Information security policy.

Rise Vision, Inc. (“Rise Vision”, “we”, “us”, “our”) is committed to protecting all confidential information in its possession, custody, and control while respecting the legal rights, privacy and trust of all individuals with whom it deals including its customers, suppliers, business contacts and employees.

As part of its operations, Rise Vision gathers, receives, holds, and processes confidential information about individuals including customers, suppliers, business contacts, employees, and other people we have a relationship with or may need to contact. We need such information to be complete and accurate in order to provide services to our customers.

This policy describes how Confidential Data should be collected, handled, and stored to meet Rise Vision’s data protection standards and to comply with the law. The procedures described in this policy should be followed at all times by Rise Vision’s employees, agents, contractors, or other parties working on behalf of Rise Vision.

Any questions concerning this Policy should be directed to the Privacy Officer, Alan Clayton, at support@risevision.com.

Definitions

Capitalized terms defined in this Policy apply to these Terms:

• Privacy Officer means the Rise Vision employee responsible for understanding, administering and ensuring compliance with Rise Vision’s rights and responsibilities regarding Confidential Data. Currently, the Rise Vision Privacy Officer is Alan Clayton.
• Legal shall mean the internal Rise Vision legal department and/or an outside law firm representing Rise Vision responsible for providing Rise Vision with counseling regarding Confidential Data and Rise Vision’s rights and responsibilities regarding the same.
• Operations shall mean the Rise Vision department for controlling and directing the everyday business operations of Rise Vision.
• Protected Health Information (PHI) means any information, whether oral or recorded in any form or medium, that:
  Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  Relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
• Personally Identifiable Information (PII) refers to any information about an individual maintained by Rise Vision, including (1) any information that can be used to distinguish or trace an individual’s identity, such as a name, Social Security number, date, and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
• Confidential Information means all technical and non-technical information including patent, trade secret, and proprietary information, techniques, sketches, drawings, models, inventions, know-how, processes, apparatus, equipment, algorithms, software programs, software source documents, and formulae disclosed in writing or orally and includes, without limitation, information concerning research, experimental work, development, design, details, and specifications, engineering, financial information, procurement requirements, purchasing, manufacturing, customer lists, business forecasts, sales, and merchandising, and marketing plans and information disclosed by Rise Vision, Rise Vision affiliates, business partners of Rise Vision or their respective employees, contractors or agents that are designated as confidential or that, given the nature of the information or circumstances surrounding its disclosure, reasonably should be understood to be confidential. The term “Confidential Information” does not apply to: (1) information that is or becomes public knowledge; (2) information that is received from a third party who is under no obligation to keep the information confidential; or (3) information that is individually developed.
• Trade Secret refers to any confidential business information which provides Rise Vision a competitive edge. Trade secrets encompass manufacturing or industrial secrets and commercial secrets.
• Critical Data refers to data that is necessary for Rise Vision to maintain or continue its business operations, regardless of whether it is Confidential Data.
  Confidential Data refers to all PII, PHI, Trade Secrets, Critical Data, and Confidential Information.
• IT System all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, paging systems/devices, distributed processing systems, cloud-computing environments, Internet-of-Things (IoT) devices, network attached and computer controlled equipment (i.e., embedded technology), telecommunications resources, audio/visual resources, network environments, telephones, printers, etc. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
• Incident Response Team means the team of Rise Vision employees responsible, as defined in the Incident Response Plan, for responding to Security Events affecting Rise Vision Data.
• Incident Response Plan means the written plan describing the individuals and their corresponding responsibilities for responding to Security Events affecting Rise Vision Data.
• Security Event means any security issue, incident, or event, including, but not limited to actual or suspected unauthorized access, exfiltration, copying, use, or transfer of any Confidential Data, involving or potentially impacting Rise Vision, its operations, its information, or its clients/customers.

Policy Structure

This Policy is based on ISO 27001 and ISO 27002 guidelines. The federal Health Insurance Portability and Accountability Act of 1996 and its implementing regulations found at 45 CFR Parts 160 to 164 (HIPAA) may apply to some information held by Rise Vision.

This Policy attempts to provide general guidance and guidelines for those accessing or using Confidential Data. Rise Vision operating procedures provide more detailed policies and guidelines relating to specific security controls and are detailed in related documents.

Through these policies, Rise Vision attempts to account for and comply with all applicable laws and regulations. In the event of a perceived conflict between this Policy and any law or regulation, the law or regulation should be followed. In the absence of any applicable local law or regulation, this Policy should be complied with.

