START.IO INFORMATION SECURITY

Start.io Inc. and its affiliates (“Start.io”) takes information security seriously. This information security overview and policy (“Security Policy”) applies to the safeguarding of users Personal Data (as defined by applicable legislation, including the EU General Data Protection Regulation) processed or collected in connection with the delivery of Start.io’s various services, apps, advertising network and platforms (“Service(s)”).

Start.io has established a comprehensive information and cyber security program which all employees and personal need to comply with, including Start.io’s customers and business partners. Start.io has implemented the below technical and organizational measures to protect the Personal Data processed by it against loss, unlawful acts and destruction, alteration, unauthorized disclosure or access, etc.

Start.io has prepared this Security Policy to provide you with a summary of the security measures and policies it obtains when providing the Services and thereafter.

PHYSICAL AND SYSTEM ACCESS CONTROL

Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.

Start.io secures any physical access to facilities that contain Personal Data, such as Start.io’s offices and server centers. Start.io secures access to its offices using advanced biometric technology to ensure that solely authorized persons have access. Further, an alarm system is installed in the premises which is activated at all times during non-working hours. Start.io’s servers are located in a protected facility in which the physical access is controlled by professional security staff. The data collected by us is stored in the Amazon data servers, for more information regarding the data security provided by Amazon, please see: https://aws.amazon.com/security/.

When Personal Data is transferred to the applicable servers it is always done in a secured and encrypted manner and solely authorized employees may access the systems by using a designated password.

Start.io balances its approach towards physical security by considering elements of control that include architecture, operations, systems, performance, compatibility and interoperability

DATA ACCESS CONTROL

The access to the Personal Data is restricted to solely the employees that “need to know” and is protected by passwords and user names. Access to the Personal Data is secured by VPN and is highly managed by access control policies. Start.io uses high level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. Start.io audits any and all access to the database and any authorized access is immediately reported and handled.

ORGANIZATIONAL AND OPERATIONAL SECURITY

It is the responsibility of the individuals across the organization to comply with these practices and standards. Start.io educates its employees and raises awareness, risk and assessment with regards to any processing of Personal Data. Internal security testing is done on a regular basis.

Start.io’s IT team ensures security of all hardware and software available within Start.io, such as: install anti-malware software on computers to protect against malicious use and malicious software (additional controls may be implemented based on risk), virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, and system and application vulnerability scanning, use secured email transfer, etc.

TRANSFER CONTROL

The goal of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. Start.io prevents from any unneeded creation of copies and has incorporated prevention of non-digital output transmission of the data sets (including the Personal Data). Further, any access to the Personal Data from beyond Start.io network is solely possible by means of a secured VPN access.

EMPLOYEES

Employees and data processors are all signed on applicable and binding agreements all of which include applicable data provisions and data security obligations. Further, as part of the employment process, employees undergo a screening process applicable per regional law. Employees are bound to follow Start.io’s policies and procedures and breaking or not following these will result in disciplinary actions up to and including termination based on local law. In addition, Start.io hold annual compliance training which include data security education.

THE INFORMATION SECURITY, LEGAL, PRIVACY AND COMPLIANCE DEPARTMENTS WORK TO IDENTIFY REGIONAL LAWS, REGULATIONS APPLICABLE TO START.IO’S COMPLIANCE. MECHANISMS SUCH AS THE INFORMATION SECURITY PROGRAM, PRIVACY COUNCIL, INTERNAL AND EXTERNAL REVIEW OR ASSESSMENTS, INTERNAL AND EXTERNAL LEGAL COUNSEL CONSULTATION, INTERNAL CONTROLS ASSESSMENT, INTERNAL PENETRATION TESTING AND VULNERABILITY ASSESSMENTS, CONTRACT MANAGEMENT, SECURITY AWARENESS, SECURITY CONSULTING, POLICY EXCEPTION REVIEWS AND RISK MANAGEMENT COMBINE TO DRIVE COMPLIANCE WITH THESE REQUIREMENTS.

This Security Policy may be updated from time to time by Start.io, pursuant to any applicable legislation, internal policies or otherwise. Most updated version is available at: https://www.start.io/start-io-computer-policy/.

Last Updated: November 7, 2021