Information Management Policy

Guidance and direction on information management and to clarify the Employee responsibilities.

Purpose

The purpose of this Policy is to provide guidance and direction on information management and to clarify the Employee responsibilities.

The List of the EClaims Group’s Confidential Information is enclosed with this Policy as an Annex and constitutes an integral part of this Policy.

Scope

This Policy applies to all EClaims Group Employees and Third parties that handle, manage, store, or transmit the EClaims Group’s information.

Information Classification

All EClaims Group’s information is classified into three levels:

Confidential Information - restricted and must remain confidential. This is EClaims Group’s most sensitive information and access to it should be considered privileged and must be explicitly approved. Exposure of this information to unauthorized parties could cause extreme loss to the EClaims Group and/or its customers or break contractual obligations, and/or adversely impact the EClaims Group, its partners, Employees, contractors, and customers. In the gravest scenario, exposure of this information could trigger or cause a business extinction event.

Internal Use Information - information that is created and used in the normal course of business and should not be made publicly available. Unauthorized access or disclosure could cause minimal risk or harm and/or adversely impact the EClaims Group, its partners, Employees, contractors, and customers.

Public Information - information that is publicly shareable and does not expose the EClaims Group or its customers to any harm or material impact.

Information level is set by the information owner (in some cases - the information creator) according to this Policy.

A list of the EClaims Group’s Confidential information is determined and approved by the Board.

Information Labeling

Confidential Information - must include the label “CONFIDENTIAL” in the header of each page. However, failure to mark Confidential Information with a label does not disqualify it from being Confidential Information.

Internal Use Information – does not need to be labeled unless it is likely to be accessed by Third Parties.

Public Information – no labeling requirements.

Roles and Responsibilities

Employees are required to review and understand this Policy, and to handle the information according to the classification scheme above and requirements in this Policy unless otherwise noted.

Information Owner shall determine the classification of information in accordance with this Policy.

Company Board must approve the List of EClaims Group’s Confidential Information and has overall responsibility for the effective operation of this Policy.

Training

The EClaims Group must ensure that all Employees are familiarized with this Policy.

The Employees shall be properly informed about the relevant information management requirements and legal obligations through regular training, awareness campaigns, and instructions.

Information Asset Identification

Information is created, processed, stored, transmitted, and deleted with the help of Information Systems and Assets.

The EClaims Group’s Information Systems and Assets must be identified, registered, and managed according to the Information Asset Management Standard.

Information Use and Disclosure

All Employees and Third parties must protect the EClaims Group’s Confidential Information and Internal Use Information to which they have access.

Access to the EClaims Group’s Confidential Information and Internal Use Information is given by the need-to-know principle - access to such information is given only for the Permitted Purpose.

Documents in the EClaims Group are registered and managed according to the Documented Information Management.

Confidential Information may be available to the Employees in full scope or based on the Permitted Purpose (i.e., Employees’ contracts are available only to the human resource team).

Confidential Information Use and Disclosure

The Employees shall:

  1. Use Confidential Information only for the Permitted Purpose. The Employees shall not use Confidential Information for purposes other than the Permitted Purpose, shall not transmit, publish, or otherwise disclose it to Third parties or other Employees, without access to the specific Confidential Information described in this Policy or approved by the order or other documents of the EClaims Group. The Employees shall not engage in any commercial, political or other activity using available Confidential Information of the EClaims Group without the written consent of the EClaims Group.

  3. Protect Confidential Information entrusted to them and take all reasonable measures to prevent Third parties from having access to it. The Employees shall be considered to have breached this Policy in case Confidential Information is disclosed to the Third-Parties due to negligence, i.e., by leaving the computer not turned off, leaving documents containing Confidential Information in an unprotected place, etc.

  4. Not carry outside the EClaims Group’s premises documents, electronic documents as well as any other media that may contain Confidential Information or references thereto (in any form – digital, hardcopy, oral, etc.) except for a laptop, mobile phone or in case it is necessary to attain the Permitted Purpose. In such cases, however, the Employees shall ensure that no Third parties shall be able to access such Confidential Information and that such Confidential Information shall not be left unattended. In case of a failure by the Employees to comply with this obligation, regardless of whether the Confidential Information has been disclosed to Third parties not entitled to access this information, the Employees shall be deemed to have breached this Policy and may be subject to disciplinary or other liability under this Policy.

  5. Disclose the Confidential Information or parts thereof only to those of the EClaims Group’s Employees who are entitled to receive such Confidential Information and only if this is necessary for the respective Employees and (or) the Permitted Purpose. In case the Employees do not know or doubt whether other Employees have such rights, the Employees shall contact the EClaims Group for information.