This Policy sets out the Rise Vision’s approach to managing information security. This Policy should be approved by management and communicated to all staff, employees, contractual third parties, and agents of Rise Vision. The security requirements of Rise Vision should be reviewed at least annually by the Privacy Officer and approved by Operations. Formal requests for changes will be reviewed and approved in the same manner.

Guiding Principles

The following principles should be applied to the collection, processing, use, handling, or transfer of Confidential Data by Rise Vision:

FAIRNESS AND LAWFULNESS
Whenever Rise Vision collects, accesses, processes, uses, handles, or transfers any Confidential Data, Rise Vision should protect the individual rights of those associated with the Confidential Data. Confidential Data should be collected and processed in a legal and fair manner.

RESTRICTION TO A SPECIFIC PURPOSE
Confidential Data should only be processed for the purpose that was identified when the Confidential Data was collected. Any change in the use of collected Confidential Data should be disclosed to and approved by the Privacy Officer.

TRANSPARENCY
Anyone who provides Confidential Data to Rise Vision should be provided a copy of Rise Vision’s Privacy Policy informing them of how that Confidential Data came into Rise Vision’s possession, how Rise Vision uses that Confidential Data, whether Rise Vision discloses or sells that Confidential Data to anyone else and, if so, to whom.

DATA REDUCTION AND DATA ECONOMY
Before collecting, accessing, processing, using, storing, handling, or transferring Confidential Data, Rise Vision should consider whether and to what extent such activity is necessary. Anonymized or de-identified Confidential Data should be used where possible instead of Confidential Data.

DELETION
Once collected, Confidential Data that no longer serves the purpose for which it was collected should be deleted. Any requested exceptions should be approved by the Privacy Officer.

FACTUAL ACCURACY OF DATA
The Confidential Data collected, processed, used, stored, handled, or transferred by Rise Vision should be correct, complete, and, if necessary, up to date. Steps should be taken to allow inaccurate or incomplete data to be deleted, corrected, supplemented, or updated.

CONFIDENTIALITY AND DATA SECURITY
Rise Vision should take steps to treat all Confidential Data as confidential and to secure such Confidential Data with appropriate administrative, technical, and physical measures to prevent unauthorized access, loss, modification, or destruction.

Chief Privacy Officer Responsibilities

1. The Privacy Officer is the designated custodian of the Policy and is responsible for the maintenance and review of the same.
2. The Privacy Officer is responsible for ensuring that all staff and employees, contractual third parties, and agents of Rise Vision are made aware of and comply with the Policy and its processes and procedures as appropriate.
3. The Privacy Officer and other members of Rise Vision management, should review and make recommendations on the Policy, Policy standards, directives, procedures, incident management, and security awareness education.
4. Regulatory, legislative, and contractual requirements should be incorporated into the Policy and its processes and procedures.
   Guidance should be provided to Rise Vision and those subject to this Policy on what constitutes a Security Event.
5. Specialist external advice will be drawn upon, where necessary, to maintain the Policy, and its processes and procedures, to address new and emerging threats and standards.
   Training should be compulsory and the Privacy Officer should keep records reflecting the completion of training.
6. Any exception to this Policy should be approved ahead of time by the Privacy Officer and documented, stored, and annually reviewed.
7. Anyone accessing Personal Information on behalf of Rise Vision should receive training on this Policy when first hired. They should also receive training on a periodic basis, no less than once per year, or (i) whenever there is a change in the law or this Policy, or (ii) after a Security Event.
8. The Privacy Officer should maintain a database of all contracts with third-parties having access to Confidential Data indicating:
   1. What data those third-parties have access to;
   2. Why the third-party has access;
   3. For how long the third-party has access; and
   4. Any notification requirements associated with that access;

Human Resources Security

1. Information security education and training should be made available to all staff and employees.
2. Rise Vision’s Policy should be communicated to all employees, contractors, and third parties accessing Rise Vision information to ensure that they understand their responsibilities.
3. All management, staff and employees of Rise Vision, contractual third parties, and agents of Rise Vision accessing Rise Vision information are required to adhere to the Policy. Failure to comply with the Policy may result in disciplinary or remedial action.
4. Security responsibilities should be included in job descriptions and in terms and conditions of employment or engagement.
5. Rise Vision should verify and authenticate all new employees, contractors, and third parties accessing Confidential Data as appropriate. 

