Acceptable Use Policy

OVERVIEW

Kredit Financial Inc. (“Kredit”) has developed the following Acceptable Use Policy (“AUP”) to ensure the security of its information, data, systems, technology, and resources (collectively referred to as “Information Assets”). Inappropriate use of Information Assets exposes Kredit, its clients, and consumers to risks such as cyberattacks, compromise of network systems and services, information breaches, and legal issues. Inappropriate personal use of Information Assets on Kredit time also deprives the company of another valuable resource - your time and service. To avoid these problems, every person who accesses Kredit’s Information Assets must know and understand the AUP and conduct their activities accordingly.

The Kredit AUP covers the following areas:

  • Use of Computer Resources

  • Monitoring of Kredit Systems

  • Removable Media

  • Software Installation on Kredit Devices

  • Email and Internet Usage

  • Blogging and Social Media

  • Clean Desk/Clear Screen

  • Bring Your Own Device (BYOD)

  • Reporting Violations

Definitions:

  • Personally Identifiable Information (PII) refers to any data or information that can be used to identify an individual. This includes information that, either on its own or in combination with other data, can be used to distinguish or trace the identity of a person. PII typically includes, but is not limited to, details such as:

    • Full name

    • Social Security number

    • Date of birth

    • Home address

    • Email address

    • Phone number

    • Driver's license number

    • Passport number

    • Financial account numbers (e.g., bank account or credit card numbers)

    • Biometric data (e.g., fingerprints, facial recognition data)

    • Medical records

    • Employment information

    • IP address (in certain contexts)

  • Social media includes all means of communicating or posting information or content of any sort on the Internet, including to an employee’s own or someone else’s blog, personal website, social networking or affinity website, web bulletin board or chat room, whether or not it is associated or affiliated with Kredit.

PURPOSE

The purpose of this Policy is to outline the acceptable use of Kredit’s Information Assets.

POLICY

It is the policy of Kredit to develop, implement, and train its employees and contractors on the AUP.

SCOPE

This Policy is applicable to all Kredit employees and contractors.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Compliance Officer (“CCO”) is responsible for ensuring this Policy is communicated to all employees and contractors at hire and on an annual basis and ensuring the Policy is accessible to employees for their day-to-day reference. The CCO is also responsible for reviewing this Policy on an annual basis.

Kredit’s Chief Technology Officer (“CTO”) is responsible for regularly monitoring Kredit’s Information Assets to ensure compliance with the policies stated herein. The CTO is also responsible for deactivating employee and contractor access to Kredit’s Information Assets, when warranted.

It is the responsibility of all Kredit employees and contractors to abide by the AUP and report violations or suspected violations of the AUP by following the procedure set forth in the Reporting Violations section of this document. Kredit employees are also responsible for abiding by all federal, state, and local laws and copyright laws regarding protected commercial software or intellectual property, and for not overloading networks with excessive data or wasting Kredit’s other Information Assets.

PROCEDURE

Monitoring of Kredit Systems

While Kredit desires to provide a reasonable level of privacy, employees should be aware that data they create on company systems remains the property of Kredit and the confidentiality of employees’ personal information that is stored on any network device belonging to Kredit cannot be guaranteed. Kredit reserves the right to monitor email, personal file directories, web access, network traffic, and other information stored on company equipment, at any time and without notice, to ensure compliance with internal policies and this AUP.

Use of Computer Resources

Computers and networks can provide access to both internal and external resources, as well as the ability to communicate with other employees. Such open access is a privilege and requires that employees act responsibly. Kredit employees must respect the rights of their co-workers, respect the integrity of the systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations. Prohibited activities include, but are not limited to, the following:

  • Using a computer account that you are not authorized to use

  • Obtaining a password for a computer account without the consent of the account owner

  • Using the Kredit network to gain unauthorized access to any computer systems

  • Knowingly performing an act that will interfere with the normal operation of computers, terminals, peripherals, or networks

  • Knowingly running or installing on any computer system or network, or giving to another user, a program intended to damage or to place excessive load on a computer system or network (e.g., viruses, Trojan horses, and worms)

  • Attempting to circumvent data protection schemes or uncover security loopholes

  • Violating terms of applicable software licensing agreements or copyright laws

  • Using email, text messages, or social media to harass others

  • Masking the identity of an account or machine

  • Attempting to disable or tamper with installed anti-virus, firewall, and patch deployment software on Kredit-owned devices

  • Attempting to monitor or tamper with another user's electronic communications, or reading, copying, changing, or deleting another user's files or software without the explicit agreement of the owner

Removable Media

Employees are strictly prohibited from using removable media devices such as USB flash drives (e.g., thumb drives), memory cards, external hard drives, or smart devices (e.g., smartphones or smart tablets) to store PII or Kredit confidential information, unless approved by Kredit’s CTO.