  6. Obtain written consent from the EClaims Group before providing Confidential Information to the advisors, consultants or other Third parties, other than the Employees of the EClaims Group.

  7. Prior to legally disclosing Confidential Information to Third parties under the requirements of this Policy, make sure that the Third parties sign a confidentiality obligation, inform them in advance that this information is Confidential Information and can only be used for the purposes of such disclosure, and demand that all necessary measures to protect the Confidential Information be taken so that it is not disclosed to Third parties not entitled to access Confidential Information.

  8. Not make copies in any form of the documents, electronic documents as well as information stored in any other media (including, but not limited to audio and video recordings), except in cases when this is necessary for carrying out the Permitted Purpose. In case of breaching this obligation, regardless of whether the Confidential Information has been disclosed to Third parties not entitled to access this information, the Employees shall be deemed to have breached this Policy and shall be subjected to disciplinary or other action in line with this Policy.

  9. Not communicate or make any announcements in any mass media related to the disclosure of the Confidential Information, as well as not to disclose, reference or post any Confidential information on social media platforms without a written consent of the EClaims Group or its authorized representative.

  10. Promptly notify the EClaims Group in writing about an event of any actual or alleged improper storage, misuse or unauthorized release or disclosure of any Confidential Information which constitutes, or is likely to constitute, a breach of any of the provisions of this Policy, and, without prejudice to any rights or remedies of the EClaims Group, the Employees shall take such steps as the EClaims Group may reasonably require to remedy or mitigate the effects of such an actual or potential breach.

  11. In case of doubt as to whether the information provided to the Employees is Confidential Information, consult with the EClaims Group regarding the status of such information and do not perform any actions with the respective information until receiving a written response from the EClaims Group on the respective information’s status.

  12. Take all of the necessary measures to prevent unauthorized disclosure and use of Confidential Information and comply with the information security policies of the EClaims Group, including immediately informing the EClaims Group in case of finding out or suspecting that the Confidential Information has been or may be disclosed to persons who are not entitled to access it and to inform the EClaims Group of all circumstances that threaten the security and secrecy of such information.

  13. Perform any other necessary actions that the EClaims Group shall reasonably request to ensure security and confidentiality of Confidential Information.

In case it is necessary for the Permitted Purpose to copy Confidential Information, the Employees shall have the right to make copies only of such Confidential Information, which is essential for the purpose. The copies shall be clearly marked with a stamp “Confidential” or another stamp of the same meaning.

In the event of any request for legal disclosure under this Policy, the Employees shall not be entitled to disclose more Confidential Information than is necessary for the conditions and purposes of the disclosure and shall take all reasonable measures to prevent excessive disclosure of information as well as to protect the Confidential Information from further disclosure.

Internal Use Information Use and Disclosure

The provisions stipulated in Confidential Information Use and Disclosure apply to Internal Use Information.

Security and Privacy Controls

| # | Public information | Internal Use Information | Confidential Information |
| --- | --- | --- | --- |
| Risk degree | LOW | MEDIUM | HIGH |
| Description | Information that can be either freely disclosed to the public or has no big influence on the Corporate Group in case it gets published. | Information of medium importance, typically created for internal use only, not meant for public disclosure. | Highly sensitive information concerning either customers or corporate individuals, absolutely not meant for public disclosure |
| Potential impact | The negative impact from this information type getting into the wrong hands or being published ranges from nonexistent to inconvenient at most. | The negative impact from this information type getting into the wrong hands or being published is on a moderate rate, meaning concerning, but not business critical. | The negative impact from this information type getting into the wrong hands or being published is highly destructive, capable of creating both financial and legal problems to the Corporate Group. |
| Access rights | Low or nonexistent limitations | Moderate access, available to Employees on a need-to-know basis (in case someone needs this information to do their job properly) approved by an information owner. | Highly selective case-by-case approved access by a manager and an information owner. Logging and monitoring of access required. |
| Reproduction | No special requirements | May be reproduced for Internal Use only | All copies of Confidential information outside of approved system(s) must be pre-approved by both Legal and Information Security Teams |
| Distribution/Disclosure | No special requirements | NDA required before disclosing to Third parties. Information sharing with non-Employees is not allowed unless explicitly approved by an information owner. | NDA required if disclosed to the Third-parties. Sharing with non-Employees is not allowed unless explicitly approved by both Legal and Information Security Teams |
| Storage | No special requirements | Information must be encrypted at rest if stored using Third parties’ resources | Information must be encrypted at rest and in motion. Information may be encrypted in use. |
| Disposal | No special requirements | Information in paper and electronic storage media must be irretrievably erased, degaussed and/or disposed of in a secure fashion | Information in paper and electronic storage media must be irretrievably erased, degaussed and/or disposed of in a secure fashion |
| Transmission | No special requirements | Information must be encrypted in motion. | Information must be encrypted in motion. |

Exceptions

The obligations under this Policy do not apply to Confidential Information or Internal Use Information:

  • That is in or comes into the public domain by any means other than as a result of a breach of this Policy.

