PURPOSE AND DATA SECURITY OBJECTIVES

The purpose of this Data Security Protocol is to describe the principles, controls, and operational environments through which the Company secures its systems, devices, and data. Data security is established as a foundational operational requirement intended to uphold confidentiality, integrity, availability, accountability, and controlled access. These objectives are achieved through a centralized, closed, and continuously monitored operational ecosystem governed by Company leadership and the designated Data Protection Officer (DPO). This Notice reflects the Company’s internal data security protocols and explains how data security is enforced in practice through defined controls and monitored environments.

SCOPE AND APPLICABILITY

This Data Security Protocol applies to all physical locations, technical systems, devices, networks, and environments used by or on behalf of the Company, whether on‑premise, hosted in partner data centers, or deployed within approved cloud platforms. It applies to all individuals who access Company systems or data, including employees, specialists, contractors, subcontractors, consultants, and authorized third parties, regardless of location, role, or mode of work. Compliance with the data security protocols described in this Notice is a mandatory condition of access to Company systems and resources.

DATA SECURITY GOVERNANCE MODEL

The Company operates a centralized data security governance model under which ultimate authority for data security oversight rests with Company leadership and the designated DPO. All data security‑related decisions, approvals, exceptions, and enforcement actions are governed through this centralized authority. No individual, team, or third party may independently alter data security controls, access rights, system configurations, or protective measures without explicit authorization.

CENTRALIZED DATA SECURITY ARCHITECTURE

The Company maintains a centralized data security architecture designed to reduce fragmentation, uncontrolled access, and data sprawl. All data, systems, authentication pathways, and administrative access points are governed, monitored, and auditable through defined control mechanisms. Unmanaged, decentralized, or informal environments are not permitted within the Company’s data security ecosystem.

CREDENTIAL AND ACCESS GOVERNANCE

Access to Company tools, platforms, and services is governed through strict credential and access management protocols. Login credentials, system access, and administrative privileges are centrally stored and managed using approved partner security vaults. Access to these vaults is restricted exclusively to selected members of Company leadership and the DPO. Credentials are not distributed informally, stored locally without authorization, embedded in personal devices, or shared outside approved security mechanisms.

CLOSED AND CONTROLLED DATA SECURITY ECOSYSTEM

The Company enforces a closed and controlled data security ecosystem. All work involving Company systems or data must occur within explicitly approved environments, using only authorized tools, networks, and devices. Uncontrolled data movement, shadow IT practices, unauthorized local storage, and the use of unapproved platforms, software, or services are expressly prohibited.

CORE DATA SECURITY TECHNOLOGY AND NETWORK CONTROLS

To enforce identity, access, device, and data security controls, the Company primarily leverages Microsoft enterprise technologies, including Microsoft Entra ID (formerly Azure Active Directory), Microsoft Intune, Microsoft Defender, Microsoft 365 security and compliance services, and related tools. Network connectivity supporting Company operations uses dedicated IP addresses and business‑grade fiber connections to ensure controlled network origin, traceability, reliability, and monitoring in support of data security.

SERVER AND HOSTING CONTROLS

The Company operates servers hosted through partner data centers that implement physical security, environmental protections, and restricted access controls appropriate to professional data center operations. These environments are integrated into the Company’s centralized data security oversight model, and data stored within these environments is encrypted at rest.

CLOUD BACKUP, REDUNDANCY, AND ENCRYPTION

To support resilience and continuity, the Company maintains cloud‑based backup and recovery systems primarily within Microsoft and Google infrastructure ecosystems. Data stored in these environments is encrypted at rest and governed by the Company’s internal data security protocols in conjunction with the security and compliance measures enforced by these providers. Encryption key handling is centrally governed and not managed individually by specialists or contractors.

WEBSITE AND EDGE‑LEVEL DATA SECURITY

The Company’s website is hosted through a content delivery network (CDN) that provides secure content delivery, traffic filtering, and protection against malicious activity, including denial‑of‑service and unauthorized access attempts. Secure communication protocols are enforced to protect data transmitted between users and Company systems.