Software Installation on Kredit Devices

Unless expressly permitted to do so by Kredit’s CTO, employees are prohibited from activities including, but not limited to, the following:

  • Installing any software on company-owned devices

  • Copying of copyrighted material for which Kredit or the end user does not have an active license

  • Exporting software or technical information in violation of export control laws

Email and Internet Usage

Kredit employees shall have no expectation of privacy in anything they store, send, or receive on Kredit’s email system. Kredit may monitor messages without prior notice. Kredit prohibits uses of email including, but not limited to, the following:

  • Creating or distributing any disruptive or offensive messages, including comments about race, gender, physical appearance, disability, age, sexual orientation, pornography, religious belief and practice, political belief, or national origin

  • Sending unsolicited email messages, including the sending of junk mail or other advertising material, to individuals who did not specifically request such material (i.e., SPAM)

  • Engaging in any form of harassment, whether through language, frequency, or size of messages

  • Creating or forwarding "chain letters," "Ponzi," or other "pyramid" schemes of any type

  • Using a personal email address to conduct official Kredit business

  • Automatically forwarding Kredit email to a personal email address or third-party email system (e.g., Yahoo, MSN Hotmail) to conduct Kredit business

  • Employees must refrain from sending sensitive information and/or consumer PII (i.e., consumer name, social security number, date of birth) via email. When sending this information is necessary, this type of information must be encrypted or sent through secure channels.

Kredit prohibits uses of the internet on Kredit-issued devices including, but not limited to, the following:

  • Producing or sending offensive content of any kind, including, but not limited to, pornographic material

  • Threatening or violent behavior

  • Engaging in illegal activities

  • Producing or sending messages of a religious, political, or racial nature

  • Accessing sports, entertainment, and gambling sites

  • Dispersing corporate data without authorization

Blogging and Social Media

Kredit understands that social media can be a fun and rewarding way for employees to share their lives and opinions with family, friends, and co-workers; however, use of social media also presents certain risks and carries with it certain responsibilities. To assist employees in making responsible decisions, Kredit has established these guidelines for appropriate use of social media. Prohibited activities include, but are not limited to, the following:

  • Revealing any of Kredit’s confidential or proprietary information or trade secrets

  • Engaging in any blogging that may harm or tarnish Kredit’s image, reputation and/or goodwill

  • Making any discriminatory, defamatory, or harassing comments when blogging or otherwise engaging in any conduct prohibited by the Kredit Code of Conduct Policy

  • Attributing personal statements, opinions, or beliefs to Kredit, or using Kredit’s trademarks, logos, or any other intellectual property without specific authorization from the CTO

Clean Desk/Clear Screen

To prevent inadvertent disclosure of consumer PII, employees must adhere to the following clean desk and clear screen guidelines:

  • All computers must be secured when unattended during business and non-business hours

  • Employees should log off and shut down their computer, including turning off monitor(s), at the end of the workday

  • Computers and similar devices should be positioned so that people passing by cannot see their screens, and configured to use time-activated screensavers and password protection to minimize the chance that someone takes advantage of unattended equipment.

  • Documents should not be printed unnecessarily, and sticky notes should not be left on monitors or under keyboards. When printing is necessary, paper must be stored in suitable locked safes or cabinets when not in use, especially outside working hours.

Bring Your Own Device (BYOD)

Kredit employees utilize company-owned devices to perform their assigned duties. With prior approval from the CTO, employees are permitted to use their own devices. In these very limited circumstances, the employee’s device must have functioning up-to-date anti-virus protection and firewalls installed, must be regularly updated with recommended patches, and the passwords must conform with Kredit's Password Policy.

Reporting Violations

Kredit employees are responsible for reporting violations or suspected violations of this Policy to Kredit’s CEO or CTO. Kredit does not allow retaliation for reports of misconduct by others made in good faith.

Kredit employees are also responsible for reporting suspected or known security breaches, malware or virus attacks, as well as incidents involving lost or stolen devices to Kredit’s CEO or CTO.

Communication

This Policy shall be communicated to all employees at hire and annually thereafter and maintained in the Employee Policy Repository folder on Google Drive for reference purposes.

Violations

A violation of this policy is considered a breach of Kredit's principles, objectives, and standards. Depending on the severity of the conduct, it also may violate local, state, or federal law. Kredit may impose penalties ranging from terminating an employee’s or contractor’s access to Kredit’s Information Assets to termination of employment or contract.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Information Security Policy

Policy Name: Acceptable Use Policy

| Event | Event Date | Event By | Date Reviewed | Reviewed By | Version |
|---|---|---|---|---|---|
| Creation | 01/10/2022 | Kenny Lai, CTO | 01/10/2022 | Dave Hanrahan, CEO | 1.0 |
| Implementation | 05/26/2023 | Colene McNinch, CCO | | | |
| Revisions | 11/01/2023 | Colene McNinch, CCO | 11/01/2023 | Jason Scannell, Principal Engineer; Kenny Lai, CTO | 1.1 |
