PURPOSE 

In the course if its business, it is necessary for Presults to record, store, process, transmit, and  otherwise handle private information about individuals. Presults takes these activities seriously  and provides fair, secure, and fully-legal systems for the appropriate handling of this private  information. All such activities at Presults are intended to be consistent with both generally  accepted privacy ethics and standard business practices. 

MANAGEMENT RESPONSIBILITIES  

Management must take reasonable efforts to ensure that all private information maintained by  Presults is accurate, timely, relevant, and complete. Management also must make reasonable  efforts to ensure that all private information is used only as intended, and that precautions  preventing misuse are both effective and appropriate. Management is responsible for  establishing appropriate controls to ensure that private information is disclosed only to those  who have a legitimate business need for such access. Management must establish and  maintain sufficient controls to ensure that all Presults information is free from a significant risk of  undetected alteration. 

Data Classification Labels – Management, specifically information Owners, must consistently  apply a standard data classification label indicating that information is private. For example, this  label must appear on computer screens when private information is displayed, and it must also  

be stamped on hardcopy versions of private information. This label must follow private  information no matter what form it takes, what technology is used to handle it, who handles the  information, and where the information resides. 

DISCLOSURE OF PRIVATE INFORMATION 

Revealing Information About Policies and Procedures – As a general rule, information  security policies and procedures should be revealed only to Presults workers and selected  outsiders, such as auditors, who have a legitimate business need for this information. A notable  exception involves the policies that deal with private information about individuals. All involved  individuals have a right to receive an officially-approved statement of Presults policies and  procedures regarding the handling of information about them. In addition, Presults must disclose  the existence of systems containing private information and the ways that this information is 

used. With the exception of criminal and policy-violation investigations, there must be no system  of personnel records within Presults whose very existence is kept secret from the people  described therein. 

Handling Private Information Requests – All requests for private information coming from a  person or organization outside Presults must be forwarded to the Presults chief legal counsel.  All requests for private information that fall outside normal business procedures and that come  

from a Presults insider must be forwarded to the director of the Human Resources department.  These managers will decide whether the requests will be granted. 

APPROPRIATE HANDLING OF PRIVATE INFORMATION 

Collect Only Necessary Information – In general, Presults may collect, process, store,  transmit, and disseminate only that private information that is necessary for the proper  functioning of its business. For example, Presults management must not collect information  about worker activities during non-work hours unless these activities are highly likely to  influence the involved worker’s performance, or unless they could adversely affect the  reputation of Presults. 

Destruction Of Private Information – When private information is no longer needed, it must be  destroyed by shredding, or by other destruction methods approved by the Information Security  department. Destruction of private information resident on computer disks and other magnetic  media must be accomplished with an overwriting process. A simple erase process is not  sufficient. To assure the proper destruction of private or confidential information, disposal of  computers with embedded hard disk drives or other data storage systems must proceed according to procedures issued by Information Security. 

Removal Of Private Information – Private or confidential information must not be removed  from Presults offices. Permission to take such information offsite may be granted by a  departmental manager provided the involved worker has completed the information security  segment of telecommuter training, and passed the associated test. Signed third-party non disclosure agreements may additionally be required when private information is removed from  Presults offices. Private information must not be moved to another country unless the  permission of the manager of the Information Security department is obtained. 

Preventing Inadvertent Disclosure by Hardcopy – Whenever a worker is handling private  information, if a person who is not authorized to view that information enters the immediate  area, steps to conceal the information must promptly be taken. If the information is in physical  form, the information can be covered with other material. If the information is displayed on a  computer screen, the worker can invoke a screen saver or log off. 

PRIVATE INFORMATION ON COMPUTER AND COMMUNICATION SYSTEMS 

Expectation Of Privacy – All messages sent over Presults internal computer and  communications systems are the property of Presults. Management reserves the right to  examine all information transmitted through these systems. Examination of such information  may take place without prior warning to the parties sending or receiving such information. 

Because the Presults computer and communications systems must be used for business  purposes only, workers must have no expectation of privacy associated with the information  they store in or send through these systems. 

Examination Of Stored Information – At any time and without prior notice, Presults management reserves the right to examine archived electronic mail, private file directories, hard  disk drive files, and other information stored on Presults information systems. Such  examinations are typically performed to assure compliance with internal policies, support the  performance of internal investigations, and assist with the management of Presults information  systems. 

Manager Involvement In Monitoring – Whenever a worker’s computer or communications user  ID is monitored for investigative or disciplinary purposes, the involved worker’s manager must  be informed of this activity promptly. All worker monitoring must itself be logged for subsequent  management review and possible use in disciplinary or legal actions. 

