Policy for Protection of Personally Identifiable Information (PII)

POLICY


The Information Security Management System (ISMS) of iFactum - Highweb & Page Group Inc. is aimed at protecting the confidentiality, integrity and availability of the Company's information, as well as that entrusted to it by employees and/or contractors, suppliers and customers in the course of providing services; to this end, it defines clear guidelines, aligned with business objectives and technological changes.


iFactum - Highweb & Page Group Inc. is committed to meeting and continually improving the privacy protection requirements applicable to customer assets and therefore presents the following PII Privacy Policy, the purpose of which is to describe the treatment of Personally Identifiable Information (PII) collected through the various processes, applications and platforms of iFactum - Highweb & Page Group Inc., in compliance with the Personal Data Protection Act and as part of its framework for establishing privacy objectives and compliance.


As the party responsible for the storage, custody and management of digital information, iFactum - Highweb & Page Group Inc. shall ensure that it is duly protected against unauthorized access through access control mechanisms.


OBJECTIVES


The specific objectives of this policy are:


  • To establish the correct treatment of PII that the company and its employees and/or contractors have access to in the course of their daily operations.

  • To safeguard the PII of our employees and/or contractors.


DEFINITIONS


For the purposes of this policy, the following terms are defined:


  • Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.

  • Customer Asset: Organized set of personal or non-personal data, which are delivered by the customer to be kept or stored by iFactum - Highweb & Page Group Inc. It can be physical or digital documentation, database or images.

  • Account Manager: The person responsible, on behalf of the client, for authorizing the users who use the assets for the storage, custody and transmission of the personal information they handle. Likewise, the account manager is the person responsible for requesting the Access, Return, Transfer and/or Disposal of personal information that is held or stored by iFactum - Highweb & Page Group Inc.

The data processed must be accurate, adequate and timely, and this must be observed during the collection and further processing of the data. From this, in turn, three basic data principles can be derived:

  • Adequate Data: whereby personal data must be used only for the purposes for which they were collected.

  • Accurate Data: whereby personal data must be accurate, up to date and true to the real situation of its owner. As a consequence of this principle, and with respect to the personal data of its collaborators, iFactum - Highweb & Page Group Inc. shall, without requiring a request from the owner of the data, delete outdated data and data beyond its competence; block personal data whose accuracy cannot be established or whose validity is doubtful; and modify inaccurate, misleading or incomplete data. In the case of data provided by customers, it shall be the customer's responsibility to maintain the accuracy of the data, without any liability on the part of iFactum - Highweb & Page Group Inc. for maintaining Accurate Data.

  • Timely Data: whereby only such data may be collected as are necessary to achieve the purposes justifying their collection and not excessive in relation to the purpose for which they have been obtained, in the sense that there is no other more moderate measure for the achievement of such purpose with equal effectiveness.

  • Communication or transmission of data: Refers to any physical or digital means that supports personal information related to what is stipulated in the previous point and that is transmitted between two people within the organization, or to a person outside the organization who is one of the stakeholders defined for the Integrated Management System. The transmission or sending of information can be physical or digital and may or may not be, according to the daily operation of iFactum - Highweb & Page Group Inc.

  • Personal data: Relating to any information concerning identified or identifiable natural persons.

  • Sensitive data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data.

  • Public data: It is data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.

  • Identifiable person: Any person whose identity can be determined, directly or indirectly, either by means of an identification number or by one or more specific and characteristic elements of their physical, physiological, psychological, economic, cultural or social identity.

  • Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.


SCOPE OF APPLICATION


This policy for the protection of personally identifiable information (PII) is generally applicable to all areas of, and all products developed by, iFactum - Highweb & Page Group Inc. (Marquet, customer loyalty platform, document management platform, among others).


GENERAL CRITERIA


iFactum - Highweb & Page Group Inc. complies with ISO 27018, a code of conduct designed to protect personal data in the cloud. 


ISO 27001 extends the information security standard of ISO 27001 to meet the regulatory requirements for the protection of personally identifiable information (PII) or personal data in the public cloud computing environment and specifies implementation guidance based on ISO 27002 controls that apply to PII processed by public cloud service providers.


Purpose


The Privacy Policy published on the website of iFactum - Highweb & Page Group Inc. describes the purposes for which we collect and use personally identifiable information from our customers' accounts. We understand the concerns about how account information is used, and we are mindful of the trust our customers place in us to do so carefully and confidentially.


Processing of Personal Data of Individuals


With respect to the treatment of personally identifiable information, the following obligations and criteria are established:


  • Personal data provided as customer assets, for the purposes of this policy, are considered to have the written authorizations of the owners of the data to be stored and safeguarded by iFactum - Highweb & Page Group Inc. 


