Information Security Policy
Version 1.0 (public summary). Covers purpose, authorized use, system-owner duties, governance, and links to subsidiary policies for Privion Intranet, PAnalytics, and consulting access.
Last updated
This policy describes how Privion protects and manages information assets for Privion, its clients, partners, and the public. It guides Privion personnel, contractors, and other authorized users in the responsible handling, use, and disposal of information within a secure environment.
This public summary supports procurement and security reviews. The complete policy document, including operational procedures and evidence references, is available under NDA.
1. Purpose
Privion is committed to the following security objectives:
- Protect information against unauthorized access, disclosure, and misuse.
- Maintain confidentiality of sensitive information for those with proper authorization.
- Preserve integrity and accuracy of information used in service delivery.
- Maintain availability of information and systems needed for operations.
- Support business continuity for Privion Intranet and PAnalytics, and consulting delivery.
- Meet applicable regulatory, contractual, and legal obligations.
- Maintain physical, logical, and communications security across platforms Privion operates.
- Require reporting and investigation of information security incidents through defined channels.
- Dispose of information that is no longer required in a secure and appropriate manner.
Applicability
This policy applies to all forms of information Privion processes, including electronic systems (software, cloud services, and endpoints), Privion networks and data stores, paper records where used, and information handled when Privion personnel access client Microsoft 365 tenants under engagement terms.
The program covers Privion Intranet and PAnalytics (hosted in Azure West US 2), Privion corporate systems, and partner-delegated administrative access to client tenants. Client Microsoft 365 tenants remain under client control; Privion's obligations in those environments focus on how Privion personnel access and operate within them.
2. Information security requirements
All authorized users must exercise a duty of care when operating Privion information systems so that confidentiality, integrity, and availability are preserved.
2.2 Acceptable use
Authorized users must use Privion systems lawfully, ethically, and for legitimate business purposes. Use must respect the rights of others and align with Privion values and subsidiary policies.
- Activities must support authorized engagements and must not infringe on client or Privion rights.
- Users must not abuse resources through excessive consumption, unauthorized software, or illegal activity.
- Users must not share credentials, circumvent security controls, or use client environments for non-engagement purposes.
2.3 Information system owners
Information system owners, under security program guidance, are responsible for the security and effective management of systems in their scope. For hosted services, this includes Privion Intranet and PAnalytics on Privion-managed Azure infrastructure.
- Access control: Protect systems against unauthorized access through least privilege, MFA, and periodic access reviews.
- Physical and logical security: Protect systems against theft, damage, and misuse using cost-effective controls appropriate to the environment.
- Business continuity: Maintain and test continuity and recovery plans for critical hosted services.
- Backup and recovery: Nightly MySQL dumps to Azure Blob Storage in Azure West Central US (30-day retention). A documented restore procedure is maintained and exercised in a quarterly recovery test.
- Data accuracy: Maintain reliable configuration and operational data for hosted services.
- Proper usage: Ensure systems are used only for intended purposes; address misuse promptly.
- Retention: Retain logs and records only as long as required for operations, law, or contract, then dispose securely.
- Third parties: Ensure subprocessors that process client personal data meet contractual security and privacy obligations.
- Threat protection: Apply approved measures against malware and abuse, including platform monitoring on hosted workloads.
2.4 Personal information and privacy
Privion processes personal information in hosted services (for example, website analytics via PAnalytics) and in corporate operations. Where Privion acts as a processor, processing follows customer instructions and applicable data protection agreements.
Privion may monitor use of company systems to the extent permitted by law and policy to protect assets, investigate incidents, and verify compliance. Monitoring is limited to what is necessary for those purposes.
Breaches of this policy may result in disciplinary action, termination of access, contract remedies, and referral to law enforcement where appropriate.
3. Ownership and governance
The Privion security program owner is responsible for maintaining this policy, aligning it with emerging threats and regulatory expectations, and ensuring it is communicated to authorized users.
3.1 Security program owner
- Maintain and review this policy at least annually, or sooner when business, technology, or regulatory conditions change materially.
- Provide guidance and resources so users and system owners can comply with security requirements.
- Oversee reporting and investigation of information security incidents, including coordination with affected customers for hosted-service and processor scenarios.
- Manage the SOC 2 readiness program and track remediation of identified gaps.
3.2 Information system owners
- Implement policy requirements within assigned systems and ensure users understand their obligations.
- Monitor systems for compliance and address non-compliance promptly.
- Support security awareness training and role-appropriate guidance for users in their domain.
- Identify and treat risks for their systems, including controls and mitigation plans.
- Participate in audits and report significant risks or incidents to the security program owner without delay.
3.3 Policy review
This policy is reviewed at least annually, or more frequently when warranted by changes in services, technology, regulation, or threat landscape. System owners and leadership provide input during review.
Reporting incidents
Report information security concerns to security@priviontech.com. For urgent matters affecting hosted services, clients with active engagements may also use the emergency contact channels established during onboarding. Phone: +1 (888) 600-2236.
Full policy under NDA
This page is a public summary for procurement and security review. The complete policy, including operational procedures and evidence references, is available under NDA. Contact security@priviontech.com to request a copy.