Effective Date: Jan 1 2025

Last Updated: Jan 1 2025

1. Introduction

Sustainable Prosperity Corporation (SPC) is committed to protecting the privacy and security of personal and business data entrusted to us. Our IT-managed services are designed to minimize or eliminate access to client data while ensuring the security, maintenance, and performance of IT infrastructure. This Privacy Policy explains how SPC collects, uses, stores, and protects any information in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and relevant regulations.

2. Scope

This policy applies to:

- SPC’s internal business operations.

- Clients who engage SPC’s IT services.

- Third-party service providers who interact with SPC.

3. Data Collection and Processing

SPC does not access, collect, or store clients’ business data, personal data, or confidential information unless explicitly required for troubleshooting or system management, under the client’s supervision. The minimal data SPC may process includes:

- Client Contact Information (name, email, phone, company name) for service communication.

- IT Asset Details (device type, serial number, system logs) for inventory and troubleshooting.

- System Performance Metrics to maintain IT services.

SPC does not:

- Store or process personal information of client employees or customers.

- Have access to client databases, emails, or confidential files unless required for a specific request with explicit approval.- Retain any data beyond the necessary period to provide IT services.

4. Security Measures

SPC ensures robust security controls, including:

- Access Control: SPC employees do not have default access to client data systems. Any access is limited, logged, and granted on a per incident basis.

- Encryption: Secure handling of IT infrastructure-related data, where applicable.

- Remote Support Protocols: SPC only accesses systems via client-authorized remote sessions with active client supervision.

- Incident Response Plan: If SPC detects a potential security breach in a client’s system, we promptly report and assist in resolution.

5. Data Sharing & Third Parties

SPC does not sell, rent, or disclose client data. Any engagement with third-party IT service providers (e.g., hardware vendors, cloud service providers) follows strict confidentiality agreements.

6. Client Rights & Responsibilities

Clients have the right to:

- Request details on any IT service performed by SPC.

- Restrict access to their systems unless explicitly required.

- Report any security concerns regarding SPC’s service.

Clients are responsible for:

- Managing their own data access controls.

- Ensuring proper cybersecurity hygiene within their organization.

7. Contact Information

For inquiries about this policy, please contact:

Data Protection Officer (DPO), George Su

SPC (Sustainable Prosperity Corporation)

[george.spc@spcph.com] | [+63 917 578 7272]

---

(For Internal Use & Compliance)

1. Purpose

This Data Privacy Manual establishes SPC’s policies for handling data in compliance with the Data Privacy Act of 2012 while ensuring minimal or zero access to client data.

2. Scope

This manual applies to:

- SPC employees, contractors, and service providers.

- Clients using SPC’s managed IT services.

3. Data Privacy Principles

SPC adheres to the following:

- Legitimate Purpose: Any limited data processing is strictly for IT maintenance.

- Transparency: Clients are informed of any IT actions requiring data handling.

- Proportionality: SPC ensures no unnecessary data is accessed or retained.

4. Data Protection Measures

A. Organizational Measures

- Designation of a Data Protection Officer (DPO) to oversee compliance.

- Employee Training on cybersecurity, privacy risks, and confidentiality.

- Non-Disclosure Agreements (NDAs) with all staff to enforce client data protection.

B. Technical Measures

- Access Restrictions: No SPC personnel are granted default access to client data

systems.

- Secure Communication Channels: All IT support communications use encrypted channels.

- Zero-Storage Policy: No client data is stored on SPC’s devices or servers.

C. Physical Measures

- Secure Workstations: SPC’s office environment ensures restricted access to IT support equipment.

- Client Site Protocols: If on-site IT work is needed, personnel follow secure handling

procedures.

5. Data Breach Management

- Immediate Reporting: If an SPC technician identifies a security incident in a client’s system, it must be reported within 24 hours.- Assistance in Resolution: SPC will assist clients in responding to data breaches, but SPC is not liable for client-side security issues.

6. Records Retention and Disposal

- Client contact records: Retained only for service purposes.

- IT maintenance logs: Retained for audit purposes but do not contain sensitive data.

- Secure Disposal: Any temporary access credentials provided by clients are deleted immediately after resolution.

7. Compliance & Audits

- SPC undergoes an annual internal privacy compliance review.

- External audits may be conducted upon client request.

8. Penalties for Non-Compliance

- Employees violating SPC’s data privacy policies are subject to disciplinary action, including termination.

- SPC reserves the right to revise this manual to comply with changing privacy laws.

---

Sincerely,

George Su

Data Privacy Officer0