Leeway Privacy Policy

OVERVIEW AND SCOPE

This Policy and supporting Procedures are designed to provide Leeway, Inc., a Delaware corporation, and its subsidiaries and affiliates (collectively, "Leeway"), inclusive of Leeway Insurance Services LLC, a subsidiary of Leeway, Inc., with a documented and formalized process for protecting individuals’ privacy. Respect for the privacy of personal and other information is fundamental to Leeway. This privacy policy describes Leeway's collection of personally identifiable information (PII) from users of Leeway's Website ("Website" or "Site"), Leeway's platform, and all related applications, widgets, software, tools, and other services provided by Leeway on which a link to this Policy is displayed (collectively, together with the Website, our "Services"). This Policy also describes Leeway's use and disclosure of such information. By using Leeway's Services, you consent to the collection and use of personally identifiable information in accordance with this policy.


In accordance with mandated organizational security requirements set forth and approved by management, Leeway has established a formal Privacy Policy and Procedures. This comprehensive Policy document is implemented immediately, along with all relevant and applicable Procedures.


PURPOSE


This Policy and supporting Procedures are designed to provide Leeway with a formalized information security and privacy policy to comply with various regulatory and business requirements. Regulatory and contractual requirements relevant to these policies and procedures, and the organization’s approach to meeting these requirements, will be identified, documented, and kept up to date. Compliance with the stated policy and supporting procedures helps ensure the safety and security of all Leeway’s system components within the sensitive data environment as well as any other environments deemed applicable.


SCOPE


This Policy and Procedures cover all system components within the sensitive data environment owned, operated, maintained, and controlled by Leeway. This Policy and Procedures cover all other system components (both internally and externally) that interact with these systems and all other relevant systems.


This Policy and supporting Procedures cover all employees, interns, volunteers, and contractors. (All of these individuals will be referred to as "Employees" throughout this Policy and these Procedures unless otherwise noted.)


Both Policy and Procedures will be made available to all Employees and will be adequately protected from loss of confidentiality, loss of integrity, or improper use. Policies and procedures will be appropriately distributed, accessed, retrieved, or used by authorized employees; securely stored and preserved in a legible form; maintained using version control and retained for as long as required by Leeway’s retention schedule; and disposed of according to Leeway’s Data Handling, Retention, and Disposal policy. Any external documents necessary for the planning and operation of these policies and procedures will be appropriately identified and controlled.


Policies and procedures require employees to sign an acknowledgement that they have read them and agree to abide by them.


MONITORING AND ENFORCEMENT


Leeway periodically monitors adherence to this Policy to help ensure compliance with applicable laws, requirements, and contractual agreements applying to client and consumer data. Leeway will consider the use of automatic measurements and reporting tools to conduct regular reviews. For any non-compliance items identified, managers will review the cause, evaluate corrective actions, implement corrective actions, and review the results of actions to determine effectiveness. Results of reviews and corrective actions will be recorded and maintained.


Penalties for failing to comply with Leeway’s policies and procedures could lead to disciplinary and/or enforcement actions against individuals and lead to sanctions brought against Leeway. Enforcement actions could include civil and/or criminal charges brought against violators depending on the seriousness of the offense.


The organization will identify any potential legal sanctions related to PII processing, including fines from regulatory authorities.


MANAGEMENT COMMITMENT


Leeway’s management is committed to and takes responsibility for implementing appropriate technical and organizational safeguards to ensure the protection of sensitive information (including personally identifiable information or "PII"). Leeway is also committed to demonstrating any processing of sensitive information is in compliance with all applicable regulations. Implemented measures will be reviewed and updated as necessary.


Management supports and is committed to achieving compliance with applicable PII protection regulations and with contractual obligations, agreed between the organization and third parties, that clearly allocate responsibilities. Policies and procedures are developed and maintained with applicable PII protection regulations in mind.


ROLES AND RESPONSIBILITIES


Management


Management will demonstrate commitment to and leadership over Leeway’s security and privacy management systems by ensuring the following:


- Establishment of security and privacy policies and objectives in alignment with Leeway’s strategic direction;
- Integration of security and privacy requirements into Leeway’s processes;
- Availability of security and privacy resources;
- Communication of security and privacy importance to employees, third parties, and both internal and external stakeholders as well as conformity to security and privacy requirements;
- Achievement of the intended outcomes of the security and privacy programs;
- Contribution of direct and support personnel to the effectiveness of the security and privacy programs;
- Continual improvement of the security and privacy programs;
- Support for other management roles in demonstrating leadership applied to their areas of responsibilities;
- Assignment and communication of responsibilities and authorities for the security and privacy programs as well as assurance that the programs conform to regulatory or contractual requirements with reports of performance provided to management; and
- Establishment of adequate monitoring and enforcement of policies and procedures.

Privileged Users


Privileged users are employees with elevated access to systems (such as system administrators) or individuals with assigned roles and responsibilities related to security and privacy. Privileged users are required to abide by and understand their assigned responsibilities related to their elevated access rights along with their limitations in using these privileges. Privileged users must understand their obligations and liabilities in utilizing their privileges and ensure that they abide by separation of duties related to security and privacy activities.


Employees


Employees are responsible for abiding by and understanding all Leeway’s policies and procedures related to security and privacy. Employees are required to sign an acknowledgement that they have read and will abide by these policies and procedures. Employees will be subject to disciplinary actions, up to and including termination, for failing to abide by these policies and procedures.


Third Parties


Third parties, such as external service providers, are responsible for abiding by Leeway’s policies and procedures related to security and privacy. Third parties must sign agreements with Leeway concerning their responsibilities for implementing safeguards to protect the security and privacy of data provided by Leeway. Third parties failing to abide by these security and privacy requirements may be subject to legal actions, including the termination of contracts for services.


AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION


PROCESSING AUTHORITY


Leeway may process sensitive information, including PII, as a part of its operations across the information life cycle. Processing includes, but is not limited to, the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, reception, transmission, and disposal of information. Processing also includes logging, generation, transformation, and analysis techniques like data mining.


Leeway will abide by relevant laws establishing its authority or limitations on processing certain types of personally identifiable information and will establish related processing requirements according to contractual obligations. Leeway will consult with legal counsel regarding the authority to process information across multiple jurisdictions. Leeway will be governed by its privacy policies and procedures related to processing that consider all laws, contracts, and other privacy related requirements.


Leeway will determine and document the authority permitting the organization to process personally identifiable information and will restrict any processing of personally identifiable information that is not authorized. Privacy risks may still be present even though processing is performed on a legal basis. Privacy risk assessments will be performed to identify any associated privacy risks, and solutions to manage such risks will be determined. Where possible, Leeway, Inc. will attach data tags containing the authorized processing to elements of personally identifiable information.

Leeway processes end user information in accordance with Plaid's End User Privacy Policy.


INDIVIDUAL REQUESTS


Leeway will provide a copy of the personal data undergoing processing. For any additional copies requested by the individual, Leeway may charge a reasonable fee based on administrative costs. If the individual makes the request via electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested by the individual. The right to obtain a copy of the personal data must not adversely affect the rights or freedoms of another individual.


ACCESS


Leeway permits individuals to determine whether it maintains personally identifiable information about them, and upon request, the individual may obtain access to their personally identifiable information. Leeway will verify and authenticate the identity of individuals who request access to their personally identifiable information before they are given access to the information.


Leeway will provide personally identifiable information to the individual in an understandable form, in a reasonable timeframe, and at a reasonable cost.


Leeway may deny an individual access to or a request to change their personally identifiable information based on regulatory requirements and will inform the individual of the denial along with the reason for the denial in a timely manner, unless prohibited by regulations.


CORRECTION AND UPDATE


Leeway will permit individuals to update or correct personally identifiable information held by the organization and will provide such updates or corrected information to third parties that were previously provided with the individual’s personally identifiable information. Taking into account the purposes of the processing, the individual has the right to have incomplete personal data completed, including by means of providing a supplementary statement.


Leeway may deny an individual access to or a request to change their personally identifiable information based on regulatory requirements and will inform the individual of the denial along with the reason for the denial in a timely manner, unless prohibited by regulations.

DELETION


Leeway will capture requests for deletion of personally identifiable information and information related to requests will be identified and flagged for destruction to meet the organization’s objectives related to privacy. Leeway will provide notification of such deleted information to third parties that were previously provided with the individual’s personally identifiable information consistent with the organization's objectives related to privacy.


Individuals have the right to obtain from the organization the erasure of their personal data without undue delay. Leeway is obligated to erase personal data without undue delay where one of the following applies:


- The personal data is no longer necessary in relation to the purposes for which the personal data was collected and/or processed;
- The individual withdraws the consent on which the processing is based and there is no other legal ground for processing;
- The individual objects to processing and there are no legitimate grounds for overriding the processing, or the individual objects to processing data that has no compelling legitimate grounds for being processed;
- The personal data has been unlawfully processed;
- The personal data has to be erased for compliance with legal obligations; or
- The personal data has been collected in relation to the offer of information society services.


Where Leeway has made the personal data public and is obligated to erase the personal data, the organization will take reasonable steps (e.g., considering available technology and cost of implementation), including technical measures, to inform other organizations processing the personal data that the individual has requested the erasure of their personal data.


Leeway may deny the request of erasure if processing of personal data is necessary for the following reasons:


- For exercising the right of freedom of expression and information;
- For compliance with legal obligations;
- For reasons of public interest in the area of public health;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the right to erasure is likely to render impossible (or seriously impair) the achievement of the objectives of the processing; or
- For the establishment, exercise, or defense of legal claims.


OBJECTIONS


Leeway will honor the right of the individual to object to processing of their personal data, including processing based on profiling. Leeway will no longer process the personal data unless the organization can demonstrate compelling legitimate grounds for the processing that override the interests, rights, or freedoms of the individual, or grounds for the establishment, exercise, or defense of legal claims.


Where personal data is processed for direct marketing purposes, the individual has the right to object at any time to processing of their personal data for such marketing, including profiling to the extent it is related to such direct marketing. The personal data shall no longer be processed for marketing purposes based on an individual’s objection.


The right to object will be brought to the individual’s attention at the time of first communication with the individual and will be presented in a clear and separate form from any other information.


In the context of information society service use, the individual may exercise their right to object by automated means using technical specifications.


Where personal data is processed for scientific or historical research purposes or statistical purposes, the individual has the right to object to processing of their personal data unless the processing is necessary for the performance of a task carried out in the public interest.


Leeway will identify and document the purposes for processing personally identifiable information. This enables individuals to make informed decisions and manage their privacy interests. The purpose of processing will be described in the public privacy notices and related privacy procedures. Leeway will restrict processing of personally identifiable information to only that which is compatible with the identified purposes. Leeway will monitor for changes in processing and consult with the Data Protection Officer or other legal counsel to ensure any new processing is still compatible with the original purpose. If information that was previously collected is to be used for purposes not previously identified in the privacy notice, Leeway will document the new purpose, notify the individual, and obtain implicit or explicit consent prior to such new use or purpose.


Leeway will monitor changes in processing personally identifiable information and implement mechanisms to ensure that any changes are made in accordance with defined requirements.


Where possible, the organization will attach data tags containing purposes to elements of personally identifiable information for defined processing purposes.


The organization will track processing purposes of personally identifiable information using automated mechanisms.


The organization will ensure that contracts in place to process PII address the organization’s role in providing any assistance to its customers related to their obligations with processing, taking into account the nature of processing and information available to the organization. Leeway, Inc. will only process PII on behalf of a customer for the purposes expressed in documented instructions by the customer.


COLLECTION


Leeway will limit the collection of personally identifiable information to what is necessary to meet the organization’s objectives. The methods of collecting PII will be reviewed by management prior to implementation to confirm that PII is obtained fairly, without intimidation or deception, and lawfully, in adherence to all relevant rules of law.

Leeway will inform individuals if the organization develops or acquires additional information about them for its use.


USE AND DISCLOSURE


Leeway uses personally identifiable information only as is authorized and only at the minimum necessary level required by the organization to meet service level obligations, contractual obligations, or regulatory requirements.

RETENTION

Leeway will retain PII only as long as required or according to the organization’s retention schedule as may be required by regulatory or contractual obligations.

SAFEGUARDS

Leeway must define and approve where sensitive information (including PII) will be stored. Sensitive information will be kept to a minimum as may be required for business or legal purposes and retained only as long as needed according to the data retention schedule.

Leeway must implement technical measures to protect the confidentiality and integrity of sensitive information at rest or stored in approved locations according to regulations. This sensitive information will be rendered unusable, unreadable, or indecipherable in any electronic form in which it is stored, using any of these techniques:

- Enforcing mandatory full disk encryption on laptops or other mobile devices where supported;
- Note: If disk encryption is utilized, logical access must be managed independently of the operating system and any decryption keys must not be tied to user accounts.
- Encrypting virtual disks;
- Encrypting disk volumes; or
- Encrypting specific files or folders.


Leeway will utilize strong encryption technology such as one-way hashes, truncation, or other strong cryptography with key management. Approved encryption algorithms include those meeting FIPS 140-2 standards, such as the Advanced Encryption Standard (AES, with a minimum 128-bit key length) and the Triple Data Encryption Algorithm (Triple DES). The organization will document the rationale and the approval of the CISO for any cases where encryption is not reasonable or appropriate.
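As an added illustration of the safeguards above (example code, not Leeway's own), this Go block enforces the 128-bit AES key minimum before a PII element is encrypted at rest with AES-GCM, and shows the one-way hash option as an HMAC-SHA256 lookup token. The key source, the pepper, and the sample values are assumed or constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Policy minimum from the safeguards section: AES with at least a 128-bit key.
const minAESKeyBits = 128
// ErrWeakKey is returned before any data is touched when the key is below policy.
var ErrWeakKey = errors.New("key shorter than policy minimum of 128 bits")

// Vault wraps AES-GCM; the key is assumed to come from a separate key store, never a user account.
type Vault struct{ aead cipher.AEAD }

// NewVault enforces the key-length policy, then builds the cipher.
func NewVault(key []byte) (*Vault, error) {
	if len(key)*8 < minAESKeyBits {
		return nil, ErrWeakKey
	}
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Encrypt renders a PII element unreadable at rest: nonce || ciphertext || tag.
func (v *Vault) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; any alteration of the stored record makes Open fail.
func (v *Vault) Decrypt(record []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return v.aead.Open(nil, record[:n], record[n:], nil)
}

// LookupToken is the one-way hash option: an HMAC-SHA256 tag that lets a value be matched later without storing it readable.
func LookupToken(pepper, value []byte) string {
	mac := hmac.New(sha256.New, pepper)
	mac.Write(value)
	return hex.EncodeToString(mac.Sum(nil))
}
```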