Privacy Policy

PURPOSE

Sedulous Consulting Services, LLC (Sedulous) recognizes the importance of protecting the confidentiality of information it collects about its employees, its clients and their Depositors. The purpose of this Privacy Policy is to provide guidance as to the manner in which information related to identified or identifiable individuals, clients and their Depositors is collected, used, retained, disclosed and destroyed. Awareness of and compliance with this policy is the responsibility of every Sedulous Authorized Person. Enforcement of this Data Privacy Policy is the responsibility of management at all levels. This policy may be supplemented or amended from time to time to ensure compliance with laws governing specific geographical regions or specific categories of information.

SCOPE

This policy covers all Sedulous Authorized Persons, Sedulous web site visitors, Information Assets and Information Technology Assets as defined in Sedulous Cyber Security Policy.

DEFINITIONS

As used in this Privacy Policy, the Privacy-related Information Assets covered include:

  • Personally Identifiable Information (PII): Personal financial or medical information or other personal information of a confidential nature about an individual in combination with a known personal identifier such as the individual’s name, address, telephone number, or social security number. PII does not include information that is publicly accessible, such as information in public records, or information that does not identify an individual person, such as aggregate information or blind data that does not contain personal identifiers from which the person’s identity can be determined

  • Employee information: Any Personally Identifying Information of a Sedulous employee that is not subject to disclosure for a legitimate business purpose.

  • Depositor Information (sometimes referred to as Non-Public Financial Information): Any and all client data, or customer data of our clients, relating to and identified with a Depositor beyond Personally Identifying Information. Examples include account types, account balances and credit rating information gathered during account opening

  • Non-Public Supervisory Information (NPSI): Any information collected, maintained, produced or issued which relates to the supervision of or enforcement action between regulatory agencies and institutions or persons associated with the regulated industry

  • Protected Health Information (PHI): Health information, including demographic information, collected from an individual that: (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (c) identifies

the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual1.

1 PHI does not include information (x) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USC 1232g; (y) in employment records held by a health care provider, health plan, employer or health care clearinghouse in its role as employer; or (z) regarding a person who has been deceased for more than 50 years.

REQUIREMENTS

The following requirements have been developed to ensure the privacy of covered information assets.

Accountability

Sedulous Senior Management must ensure that an individual is clearly identified as the responsible party for administering all privacy-related processes at all times. Accountability is currently assigned to  the Chief Technical Officer and the term “Privacy Officer” will apply.

Notice to clients

Sedulous will be responsible for providing notice to its clients and Sedulous site visitors covering their Privacy-related Information Assets that is collected, used, retained, disclosed and destroyed by Sedulous.

Choice and Consent

Sedulous will communicate the privacy choice to the clients and Sedulous site visitors and seek their consent before accessing their Privacy-related Information Assets, in any form.

Collection

Sedulous will communicate and seek the consent of the clients and Sedulous site visitors before collecting any additional Privacy-Information Assets on such client in any form.

Use and Retention

Sedulous will be responsible for communicating the usage of any client Privacy-related Information Assets. It will also be responsible for communicating the retention period established pursuant to policy or contractual obligations with clients, as appropriate, and safeguards put in place to ensure the confidentiality of this information.  Data subject to litigation hold shall not be destroyed.

Access

Sedulous will be responsible for controlling and monitoring the access to any Privacy-related Information Assets and the access will be controlled on “Need-to-know” and “Least Privilege” principles. Procedures will be implemented to ensure that there is no unauthorized access to Highly-Confidential information. Electronic mechanisms will be implemented to corroborate that Highly-Confidential information has not been altered or destroyed in an unauthorized manner.

Destruction

The destruction of Privacy-related Information Assets will be performed based on the classification of the data. There will be a process to securely erase the data on the servers, workstations and any portable media that contains any of Sedulous’s or its clients’ data. The company will work with third party vendors to destroy the data storage media using degauss techniques and eradication of data. Data subject to litigation hold shall not be destroyed.

