Establish requirements for all computers connected to the Waybetter Marketing, Inc. (Waybetter) network while transmitting data into, out of, and within the network.
This policy applies to all Waybetter computers and services used during the transmission of company and client confidential data to and from clients, external vendors, or individuals. Special attention is given to personally identifiable data.
Waybetter will only transfer sensitive data to external parties if the owner of the data explicitly approves its transfer. For most prospect data, the client is the owner. For other sensitive data, the owner is the highest level figure that would have direct authority over and full responsibility for the data — not necessarily the internal users of that data.
This data must be encrypted during transfer. Waybetter's transfer service uses SFTP secured by an SSL certificate with a 2048-bit private key, employing TLS v1.2. Other approaches are possible, including client HTTPS, encrypted ZIP files, or a client-provided service.
The complex key to the encrypted data must be transferred out of band; that is, it cannot be transferred using the same mechanism as the data. For instance, if the data is sent via email, the key must be exchanged outside of email, e.g., via phone or letter.
Every transfer should be logged
Waybetter's transfer service records every transaction by every user: upload, download, move, copy, rename, share, delete and more. The audit logs are immutable; no one may change or delete them.
The external party must acknowledge receipt of the data. Some example approaches:
Send an email receipt when a file is dropped off on the SFTP server or picked up by a CRM.
Create a CD with the encrypted data on it and use an overnight shipping company to send it, requesting a return receipt.
The data must be verified as secure before the transfer occurs. The IS security officer or their designates can provide this service.
The data must be securely archived so that in event of an issue Waybetter can verify the exact contents of the data at issue.
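The immutable audit log and the archive of exact contents required above can be made verifiable with content hashes and a hash-chained log. The following is an added illustration, not code from Waybetter's transfer service; the file names, contents and log entries are constructed samples.

```python
import hashlib
import json

# Constructed sample data: the encrypted files of one client transfer.
SAMPLE_FILES = {
    "prospects_q1.csv.zip": b"PK\x03\x04 constructed encrypted archive bytes",
    "suppressions.csv.zip": b"PK\x03\x04 constructed suppression list bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record the exact content hash of every file at transfer time (the archive step)."""
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def verify_manifest(files: dict, manifest: dict) -> list:
    """Return the names whose contents differ from, or are absent from, the manifest."""
    return sorted(
        name for name in set(files) | set(manifest)
        if name not in files or name not in manifest or sha256_hex(files[name]) != manifest[name]
    )


class TransferAuditLog:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash,
    so altering or deleting an earlier entry invalidates every entry after it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, ts: str, user: str, action: str, path: str, sha256: str = "") -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "user": user, "action": action,
                 "path": path, "sha256": sha256, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first entry that breaks it."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]):
                return i
            prev = entry["entry_hash"]
        return -1
```

Storing the manifest and the latest entry hash with a party outside the transfer server (for example in the receipt acknowledgement) lets a later dispute be settled against the archived copy.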
To use the transmitting server securely, each authorized user must have a logon ID and password, with a designated directory. Users should not have access to shared directories unless required for business reasons. Anonymous FTP is not permitted.
All accounts and keys must be managed by Waybetter personnel from within Waybetter's corporate network.
Plain FTP does not provide encrypted transmission and should not be used on any Internet-facing systems or where confidential data is being transmitted.
Our transfer service is housed in best-in-class carrier-grade data centers. Each data center is SOC 2 Type 1/2 Compliant and ISO 27001 Certified, and has a bevy of infrastructure and on-site security features.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.