Acceptable Use Policy

SOC 2 Criteria: CC1.1, CC1.4, CC1.5, CC2.2, CC5.2

Keywords: Background Checks, Security Awareness Training, Hard Drive Encryption, Anti-Virus Software

Background

StarTree is committed to ensuring all workforce members actively address security and compliance in their roles at StarTree. We encourage self-management and reward the right behaviors.

Purpose

This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Policy

StarTree policy requires all workforce members to accept and comply with the Acceptable Use Policy. StarTree policy requires that:

• Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.

• Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.

• Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures StarTree has in place. Employees will also have ongoing security awareness training that is audited

• Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any StarTree systems has been removed, as well as ensuring that all company owned assets are returned.

• StarTree and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets

• StarTree will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.

• A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. StarTree reserves the right to terminate employees in the case of serious cases of misconduct.

Procedures

StarTree requires all workforce members to comply with the following acceptable use requirements and procedures, such that:

• All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

• Use of StarTree computing systems is subject to monitoring by StarTree IT and/or Security team.

• Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including companyprovided and BYOD devices, unattended in public.

• Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

• Use only legal, approved software with a valid license installed through a pre-approved application store. Do not use personal software for business purposes and vice versa.

• Encrypt all email messages containing sensitive or confidential data.

• Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

• Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.

• All data storage devices and media must be managed according to the StarTree Data Classification specifications and Data Handling procedures.