Data Protection and Security Policy

Policy brief & purpose

Murf is committed to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.

With this data protection and security policy (Policy), we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.

For this reason, we have implemented a number of data protection and security measures. We have also prepared instructions to help mitigate security risks. We have covered both provisions in this Policy.

Scope

This Policy applies to all employees, contractors, consultants, partners, interns and anyone who has permanent or temporary access to systems or hardware of Murf Inc. and its subsidiaries (Covered Persons).

Policy elements

As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc.

Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.

1. Our data will be:

• • Accurate and kept up-to-date,
  • Collected fairly and for lawful purposes only,
  • Processed by the company within its legal and moral boundaries, and
  • Protected against any unauthorized or illegal access by internal or external parties.

2. Our data will not be:

• • Communicated informally,
  • Stored for more than a specified amount of time,
  • Transferred to organizations, states or countries that do not have adequate data protection policies, and
  • Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities).

3. In addition to ways of handling the data the company has direct obligations towards people to whom the data belongs. Specifically we must:

• • Let people know which of their data is collected,
  • Inform people about how we’ll process their data,
  • Inform people about who has access to their information,
  • Have provisions in cases of lost, corrupted or compromised data, and
  • Allow people to request that we modify, erase, reduce or correct data contained in our databases.

Actions

To exercise data protection we’re committed to:

• Restrict and monitor access to sensitive data,
• Develop transparent data collection procedures,
• Train employees in online privacy and security measures,
• Build secure networks to protect online data from cyberattacks,
• Establish clear procedures for reporting privacy breaches or data misuse,
• Include contract clauses or communicate statements on how we handle data, and
• Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.).

Privacy provisions for Murf users and subscribers will appear on our website. 

Protect personal and company devices

When Covered Persons use their digital devices to access company emails or accounts, they introduce security risk to our data. We advise Covered Persons to keep both their personal and company-issued computer, tablet and cell phone secure. They can do this if they:

• Keep all devices password protected,
• Choose and upgrade a complete antivirus software,
• Ensure they do not leave their devices exposed or unattended,
• Log into company accounts and systems through secure and private networks only,
• Install security updates of browsers and systems monthly or as soon as updates are available, and
• We also advise Covered Persons to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.

When new hires receive company-issued equipment they will receive instructions for:

• Disk encryption setup
• Password management tool setup

They should follow instructions to protect their devices and refer to our designated data protection and security lead (Security Lead) if they have any questions.

Keep emails safe

Emails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct Covered Persons to:

• Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “watch this video, it’s amazing.”),
• Be suspicious of clickbait titles (e.g. offering prizes, advice.),
• Check email and names of people they received a message from to ensure they are legitimate, and
• Look for inconsistencies or giveaways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks.)

If a Covered Person isn’t sure that an email they received is safe, they can refer to our Security Lead.

Manage passwords properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise Covered Persons to:

• Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays),
• Remember passwords instead of writing them down. If Covered Persons need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done, 
• Exchange credentials only when absolutely necessary, and
• Change their passwords every three months.

Remembering a large number of passwords can be daunting. We will purchase the services of a password management tool which generates and stores passwords. Covered Persons are obliged to create a secure password for the tool itself, following the above advice.

Transfer data securely

Transferring data introduces security risk. Covered Persons must:

• Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request Covered Persons to ask our Security Lead for help,
• Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies, and
• Report scams, privacy breaches and hacking attempts.

Our Security Lead needs to know about security incidents to better protect our infrastructure and comply with reporting our legal requirements. For this reason, we advise Covered Persons to report perceived attacks, suspicious emails, phishing attempts or breaches as soon as possible to our Security Lead. 

Additional measures

To reduce the likelihood of security breaches, we also instruct Covered Persons to:

• Avoid accessing suspicious websites, 
• Change all account passwords at once when a device is stolen,
• Turn off their screens and lock their devices when leaving their desks,
• Report a perceived threat or possible security weakness in company systems,
• Report stolen or damaged equipment as soon as possible to our Security Lead, and
• Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.

Remote employees

Remote employees must follow this Policy’s instructions too. Since they will be accessing Murf’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.

Disciplinary Action

All principles described in this Policy must be strictly followed. A breach of this Policy will invoke disciplinary and possibly legal action. Disciplinary action may be as below.

• First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the Covered Person on security.
• Intentional, repeated or large scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination.

We will examine each incident on a case-by-case basis.