Scivantage Data Security Policy & Acceptable Use Policy V1.1

1.     Purpose

This document defines the data security policy of Scivantage and its clients. Scivantage takes the privacy of our employees and clients very seriously. To ensure that we are protecting our corporate and client data from security breaches, this policy must be followed and will be enforced to the fullest extent.

2.     Intent

The goal of this policy is to inform employees, clients and contractors at Scivantage of the rules and procedures relating to data security compliance.

The data covered by this policy includes, but is not limited to, all electronic information found in e-mail, databases, applications and other media; paper information, such as hard copies of electronic data, employee files, internal memos, and so on.

3.     Audience

This policy applies to all employees, management, contractors, vendors, business partners and any other parties who have access to company data.

4.     Data Types

Scivantage deals with two main kinds of data:

1.Company-owned data that relates to such areas as corporate financial information, employment records, payroll and related items.

 2.Private data that is the property of clients and/or employees, such as social security numbers, credit card      information, contact information, etc.

5.     Data Classifications

Scivantage data is comprised of four (4) classifications of information:

1.Public/Unclassified. This is defined as information that is generally available to anyone within or outside of the company. Access to this data is unrestricted, may already be available and can be distributed as needed. Public/unclassified data includes, but is not limited to, marketing materials, company policies relating to dealing with external persons and organizations, new releases and other data as applicable.

Employees may send or communicate a public/unclassified piece of data with anyone inside or outside of the company.

2.Private. This is defined as corporate information that is to be kept within the company. Access to this data may be limited to specific departments and cannot be distributed outside of the workplace. Private data includes, but is not limited to, work phone directories, organizational charts, company financial information, company policies (except for those specifically identified as Public/Unclassified) and other data as applicable.

All information not otherwise classified will be assumed to be Private.

Employees may not disclose private data to anyone who is not a current employee of the company.

3.Confidential. This is defined as personal or corporate information that may be considered potentially damaging if released and is only accessible to specific groups (e.g. payroll, human resources, member support, etc.) Confidential data includes, but is not limited to, social security numbers, contact information, accounting data, security procedures and other data as applicable. Scivantage considers it a top priority to protect the privacy of its clients and employees.

Employees may only share confidential data within the department or named distribution list.

4.Secret/Restricted. This is defined as sensitive data which, if leaked, would be harmful to Scivantage, its employees, contractors and other parties as applicable. Access is limited to authorized personnel and third parties as required. Secret/Restricted data includes, but is not limited to, audit reports, legal documentation, business strategy details and other data as applicable.

Secret/Restricted data cannot be disclosed by anyone other than the original author, owner or distributor.

It is the responsibility of everyone who works at Scivantage to protect our data. Even unintentional misuse of classified data will be considered punishable in accordance with the extent and frequency of the misuse.

6.     Responsibilities

All employees are responsible for adhering to the policy and reporting any activities that do not comply with this policy.

Management is responsible for ensuring that their direct reports understand the scope and implications of this policy. Human Resources must also ensure that all employees have a signed copy of this policy in their file.

Security staff will be monitoring data for any unauthorized activity and are responsible for updating access requirements as needed.

Any employee who authors or generates corporate or client data must classify that data according to the criteria outlined above.

7.     Review

Management is responsible for keeping this policy current. This policy will be reviewed annually or as circumstances arise.

Also annually, a full security audit will be performed by a Security Team to ensure that the policy is properly aligned with company directives, third party security requirements and legislated security requirements.

8.     Enforcement

Employees found to be in violation of this policy by either unintentionally or maliciously stealing, using or otherwise compromising corporate or personal data may be subject to disciplinary action up to and including termination.