
Privacy Policy

(Last updated August 18, 2024)

Overview

This policy and applicable supporting procedures are designed to provide ARMS Cyber Defense with a documented and formalized process for protecting individuals’ privacy. Respect for the privacy of personal and other information is fundamental to us. This privacy policy describes our collection of personally identifiable information from users of our Web site (“Website” or “Site”), our Platform, as well as all related applications, widgets, software, tools, and other services provided by us and on which a link to the Policy notice is displayed (collectively, together with the Website, our “Service”). This Policy also describes our use and disclosure of such information. Consumer personal information that ARMS Cyber Defense receives from corporate customers is processed in our capacity as a service provider pursuant to the contractual terms with our corporate customers.

In accordance with mandated organizational security requirements set forth and approved by management, ARMS Cyber Defense has established a formal privacy policy.

The Security Officer owns this Policy and is responsible for reviewing the Policy on an annual basis and following any major changes to ARMS Cyber Defense’s sensitive data environment, to ensure that it continues to meet its organizational goals.

ROLES AND RESPONSIBILITIES 

The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within ARMS Cyber Defense regarding privacy practices:

  • Security Officer: Responsibilities include providing overall direction, guidance, leadership, and support on methods and tools for the implementation of a security and privacy-related program.
  • Risk Committee: Responsibilities include approving and monitoring adherence to this policy, analyzing the organization’s environment, and the legal requirements with which it must comply. Additional responsibilities include:
      • Executing the privacy operations of the firm, including monitoring the system used to solicit, evaluate, and respond to individual privacy complaints and problems;
      • Evaluating implemented privacy controls;
      • Assessing existing policies and procedures that address privacy areas;
      • Working with appropriate departments to ensure compliance with privacy policies and procedures;
      • Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s privacy objectives;
      • Reporting to the Security Officer and ARMS Cyber Defense Management on the effectiveness of the privacy controls/program in meeting applicable regulatory requirements and standards.

The organization must formally document and make privacy policies readily available to data subjects, internal personnel, and third parties who need them. Privacy policy notices will be documented to include security practices for privacy as well as all areas covered below. Management will review and approve the privacy policy on an annual basis.

Authority to Process Personally Identifiable Information

The organization will determine and document the authority permitting the organization to process personally identifiable information. The organization will restrict processing of personally identifiable information that is not authorized.

Personally Identifiable Information Processing Purposes

The organization will restrict processing of personally identifiable information to only that which is compatible with the identified purposes. If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the organization will document the new purpose, and obtain implicit or explicit consent prior to such new use or purpose.

The organization will monitor changes in processing personally identifiable information and implement mechanisms to ensure that any changes are made in accordance with defined requirements.

Collection

The organization will limit the collection of personally identifiable information to what is necessary to meet the organization’s objectives. The methods of collecting personally identifiable information will be reviewed by management prior to implementation to confirm that personally identifiable information is obtained fairly, lawfully, and without intimidation or deception, adhering to all relevant rules of law.

Use and Retention 

The organization uses personally identifiable information only as is authorized and only at the minimum necessary level required by the organization to meet service level obligations, contractual obligations, or regulatory requirements.

The organization will retain personally identifiable information for only as long as required or according to the organization’s retention schedule as may be required by regulatory or contractual obligations.

Disclosure 

The organization will disclose personally identifiable information to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject or provider, unless a law or regulation specifically requires otherwise.

Choice and Consent 

The organization informs data subjects about the choices available to them with respect to the collection, use, and disclosure of their personally identifiable information. The organization must require implicit or explicit consent to collect, use, and disclose personally identifiable information. The organization will obtain and document implicit or explicit consent from data subjects at or before the time personally identifiable information is collected (or soon thereafter). The individual will confirm and implement the individual’s preferences expressed in their consent. The organization obtains consent before personally identifiable information is transferred to or from an individual’s computer or other similar device.

The organization will implement tools or mechanisms for individuals to consent to the processing of their personally identifiable information prior to its collection, facilitating individuals’ informed decision-making. Where possible, the organization will provide mechanisms to allow individuals to tailor processing permissions to selected elements of personally identifiable information. The organization will present consent mechanisms to individuals at the time of processing. The organization will implement a mechanism for individuals to revoke consent to processing.

Privacy Notice 

The organization must make the organization’s latest privacy policy notice publicly available on the organization’s website. The organization will also provide notice to individuals about the processing of personally identifiable information that:

  • Is available to individuals upon first interacting with an organization, and subsequently upon changes in the notice;
  • Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
  • Identifies the authority that authorizes the processing of personally identifiable information;
  • Identifies the purposes for which personally identifiable information is to be processed; and
  • Includes specific information related to the organization’s regulatory or contractual obligations.

The organization will present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or annually if or when the notice changes.