment and seeking professional advice when necessary. To the extent possible, the Incident Response Team will follow the Change Management policies. If immediate action is needed to mitigate or respond to the incident, the Incident Response Team will retroactively follow the Change Management policies.
    • Evidence of each incident will be stored securely such that artifacts may be used for legal prosecution or internal disciplinary action as needed.
  • LESSONS LEARNED: Once the incident is contained, a root cause analysis is conducted to determine the root cause(s) for the incident and corrective actions to put in place in order to protect against a recurrence.

Incident Communications

Communication with external parties (including customers, general public, law enforcement entities, and others) will be approved by the Incident Response Team.

Legal Requirements

If an incident has an impact on customers, the Incident Response Team will notify, according to agreed-upon contracts with customers, affected customers of unauthorized access to or disclosure of nonpublic personal information, as soon as is practical, after confirmation of such an event. This notification to customers and partners is coordinated with assistance from outside legal counsel and will be performed in conformance with applicable legal requirements.

Forensic Evaluation

During the response phase, all data required to conduct a thorough forensic investigation are collected and stored securely in order to conduct a thorough evaluation in conformance with accepted forensic standards.