  • Employees and/or contractors of iFactum - Highweb & Page Group Inc. must be informed of the personal data that will be kept by the company and its use.


  • Everyone has the right to demand from iFactum - Highweb & Page Group Inc. information about the data relating to their person, its source and recipient, the purpose of storage and the identification of the persons or organizations to whom their data is regularly transmitted. If the personal data is erroneous, inaccurate, misleading or incomplete, they have the right to have it corrected. Without prejudice to certain legal exceptions, they may also demand the deletion of their personal data if there is no legal basis for storing it or if it is out of date.


  • Everyone has the right to demand from iFactum - Highweb & Page Group Inc. the deletion or blocking of their personal data when they have provided it voluntarily or when the data is used for commercial communications and they no longer wish to be included in the respective registry, either temporarily or permanently.


  • iFactum - Highweb & Page Group Inc. undertakes not to transmit or transfer data considered customer assets to third parties not authorized by the account manager.


Rights of the data subject


The purpose of iFactum - Highweb & Page Group Inc. is the custody and storage of its customers' digital information, which it treats as an asset of the customers, who are the owners of, and responsible for, the information provided.


iFactum - Highweb & Page Group Inc. is responsible for storage and custody; the transfer of information to third parties not authorized by the account manager is impossible and strictly forbidden.


For this reason, iFactum - Highweb & Page Group Inc. has an administration area that channels requests for the Access, Return, Transfer and/or Disposal of information relating to the treatment of personally identifiable information.


Means of exercising your rights


Persons and/or Customers


Persons applying for the Access, Return, Transfer and/or Disposal of personally identifiable information contained in the customer's assets may do so through the following channels:


  1. Send an e-mail to admin at ifactum.com.

  2. Send an e-mail to your account representative.

  3. If you are a Marquet customer, use the following support portal: https://support.marquet.cloud

  4. If you are not a Marquet customer, use the following support portal: http://support.ifactum.com/

  5. On the home page of the iFactum - Highweb & Page Group Inc. website, go to the "Contact Us" section and, in the form, under "How can we help?", select the option "Personally Identifiable Information (PII)", indicating which right you are requesting (Access, Return, Transfer and/or Disposal).


The requests are received by the administration area, which contacts the applicant and generates the respective request; it is the only area authorized to receive requests for the Access, Return, Transfer and/or Disposal of personally identifiable information present in the client's assets.


The administration area will keep a record of requests regarding the Protection and Privacy of Personal Information in the client's assets, for follow-up and status tracking, through the support portal designed for these tasks.


Data Protection Officers


iFactum - Highweb & Page Group Inc. has an administration area responsible for the safekeeping of the information present in the client's assets, where the area ensures compliance with the Information Security Management System regulations, comprising the international standards ISO/IEC 27001 complemented with ISO/IEC 27017, ISO/IEC 27018, with procedures for the management of security incidents.


Likewise, the cybersecurity and compliance area ensures the implementation and updating of the different policies of the Information Security Management System through training actions and periodic audits, thus ensuring that the information contained in the client's assets is handled by the appropriate people according to their position, as well as safeguarding against information leaks and maintaining access control.


iFactum - Highweb & Page Group Inc. also has an IT area that safeguards system information and user profiling in the systems that have access to the information in the client's assets. The human resources area safeguards the Personally Identifiable Information of employees and/or contractors and of candidates to work in the company.


Information Security Documentation


iFactum - Highweb & Page Group Inc. has an Information Security Management System certified with ISO/IEC 27001 and complemented with ISO/IEC 27017, ISO/IEC 27018 standards, so it has different policies and procedures to safeguard the security of information, especially personally identifiable information, both contained in the company's assets and the personal information of employees and/or contractors of the company.


We declare the present obligations for the treatment of personally identifiable data, which will be explicitly stated at the contractual level with our customers, while the safeguarding of the information will be explicitly stated in the confidentiality clause in the contracts with our collaborators, through the following policies and procedures that affect the safeguarding and custody of the information:


PO-CC-22-001 INFORMATION SECURITY ORGANIZATIONAL POLICY

PO-CC-22-002 ACCESS CONTROL POLICY

PO-CC-22-003 PHYSICAL AND ENVIRONMENTAL SECURITY POLICY

PO-CC-22-004 EQUIPMENT SAFETY POLICY

PO-CC-22-005 CLOUD SERVICE USAGE POLICY

PO-CC-22-006 OPERATIONS SAFETY POLICY

PO-CC-22-007 ENCRYPTION POLICY

PO-CC-22-008 COMMUNICATIONS NETWORK SECURITY POLICY

PO-CC-22-009 INFORMATION TRANSFER POLICY

PO-CC-22-010 INFORMATION SECURITY INCIDENT MANAGEMENT POLICY

PO-CC-22-011 SECURE DELETION POLICY

PO-CC-22-012 POLICY FOR USE OF E-MAIL, INSTANT MESSAGING AND SOCIAL NETWORKS

PO-CC-22-013 SECURE DEVELOPMENT POLICY

PO-CC-22-014 INFORMATION SECURITY POLICY

PO-CC-23-015 POLICY FOR THE PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION PII