PHYSICAL PREMISES AND DEVICE CONTROLS

Company offices and facilities operate as closed and monitored environments designed to protect data accessed within those spaces. Physical access is restricted through security gateways and monitored entry points, and CCTV systems are deployed in areas where Company systems, data, or equipment are accessed.

OFFICE‑BASED DATA ACCESS CONDITIONS

Office‑based specialists and teams may access Company systems and data only through Company‑approved and Company‑monitored equipment connected through authorized networks. The use of personal devices, personal storage media, or unapproved hardware or software in office environments is strictly prohibited.

WORK‑FROM‑HOME DATA SECURITY CONTROLS

Work‑from‑home arrangements are recognized as higher‑risk environments and are subject to stricter data security controls. Remote access to Company systems and data is permitted only through designated Company‑approved equipment configured and monitored under Company data security standards. Personal devices may not be used for Company work. In select cases, VPNs are deployed to further secure remote access based on risk assessment.

WORKFORCE VETTING AND DATA ACCESS ELIGIBILITY

All specialists and teams undergo a rigorous vetting process prior to engagement. This process may include identity verification, address confirmation, background checks, and coordination with applicable local government units (LGUs). Eligibility for data access is contingent upon successful completion of this process.

ECOSYSTEM‑WIDE ACTIVITY AND DATA SECURITY MONITORING

The Company implements real‑time, ecosystem‑wide monitoring through approved time‑tracking and activity‑monitoring tools. Monitoring provides visibility into system access, user activity, and operational behavior within Company‑controlled environments and supports both data security oversight and incident detection.

LOGGING, RETENTION, AND AUDITABILITY

System access, administrative actions, and user activity within the controlled ecosystem are logged and retained in accordance with internal data security governance requirements. Logs support audits, investigations, compliance verification, and incident analysis. Data transmitted across Company systems is encrypted using secure communication protocols.

SOFTWARE AND TOOL APPROVAL CONTROLS

Only approved software, applications, and tools may be used within the Company ecosystem. Installation of any additional software, tools, plugins, or network utilities requires prior written approval from the DPO. Unauthorized installations constitute data security violations.

ACCESS SCOPING AND TIME‑BOUND PROVISIONING

Specialists, contractors, and team members are granted access only to the specific systems, tools, and data required to perform their assigned responsibilities. Access is role‑based, time‑bound, and automatically adjusted or revoked as responsibilities change or engagements end.

SYSTEM HYGIENE AND DATA CLEANUP

Company systems and devices undergo periodic maintenance and cleanup processes to remove unnecessary data, residual access artifacts, and unused system resources, reducing the risk of unintended data exposure.

DATA SECURITY TRAINING AND AWARENESS

All personnel with access to Company systems or data are required to complete data security training. Adherence to data security protocols is a condition of engagement and continued access.

ACCOUNTABILITY AND ENFORCEMENT

Compliance with the data security protocols described in this Notice forms part of individual and team performance expectations. Violations constitute serious breaches of obligation and may result in enforcement actions.

INCIDENT IDENTIFICATION AND RESPONSE

All suspected data security incidents, policy violations, or unauthorized actions must be reported immediately. The Company reserves the right to investigate incidents, preserve evidence, and take corrective or disciplinary action.

PAYMENTS SECURITY AND FINANCIAL ISOLATION

All payments are processed exclusively through Wise. The Company does not store, process, or control payment credentials or funds. Wise operates its own secure infrastructure and applications, and clients and specialists retain full control over the security of their funds within the Wise platform. Payment transfers are governed by Wise’s security, compliance, and regulatory controls.

TERMINATION, EXCEPTIONS, AND NOTICE MAINTENANCE

Security breaches may result in immediate termination of engagement and, where appropriate, legal action. Any exception to the data security protocols described in this Notice requires prior documented approval from the DPO and may be revoked at any time. This Notice is reviewed periodically and updated to reflect changes in internal data security protocols and operational practices.

CONTACT US

Data Protection Officer (DPO)

privacy@tractioncore.com

Vertis North, Vita St., cor. Sola Drive

Quezon City, National Capital Region

Philippines, 1105

https://www.tractioncore.com