ELOSOFT INC. DATA PRIVACY POLICY


Introduction
This policy describes the commitment of ELOSOFT INC. to protect and safeguard personal information. This policy governs the handling of personal information by our organization and establishes a set of privacy principles for the good management of this information. This policy should be made available, physically or electronically (i.e. via elosoftbiz.com), to all data subjects from whom ELOSOFT INC. obtains personally identifiable information for ELOSOFT INC. processes. We acknowledge the right of every entity to privacy; our commitment to this starts with complying with the registration requirements of the National Privacy Commission (NPC) in accordance with the Data Privacy Act of 2012 (DPA), NPC Registration No. PIC-001-825-2022. ELOSOFT shall balance the free flow of information with privacy in pursuing its objectives.

Policies and Guidelines
This policy applies to all personal information processed by ELOSOFT INC. including, but not limited to, data on employees, client personnel, and third parties.

This privacy policy applies to the processing of all “personal information” – which is defined as information relating to an identified or identifiable natural person. Examples include:

  • name,
  • address,
  • mobile phone number,
  • date of birth,
  • account numbers (bank account, credit card etc.),
  • personnel numbers,
  • photographs and other information such as salary, performance ratings and time and expense data.

“Sensitive personal information” is a category of personal information that requires an extra level of protection or a higher duty of care. Examples include information that reveals:
  • biometric signature, including fingerprints and facial ID,
  • racial or ethnic origin,
  • trade union membership,
  • government-issued identification, such as national identification number, national insurance number and social security numbers.

ELOSOFT will protect all information in its custody or control in accordance with applicable law and contractual obligations, professional requirements and internal policies, procedures and practices and in accordance with the following privacy principles:

  • Information on Collection
    We should only collect Personal Information that is necessary, relevant and not excessive for the business purposes for which it is to be used.
  • Notice
    a. As appropriate, we will be transparent about how we collect and use personal information.
  • Choice and Consent
    b. We will avoid using or sharing personal information in ways that are incompatible with the original purpose for which it was collected, unless subsequent authorization has been obtained.
  • Update of Personal Information
    a. We will periodically update individual personal information in our Information Management System, as appropriate.
  • Information Transfer
    a. As appropriate, we will take reasonable steps to ensure that transfers of an individual’s personal information to third parties or across borders are consistent with the purposes identified to the individual and the contractual obligations that apply to us with respect to such Personal Information. We will require that third parties acting on our behalf (e.g. subcontractors) process personal information in accordance with our instructions and in a manner consistent with the contractual obligations that apply to us.
  • Information Integrity
    a. We have to take reasonable steps to verify that personal information is relevant, accurate, complete and current as is necessary for the purpose for which it is to be used.
  • Information Security
    a. We have to take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration or destruction.
  • Information Retention of Personal Information
    a. We take reasonable steps to ensure that personal information is retained only for as long as needed to meet the purposes for which it was collected, with details as follows:
    b. Employee’s personal information will be retained by ELOSOFT as it deems necessary.
    c. Client’s personal information obtained to support and perform ELOSOFT services will be filed as part of client data and will be retained in accordance with ELOSOFT’s internal policy (1-year retention for hard copies and 5-year retention for digital copies). This includes information obtained when performing background checks of key owners and officers of the Client.
  • Information Retention of Sensitive Information
    a. Elosoft Inc. responsibly retains sensitive data through classification, legal compliance, encryption, access control, secure storage, audits, data minimization, proper disposal, employee training, backup, and incident response. This ensures privacy, security, and legal adherence.
    b. Employee’s sensitive information will be retained by ELOSOFT for as long as he/she is engaged with the Company.
    c. Clients’ sensitive information is collected for the purpose of accessing the application intended for clients’ use.
  • Retention of Facial ID Data on Mobile Devices by Elosoft
    a. Purpose: The purpose of this procedure is to ensure that the facial ID data installed by Elosoft on mobile devices is retained solely in the device used by the student who registered their facial print and is not transmitted or retained in any other manner. The retention is limited to the duration of the review process.
    b. Scope: This procedure applies to all mobile devices equipped with facial ID technology provided by Elosoft and used for student verification during the review process.
    c. Responsibilities:
    • Elosoft: Elosoft is responsible for implementing and maintaining the facial ID system, ensuring that the data is securely stored only on the mobile device, and managing the retention period.
    • Students: Students are responsible for registering their facial print and adhering to the policies and procedures set by Elosoft.
  • Data Retention:
    a. Registration process:
    • When a student registers their facial print using the Elosoft facial ID system, the data will be securely stored only within the mobile device used for registration.
    • The registered facial ID data will not be transmitted to any external servers or devices.
    b. During the review process:
    • The registered facial ID data will remain solely on the mobile device used for registration and will not be transmitted, shared, or retained in any other manner.
    • The facial ID data will be used for verification and authentication solely within the mobile device during the review process.
    c. Retention period:
    • The facial ID data will be retained only for the duration of the review process.
    • Once the review process is complete, the facial ID data will be automatically and securely deleted from the mobile device. No backups or copies will be retained.
  • Security Measures:
    a. Data encryption: The facial ID data will be stored in an encrypted format on the mobile device to ensure its confidentiality and security.
    b. Access control: Only the student who registered their facial print will have access to their own facial ID data on their respective mobile device.
  • Compliance and Privacy:
    a. Elosoft will comply with all relevant data protection regulations and privacy laws to ensure the security and confidentiality of the student's facial ID data.
    b. Elosoft will not transmit, share, or retain the facial ID data outside of the student's mobile device used for registration, unless required by law or with the explicit consent of the student.
  • Monitoring and Review:
    a. Elosoft will periodically review and update this procedure as necessary to maintain its effectiveness and compliance with legal and regulatory requirements.
  • Compliance and Enforcement
    We will address inquiries or complaints regarding personal information promptly and courteously.
  • Security Incident Response Protocol
    The following steps should be followed by all ELOSOFT employees and stakeholders in case of a privacy incident.

    Step 1: Incident Identification
      Action required: Report the privacy incident to the designated response team.
      ELOSOFT Response Team:
      • Regina Maica Apat ([email protected])
      • Gerardo Eloriaga ([email protected])
      • Romeo Luzuriaga ([email protected])
      Timeframe: Immediately upon discovery

    Step 2: Initial Assessment
      Action required: Perform an initial assessment to determine severity and potential impact.
      Timeframe: Within 1 hour

    Step 3: Investigation and Remediation
      Action required: Conduct a thorough investigation, document findings, and implement remediation measures. Prepare the needed documentation related to the guidelines documented on the NPC’s webpage:
      https://www.privacy.gov.ph/exercising-breach-reporting-procedures/
      Timeframe: Within 48 hours

    Step 4: Regulatory Reporting
      Action required: Prepare and submit a report to regulatory bodies if the incident meets reporting criteria.
      Timeframe: Within 72 hours

    Step 5: Communication and Notification
      Action required: Coordinate with stakeholders to determine if affected parties need to be notified, and send notifications as required.
      Timeframe: As soon as reasonably possible

    Step 6: Post-Incident Analysis
      Action required: Conduct a post-incident analysis, identify lessons learned, and implement preventive measures.
      Timeframe: Within 7 days

It is the responsibility of all ELOSOFT employees and clients to know, understand, and comply with this Policy. Failure to comply could result in significant risk to the company and its people, and may subject that individual to disciplinary action, up to and including termination.

If you have any questions or concerns about the interpretation or operation of this policy, please contact our Data Protection Officer at [email protected].