Annexure 2:

Technical and Organizational Measures (TOMs) – Security Services

This document describes technical and organizational security measures and controls implemented by Clearout, or Clearout affiliates (hereafter Clearout), to protect personal data and ensure the ongoing confidentiality, integrity and availability of Clearout’s products and services.

This document is a high-level overview of Clearout’s technical and organizational security measures. More details on the measures we implement are available upon request. Clearout reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that Clearout processes in providing its
various services. In the unlikely event that Clearout does materially reduce its security, Clearout shall notify its customers.

Clearout shall take the following technical and organizational security measures to protect personal data:

1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Clearout’s information security program.

2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Clearout organization, monitoring and maintaining compliance with Clearout policies and procedures, and reporting the condition of its information security and compliance to senior internal management.

3. Maintain Information security policies and make sure that policies and measures are regularly reviewed and where necessary, improve them.

4. Communication with Clearout applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.

5. Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.

6. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

7. Password controls designed to manage and control password strength, and usage including prohibiting users from sharing passwords.

8. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

9. Physical and environmental security of data centre, server room facilities and other areas containing client confidential information designed to:
(i) protect information assets from unauthorized physical access,
(ii) manage, monitor and log movement of persons into and out of Clearout facilities, and
(iii)guard against environmental hazards such as heat, fire and water damage.

10. Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Clearout possession.

11. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Clearout technology and information assets.

12. Incident / problem management procedures designed to allow Clearout investigate, respond to, mitigate and notify of events related to Clearout technology and information assets.

13. Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

14. Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

15. Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

16. Formal Vendor Management program, including vendor security reviews for critical vendors to ensure compliance with Clearout Information Security Policies.

17. A Data Protection Officer (DPO) who is independent, regularly reviews data protection risks and controls.