Disclosure to third parties

Sedulous may use the services of qualified third-party providers in the course of providing the contracted services to our clients. Where applicable, Sedulous will include Sedulous policy compliance and indemnification in all third-party provider contracts and agreements.

Sedulous will seek the consent of the clients, when they are the owners of the Privacy-Related Information Assets, before sharing it with any third parties. As part of this consent for disclosure, Sedulous will provide as to what information will be shared and with whom. It will also provide any additional details on the third party, if required by the client. It will proceed with the disclosure of information to third parties, only once the consent has been obtained from the clients or depositors.

Monitoring and enforcement

Sedulous will have monitoring controls for Privacy-related Information Assets It will also enforce these controls by monitoring them on a real-time basis. Any violations to these controls will be treated as a “Security Incident” and will be handled as per the “Incident Management Policy”.

Quality

Sedulous will ensure the quality of the Privacy-related Information Assets it collects or maintains and ensure that this information is accurate, complete, and relevant personal information for the purposes identified in the Notice. It will employ techniques to guarantee the quality of the Privacy-related Information Assets during the storage and communications with its clients, employees or any other third parties.

Review

This policy must be reviewed at least annually by the Information Technology Manager for relevancy and accuracy.  Duly noted revisions must be maintained within 4.13 of this document.

Regulatory requirements

This document must conform to all state and federal privacy regulations governing Sedulous. It is also based on the privacy guidelines and requirements of any Compliance certification, which Sedulous seeks or maintains.

Communication and training

Sedulous provides a process and mechanism with which to handle periodic communication of policies and standards regarding privacy-related information to the internal organization and external owners. This communication will be achieved through the following means:

  • Periodic release and update notification via email

  • Availability in the common Intranet location, which is accessible to all of the employees and contractors

  • Sending periodic notification of update and availability to the external owners

  • Performing Security Awareness and Training for all appropriate parties, at least once a year

External communication – Sedulous Web site privacy statement

Sedulous will maintain a publicly accessible privacy policy statement regarding information collected during   interaction   with   www.sedulousconsulting.com.  This policy statement must have an identified owner. Ownership is currently assigned to the Information Technology Manager.

This policy also will be provided, upon request, to clients/customers and any other third party which directly or indirectly engages in business with Sedulous.

Internal communication

Sedulous shall ensure the current Data Privacy Policy is available on the corporate Intranet and readily available to all employees and consultants. Sedulous shall communicate the requirement to adhere to the policy

Training

Privacy-related training and education material must be provided to employees, consultants and the third- party provider upon the beginning of employment or access to information. Training and education materials must be incorporated into an overall security awareness campaign, reviewed on an annual  basis and signed by all the employees, contractors and third parties.

Contractual

Third-party providers must contractually agree to securely protect data and demonstrate the capability to do so before Sedulous can share Privacy-related Information Assets with them after obtaining consent of the owner of this information, as appropriate. Third-party provider must have an established privacy policy that provides controls commensurate with Sedulous policy. Third-party provider may not be information brokers.

Due diligence

Information Security team must exercise due diligence for prospective third-party providers prior to contracting with the vendor to handle or process Privacy-related Information Assets. The team must review the ability of the third-party provider to meet privacy obligations at least annually.

Incident management

Sedulous recognizes the need to react quickly to a possible exposure of privacy information to unauthorized parties and must maintain an incident response plan designed to mitigate, minimize, and manage any suspected or confirmed breach.

The Sedulous Computer Security Incident Response Team (CSIRT) will be responsible for accepting incident reports, investigation of incident reports, and all internal and external communications according to legal and other contractual obligations. The Information Technology Manager must give an explicit sign-off approval that all internal privacy laws have been reviewed.

COMPLIANCE

Compliance with this policy is mandatory and all the employees, contractors and third parties will be required to accept them. Refer to the Sedulous Cyber Security Policy for details regarding non-compliance. Failure to comply can result in disciplinary actions up to and including termination.