Changing Information Resident on Systems – Management reserves the right to delete,  summarize, or edit any information posted to Presults computers or communication systems.  These facilities are privately-owned business systems, and not public forums, and as such do  not provide free-speech guarantees. 

Routine Usage of Backup Systems – All files and messages stored on Presults systems are  routinely copied to tape, disk, and other storage media. This means that information stored on  Presults information systems, even if a worker has specifically deleted it, is often recoverable  

and may be examined at a later date by system administrators and others designated by  management. 

Remote Computer Monitoring – Presults routinely scans the personal computers connected to  its networks. These scans ensure that remote computers are operating only with approved and  licensed software, are free from viruses and worms, and have been used only for approved  business purposes. 

Encryption Of Electronic Mail – Workers must consider electronic mail to be the computerized  equivalent of a postcard. Unless material sent by electronic mail is encrypted, workers must  refrain from sending credit card numbers, passwords, research and development information,  medical histories, computer programming source code, and other private or confidential  information through electronic mail. 

Links Between Separate Types Of Private Data – Without advance consent from the manager  of the Information Security department, Presults information systems must not be configured to  support new links between private information and other types of information related to the  same individual. 

Testing With Sanitized Data – Unless written permission is obtained from the Information  Security department manager, all software testing for systems designed to handle private data  must be accomplished exclusively with production information that no longer contains specific  details that might be valuable, critical, or sensitive.

ACTIVITY MONITORING 

Personal Effects and Private Communications – All personal effects brought to Presults premises are subject to search at any time without advance notice. Workers wishing to keep  certain aspects of their personal life private must not bring related personal effects to Presults premises. To keep these matters private, workers must not communicate about such matters  using Presults telephones, electronic mail systems, or other communications systems that may  be monitored and which are intended to be used for business purposes only. 

Pretext Requests – Presults believes that all business activities must be conducted in a  forthright and honest manner. However, in certain circumstances authorized by the director of  Information Security, the organization may utilize investigators who pose as other persons in  order to test customer service, test security policies, or investigate alleged wrongdoing. 

HANDLING PERSONNEL INFORMATION 

Access to Own Personnel File – Upon written request, every worker must be given access to  his or her own personnel file. Employees must be permitted to both examine and make one  copy of the information appearing in their personnel file. If employees object to the accuracy,  relevance, or completeness of information appearing in their personnel file, each year they may  add a supplementary statement of up to 200 words. 

Disclosure To Third Parties – Disclosure of private information about Presults workers to third  parties must not take place unless required by law or permitted by explicit consent of the  worker. Presults must not disclose the names, titles, phone numbers, locations, or other contact  particulars of its workers unless required for business purposes. Exceptions will be made when  such a disclosure is required by law or when the involved persons have previously consented to  the disclosure. The reason for termination of workers must not be disclosed to third parties. Two  permissible exceptions are the prior approval of a Presults senior manager or if the disclosure is  required by law. Every disclosure of private information to third parties must be recorded by the  Human Resources department and these records must be maintained for at least five years. 

Summary Of Disclosures – If they request it, workers must be provided with a summary of all  disclosures of their private information to third parties. In addition, workers must be given  sufficient information to permit them to contact such third parties to rectify errors or supply  additional explanatory information. 

Change Of Status Information – Detailed worker change of status information is strictly  confidential, and must not be disclosed to anyone except those people who have a genuine  need to know. Detailed change of status information includes the reasons for terminations,  retirements, resignations, leaves of absence, leaves of absence pending the results of an  investigation, inter-departmental transfers, relocations, and changes to consultant or contractor  status. 

PRIVATE INFORMATION ABOUT CUSTOMERS

Consent For Collection Required – The collection of private information on prospects,  customers, and others with whom Presults does business, is customary and expected.  However, Presults workers must not collect private information from prospects or customers  without having obtained their knowledge and consent. 

Consent For Uses Required – Before a customer places an order or otherwise discloses  private information, all Presults representatives must inform the customer about the ways that  this private information will be used, and the third parties, if any, to whom the information will be  disclosed. 

Collection Of Unnecessary Information – Presults workers or information systems must never  require the provision of prospect or customer private information that is unnecessary for the  provision of information, for the completion of a transaction, or for the delivery of products or  services. No product or service provided by Presults may be denied to any person if they refuse  to provide unnecessary private information. All disputes about necessary private information will  be resolved by the Presults chief legal counsel. 

Opting Out From Unsolicited Contacts – Presults customers must be given an opportunity to  inform Presults that they do not wish to be contacted through unsolicited direct mail,  telemarketing, and related promotions. Presults staff must faithfully observe and act on these  customer requests. Presults workers must diligently observe the unconditional right of  individuals to block data about them from being included in mailing lists or calling lists, block the  sale of data about them to third parties, and to have data about them erased from direct  marketing lists. 

