1. Purpose
DGS DATA GOVERNANCE SYSTEMS LLC ("DGS") is committed to ensuring the highest standards of data security and personal data protection. This policy establishes the framework for preventing, detecting, responding to, and mitigating security incidents related to personal data. It also defines the responsibilities of employees and third parties, outlines disciplinary measures for non-compliance, and ensures compliance with global data protection regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and local data protection laws.
2. Scope
This policy applies to:
- All employees, contractors, and third parties handling personal data on behalf of DGS.
- All data processing activities, including data collection, storage, transfer, and deletion.
- All systems and environments used to process or store personal data.
3. Incident Response and Security Measures
DGS has implemented a structured Incident Response Plan to address any security breaches or unauthorized access to personal data. The response process includes:
- Identification and Detection: Continuous monitoring for unauthorized access, data breaches, or anomalies in data processing.
- Incident Classification: Evaluating the severity of the incident based on its potential impact on individuals and business operations.
- Immediate Containment and Mitigation: Applying countermeasures to minimize damage and prevent further unauthorized access.
- Forensic Analysis and Remediation: Conducting a root-cause investigation and implementing corrective actions to strengthen security controls.
- Regulatory Reporting and Notification: If required by law, DGS will notify relevant authorities and affected individuals within the established legal timeframe.
- Documentation and Learning: Maintaining a log of all security incidents to analyze trends and improve future security practices.
4. Employee Training and Awareness
DGS requires mandatory training for all employees and third parties handling personal data. These training programs cover:
- Understanding personal data protection principles and legal requirements.
- Recognizing phishing, social engineering, and other cyber threats that may lead to data breaches.
- Best practices for secure data handling, including encryption, access control, and data minimization.
- Incident reporting procedures to ensure that breaches are addressed promptly.
- Annual refresher courses to update employees on evolving cybersecurity threats and regulatory changes.
5. Disciplinary Measures for Non-Compliance
Non-compliance with this policy will result in disciplinary actions, including but not limited to:
- Formal warnings or retraining for minor infractions.
- Suspension or termination of employment or contracts for severe violations.
- Legal consequences if non-compliance results in regulatory penalties or reputational damage to DGS.
- Sanctions against third parties that fail to adhere to contractual data protection obligations.
6. Secure Data Retention, Deletion, and Certification
DGS has established procedures to ensure that personal data is only retained for the duration necessary to fulfill contractual and regulatory obligations. Once data is no longer needed, the following measures apply:
- Secure Deletion: Data is permanently erased using industry-standard techniques (e.g., cryptographic erasure, secure overwriting).
- Data Return Upon Request: Clients may request the return of their data before its deletion.
- Certification of Secure Erasure: Upon data deletion, DGS provides a certificate or documented proof confirming the secure destruction of personal data.
7. Additional Safeguards for Personal Data Protection
To further strengthen its data protection framework, DGS maintains the following safeguards:
- Access Control: Only authorized personnel have access to personal data, based on the principle of least privilege.
- Encryption: All personal data is encrypted during storage and transmission.
- Third-Party Risk Assessment: Vendors and partners handling personal data must comply with DGS’s security standards.
- Regular Audits: Periodic assessments are conducted to verify compliance with data protection regulations.
8. Policy Review and Updates
This policy is subject to annual review to ensure it remains aligned with regulatory requirements and industry best practices. Any updates will be communicated to all relevant stakeholders.
For further inquiries or requests related to data security incidents and personal data protection, please contact the Compliance Office at DGS DATA GOVERNANCE SYSTEMS LLC.