  • That was lawfully in the possession of an Employee before entering into the employment contract, and not subject to any obligation of confidence.

  • That the Employees are required to disclose by law, or to comply with a lawful and mandatory instruction of the competent courts, state authorities, and other authorized Third parties. However, the Employees shall take all of the necessary measures to disclose the information only to the legally required extent and comply with the security measures intended to ensure confidentiality of the Confidential Information or Internal Use Information as provided in this Policy. Upon receiving such a request to disclose Confidential Information or Internal Use Information, the Employees shall always promptly, and before any disclosure takes place, inform the Corporate Group in writing.

Before disposal, documentation required by the HIPAA (Health Insurance Portability and Accountability Act) regulation, regardless of its classification, is retained for 6 years from the date of its creation or the date when it was last in effect, whichever is later.

Liability

The disclosure of Confidential Information and Internal Use Information to Third parties and other violations of this Policy shall be considered a gross violation of the Corporate Group’s work regulations and may result in disciplinary actions, including dismissal.

The Employees suspected of committing a breach of this Policy shall be required to cooperate with the Corporate Group’s investigation.

The Employees may be required to remove any social media content that the Corporate Group considers a breach of this Policy. Failure to comply with such a request may result in a disciplinary action.

Review and Familiarization

This Policy shall be reviewed regularly, at least once a year.

The Employees shall be familiarized with this Policy in a written form (including in an electronic form) by providing the Corporate Group with their confirmation on the familiarization.

In case of amendments, the Employees shall be familiarized with the Policy again.

Annex

List of the Company’s confidential information

Information in italics is a commercial secret of the Company and/or the Group.

Commercial secrets are information that: a) is non-public, i.e. the information is generally not known to third parties or is not readily accessible in the environment in which such information is normally handled; b) has actual or potential commercial value because it is not publicly available to third parties; c) the Company and/or the Group shall take reasonable steps to protect this information.

