Security and Confidentiality Information and Privacy Policy Information 

1. Purpose

The purpose of this Privacy Policy is to establish Clear Winds Technologies, Inc.’s commitment to protecting the privacy, confidentiality, integrity, and security of personal, client, employee, and business information. This policy establishes privacy controls aligned with the organization’s internal control framework to ensure information is collected, used, stored, and shared in a secure and compliant manner.

2. Scope

This policy applies to:

• All employees, contractors, and third-party vendors
• All systems, applications, and devices owned or managed by Clear Winds Technologies, Inc.
• All personal, client, employee, and business information collected, processed, stored, or transmitted by the company
• All business operations involving data handling and information management

3. Policy Statement

Clear Winds Technologies, Inc. is committed to protecting personal and sensitive information from unauthorized access, disclosure, alteration, or destruction. The company shall implement administrative, technical, and physical safeguards to protect privacy and ensure compliance with applicable laws, regulations, and contractual obligations.

Privacy controls shall be integrated into the company’s internal control framework, risk management processes, and information security program.

4. Information Collection

Clear Winds Technologies, Inc. may collect information including, but not limited to:

• Name, address, phone number, and email address
• Employment and payroll information
• Client business information
• System access and login information
• Device and network usage information
• Security logs and monitoring data
• Billing and financial information

Information shall only be collected for legitimate business purposes and shall be limited to the minimum necessary to perform business operations.

5. Use of Information

Collected information may be used for:

• Providing IT services and support
• Business operations and administration
• Billing and financial processing
• Security monitoring and incident response
• Compliance with legal and regulatory requirements
• Communication with clients, employees, and vendors

Information shall not be used for unauthorized purposes or shared without proper authorization.

6. Data Protection and Security Controls

Clear Winds Technologies, Inc. implements security controls to protect private and sensitive information, including:

• Access controls and user authentication
• Encryption of sensitive data where appropriate
• Endpoint protection and mobile device security
• Network security controls and firewalls
• Security monitoring and logging
• Backup and disaster recovery procedures
• Vendor security reviews
• Data retention and secure disposal procedures

Access to sensitive information will be restricted based on job responsibilities and least privilege principles.

7. Information Sharing and Disclosure

Clear Winds Technologies, Inc. may share information with:

• Authorized employees
• Approved vendors and service providers
• Legal, regulatory, or law enforcement agencies when required
• Clients as part of service delivery

All third parties must agree to protect information and maintain confidentiality through contracts, non-disclosure agreements, or data protection agreements.

8. Data Retention and Disposal

Information will be retained only for as long as necessary to:

• Meet business and operational requirements
• Comply with legal and regulatory requirements
• Support audits and financial reporting
• Maintain security logs and incident records

When information is no longer required, it shall be securely deleted or destroyed.

9. SMS and Text Messaging Security

Clear Winds Technologies, Inc. recognizes that Short Message Service (SMS) and text messaging may be used for business communication. Because SMS messages are not inherently encrypted and may be susceptible to interception, spoofing, or social engineering attacks, additional security controls are required.

9.1 Approved Use of SMS

• SMS messaging shall only be used for business communications when approved by management or the IT Department.
  • SMS shall not be used to transmit confidential, regulated, financial, client, or sensitive company information.
  • Employees shall use company-approved messaging applications when secure messaging is required.

9.2 Prohibited Activities

The following activities are prohibited:
• Sending passwords via SMS
• Sending confidential company data via SMS
• Sending client information via SMS unless using approved secure messaging tools
• Clicking links from unknown or suspicious text messages
• Responding to SMS phishing (“smishing”) messages
• Installing applications from links received via SMS messages
• Using personal messaging apps for company data without approval

9.3 SMS Phishing Protection

Users must be aware of SMS phishing attacks that attempt to steal credentials, install malware, or trick users into transferring funds or data.

Users shall:
• Verify unknown messages before responding
• Report suspicious text messages to the IT Department immediately
• Not provide passwords, MFA codes, or sensitive information via SMS
• Not click suspicious links or download attachments from SMS messages
• Delete suspicious messages after reporting them

9.4 Multi-Factor Authentication via SMS

When SMS is used for multi-factor authentication:
• Users shall not share authentication codes with anyone
• Authentication codes must be entered only into approved company login systems
• Users must report unexpected MFA text messages immediately, as this may indicate an attempted account compromise
• Where possible, authenticator applications shall be used instead of SMS for MFA due to increased security

9.5 Retention and Monitoring

• Business-related SMS messages may be subject to company record retention, monitoring, and audit requirements.
  • Company-issued mobile devices may be monitored in accordance with company security and monitoring policies.
  • SMS communications related to business operations may be retained where required for legal, regulatory, or business purposes.

9.6 Reporting Security Incidents

Users must immediately report the following to the IT Department or Security Officer:
• Suspected SMS phishing messages
• Requests for passwords or MFA codes via text
• Suspicious links received via SMS
• Lost or stolen devices containing SMS business communications
• Any suspected compromise related to SMS communications

Failure to follow SMS security requirements may result in disciplinary action and revocation of mobile device access privileges.

10. Employee Responsibilities

Employees are responsible for:

• Protecting confidential and private information
• Following security and privacy policies
• Reporting data breaches or privacy incidents
• Using company systems responsibly
• Not sharing sensitive information without authorization
• Locking devices and securing workstations when not in use
• Following mobile device and remote work security requirements

Failure to comply with this policy may result in disciplinary action.

11. Privacy Incident and Breach Response

Any suspected or confirmed data breach or privacy incident must be reported immediately to management or the IT/security department.

The company shall:

• Investigate the incident
• Contain and remediate the issue
• Notify affected parties when required
• Document the incident
• Implement corrective actions to prevent recurrence

12. Monitoring and Review

Clear Winds Technologies, Inc. reserves the right to monitor systems, networks, devices, and data usage to ensure:

• Compliance with company policies
• Protection of company and client data
• Detection of security threats
• Proper use of company resources

Privacy and security controls shall be reviewed periodically as part of the company’s internal control and risk management processes.

13. Compliance

This policy supports the organization’s internal control framework and risk management practices by:

• Protecting sensitive information
• Reducing data privacy risks
• Supporting regulatory compliance
• Ensuring proper information governance
• Supporting audit and monitoring activities

All employees, contractors, and vendors must comply with this policy.

14. Policy Review

This Privacy Policy will be reviewed at least annually and updated as necessary based on:

• Changes in laws or regulations
• Changes in technology or business operations
• Security incidents or risk assessments
• Internal control or audit findings

15. Approval

This policy is approved by management and is effective immediately.