Introduction: This Information Security and Data Privacy Policy ("Policy") is issued by Plasma POS, Inc. ("Company", "we", "us", or "our") and applies to all users ("User", "you", or "your") of our licensed PlasmaPOS software ("Software"). The Company is committed to protecting your privacy, as well as the privacy of your customers, and ensuring compliance with all applicable data protection laws and regulations. This Policy is designed to help the Company fulfill its legal obligations and meet the expectations of our clients and their customers.

  1. Guiding Principles: The Company follows these guiding principles when developing and implementing information security controls. We are committed to protecting the confidentiality, integrity, and availability of the Company's information assets and those of our clients and their customers. We comply with applicable information security, privacy, and data protection laws. We balance the need for business efficiency with the need to protect sensitive information from undue risk. We grant access to sensitive information only to those with a need to know and at the least level of privilege necessary. We provide security training opportunities and expert resources to help individuals meet their information security obligations.

  2. Data Privacy Policy

    1. Compliance with Applicable Laws: The Company collects, uses, maintains, and discloses information in strict adherence to all applicable laws, regulations, and standards, including global data protection and privacy laws. This includes compliance with laws such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.

    2. Data Collection: The Company may collect and process the following categories of data about you and your customers. Personal Data includes identifiable information such as your name, email address, and payment information that you provide when registering for and using our Software. Customer Data includes identifiable data that you collect from your customers (businesses and retailers) and provide to us in the course of using our Software; the Company processes this data on your behalf and in accordance with our agreement with you. Usage Data includes non-identifiable information about how you and your customers use our Software, such as the features used, time spent using them, and transactions performed. Transaction Data includes identifiable details of the transactions you and your customers carry out through our Software, including time, date, amount, and customer details.

    3. Data Use: The Company uses the data collected for the following purposes. For Software Improvement, we analyze Usage Data to understand user behavior and preferences, identify potential improvements, and enhance the user experience. For Customer Support, we use Personal Data to provide customer support, respond to inquiries, and address issues. For Transaction Processing, we use Transaction Data to facilitate payment processing through the POS system integrated into our Software.

    4. Data Sharing: The Company may share your data and your customers' data with third parties under the following circumstances. We may share data with third-party service providers that perform services on our behalf, such as payment processing, customer support, and data analysis. These third parties are required to respect the security of your data and your customers' data and treat it in accordance with the law. Additionally, we may disclose data if required by law or in response to legal proceedings, to protect our rights, property, or safety, or that of our users or others, and in connection with a merger, acquisition, or sale of assets.

    5. Data Protection: The Company implements security measures to protect your personal information and that of your customers, including encryption, secure data storage and servers, access controls that restrict data to those who need it, and regular security audits. Procedures are in place to deal with any suspected personal data breach, and you, your customers, and any applicable regulator will be notified of a breach where legally required.

    6. User Rights: You and your customers have certain rights in relation to the personal data we hold. These rights include the right to access, rectify, or erase your personal data, the right to restrict or object to processing, and the right to data portability. For any requests to exercise these legal rights, please contact us at privacy@plasmapos.com. We will respond to all legitimate requests within one month, although it may take longer if the request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

    7. Updates to the Policy: The Company may update this Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Significant changes will be notified through the Software or by email. Your continued use of our Software following the posting of changes to this policy will be deemed your acceptance of those changes. We encourage you to review this Policy periodically to stay informed about our data protection practices.

    8. Contact Information: The Company has appointed a data privacy manager responsible for overseeing questions in relation to this Policy. If you have any questions or concerns about this Policy, including any requests to exercise your legal rights, please contact the data privacy manager at privacy@plasmapos.com.

  3. Responsibilities: Security Organization, Authority, and Obligations

    1. Policy Authority and Maintenance: The Company has the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes as necessary to protect the integrity of our information assets. We are responsible for ensuring that these policies and procedures are kept up to date with the latest industry standards and legal requirements.

    2. Policy Review: The Company will initiate an annual review of this Policy, engaging relevant stakeholders as appropriate. This review process ensures that the Policy remains effective and compliant with any changes in legal or regulatory requirements.

    3. Exceptions: The Company recognizes that specific business needs may occasionally call for an exception to this Policy. Exception requests must be made in writing and approved by us. All approved exceptions will be documented and periodically reviewed to ensure they remain valid and necessary.

    4. Obligation to Comply: Clients must comply with all aspects of this Policy that apply to them. Any attempt to bypass or circumvent security controls may be treated as a violation of this Policy. For example, sharing access credentials, including passwords, deactivating anti-malware software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless we have granted an exception.

