Wilmore Holdings Inc.

Security Policies

• Access Control Policy
• Data Classification and Encryption Policy
• Incident Response Policy
• Vulnerability and Threat Management Policy
• Personal Data Protection Policy
• Privacy Policy
• Data Subject Requests Policy
• Data Breach Notification Policy
• Data Retention and Deletion Policy

Effective Date: February 25, 2026
Version: 1.0
Company: Wilmore Holdings Inc.

---

1. Purpose

This Information Security & Data Protection Policy establishes the framework by which Wilmore Holdings Inc. protects personal data, customer information, and company systems. The objective is to ensure confidentiality, integrity, and availability of information while maintaining compliance with contractual and legal obligations.

2. Scope

This policy applies to all systems, devices, infrastructure, and personnel involved in processing or accessing company or customer data.

3. Access Control & Least Privilege

Access to systems and personal data is restricted based on role and business necessity. Users are granted the minimum permissions required to perform their duties.

• Administrative privileges are limited.
• Access requires documented business justification.
• Permissions are reviewed periodically.
• Shared credentials are avoided.

4. Security Baseline Controls

The organization maintains operational security controls including:

• Strong password complexity requirements.
• Multi-factor authentication where supported.
• Automatic screen locking on company-managed devices.
• Secure device configurations.
• Routine software and system updates.

5. Data Classification & Encryption

Information is categorized according to sensitivity and business impact.

• Sensitive data transmitted externally is protected using secure protocols such as HTTPS/TLS.
• Data at rest is protected using encryption mechanisms provided by hosting and infrastructure providers where supported.

6. Vulnerability & Threat Management

Systems are maintained to reduce exposure to known threats.

• Software updates and security patches are applied regularly.
• Systems are monitored for suspicious or unauthorized activity.
• Identified vulnerabilities are prioritized and remediated within reasonable timeframes.

7. Incident Response

Security incidents are handled according to defined procedures.

• Incidents are identified, assessed, and contained promptly.
• Root cause analysis is conducted where appropriate.
• Corrective actions are implemented to prevent recurrence.

8. Data Breach Notification

If a suspected or confirmed incident impacts personal data:

• An internal investigation is conducted immediately.
• Relevant stakeholders, sellers, or partners are notified as required by law or contractual obligations.
• Remediation measures are implemented to mitigate impact.

9. Personal Data Protection

Personal data is processed only for legitimate business purposes.

• Data minimization principles are applied.
• Access is restricted to authorized personnel.
• Personal data is not sold.

10. Data Retention & Deletion

Customer data is retained only as long as necessary to fulfill operational, contractual, or legal obligations.

• Upon termination of services, customer data in our possession is deleted within a reasonable timeframe unless retention is legally required.
• Deletion processes are designed to prevent unauthorized recovery.

11. Policy Review

This policy is reviewed periodically and updated as necessary to reflect operational, legal, or regulatory changes.

12. Contact

For security or privacy inquiries, please contact:
[email protected]