Data retention policy
All records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged, including inter-departmental changes. All company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines.
For all data and records obtained, used and stored within Instatus, we:
- Carry out periodical reviews of the data retained with specific checks on purpose, continued validity, accuracy and requirement to retain
- Establish periodical reviews of data retained
- Establish and verify retention periods for the data, with special consideration given to the areas below:
* the requirements of the Company
* the type of personal data
* the purpose of processing
* lawful basis for processing
* the categories of data subjects
Where it is not possible to define a statutory or legal retention period, as per the GDPR requirement, the Company will identify the criteria by which the period can be determined and provide this to the data subject on request and as part of our standard information disclosures and privacy notices.
- Have processes in place to ensure that records pending audit, litigation or investigation are not destroyed or altered
- Transfer paper-based records and data to an alternative media format in instances of long retention periods (with the lifespan of the media and the ability to migrate data where necessary always being considered)
Data archiving and removal policy
All information of a confidential or sensitive nature on paper, card, microfiche or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers.
The Company is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations, and to doing so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions made in the General Data Protection Regulation (GDPR) and that staff are trained and advised accordingly on the procedures and controls in place.
7.1.1 Paper Records
Due to the nature of our business, the Company retains paper-based personal information and, as such, has a duty to ensure that it is disposed of in a secure, confidential and compliant manner. The Company utilises [Onsite-Shredding or A Professional Shredding Service Provider] to dispose of all paper materials.
Employee shredding machines and confidential waste sacks are made available throughout the building, and where we use a service provider for large disposals, regular collections take place to ensure that confidential data is disposed of appropriately.
7.1.2 Electronic & IT Records and Systems
The Company uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets must be disposed of and, due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.
The deletion of electronic records must be organised in conjunction with the IT Department, who will ensure the removal of all data from the medium so that it cannot be reconstructed. When records or data files are identified for disposal, their details must be provided to the designated owner to maintain an effective and up-to-date register of destroyed records.
Only the IT Department can authorise the disposal of any IT equipment and they must accept and authorise such assets from the department personally. Where possible, information is wiped from the equipment through use of software and formatting; however, this can still leave imprints or personal information that is accessible, and so we also comply with the secure disposal of all assets.
In all disposal instances, the IT Department must complete a disposal form and confirm successful deletion and destruction of each asset. This must also include a valid certificate of disposal from the service provider removing the formatted or shredded asset. Once disposal has occurred, the IT Department is responsible for liaising with the Information Asset Owner and updating the Information Asset Register for the asset that has been removed.
It is the explicit responsibility of the asset owner and IT Department to ensure that all relevant data has been sufficiently removed from the IT device and backed up before requesting disposal and/or prior to the scheduled pickup.
7.1.3 Internal Correspondence and General Memoranda
Unless otherwise stated in this policy or the retention periods register, correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support (i.e. where a memo pertains to a contract or personal file, the relevant retention period and filing should be observed).
Where correspondence or memoranda do not pertain to any documents that have already been assigned a retention period, they should be deleted or shredded once the purpose and usefulness of the content ceases or, at a maximum, 2 years.
Examples of correspondence and routine memoranda include (but are not limited to):
- Internal emails
- Meeting notes and agendas
- General inquiries and replies
- Letters, notes or emails of inconsequential subject matter
Data storage policy
Documents are grouped together by category and then in clear date order when stored and/or archived. Documents are always retained in a secure location, with authorised personnel being the only ones to have access. Once the retention period has elapsed, the documents are either reviewed, archived or confidentially destroyed, depending on their purpose, classification and action type.
Data center location(s)
United States
Data hosting details
Cloud hosted
App/service has sub-processors
yes
Guidelines for sub-processors