Privacy Policy (Last updated May 18, 2023)

Overview

This policy and applicable supporting procedures are designed to provide ARMS Cyber Defense with a documented and formalized process for protecting individuals’ privacy. Respect for the privacy of personal and other information is fundamental to us. This privacy policy describes our collection of personally identifiable information from users of our Web site ("Website" or "Site"), our Platform, as well as all related applications, widgets, software, tools, and other services provided by us and on which a link to the Policy notice is displayed (collectively, together with the Website, our "Service"). This Policy also describes our use and disclosure of such information. Consumer personal information that ARMS Cyber Defense receives from corporate customers is processed in our capacity as a service provider pursuant to the contractual terms with our corporate customers.

In accordance with mandated organizational security requirements set forth and approved by management, ARMS Cyber Defense has established a formal privacy policy.

The Security Officer owns this Policy and is responsible for reviewing the Policy on an annual basis and following any major changes to ARMS Cyber Defense’s sensitive data environment, to ensure that it continues to meet its organizational goals.

ROLES AND RESPONSIBILITIES

The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within ARMS Cyber Defense regarding privacy practices:

● Security Officer: Responsibilities include providing overall direction, guidance, leadership, and support on methods and tools for the implementation of a security and privacy-related program.

● Risk Committee: Responsibilities include approving and monitoring adherence to this policy, analyzing the organization’s environment, and the legal requirements with which it must comply. Additional responsibilities include:

    ● Execute the privacy operations of the firm, including monitoring the system used to solicit, evaluate, and respond to individual privacy complaints and problems;

    ● Evaluate implemented privacy controls;

    ● Assess existing policies and procedures that address privacy areas;

    ● Work with appropriate departments to ensure compliance with privacy policies and procedures;

    ● Recommend and monitor, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s privacy objectives;

    ● Report to the Security Officer and ARMS Cyber Defense Management on the effectiveness of the privacy controls/program in meeting applicable regulatory requirements and standards.

The organization must formally document and make privacy policies readily available to data subjects, internal personnel, and third parties who need them. Privacy policy notices will be documented to include security practices for privacy as well as all areas covered below.

Management will review and approve the privacy policy on an annual basis.

Authority to Process Personally Identifiable Information

The organization will determine and document the authority permitting the organization to process personally identifiable information. The organization will restrict processing of personally identifiable information that is not authorized.

Personally Identifiable Information Processing Purposes

The organization will restrict processing of personally identifiable information to only that which is compatible with the identified purposes. If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the organization will document the new purpose, and obtain implicit or explicit consent prior to such new use or purpose.

The organization will monitor changes in processing personally identifiable information and implement mechanisms to ensure that any changes are made in accordance with defined requirements.

Collection

The organization will limit the collection of personally identifiable information to what is necessary to meet the organization’s objectives. The methods of collecting personally identifiable information will be reviewed by management prior to implementation to confirm personally identifiable information is obtained fairly and without intimidation or deception, as well as lawfully, adhering to all relevant rules of law.

Use and Retention

The organization uses personally identifiable information only as is authorized and only at the minimum necessary level required by the organization to meet service level obligations, contractual obligations, or regulatory requirements.

The organization will retain personally identifiable information for only as long as required or according to the organization’s retention schedule as may be required by regulatory or contractual obligations.

Disclosure

The organization will disclose personally identifiable information to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject or provider, unless a law or regulation specifically requires otherwise.

Choice and Consent

The organization informs data subjects about the choices available to them with respect to the collection, use, and disclosure of their personally identifiable information. The organization must require implicit or explicit consent to collect, use, and disclose personally identifiable information. The organization will obtain and document implicit or explicit consent from data subjects at or before the time personally identifiable information is collected (or soon thereafter). The individual will confirm and implement the individual’s preferences expressed in their consent. The organization obtains consent before personally identifiable information is transferred to or from an individual’s computer or other similar device.

The organization will implement tools or mechanisms for individuals to consent to the processing of their personally identifiable information prior to its collection, facilitating individuals’ informed decision-making. Where possible, the organization will provide mechanisms to allow individuals to tailor processing permissions to selected elements of personally identifiable information. The organization will present consent mechanisms to individuals at the time of processing. The organization will implement a mechanism for individuals to revoke consent to processing.

Privacy Notice

The organization must make the organization’s latest privacy policy notice publicly available on the organization’s website.

The organization will also provide notice to individuals about the processing of personally identifiable information that:

● Is available to individuals upon first interacting with an organization, and subsequently upon changes in the notice;

● Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;

● Identifies the authority that authorizes the processing of personally identifiable information;

● Identifies the purposes for which personally identifiable information is to be processed; and

● Includes specific information related to the organization’s regulatory or contractual obligations.

The organization will present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or annually if or when the notice changes.
