(Last updated Nov 17, 2022)
1. Programs and Policies
a. Security Program. Grin maintains and enforces a security program that addresses the management of security and the security controls employed by Grin. The security program includes:
i. documented policies that Grin formally approves, internally publishes, communicates to appropriate personnel and reviews at least annually;
ii. documented, clear assignment of responsibility and authority for security program activities;
iii. policies covering, as applicable, acceptable computer use, information classification, cryptographic controls, access control, removable media, and remote access; and
iv. regular testing of the key controls, systems and procedures.
b. Privacy Program. Grin maintains and enforces a privacy program and related policies that address how data is collected, used and shared.
2. Risk and Asset Management
a. Risk Management. Grin performs risk assessments and implements and maintains controls for risk identification, analysis, monitoring, reporting, and corrective action.
b. Asset Management. Grin maintains and enforces an asset management program that appropriately classifies and controls hardware and software assets throughout their life cycle.
3. Worker Education
a. Workers. All Grin employees, agents, and contractors (collectively “Workers”) acknowledge their information security and privacy responsibilities under Grin’s policies.
b. Worker Controls. For Workers who will create, process, receive, access, transmit or store (“Handle” or “Handling”) data, Grin:
i. conducts security and privacy training;
ii. implements disciplinary processes for violations of information security or privacy requirements; and
iii. upon termination or applicable role change, promptly removes or updates Worker access rights and requires the return or destruction of data.
4. Network and Operations Management
a. Policies and Procedures. Grin implements policies and procedures for network and operations management. Such policies and procedures address: hardening, change control, segregation of duties, separation of development and production environments, technical architecture management, network security, virus protection, media controls, protection of information in transit, data integrity, encryption, audit logs, and network segregation.
b. Vulnerability Assessments. Grin performs periodic vulnerability assessments and testing on systems and applications that Handle data.
5. Access Control
a. Access Control. Grin implements access controls designed to maintain the confidentiality of data. Such controls include:
i. authorization processes for physical, privileged, and logical access to facilities, systems, networks, wireless networks, operating systems, mobile devices, system utilities, and other locations containing data; and
ii. granting access only if it is logged, strictly controlled, and needed for a Worker or third party to perform their job function.
b. Authentication. Grin authenticates each Worker’s identity through appropriate authentication credentials such as strong passwords, token devices, or biometrics.
6. Information Security Incident Management
a. Incident Management Program. Grin implements an information security incident management program that addresses management of information security incidents including a loss, theft, misuse of or unauthorized access, disclosure or destruction of any data (“Incident”).
b. Incident Reporting. Grin will promptly, and in any event within 48 hours, notify Customer of any Incident affecting customer data.
c. Response. Grin agrees to partner with Customer to respond to the Incident. Response may include: identifying key partners, investigating the Incident, providing regular updates, and determining notice obligations. Except as may be required by law, Grin may not notify Customer’s affected customers about an Incident without first consulting Customer.