PPM-CC-22-001 ASSET CLASSIFICATION POLICY, PROCEDURE AND MATRIX

PP-CC-22-001 DATA BACKUP AND RESTORE POLICY AND PROCEDURE

PO-RH-22-001 HUMAN RESOURCES SECURITY POLICY

PO-RH-22-002 DISCIPLINARY PROCESSES POLICY

PR-CC-21-001 PROCEDURE FOR THE CONTROL OF DOCUMENTS AND RECORDS

PR-CC-22-002 PROCEDURE FOR CREATING AND MODIFYING PASSWORDS

PR-CC-22-003 PROCEDURE FOR THE EVALUATION AND METHODOLOGY OF RISK TREATMENT

PR-CC-22-004 DATA LABELING PROCEDURE

PR-CC-22-005 PROCEDURE ASSIGNMENT OF PRIVILEGES TO APPLICATIONS

PR-CC-22-006 PROCEDURE FOR THE MANAGEMENT OF REGISTRATION RECORDS

PR-CC-22-007 PROCEDURE FOR INTERNAL AUDIT PLAN

PR-CC-22-008 PROCEDURE FOR CORRECTIVE AND PREVENTIVE ACTIONS

PR-CC-22-009 PROCEDURE FOR CONTACTING AUTHORITIES AND SPECIAL INTEREST GROUPS

PR-CC-22-010 PROCEDURE FOR THE MANAGEMENT OF TECHNICAL VULNERABILITIES

PR-CC-22-011 PROCEDURE FOR THE RETURN OF INFORMATION ASSETS IN THE CLOUD

PR-CC-23-012 SGSI TRAINING PROCEDURE

PR-AD-22-001 PROCEDURE FOR THE IDENTIFICATION OF LEGAL, REGULATORY, TECHNICAL AND OTHER REQUIREMENTS

PR-AD-22-002 MANAGEMENT REVIEW PROCEDURE

PR-AD-23-003 PROCEDURE FOR THE ACQUISITION OF SOFTWARE SOLUTIONS

PR-AD-23-004 PROCEDURE FOR DATA LIFECYCLE MANAGEMENT

PR-AD-23-005 KNOWLEDGE MANAGEMENT PROCEDURE

PR-RH-23-001 LEGAL AND DISCIPLINARY BACKGROUND CHECK PROCEDURE

PR-AD-23-006 PROJECT PLANNING PROCEDURE


Clause in contracts with third parties for the rendering of services


iFactum - Highweb & Page Group Inc. is considered to have the authorizations of the owners of the data to be stored and kept by the company, and it will be the responsibility of the third party to have the authorizations for the provision of the service delivered by iFactum - Highweb & Page Group Inc. However, iFactum - Highweb & Page Group Inc. will safeguard the confidentiality of the data, and the information will be considered an asset for the Information Security Management System.


We declare the present obligations for the treatment of personally identifiable data, which will be explicitly stated at the contractual level with our customers, while the safeguarding of the information will be explicitly stated in the confidentiality clause in the contracts with our employees and/or contractors:


  • iFactum - Highweb & Page Group Inc. will process the personal data in accordance with the instructions and purposes for which they were obtained.


  • It will not communicate the data, not even for conservation, to other persons or entities, unless expressly authorized by the holders of the personal data or by the account manager designated by the third party.


  • The information and documentation provided by the client will be considered as an Asset for the Information Security Management System, subject to the security controls included in the same.


  • Upon termination of the contractual relationship, the data will be destroyed or returned to the entity, as stipulated in the contract annex.


  • The third party shall rely on and ensure compliance with PII laws as far as the approval of the data owners is required for the data to be stored and held by iFactum - Highweb & Page Group Inc.


Likewise, iFactum - Highweb & Page Group Inc. shall have an updated inventory of contracts of those entities that may have access to personal data and of those entities to which it provides services that may have personal data.


Security measures with respect to personal information


For the safekeeping and protection of personally identifiable information, iFactum - Highweb & Page Group Inc. will have the control mechanisms of the Integrated Management System, considering the following controls:


  • Maintenance and adequate management of access and user profiles for the different systems with access to personal data, in accordance with the PO-CC-22-002 ACCESS CONTROL POLICY.