    5. Sanctions: Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination of service. If we suspect illegal activities, we may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.

    6. Acknowledgment: Clients must acknowledge that they have read, understood, and agree to comply with this Policy, either in writing or through an approved online process. Acknowledgment must be completed promptly when a new user is onboarded, or as otherwise designated by us. Material changes to this Policy may require additional acknowledgment. The Company will retain acknowledgment records.

    7. Training: The Company recognizes that an informed user base is the best line of defense. We will provide security training opportunities and expert resources to help users understand their obligations under this Policy and avoid creating undue risks. Clients must ensure that their employees complete all required training.

  4. Data: Information Classification and Risk-Based Controls: The Company has established a three-tier classification scheme to protect information according to risk levels: Public Information, Confidential Information, and Highly Confidential Information. All information should be treated as Confidential Information unless otherwise marked.

    1. Public Information: Public Information is information that the Company has made available to the general public. Examples include press releases, marketing materials, job announcements, and any information that the Company makes available on its publicly accessible website. Do not assume that any information you obtain from Plasma POS's internal network or systems is publicly available. For example, draft marketing materials are typically Confidential Information until their release.

    2. Confidential Information: Confidential Information is information that may cause harm to Plasma POS, its clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Examples include Company financial data, client-provided data, customer lists, revenue forecasts, program or project plans, intellectual property, client contracts, and communications or records regarding internal Company matters and assets. Protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risk.

    3. Highly Confidential Information: Highly Confidential Information is information that may cause serious and potentially irreparable harm to Plasma POS, its clients, employees, or other entities or individuals if disclosed or used in an unauthorized manner. Examples include personal information about employees, clients, and customers, and sensitive business information such as budgets, financial results, or strategic plans. Additional safeguards for Highly Confidential Information include strict access controls, encryption, and physical security measures.

  5. People: Roles, Access Control, and Acceptable Use

    1. Roles: The Company grants access based on business roles. Clients may request access for their employees only to the resources required for their roles. External parties, such as contractors, vendors, service providers, and business partners, may be granted access only if they have a demonstrated business need that cannot be reasonably met through other means.

    2. Identity and Access Management: The Company uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. The Company assigns unique user accounts, passwords, and other authentication means and credentials to individuals. Protect your passwords and other authentication means at all times. Do not share your account, password, or other authentication means with others.

    3. Acceptable Use Policy: The Company provides network resources and systems for business purposes. Any incidental non-business use of Plasma POS's resources must be for personal purposes only. Do not use Plasma POS's resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with Plasma POS. Do not use Plasma POS's network or systems for activities that may be deemed illegal under applicable law. If the Company suspects illegal activities, we may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.

  6. Incident Reporting and Response

    1. Incident Reporting: Immediately notify us at privacy@plasmapos.com if you discover a cyber incident or suspect a breach. Treat any information regarding cyber incidents as Highly Confidential Information. Examples of cyber incidents include loss or suspected compromise of user credentials, suspected malware infections, loss or theft of any device containing the Company information, suspected entry into Plasma POS's network or systems by unauthorized persons, any breach of Confidential or Highly Confidential Information, and any attempt to obtain passwords or other confidential information through social engineering or phishing.

    2. Incident Management: The Company manages a cyber incident response plan to handle information security incidents effectively. We will investigate all reported or detected incidents and document the outcome, including any mitigation activities or other remediation steps taken.

    3. Data Breach Notification: Applicable law may require the Company to report cyber incidents that result in the exposure or loss of certain kinds of information to various authorities or affected individuals or organizations, or both. Breaches of Highly Confidential Information, especially personal information, are the most likely to carry these obligations. Our incident response plan includes a step to review all incidents for any required notifications. Coordinate all external notifications with our legal team. Do not act on your own or make any external notifications without prior guidance and authorization.

  7. Service Providers: Risks and Governance

    1. Service Provider Approval Required: Obtain approval from us before engaging a service provider that involves access to Plasma POS's systems or Confidential Information. Service providers must comply with applicable laws and this Policy. We maintain a service provider risk governance program to oversee service providers that interact with Plasma POS's systems or Confidential or Highly Confidential Information. This program includes processes to track service providers, evaluate their capabilities, and periodically assess their risks and compliance with this Policy.

  8. Effective Date: This Information Security and Data Privacy Policy is effective as of August 1, 2024.

Plasma POS
Data Privacy Policy