INFORMATION SECURITY POLICY

[Last Updated: ]

7104189 Canada, Inc. known as “LULU Software” (“Company”, “we” or “us”) takes information security seriously and has created this security overview and policy (“Security Policy”) to disclose its practices in safeguarding Personal Data processed through our services, products and websites (“Service(s)”). We have implemented the technical and organizational measures below to protect the Personal Data, processed by us, against loss, unlawful acts and destruction, alteration, unauthorized disclosure or access, etc.

As part of our General Data Protection Regulation (“GDPR”) compliance process we have prepared this Security Policy to provide you with a summary of the security measures and policies it obtains; furthermore, we require our partners and employees to comply with these standards and implement the same security measures when working with us.

THIS SECURITY POLICY OUTLINES THE COMPANY’S CURRENT SECURITY PRACTICES AS OF THE “LAST UPDATED” DATE INDICATED ABOVE. WE WILL KEEP UPDATING THIS POLICY FROM TIME TO TIME, AS REQUIRED BY APPLICABLE LAWS AND OUR INTERNAL POLICIES.

System Access Control

The Company’s database is accessible only by a minimal amount of Company employees and personnel, all accessible only from within the Company office. Access to systems is restricted and is based on procedures to ensure appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards. The systems are also protected and solely authorized employees may access the systems by using a designated password and user name protections.

Physical Access Control-

The Company secures any and all physical access to its offices. The Company secures access to its offices and ensures that solely authorized persons, such as employees, have access.. All visitors and non-company persons which visit the Company facilities are accompanied by the Company employees at all times. The Company works with iWeb Web Services datacenter as its main storage processor, therefore if you need more information, the Company recommends that you review https://iweb.com/legal/gdpr. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner. Further, the Company has entered in to applicable and binding data processing agreements with its vendors and customers.

Data Access Control

All access to a database, system or storage is solely with authorization and password protection. Further, the access to the Personal Data is restricted solely to the employees who “need to know” and is protected by passwords and user names. Access to the Personal Data is secured and highly managed by access control policies. The Company uses high level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database and any authorized access is immediately reported and handled. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, the Company conducts ongoing reviews of which employees have authorizations, to assess whether access is still required. The Company revokes access immediately upon termination of employment. Authorized individuals can only access Personal Data that is established in their individual profiles.

Organizational and Operational Security

The Company educates its employees, service providers, consultants and contractors, raises awareness, and conducts risk assessments with regards to any processing of Personal Data. Internal security testing is done on a regular basis. The Company’s IT team ensures security of all hardware and software by installing anti-malware software on computers to protect against malicious use and malicious software as well as virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, and system and application vulnerability scanning, use secured email transfer, etc. It is the responsibility of the individuals across the Company to comply with these practices and standards.

Transfer Control

The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of the data or during the transport or storage in the applicable data center. Further, any and all transfers of the data (either between the servers, from client side to server side and between the Company’s designated partners) is secured (HTTPS) and encrypted.

Availability Control

The Company’s servers include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodical checks are performed to determine if the backups have occurred. The Company has ensured all documents, including without limitations, agreements, privacy policies, online terms, etc. are compliant with the GDPR. Our legal team has ensured our legal documentation is updated to reflect any changes and to include the mandatory provisions required by the GDPR.

Data Retention

Personal Data and raw data are all deleted as soon as possible or legally applicable.

Job Control

Employees, customers and applicable processors are all signed on binding agreements all of which include applicable data provisions and data security obligations. As part of the employment process, employees undergo a screening and are provided with access to the database solely upon training to ensure they are well educated and responsible to handle the Personal Data. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures, and breaking or not complying with such shall result in disciplinary actions. To ensure the employees stay educated and up to date with applicable policies and legislation the Company holds annual compliance training which includes data security education.

DISCLAIMER: THIS POLICY IS NOT LEGAL ADVICE FOR YOUR COMPANY TO USE IN COMPLYING WITH EU DATA PRIVACY LAWS LIKE THE GDPR. INSTEAD, IT PROVIDES BACKGROUND INFORMATION TO HELP YOU BETTER UNDERSTAND HOW WE, AT LULU SOFTWARE, HAVE ADDRESSED SOME IMPORTANT LEGAL POINTS. THIS LEGAL INFORMATION IS NOT THE SAME AS LEGAL ADVICE, WHERE AN ATTORNEY APPLIES THE LAW TO YOUR SPECIFIC CIRCUMSTANCES, SO WE INSIST THAT YOU CONSULT AN ATTORNEY IF YOU’D LIKE ADVICE ON YOUR INTERPRETATION OF THIS INFORMATION OR ITS ACCURACY. YOU MAY NOT RELY ON THIS PAPER AS LEGAL ADVICE, NOR AS A RECOMMENDATION OF ANY PARTICULAR LEGAL UNDERSTANDING.