Introduction: This Information Security and Data Privacy Policy ("Policy") is issued by Plasma POS, Inc. ("Company", "we", "us", or "our") and applies to all users ("User", "you", or "your") of our licensed PlasmaPOS software ("Software"). The Company is committed to protecting your privacy, as well as the privacy of your customers, and ensuring compliance with all applicable data protection laws and regulations. This Policy is designed to help the Company fulfill its legal obligations and meet the expectations of our clients and their customers.
Guiding Principles: The Company follows these guiding principles when developing and implementing information security controls. We are committed to protecting the confidentiality, integrity, and availability of the Company's information assets and those of our clients and their customers. We comply with applicable information security, privacy, and data protection laws. We balance the need for business efficiency with the need to protect sensitive information from undue risk. We grant access to sensitive information only to those with a need to know and at the least level of privilege necessary. We provide security training opportunities and expert resources to help individuals meet their information security obligations.
Data Privacy Policy
Compliance with Applicable Laws: The Company collects, uses, maintains, and discloses information in strict adherence to all applicable laws, regulations, and standards, including global data protection and privacy laws. This includes compliance with laws such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.
Data Collection: The Company may collect and process the following categories of data about you and your customers. Personal Data includes identifiable information such as your name, email address, and payment information that you provide when registering for and using our Software. Customer Data includes identifiable data that you collect from your customers (businesses and retailers) and provide to us in the course of using our Software. The Company processes this data on your behalf and in accordance with our agreement with you. Usage Data includes non-identifiable information about how you and your customers use our Software, such as the features used, time spent using them, and transactions performed. Transaction Data includes identifiable details of the transactions you and your customers carry out through our Software, including time, date, amount, and customer details.
Data Use: The Company uses the data collected for the following purposes. For Software Improvement, we analyze Usage Data to understand user behavior and preferences, identify potential improvements, and enhance the user experience. For Customer Support, we use Personal Data to provide customer support, respond to inquiries, and address issues. For Transaction Processing, we use Transaction Data to facilitate payment processing through the POS system integrated into our Software.
Data Sharing: The Company may share your data and your customers' data with third parties under the following circumstances. We may share data with third-party service providers that perform services on our behalf, such as payment processing, customer support, and data analysis. These third parties are required to respect the security of your data and your customers' data and treat it in accordance with the law. Additionally, we may disclose data if required by law or in response to legal proceedings, to protect our rights, property, or safety, or that of our users or others, and in connection with a merger, acquisition, or sale of assets.
Data Protection: The Company implements various security measures to maintain the safety of your personal information and that of your customers, including encryption, secure servers, and access controls. Procedures are in place to deal with any suspected personal data breach, and you, your customers, and any applicable regulator will be notified of a breach where legally required. These measures include secure data storage, regular security audits, and restricted access to data.
User Rights: You and your customers have certain rights in relation to the personal data we hold. These rights include the right to access, rectify, or erase your personal data, the right to restrict or object to processing, and the right to data portability. For any requests to exercise these legal rights, please contact us at privacy@plasmapos.com. We will respond to all legitimate requests within one month, although it may take longer if the request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Updates to the Policy: The Company may update this Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Significant changes will be notified through the Software or by email. Your continued use of our Software following the posting of changes to this policy will be deemed your acceptance of those changes. We encourage you to review this Policy periodically to stay informed about our data protection practices.
Contact Information: If you have any questions or concerns about this Policy, including any requests to exercise your legal rights, please contact us at privacy@plasmapos.com. We have appointed a data privacy manager responsible for overseeing questions in relation to this privacy policy; the data privacy manager can be reached using the details set out above.
Responsibilities: Security Organization, Authority, and Obligations
Policy Authority and Maintenance: The Company has the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes as necessary to protect the integrity of our information assets. We are responsible for ensuring that these policies and procedures are kept up to date with the latest industry standards and legal requirements.
Policy Review: The Company will initiate an annual review of this Policy, engaging relevant stakeholders as appropriate. This review process ensures that the Policy remains effective and compliant with any changes in legal or regulatory requirements.
Exceptions: The Company recognizes that specific business needs may occasionally call for an exception to this Policy. Exception requests must be made in writing and approved by us. All approved exceptions will be documented and periodically reviewed to ensure they remain valid and necessary.
Obligation to Comply: Clients must comply with all aspects of this Policy that apply to them. Any attempt to bypass or circumvent security controls may be treated as a violation of this Policy. For example, sharing access credentials (including passwords), deactivating anti-malware software, removing or modifying secure configurations, and creating unauthorized network connections are prohibited unless we have granted an exception.
Sanctions: Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination of service. If we suspect illegal activities, we may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
Acknowledgment: Clients must acknowledge that they have read, understood, and agree to comply with this Policy, either in writing or through an approved online process. Acknowledgment must be completed in a timely manner following a new hire or as otherwise designated by us. Material changes to this Policy may require additional acknowledgment. The Company will retain acknowledgment records.
Training: The Company recognizes that an informed user base is the best line of defense. We will provide security training opportunities and expert resources to help users understand their obligations under this Policy and avoid creating undue risks. Clients must ensure that their employees complete all required training.
People: Roles, Access Control, and Acceptable Use
Roles: The Company grants access based on business roles. Clients may request access for their employees only to the resources required for their roles. External parties, such as contractors, vendors, service providers, and business partners, may be granted access only if they have a demonstrated business need that cannot be reasonably met through other means.
Identity and Access Management: The Company uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. The Company assigns unique user accounts, passwords, and other authentication means and credentials to individuals. Protect your passwords and other authentication means at all times. Do not share your account, password, or other authentication means with others.
Acceptable Use Policy: The Company provides network resources and systems for business purposes. Any incidental non-business use of Plasma POS's resources must be for personal purposes only. Do not use Plasma POS's resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with Plasma POS. Do not use Plasma POS's network or systems for activities that may be deemed illegal under applicable law. If the Company suspects illegal activities, we may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.
Incident Reporting and Response
Incident Reporting: Immediately notify us at privacy@plasmapos.com if you discover a cyber incident or suspect a breach. Treat any information regarding cyber incidents as Highly Confidential Information. Examples of cyber incidents include loss or suspected compromise of user credentials, suspected malware infections, loss or theft of any device containing Company information, suspected entry into Plasma POS's network or systems by unauthorized persons, any breach of Confidential or Highly Confidential Information, and any attempt to obtain passwords or other confidential information through social engineering or phishing.
Incident Management: The Company manages a cyber incident response plan to handle information security incidents effectively. We will investigate all reported or detected incidents and document the outcome, including any mitigation activities or other remediation steps taken.
Data Breach Notification: Applicable law may require the Company to report cyber incidents that result in the exposure or loss of certain kinds of information to various authorities or affected individuals or organizations, or both. Breaches of Highly Confidential Information, especially personal information, are the most likely to carry these obligations. Our incident response plan includes a step to review all incidents for any required notifications. Coordinate all external notifications with our legal team. Do not act on your own or make any external notifications without prior guidance and authorization.
Service Providers: Risks and Governance
Service Provider Approval Required: Obtain approval from us before engaging a service provider whose engagement involves access to Plasma POS's systems or Confidential Information. Service providers must comply with applicable laws and this Policy. We maintain a service provider risk governance program to oversee service providers that interact with Plasma POS's systems or with Confidential or Highly Confidential Information. This program includes processes to track service providers, evaluate their capabilities, and periodically assess their risks and compliance with this Policy.
Effective Date: This Information Security and Data Privacy Policy is effective as of August 1, 2024.