Physical Security

1. Critical Data or Confidential Data processing facilities should be housed in secure areas that are capable of logging the identity of all visitors.
2. Secure areas should be protected by defined security perimeters with appropriate security barriers and entry controls.
3. Critical and Confidential Data should be physically protected from unauthorized access, damage and interference.

Environmental Security

1. No alteration to hardware configuration of the IT system should take place without the prior express written permission of the Privacy Officer.
2. A formal user registration and deregistration procedure should be implemented and updated regularly for access to the IT System. The disposal of any storage media should be subject to specific security controls defined by the Privacy Officer.
3. A constantly-running anti-virus software package should be installed on the IT System and, where reasonably possible, set to auto update to the latest virus signatures. Employees and staff should still continue checking any externally sourced media for viruses before downloading any data or application to the Rise Vision IT System.
4. No Rise Vision equipment should be logged onto and left unattended. Users leaving their workstation are to log off the IT System or lock the screen to prevent unauthorized access.
5. All software in use by Rise Vision must be licensed and networked applications may be subject to a limited number of users. Legal or the Chief Operating Officer should ensure that the software is used correctly pursuant to its corresponding license. Software is not to be loaded onto any system or PC without the express authority of the Privacy Officer. This Policy is also to be reflected in the employee's terms and conditions of employment as appropriate.
6. Multi-factor authentication should be utilized for local and remote authentication for any privileged user account with access to server operating systems.

Access Control

1. Access to all information on the IT System should be controlled (whether Sensitive, Critical, or otherwise).
2. Access should be grated or arrangements made for employees, clients, and/or vendors, contractors, or other contractual third parties according to their role, to a level that will allow them to carry out their official duties.
3. Access to information and the IT System should be driven by business requirements.
4. All user accounts should follow Rise Vision password policies and practices. All users should have an individual user name for logon. All passwords are to be changed on a schedule specified by Rise Vision management. Additionally, users should change their password at any time that they feel their password has been compromised.
   1. Passwords should be given values that are not associated with personal characteristics (e.g., children’s names, telephone numbers, car registration numbers, etc.). Simple and obvious strings of characters and numbers should not be used. A combination of alphabetic, numeric, upper and lower cases and special characters should be used.
   2. Passwords should not be written down. Passwords are not to be revealed to or shared with other users. System administrator passwords should be maintained by password vault tool.
5. Any third-party entities accessing Confidential Data:
   1. Should only be allowed where it furthers Rise Vision’s business interests and is approved by the Privacy Officer;
   2. Access should be limited to the least amount of Confidential Data possible; and
   3. Access should be granted only under a contract requiring that the third-party entity seeking access to Confidential Data maintain the security and confidentiality of Confidential Data at least to the same extent as this Policy.

Development and Maintenance

1. Before developing any new IT System, or changes to existing IT System, proposed changes should be peer reviewed and assessed for privacy and data security risks.
2. The information security requirements for the IT System should be defined during the development of business requirements for new information systems or changes to existing information systems.
3. Information stored by Rise Vision will be appropriate to the business requirements.
4. Material risks identified during assessments should be addressed by policy or procedural changes where reasonably appropriate.

Security Incident Management

1. All employees, contractors, and contractual third-party users will be made aware of the procedures for reporting the different types of Security Incidents, or vulnerabilities that might have an impact on the security of Rise Vision’s IT System and Confidential Data as appropriate.
2. Security Incidents and vulnerabilities should be reported as quickly as reasonably possible to the Incident Response Team pursuant to the Incident Response Plan.

Business Continuity Management

1. Rise Vision should put in place arrangements to protect critical business processes from the effects of major failures of the IT System or disasters and to ensure their timely resumption.
2. A business continuity plan should be implemented to minimize the impact on Rise Vision and recover from loss of the IT System, or portions thereof, or any Confidential Data. Critical business processes should be identified.
3. Rise Vision should conduct analyses of the consequences of disasters, security failures, loss of service, and lack of service availability.
4. Data backup of servers should be automated and occur according to business requirements on a schedule specified by the IT Department. Users are responsible for the backup of data held on their PC hard disk and are encouraged to save data to secure, network-based locations provided by Rise Vision.

Compliance

1. Rise Vision should abide by any law, statutory, regulatory, or contractual obligations affecting its IT System.
2. The design, operation, use and management of the IT System should comply with all known statutory, regulatory and contractual security requirements.