| # | Area | Scope of information |
| --- | --- | --- |
| 1 | Finance | Accounting and financial information, including but not limited to companies' profit, loss, revenue and expenses, gains and losses for all periods as well as detailed turnover data and budgets |
| | | Information on assets held on any basis, loans, any terms and conditions of specific transactions entered into, the monetary or other targeted value of the transactions and assets held |
| | | Information on credit limits |
| | | Information on loans granted, their amounts and conditions |
| | | Information on bank account balances |
| | | Information on the Company's bank accounts, their managers and other persons with access to them and the rights granted to those persons |
| 2 | Sales | Lists of existing and potential customers, partners and related persons, their representatives and contact details of such representatives, correspondence information |
| | | Methods of sales execution and organisation, methods of working with customers and partners, negotiation techniques |
| | | Sales pricing data, cost data, discount policy |
| | | All terms and conditions of contracts and orders with customers and partners under preparation, concluded and under execution, the history of the organisation and execution of the sales process, the results of negotiations |
| | | Sales plans and indicators |
| | | Data on market research conducted, experimentation, implemented and tested innovations in relation to sales promotion, customer attraction or retention and related matters |
| 3 | Procurement | Information on existing and potential suppliers and contracting parties and all the terms and conditions of contracts and orders under preparation, concluded with them and under execution and of negotiations conducted with them |
| | | Lists of suppliers, contracting parties and related parties, their representatives and contact details of such representatives |
| | | Information on procurement budgets |
| | | Detailed information on planned volumes of purchases of goods and services for future periods |
| 4 | Business management and continuity | Methods of developing and managing the Company's business |
| | | Short-term strategic business plans and other non-public strategic plans (including current and future business plans), planned transactions, investment or other projects (including information on project scope, significance, financial data, etc.), operations development plans |
| | | Information on negotiations in which the Company and/or the Group participated or participates |
| | | The organisational structure of the Company and the Group, including information on shareholders, members of the management bodies, links between affiliated undertakings, final beneficiaries |
| | | Background and content of decisions of the management bodies |
| | | Marketing and communication strategies and methods |
| | | Templates for the legal documents used, including contracts of any kind, orders, etc. |
| | | Information about existing and potential disputes and other legal proceedings (including judicial and extrajudicial) in which the Company and/or the Group is involved, including the content of all legal documents (claims, demands, court proceedings, etc.), the progress of the proceedings, the negotiations and their terms and conditions, and any other relevant information |
| | | Data of evaluation of the reliability of business partners |
| 5 | Technology | Products developed by the Company and the Group, including but not limited to: (i) the algorithms used; (ii) applications; (iii) codes (application codes, code elements subject to Open Source Licence conditions, etc.); (iv) information on the frequency of product testing, vulnerabilities discovered, testing entities and other relevant information; (v) the technical design of the product; (vi) the product's functionality settings; (vii) the software used in the development of the code; (viii) the plans for the development of the products and any changes to the products; (ix) the databases; and (x) the know-how |
| | | Geographical location of IT infrastructure, suppliers of servers and other infrastructure, terms and conditions of contracts with them |
| | | Passwords, security keys and e-signatures and their algorithms for the Company's computers, tablets, servers, telephones, internet and local databases and other technical devices and virtual accesses |
| | | Non-public information on patents held, patent applications in preparation and pending but not yet published, and information on their examination |
| | | Existing trademarks, designs, discoveries, models, inventions and all other intellectual property of the Company and the Group, as well as any new trademarks under development, product names, designs, marketing or any information and materials not yet publicly available relating to new products or changes to existing products |
| | | Information on licences held and to be obtained and their conditions |
| | | Plans for changing the geographical accessibility of companies and/or products (including areas planned for the extension of intellectual property protection) |
| | | Technological information and technical parameters of the equipment used or planned to be used in operation |
| 6 | HR policy | The terms and conditions of remuneration of the Company and the Group, the terms, conditions, procedures and amounts of employee bonuses and other incentives, severance payments and other benefits and compensations |
| | | The internal organisational structure of the Company and the Group, the scope of responsibilities of employees |
| | | Personnel loyalty and retention programmes and schemes, human resources strategy, personnel incentives and promotion schemes |
| | | Personnel training methodology and methods, information on personnel performance and appraisal, recruitment strategy and methodology |
| | | Any contracts or agreements between the Company (and/or the Group) and its employees, the fact and circumstances in which they were entered into, and the terms and conditions of the agreements, including agreed remuneration, fringe benefits, etc. |
| | | Planned personnel changes |
| 7 | Know-how | Any know-how relating to the Company and/or the Group [1] |
| 8 | Personal data | Any personal data of shareholders, managers, employees, partners, customers and other third parties held by the Company and/or the Group (e.g. personal identification numbers, addresses, etc.) |
| | | Usernames, passwords and other security codes used by the Company's and the Group's customers or directly by an employee |
| | | Information about the users of the products, the relationship with them |
| | | Data captured by CCTV cameras |
| 9 | Work organisation | Internal procedures and other internal management documents, orders, instructions, notices, processes |
| | | Codes and passwords for security systems and other systems used by the Company's and the Group's offices (e.g. IT systems) |
| 10 | Inspections | All information on inspections, reviews (their purpose, objective, nature and duration) currently or already conducted, or planned by governmental and municipal authorities and law enforcement agencies in relation to the Company, its shareholders, employees, independent representatives, partners or customers |
| 11 | Other information | Information which the Company and/or the Group shall mark with a confidentiality label (regardless of the wording used) or otherwise seek to keep confidential |
| | | Any information in respect of which the Company and/or the Group has entered into confidentiality obligations |
| | | Other information the disclosure of which may adversely affect the Company, the Group or their customers and partners |

[1] For the sake of clarity, it should be noted that if the relevant information becomes an integral part of the employee's skills and knowledge, the employee shall, after the termination of the employment relationship, be required to strictly keep confidential the information about the know-how of the Company and/or the Group to the extent that the information relates to the Company and/or the Group. For example, if an employee has acquired practical negotiation skills during his/her employment with the Company, he/she may continue to use these skills, but is prohibited from disclosing information about the negotiation methods, process, etc. used by the Company and/or the Group.

Revision History

Version
Author
Approved By
Revision date
Approval date

0.1

GK

2023-05-20

2023-05-23

0.2

DM

2023-11-02

2023-11-02

0.3

GK

DM

2024-09-10

2024-09-10