  • PO-CC-22-010 INFORMATION SECURITY INCIDENT MANAGEMENT POLICY and PR-CC-22-008 PROCEDURE FOR CORRECTIVE AND PREVENTIVE ACTIONS, which allow an updated record to be kept of incidents in which the loss, alteration or destruction of personal data, or of devices that store personal data, is registered.


  • Any employee and/or contractor who violates the provisions of the Confidentiality Clause with respect to the treatment of Personally Identifiable Information knowingly accepts the punitive measures that the Law allows for the misuse, disclosure or loss of personally identifiable information outside the scope of their duties.


  • In case of any security incident affecting personally identifiable data, this will be immediately reported to the third party involved.


  • PP-CC-22-001 DATA BACKUP AND RESTORE POLICY AND PROCEDURE to maintain an updated inventory of the databases.



GEOGRAPHIC LOCATION OF THE PII

 

Our SaaS services run on the Amazon Web Services (AWS) infrastructure. While we do not have specific physical data center locations, AWS meets the highest standards for data security and confidentiality.


We comply with U.S. privacy and data protection laws, such as PIPA and DPPA.


The Database Engineers and the Technology Leader keep an updated record of the countries where the PII is stored, in LI-TECH-23-003 LIST OF INFRASTRUCTURE GEOGRAPHICAL LOCATIONS. The administration area in charge of communication with clients provides this information, ensuring transparency and regulatory compliance.


This implementation ensures security and compliance with data protection regulations, giving our customers confidence in the geographic location of their data.


Justification of Compliance:


  1. AWS complies with global security regulations and standards, including those set by the European Union (GDPR) and other jurisdictions. https://aws.amazon.com/en/compliance/resources/

  2. AWS maintains industry-recognized security certifications, such as ISO 27001, which ensure that rigorous security controls are implemented in its infrastructure. https://aws.amazon.com/en/compliance/iso-27001-faqs/

  3. AWS uses advanced security practices, such as encryption of data in transit and at rest, multi-factor authentication and granular access controls.  https://aws.amazon.com/en/compliance/data-privacy-faq/ 


Regulatory Compliance:


iFactum demonstrates compliance with Canadian data protection regulations, including PIPEDA, and international standards such as ISO 27001. Our practices encompass privacy policies, secure data handling and regular audits to ensure data security. Our commitment to regulatory compliance ensures robust data protection at our sites.


Documentary Evidence:


We provide documentation supporting the choice of AWS as our infrastructure provider. This includes AWS security certifications, descriptions of security controls implemented, and details on cloud security practices.



  • LI-CC-22-004 STATEMENT OF APPLICABILITY 




CUSTOMER DATA STORAGE SPACE

Each customer's information is securely stored and measures are implemented to ensure privacy and data protection. The methods used are described below:


  • Database servers: Data is mainly stored on database servers on AWS. Each customer has its own isolated database on SQL Server, which guarantees the separation of data. This configuration ensures that a customer cannot access or view information from other customers or former customers.


In addition, the information is organized in separate folders for each customer, ensuring data separation and isolation. Clients do not have direct access to the bucket to manage it, which prevents any unauthorized attempts at data manipulation.


NON-COMPLIANCE


Failure to comply with this policy will have the legal consequences applicable under the regulations of iFactum - Highweb & Page Group Inc. that are determined in the PO-RH-22-002 DISCIPLINARY PROCESSES POLICY, including those established in the regulations of Canada, the United States, the United Kingdom, the European Union and Australia, and in the company's information security and privacy policy.


RELATED DOCUMENTS


PO-CC-22-002 ACCESS CONTROL POLICY 

PO-CC-22-003 PHYSICAL AND ENVIRONMENTAL SECURITY POLICY 

EQUIPMENT SAFETY POLICY 

DOCUMENT ARCHIVING POLICY 

PO-CC-22-006 OPERATIONS SAFETY POLICY 

PO-CC-22-007 ENCRYPTION POLICY 

PO-CC-22-010 INFORMATION SECURITY INCIDENT MANAGEMENT POLICY 

PO-CC-22-013 SECURE DEVELOPMENT POLICY 

PO-CC-22-014 INFORMATION SECURITY POLICY 

PP-CC-22-001 DATA BACKUP AND RESTORE POLICY AND PROCEDURE 

PPM-CC-22-001 ASSET CLASSIFICATION POLICY, PROCEDURE AND MATRIX 

PR-CC-22-003 PROCEDURE FOR RISK ASSESSMENT AND RISK TREATMENT METHODOLOGY 

PR-CC-22-008 PROCEDURE FOR CORRECTIVE AND PREVENTIVE ACTIONS 


 



