Solutions V Industries v Why Protected Harbor Resources v Company v Free I Data Controller and Data Processor Protected Harbor's business customers are the data controllers for most information entered into the Protected Harbor web application, website, and supporting systems or shared periodically with Protected Harbor employees to deliver services. This positions Protected Harbor as the data processor for most information stored and processed by Protected Harbor. Some pieces of information are collected directly by Protected Harbor to facilitate security, logging, and application performance. These items include IP addresses and behavior within the Protected Harbor platform. For these pieces of information, Protected Harbor acts as the data controller and processor. Additionally, Protected Harbor employs a variety of technologies and partners that periodically act as sub-processors. If users have any questions or concerns about the processing and handling of their personal information, they may communicate directly with the Privacy Officer. Privacy Notice and Transparency It is important ethically and legally to provide reasonable transparency to data subjects concerning the processing and handling of their personal data. Protected Harbor maintains an upto-date privacy notice that is made available to all customers and users of the Protected Harbor platform and services. Employees and contractors must read this privacy notice. If errors or concerns are discovered, findings must be shared with the Privacy Officer. Privacy by Design The concept of privacy by design must be applied to every new product, project, or service and if a change of substance to a current product, project, or service occurs. Privacy by design involves considering privacy at every project stage: planning, design, development, testing, launch, mantenance, and end ot 1te In applying privacy by design, the following elements must be considered: • Types of Data Collected • The Purposes of Processing • legal Rasis of Processino • Data Residency and Cross-Border Transfer oRetentron 'ime • Data Subject Rights A privacy impact assessment and a threat risk assessment must be conducted as part of the planning and design phases of the project. They must be updated before launch to factor in changes in scope that occur throughout the product development. Additionally, these assessments must be reviewed at least annually or in the event of a significant change in scope, business use case, architecture, or legal landscape. Legal Basis of Processing Below are the legal bases for Protected Harbor to collect personal information: • Users have given their consent for one or more specific purposes. • Provision of data is necessary for the performance of an agreement with the user. • Processing is necessary for compliance with a legal obligation. • Processing is necessary for the legitimate interests pursued by the controller or a third party.