Sharing Of Customer Information – Presults does not disclose specific information about  customer accounts, transactions, or relationships to unaffiliated third parties for their  independent use, except under certain circumstances. These circumstances are limited to the  disclosure of information to a reputable information reporting agency such as a credit bureau,  when performing its own due diligence related to a customer’s request to perform a certain  action such as extend the amount of an existing line of credit, those circumstances when the  customer requests the disclosure, the disclosure is required by or permitted by law, or the  customer has been informed about the possibility of such a disclosure for marketing or similar  purposes, and has been given an opportunity to decline. 

Change Of Business Structure – Should Presults go out of business, merge, be acquired, or  otherwise change the legal form of its organizational structure, Presults may need to share  some or all of its customer information with another entity in order to continue to provide  products and services. If such a change and associated information transfer takes place,  customers must be promptly notified. 

Use Of Outsourcing Organizations – Presults may outsource some or all of its information  handling activities, and it may be necessary to transfer prospect and customer information to  third parties to perform work under an outsourcing agreement. In all such cases, the third  parties involved must sign a confidentiality agreement prohibiting them from further  dissemination of this information and prohibiting them from using this information for  unauthorized purposes.

Device permissions for Personal Data access

Depending on the User’s specific device, this Application may request certain permissions that allow it to access the User’s device Data as described below.

By default, these permissions must be granted by the User before the respective information can be accessed. Once the permission has been given, it can be revoked by the User at any time. In order to revoke these permissions, Users may refer to the device settings or contact the Owner for support at the contact details provided in the present document.
The exact procedure for controlling app permissions may be dependent on the User’s device and software.

Please note that the revoking of such permissions might impact the proper functioning of this Application.

If User grants any of the permissions listed below, the respective Personal Data may be processed (i.e accessed to, modified or removed) by this Application.

Camera permission

Used for accessing the camera or capturing images and video from the device.

Contacts permission

Used for accessing contacts and profiles on the User’s device, including the changing of entries.

Microphone permission

Allows accessing and recording microphone audio from the User’s device.

VIOLATIONS 

Any violation of this policy may result in disciplinary action, up to and including termination of  employment. Presults reserves the right to notify the appropriate law enforcement authorities of  any unlawful activity and to cooperate in any investigation of such activity. Presults does not  consider conduct in violation of this policy to be within an employee’s or partner’s course and  scope of employment, or the direct consequence of the discharge of the employee’s or partner’s  duties. Accordingly, to the extent permitted by law, Presults reserves the right not to defend or  pay any damages awarded against employees or partners that result from violation of this  policy. 

Any employee or partner who is requested to undertake an activity which he or she believes is  in violation of this policy, must provide a written or verbal complaint to his or her manager, any  cust 

DEFINITIONS 

Confidential Information (Sensitive Information) – Any Presults information that is not  publicly known and includes tangible and intangible information in all forms, such as information  that is observed or orally delivered, or is in electronic form, or is written or in other tangible form.  Confidential Information may include, but is not limited to, source code, product designs and  plans, beta and benchmarking results, patent applications, production methods, product  roadmaps, customer lists and information, prospect lists and information, promotional plans,  competitive information, names, salaries, skills, positions, pre-public financial results, product  costs, and pricing, and employee information and lists including organizational charts.  Confidential Information also includes any confidential information received by Presults from a  third party under a non-disclosure agreement. 

Electronic Messaging System – Any device or application that will provide the capability of  exchanging digital communication between two or more parties. Examples are electronic  messaging, instant messaging, and text messaging. 

Information Asset – Any Presults data in any form, and the equipment used to manage,  process, or store Presults data, that is used in the course of executing business. This includes,  but is not limited to, corporate, customer, and partner data. 

Objectionable Information or Material – Anything that is considered offensive, defamatory,  obscene, or harassing, including, but not limited to, sexual images, jokes and comments, racial  or gender-specific slurs, comments, images or jokes, or any other comments, jokes, or images  that would be expected to offend someone based on their physical or mental disability, age,  religion, marital status, sexual orientation, political beliefs, veteran status, national origin, or  ancestry, or any other category protected by national or international, federal, regional,  provincial, state, or local laws. 

Partner – Any non-employee of Presults who is contractually bound to provide some form of  service to Presults. 

Password – An arbitrary string of characters chosen by a user that is used to authenticate the  user when he attempts to log on, to prevent unauthorized access to his account. 

User – Any Presults employee or partner who has been authorized to access any Presults electronic information resource.

REFERENCES 

ISO 27002 – 15.1.4 Data protection and privacy of personal information. RELATED DOCUMENTS 

REVISION HISTORY 

August 2022 

January 2023

January 2024