Information is an important asset of Continicare Corp. (“Continicare”) that needs to be protected against unauthorized access, modification or use. This Policy provides directives on the security measures governing access to information owned and managed by Continicare, including information collected on its customers.
Continicare is committed to protecting the security of the Personal Information and Sensitive Information of our customers, employees, and other stakeholders. To achieve this goal, we have established the following information security policy to ensure that all information is handled with care and is protected from unauthorized access, use, or disclosure.
Continicare will comply with the security requirements outlined in this Policy.
APPLICABILITY
This Policy applies to anyone under Continicare's control who may access, process, transmit and/or store Continicare Information or Customer Information, or who may have access to Customer Networks. It applies to all employees, contractors and other individuals who have access to Continicare information and systems, and covers all types of information, including personal identification information, financial information, health information, intellectual property and any other sensitive or confidential information.
All business units within Continicare must be fully cognizant of the content of this policy. Executive management personnel, including Don Waugh (Don@continicare.com, Chief Operating Officer) have primary accountability for ensuring compliance with, and consistent application of this policy within their respective business units.
SCOPE
The scope of this Policy includes Information owned by Continicare (“Continicare Information”), and Customer Information including Customer Networks.
AUDIENCE
The intended audience for this policy is all Continicare employees, Contractors, Consultants and Third Parties, including Customers. A copy of this policy shall be available on Continicare's website (continicare.com, under “Information Security”).
PURPOSE
The purpose of this policy is to establish clear guidelines and responsibilities for the protection of Continicare's information assets. This includes ensuring the confidentiality, integrity, and availability of all information, as well as protecting against any unauthorized access, use, or disclosure of information.
DEFINITIONS
The definitions of terms used in this policy are defined in Appendix A.
UNDERLYING PRINCIPLE
Access to information is governed by three fundamental principles:
1. The “need to know.” Access to Confidential Information shall be strictly based on business “need to know.”
2. The legal relationship between an individual and Continicare. While Continicare employees are subject to underlying employment agreement confidentiality obligations, third parties are required to sign Non-Disclosure Agreements prior to being granted access to the non-public Continicare Information.
3. Individual Access. Upon request, Continicare employees and customers must be informed of the existence, use and disclosure of their Personal Information and shall be given access to that information so that they can validate or challenge its completeness or accuracy and have it amended as appropriate. This principle complies with the Personal Information Protection and Electronic Documents Act (“PIPEDA,” Canada), to which Continicare is subject, the Data Protection Act 2018 (UK), the General Data Protection Regulation (“GDPR,” European Union), the California Consumer Privacy Act (“CCPA,” California) and other applicable legislation. Continicare contact details for all such purposes are Privacy@Continicare.com.
POLICY DETAILS
Accountabilities
1. Information Users. Every information user is responsible for protecting information records to which they have been granted access, usage or control in accordance with Continicare's security policies, practices and standards.
2. Information Owners. Continicare executive management (President, EVPs, SVPs and VPs) have primary accountability for information security and for ensuring (i) compliance with security policies and practices within their respective areas of responsibility, and (ii) that access to and use of Sensitive Information is authorized and only granted to those with a required need-to-know.
3. Information Custodians. Continicare information custodians (e.g. System Administrators, Archivists, Registrars, etc.) are responsible for preserving the confidentiality, integrity and availability of the information records under their care and control, commensurate with the security classification level accorded to these records.
Access Management
1. Identification. Information users shall have a unique User ID to access Continicare’s information systems. Unique User IDs shall not be shared.
2. User Authentication. Authentication credentials created and used by Continicare employees (passwords, multifactor authentication devices and codes, and recovery codes) must be treated as sensitive information and must not be shared with any other person, including System Administrators, supervisors or co-workers. Multifactor authentication must be used to protect all accounts and systems.
3. Transfer of Information Ownership. In keeping with the need-to-know principle, the appropriate Continicare information custodians shall review an employee's access privileges following any transfer to another department within Continicare. When employees leave the company, measures shall be taken to ensure that the information they leave behind is assigned to new Owners. By default, unless instructed otherwise, ownership of that information shall be assigned to the departing employee's supervisor.
4. Access by Third Parties. A formal NDA must be signed by any Continicare contractors or third parties (or their authorized corporate representatives, where applicable) before they can be granted access to non-public Continicare Information.
5. Access to Sensitive Customer Information by a Continicare Employee. From time to time, Continicare customers or third parties may wish to disclose sensitive information to certain Continicare employees under an NDA. Continicare employees are not authorized to sign an NDA on behalf of Continicare unless they have been authorized by executive management personnel and meet the requirements set out in the Policy on authorization.
Security Management Program
Continicare has in place a rigorous security program, which includes the development and implementation of an information security management program which defines how Continicare perpetually manages security in a holistic, comprehensive manner, including:
· We systematically evaluate our information security risks, taking into account the impact of threats and vulnerabilities.
· We have designed and implemented a comprehensive suite of information security controls and other forms of risk management to address customer and architecture security risks.
· We have an overarching management process to ensure that the information security controls meet our and our customers’ needs on an ongoing basis.
Continicare is committed to information risk management in accordance with industry best practices, and our current documented policies, standards, processes and procedures are consistent with the ISO/IEC 27002:2022 international standard in all material respects, focusing on:
1.1. Organisation of Information Security. Continicare has in place an executive sponsored information security organizational function with clearly defined information protection roles, responsibilities and accountability.
1.2. Location of Data. Continicare shall not process, transmit and/or store Customer Information outside of the country within which the Customer’s office is located, without the prior written consent of Customer senior management.
1.3. Human Resources Security.
a) Continicare Representatives with access to either Customer Information or a Continicare System must, prior to obtaining such access, participate (or have participated) in information security awareness training provided by Continicare and thereafter participate on a periodic basis (no less frequently than annually); upon Customer request, Continicare will provide written confirmation that such training has occurred; and
b) Continicare has implemented processes which require all Continicare Representatives having access to Customer Information to undergo screening checks commensurate with the Services being provided, the type of Customer Information, and level of access.
1.4. Asset Management.
a) Continicare maintains an inventory of Continicare Systems (including owner and location) which process, transmit and/or store Customer Information; and
b) Prior to disposing of any hardware, media or software that contains, or has at any time contained, Customer Information, Continicare performs a forensic destruction of all Customer Information on that hardware, media or software so that none of it can be recovered or retrieved. Such destruction may involve: (a) physical destruction, including incineration; or (b) a secure data wipe appropriate to the media type (for flash-based storage such as SSDs, where overwriting alone does not reliably reach every cell, this means cryptographic erase or the drive's built-in sanitize function).
1.5. Access Control.
a) Continicare restricts access to Customer Information so that it is available only to the Customer, its Affiliates, Continicare and Continicare Representatives on a “need-to-know” basis (including by implementing adequate segregation of duties);
b) Continicare has implemented processes which require the secure creation, modification and deletion of system accounts (both local and remote) including Privileged Accounts, and/or shall support Customer in implementing such processes as applicable;
c) No later than the date a Continicare Representative ceases to support the provision of the Services, Continicare shall terminate any such Continicare Representative's access, whether physical or logical, that may provide him or her with access to Customer Information;
d) Continicare reviews and updates access rights to Customer Information and Continicare Systems at least annually;
e) Continicare has implemented processes which require that all users are assigned a unique user identification that must not be shared, and all Continicare Representatives must be required to authenticate their identity (e.g. multifactor authentication) prior to accessing Customer Information;
f) Continicare enforces the following minimum authentication requirements within the Continicare Systems:
i. multifactor authentication by default, ideally combining a possession-based factor (e.g. a hardware token or authenticator app) with a biometric factor;
ii. passwords, if used, are never stored in plaintext or in a reversible (encrypted) form; they are stored only as salted, one-way hashes produced by a purpose-built password hashing function;
iii. user account credentials (passwords, MFA tokens, recovery codes) must not be shared;
iv. if passwords are used, they must be strong: minimum length of at least 12 characters, account lockout after a maximum of 5 consecutive incorrect attempts, complexity requirements, and session timeouts; and
v. default or vendor-supplied passwords are prohibited and must be changed before a system is placed in service;
g) Continicare has implemented processes which require that Continicare Representatives shall not store Customer Information on a personally owned device, unless such device has been authorized and secured by Continicare; and
h) Any Continicare Representative accessing all or part of a Continicare System or Customer system that processes, stores and/or transmits Customer Information shall be authenticated using at least two factors (multifactor authentication).
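The following is an added example, not Continicare's own code, of what the password-factor requirements in 1.5(f) look like when enforced in software: passwords are stored only as salted one-way scrypt hashes (never encrypted), the account locks after 5 consecutive failures, the minimum length is 12 with complexity, and known default passwords are refused. The account model, the default-password deny-list and the scrypt cost parameters are assumptions chosen for illustration.

```python
"""Added example (not Continicare's own code): enforcing the minimum password-factor
requirements of section 1.5(f). Passwords are stored only as salted, one-way scrypt
hashes (never encrypted); 5 consecutive failures lock the account; minimum length is
12 with complexity; known default passwords are rejected. The account model, the
default-password deny-list and the scrypt parameters are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 12          # section 1.5(f)(iv)
MAX_FAILED_ATTEMPTS = 5  # section 1.5(f)(iv) lockout threshold
# Hypothetical deny-list of vendor/default credentials (section 1.5(f)(v)), lower-cased.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "password123!", "welcome1"}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted scrypt hash. Returns (salt, digest); the digest cannot be reversed to the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class Account:
    user_id: str           # unique, never shared (section 1.5(e))
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def create_account(user_id: str, password: str) -> Account:
    """Create an account, refusing any password that violates the policy."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest)


def authenticate(account: Account, password: str) -> bool:
    """Verify the password factor; count failures and lock after MAX_FAILED_ATTEMPTS."""
    if account.locked:
        return False  # locked accounts are refused even with the correct password
    _, candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.digest):  # constant-time comparison
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


if __name__ == "__main__":
    acct = create_account("jdoe", "Correct-Horse-Battery-9")
    print("good password accepted:", authenticate(acct, "Correct-Horse-Battery-9"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(acct, "wrong-guess-1!")
    print("locked after 5 failures:", acct.locked)
    print("default password violations:", check_password_policy("Password123!"))
```

The password factor shown here is only one of the two factors 1.5(h) requires; the second factor (token or biometric) would be checked separately. The salted scrypt digest is what satisfies "never stored in reversible form": there is no key anywhere that could turn the digest back into the password, which is the point of hashing rather than encrypting.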
1.6. Operations Security.
a) Continicare has implemented processes which require security-related events on each Continicare System to be logged, reviewed at least monthly, protected against unauthorized modification or deletion, and retained for a period of at least 12 months;
b) Continicare Systems shall have security controls that can detect and prevent attacks by making use of firewalls and intrusion detection/prevention systems (IDS/IPS) deployed in a risk-based manner (e.g. between the internet and internal networks, and between general user networks and internal servers containing Customer Information). High and critical priority alerts shall be continuously monitored and promptly responded to;
c) Continicare performs quarterly vulnerability assessments and annual penetration testing on each internet-facing Continicare System and, upon Customer request, shall share the summary of results of all such assessments and testing with Customer within 30 days of completion. High risk and critical gaps must be remediated within 30 days of Continicare’s receipt of such assessments and testing results;
d) Continicare implements and maintains controls to prevent and detect unauthorized access, intrusions and malware on all Continicare Systems, which at a minimum include:
i. client- and server-side anti-malware software kept current with the latest definitions;
ii. a process that installs critical patches or security updates for all production and internet-facing environments within thirty (30) days of their release;
iii. ensuring that only licensed software is installed on the Continicare Systems; and
iv. ensuring the latest software and hardware upgrades and patches have been tested prior to their application to Continicare Systems in order to address all known vulnerabilities;
e) Continicare maintains documented change management procedures that provide a consistent approach for controlling and identifying changes (including high risk and emergency changes) to any Continicare System, which includes segregation of duties and security requirements;
f) Development and testing environments for Continicare Systems are physically and/or logically separated from production and internet-facing environments. Production changes must be approved by the appropriate owner;
g) Continicare does not use production data comprised of Customer Information for testing purposes unless the test environment has the same controls as the production environment; and
h) For Customer Information hosted in a shared or cloud environment, Continicare provides physical and/or logical separation from other Continicare customers' information.
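The following is an added example, not Continicare's own code, of the kind of review that 1.6(a) calls for over logged security events. It parses constructed syslog-style authentication lines and flags two patterns a reviewer would want surfaced: an account that reaches the 5-failed-attempt lockout threshold of 1.5(f)(iv), and a single source address failing against many distinct accounts (password spraying). The log format, hostnames, addresses, user names and detection thresholds are all assumptions.

```python
"""Added example (not Continicare's own code): a minimal review of security-related
authentication events of the kind section 1.6(a) requires to be logged and reviewed.
It parses constructed syslog-style lines and flags two patterns: an account that
reaches the 5-failed-attempt lockout threshold of section 1.5(f)(iv), and a single
source address failing against many distinct accounts (password spraying). The log
format, hostnames, addresses, user names and thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <host> auth: <SUCCESS|FAILURE> user=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log; addresses are taken from documentation ranges.
SAMPLE_LOG = """\
2024-03-04T09:00:01 app01 auth: SUCCESS user=alice src=10.0.0.5
2024-03-04T09:01:10 app01 auth: FAILURE user=bob src=203.0.113.9
2024-03-04T09:01:15 app01 auth: FAILURE user=bob src=203.0.113.9
2024-03-04T09:01:20 app01 auth: FAILURE user=bob src=203.0.113.9
2024-03-04T09:01:25 app01 auth: FAILURE user=bob src=203.0.113.9
2024-03-04T09:01:30 app01 auth: FAILURE user=bob src=203.0.113.9
2024-03-04T09:02:00 app01 auth: FAILURE user=carol src=10.0.0.7
2024-03-04T09:02:30 app01 auth: SUCCESS user=carol src=10.0.0.7
2024-03-04T09:05:00 vpn01 auth: FAILURE user=alice src=198.51.100.4
2024-03-04T09:05:02 vpn01 auth: FAILURE user=carol src=198.51.100.4
2024-03-04T09:05:04 vpn01 auth: FAILURE user=dave src=198.51.100.4
2024-03-04T09:05:06 vpn01 auth: FAILURE user=erin src=198.51.100.4
2024-03-04T09:05:08 vpn01 auth: FAILURE user=frank src=198.51.100.4
kernel: eth0 link up
"""


def review_auth_log(text, lockout_threshold=5, spray_min_users=3,
                    window=timedelta(minutes=10)):
    """Scan log text and return findings as sorted lists plus a count of unparsed lines."""
    streaks = defaultdict(list)   # user -> failure timestamps since the last success
    spray = defaultdict(set)      # src -> distinct users that failed from that source
    lockouts, sprayers = set(), set()
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # unparsed lines are counted, never silently dropped
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        if m["result"] == "SUCCESS":
            streaks[user].clear()  # a successful login resets the failure streak
            continue
        streaks[user].append(ts)
        # keep only failures inside the window ending at this event
        streaks[user] = [t for t in streaks[user] if ts - t <= window]
        if len(streaks[user]) >= lockout_threshold:
            lockouts.add(user)
        spray[src].add(user)
        if len(spray[src]) >= spray_min_users:
            sprayers.add(src)
    return {
        "lockout_candidates": sorted(lockouts),
        "spraying_sources": sorted(sprayers),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for key, value in review_auth_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, "bob" is reported as a lockout candidate (five failures in twenty seconds) and 198.51.100.4 as a spraying source (one failure each against five different users, which per-account lockout alone would never catch). The unparsed-line count matters for the monthly review: a rising number usually means a log format changed and the review is silently blind to it.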
1.7. Cryptography.
Customer Information is encrypted when in transit and at rest and Continicare shall protect Customer Information by implementing cryptographic and hashing algorithm types, strength, and key management processes, consistent with or exceeding current security industry standards. Continicare and Continicare Representatives do not transfer Customer Information to any portable computing device or any portable storage medium unless it is encrypted consistent with or exceeding current security industry standards.
1.8. Information Security Incident Management.
1. Continicare has implemented up-to-date and documented security incident response plans and procedures covering detection, analysis, containment, eradication, recovery and post-incident activity phases.
2. Regular security updates and patches must be applied to all systems and devices to ensure the security of the information they contain.
3. Any suspected security breach or vulnerability must be reported immediately to Continicare's information security function and, where required by contract or law, to affected Customers and the relevant regulators.
1.9. Back-up.
Continicare is required to back up and retain Customer Information. Continicare maintains back-ups in physically and environmentally secure locations, both onsite and offsite, and performs such back-ups at regular intervals. Regular training and awareness programs must be conducted to educate employees on information security best practices.
1. Physical and Environmental Security Requirements
This section refers to Continicare facilities (including the facilities of each of our Affiliates and Continicare Representatives who are involved in the provision of the Services) that store Customer Information and/or have connectivity to one or more Customer network(s).
a) Continicare facilities have physically secure perimeters, and external entry points are protected against unauthorized access. Access to all locations shall be limited to Continicare Representatives and authorized visitors. Reception areas, if any, must have means to control physical access;
b) Access to areas where Customer Information is stored or can be accessed is restricted to authorized Continicare Representatives and authorized visitors. Access must be monitored, recorded and controlled with physical access rights reviewed annually at a minimum;
c) Continicare maintains logs of authorized access, which must be stored for a period of at least 12 months, and will be provided to Customer upon request. If not staffed 24x7, alarms and entry point security cameras must be installed for off-hours access monitoring with recordings retained for a period of 3 months;
d) All Continicare Representatives and authorized visitors must be issued unique identification cards. Identification cards must be visibly displayed at all times while on the premises, and all visitor cards must be retrieved and inventoried daily;
e) Authorized visitors shall be required to sign a visitors' register upon each entry to and exit from the premises and shall be escorted or observed at all times;
f) A clear desk policy shall be enforced throughout the Continicare facilities. Hard copy documentation and portable storage media containing Customer Information shall be kept secured when not in use;
g) All servers and/or network equipment used to store or access Customer Information are kept in a secure room with the following controls:
i. Physical access control mechanisms are required on all doors;
ii. Rooms must be located on the interior of the building with no windows unless safeguards are in place to prevent shattering;
iii. Telecommunications equipment, cabling and relays receiving data or supporting services must be protected from interception or damage; and
iv. Fire detection and suppression mechanisms are in place, tested, and operating in accordance with applicable local fire codes; and
h) For rooms containing servers and/or network equipment used to provide services to Customer, controls are implemented to mitigate the risk of power failures (e.g. surge protectors, uninterruptible power supplies, and generators), and ensure environmental conditions consistent with the operating parameters of such equipment (e.g. temperature and humidity).
2. Software Development Services
Continicare has implemented a documented and validated software development lifecycle process which includes requirements gathering, system design, integration testing, user acceptance testing, and system acceptance. Security requirements shall be documented and included throughout such lifecycle. Continicare must provide all developers with secure code development training. All confirmed high/critical security vulnerabilities found during testing must be remediated and retested prior to moving to the production phase.
3. Policy Updates.
This policy will be reviewed and updated regularly to ensure that it remains consistent with industry best practices and legal requirements.
APPENDIX A – DEFINITIONS
Affiliate means any other Person that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with, such Person. The term "control" as used in this definition (including, with correlative meanings, the terms "controlled by" and "under common control with" as used with respect to any Person) means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such Person whether through ownership of voting securities, by contract or otherwise.
Continicare Information means any non-public information of Continicare, its licensors and its agents, including without limitation the presentation or non-presentation of the data contained in any products or services, the fees charged therefor, and the contents of any Agreement entered into by Continicare for any reason, trade secrets, Confidential Information, Personal Information and proprietary information of Continicare, and/or its licensors, and agents, whether disclosed orally or in writing.
Continicare Systems means any and all intranet, stand-alone computer or other non-cloud connected systems maintained or provided by Continicare internally to those employees, agents, administrators, contractors or other third parties, and which may host Customer Information, Confidential Information and/or Continicare Information.
Continicare Representatives means any Continicare executive, employee, contractor or agent that has been authorized by Continicare executive management to make representations on Continicare’s behalf.
Continicare EULA means a Continicare End-User License Agreement with a specified date of effectiveness, entered into by Continicare and a customer.
Customer Information means any and all information and/or data provided by any customer to Continicare under a written agreement, including any Continicare EULA entered into between the customer and Continicare, and may include Confidential Information.
Customer Networks means the systems, devices, infrastructure and networks used by Customers and their agents and employees to access Continicare's products or services. These include the Customer's own internal networks and any external networks the Customer uses to connect to Continicare's systems, and they may carry sensitive information such as financial data, personal identification information or health information. Continicare protects such information in accordance with ISO/IEC 27002:2022 through safeguards such as encryption, secure authentication and access controls, and regular maintenance and updates of the network.
Confidential Information means material that is not generally available to or used by others or the utility or value of which is not generally known or recognized, whether or not the underlying details are in the public domain, and includes, but is not limited to Customer Information, software, delivery systems, information concerning marketing plans and strategies, profits, costs, pricing, and systems and procedures set out in this Policy, that are acquired or developed by or on behalf of Continicare or provided to Continicare by any customer; in the case of any Customer, Confidential Information shall include all personal information relating to any Customer employee, contractor, customer or other individual.
Personal Information means any information about an identifiable individual. This includes, but is not limited to, an individual's name, address, telephone number, email address, age, gender, race, ethnicity, religion, political beliefs, sexual orientation, marital status, education level, financial information, medical information, employment history and biometric data. Personally identifiable information (PII) is the subset of Personal Information that can be used to identify an individual, such as a name, social security number, driver's license number, passport number or financial account number. The collection, use and disclosure of Personal Information are regulated by PIPEDA in Canada, the GDPR in the European Union, the Data Protection Act (DPA) in the United Kingdom and the California Consumer Privacy Act (CCPA) in California.
Sensitive Information means certain types of personal information that require a higher level of protection due to their sensitive nature. Sensitive information may include, but is not limited to, the following types of information:
1. Personal identification information: This includes information such as a person's name, address, phone number, and email address, as well as biometric data such as fingerprints and facial recognition data.
2. Financial information: This includes information such as bank account numbers, credit card numbers, and financial transaction history.
3. Health information: This includes information about an individual's physical or mental health, including medical records and insurance information.
4. Personal communication: This includes information contained in personal emails, texts, and other forms of communication.
5. Intellectual property: This includes proprietary information, trade secrets, and other forms of intellectual property.
Continicare protects Sensitive Information in accordance with ISO/IEC 27002:2022 by ensuring that it is accessed only by authorized individuals and is not disclosed or misused, using safeguards such as encryption, secure storage, access controls and employee training on information security best practices.
Copyright © 2023 2707382 ONTARIO INCORPORATED operating as Continicare Corp - All Rights Reserved.