Cybersecurity Policy

---

At IceRide, we prioritize the security of our users, employees, and business operations. Our Cybersecurity Policy outlines the measures we take to protect data, systems, and networks from unauthorized access, breaches, and other cyber threats. By implementing robust security protocols, we ensure the confidentiality, integrity, and availability of information in our possession. This policy applies to all employees, contractors, and third-party partners of IceRide who access or handle our data and technology infrastructure.

1. PurposeThe purpose of this Cybersecurity Policy is to establish clear guidelines for the protection of the company's data and systems against cyber threats. Our goal is to minimize risks related to data breaches, cyber-attacks, unauthorized access, and other cybersecurity incidents, while ensuring that our services remain operational and secure.

2. ScopeThis policy applies to all employees, contractors, vendors, partners, and any other individuals who have access to IceRide's information systems and data. It covers all devices, networks, platforms, software, and applications used by the company, whether they are owned by IceRide or used under a third-party agreement.

3. Data Protection and EncryptionIceRide is committed to protecting sensitive and personal data through industry-standard encryption protocols. All data in transit and at rest will be encrypted using strong encryption algorithms, including but not limited to AES-256, to ensure the security of data handled by our systems.

4. Access ControlAccess to IceRide's systems and sensitive data is granted based on the principle of least privilege, ensuring that individuals only have access to the information necessary for their role. Multi-factor authentication (MFA) is required for all employees, contractors, and third-party vendors accessing sensitive systems, reducing the likelihood of unauthorized access.

5. Network SecurityWe implement state-of-the-art firewalls, intrusion detection and prevention systems (IDS/IPS), and virtual private networks (VPNs) to monitor and control traffic flowing into and out of IceRide's network. Regular vulnerability assessments and penetration testing will be conducted to identify and mitigate potential risks.

6. Employee Training and AwarenessCybersecurity awareness training is mandatory for all employees, contractors, and third-party partners. The training will cover:

• Recognizing phishing attacks and social engineering tactics
• Safe usage of company devices and the internet
• Secure password management
• Data protection and privacy regulations

Regular training sessions will be provided, and employees must complete refresher courses annually or as new threats arise.

7. Incident Response and ReportingIceRide maintains an Incident Response Plan (IRP) to ensure a swift and coordinated response in the event of a cybersecurity breach or attack. The IRP includes the following steps:

• Identification: Detect and classify the type and severity of the incident.
• Containment: Immediately isolate affected systems to prevent the spread of the attack.
• Eradication: Remove the threat from all affected systems.
• Recovery: Restore affected systems to operational status.
• Post-Incident Review: Conduct a thorough investigation to identify root causes and improve future responses.

Employees are required to report all suspected cybersecurity incidents immediately to the Cybersecurity Response Team (CSRT).

8. Vulnerability ManagementIceRide uses automated tools and manual processes to conduct regular vulnerability scans on all systems and applications. Patches and updates for software and hardware will be applied as soon as they are released by vendors. Critical vulnerabilities must be addressed within 48 hours of detection to minimize risk exposure.

9. Third-Party Vendor SecurityAll third-party vendors and contractors working with IceRide are required to adhere to the same cybersecurity standards outlined in this policy. Vendors must provide documented evidence of their own security protocols and may be subject to regular audits by IceRide.

10. Compliance with Regulatory StandardsIceRide complies with global cybersecurity standards and regulations, including:

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Payment Card Industry Data Security Standard (PCI DSS)
• National Institute of Standards and Technology (NIST) Cybersecurity Framework

We are committed to maintaining compliance and adapting our policies as new regulations or guidelines are introduced.

11. Data Backup and RecoveryIceRide ensures the availability of critical data by implementing a robust data backup and disaster recovery plan. Data is backed up regularly, and recovery tests are conducted quarterly to ensure the reliability of the backup systems.

12. Continuous MonitoringOur cybersecurity team continuously monitors IceRide's systems for any signs of suspicious activity or anomalies. We use Security Information and Event Management (SIEM) tools to collect, analyze, and respond to security alerts in real-time.

13. Data Breach NotificationIn the event of a data breach that could compromise user information, IceRide is committed to notifying affected parties promptly, in accordance with applicable legal requirements, including GDPR, CCPA, and other data protection regulations.

14. Review and UpdatesThis Cybersecurity Policy will be reviewed annually and updated as needed to address emerging threats, new technologies, and changes in legal requirements.

For further inquiries or to report a cybersecurity issue, please contact:

IceRide Cybersecurity Team
Email: cybersecurity@iceinnovations.ai
Address: 5000 CentreGreen Way, Suite 500, Cary, North Carolina 27513