Grassfeld Security Policy.

1.

User Access Control.

1.

External users must register for access through a secure online process that verifies user identity. Each user will be authenticated using a combination of a password and a multi-factor authenticator (MFA).

1.2

Access will be granted strictly based on the user’s necessity to interact with the system. Users are only allowed access to features and data pertinent to their role or transaction requirements.

1.3

The administrative accounts are only used to perform administrative tasks. All unused or unnecessary user accounts, email addresses, etc., are deleted or disabled by IT administration. Furthermore, upon termination of employment, contract, or agreement, user accounts are deleted or disabled by IT administration and are documented accordingly. If employees had access to shared accounts, the login credentials of these accounts are altered by IT administration.

2.

Data Protection.

2.1

Data that is stored within the Grassfeld platform and application is high-level encrypted through various encryption technologies. Furthermore, data is monitored 24 hours a day regarding possible attacks and data breaches aiming for an immediate mitigation of a possible attack.

2.2

All data and information accessed, processed, and stored by Grassfeld are categorized by the Security Officer and periodically reviewed no less than annually. The impact level of each data category is categorized (Reference: NIST Special Publication 800-60 Volume I). Data must be managed, protected, and secured in accordance with the impact level of the data category.

2.3

Data is stored in a multi-layer secured database with very restricted accessibility. This accessibility is only available for authorized personnel that oblige to strict authentication protocols. If a user removes their account, dedicated data to that account will be destroyed. Grassfeld does not support backup data; thus, previously deleted data cannot be recollected.

2.4

Sharing of personal and financial information within the application is governed by strict protocols and only occurs with explicit user consent. Grassfeld unequivocally does not sell any data to any third parties.

3.

Employee Responsibility.

3.1

All new (internal and external) employees are informed about the information security policy.

3.2

Employees are obligated to adhere to the policy guidelines.

4.

User Responsibility.

4.1

Users are responsible for keeping their passwords secret. Passwords must not be shared or written down. If a password is suspected to have been compromised, it must be changed immediately.

4.2

To guarantee the safe use of the application on a user’s phone, users are responsible for ensuring their devices are secure, updated with the latest security patches, and have adequate anti-virus protection.

4.3

Users must follow best practices for password creation, ensuring strong, unique passwords that are updated regularly. Users are required to enable two-factor authentication (2FA) for an additional layer of security. Additionally, users must complete phishing awareness training to recognize and avoid potential security threats.

5.

Security by Design.

5.1

Security measures are proactively incorporated into the design and architecture of Grassfeld, rather than being added reactively. MMOX, the cybersecurity partner of Grassfeld, receives intelligence about threats, vulnerabilities, and their business impact from a variety of sources including internal or external information sharing, as well as non-commercial and commercial entities.

5.2

The design and implementation of the app follow the principle of least privilege, ensuring users have the minimum level of access necessary for their functionality needs. This reduces potential damage from any breach or misuse. Furthermore, Grassfeld practices Security by Design by implementing an IP check per user session, secure connection with our own servers, and creating a new account by email, password, and SMS verification.

5.3

Users of Grassfeld are pseudonymized in our system as a number. This means that Grassfeld does not see any personal information connected to the account. The user, in this case a pseudonymized number, can only be read in our system through a secure connection specifically designed for the communication with the user. Any information that is added by a user and stored by Grassfeld is only used to finetune our algorithms and cannot be altered.

6.

Incident Management.

6.1

In case of a security incident, Grassfeld manages an immediate and proper response by escalating it to the core team. Grassfeld ensures the isolation of attacked systems and network segments to prevent further damage. Further steps are taken through forensic research and analyzing the scope of the incident. Grassfeld has a cyber team that is available 24 hours a day. Communication with affected persons and stakeholders is practiced through laws and regulations.

6.2

Grassfeld’s incident management policy outlines specific processes for detecting, reporting, and responding to security incidents. These processes include breach notification timelines, coordination with regulatory authorities, and ensuring affected users are promptly informed of the incident and mitigation steps. Grassfeld’s cyber team maintains a detailed incident response playbook to guide actions during security events.

7.

Compliance and Legal.

7.1

Grassfeld works conform to the requirements of the applicable data protection legislation. Information about Grassfeld’s compliance regarding legal issues is addressed in the Privacy and Cookie Policy.