Customer Information Ownership and Confidentiality Policy
ARTICLE 1: Objective
To define guidelines for handling customer property and the confidentiality of information accessed daily as part of SmartSoft S.A.’s operations. The goal is to maintain the integrity of customer data and ensure the proper care of customer property that is accessed or handled.
ARTICLE 2: Scope
This regulation applies to all SmartSoft S.A. personnel who access customer information through on-premises and/or cloud environments, documentation provided by the customer, database access, sensitive information, and all data accessed through SmartSoft’s operations.
ARTICLE 3: Responsible Areas
The following departments and their respective managers are designated as responsible for ensuring compliance with this policy: PMO Management, Development Management, Human Resources Management, Business Development Management, Integrations Department, Customer Care Department, Financial Management, and General Management.
ARTICLE 4: General Provisions
SmartSoft S.A. defines all confidential information and customer property under this policy as all oral or written information shared by customers, whether in physical or digital formats, including technical, financial, commercial, strategic information, project documents, project definitions, reports, technical specifications, databases, and other documents prepared by SmartSoft or the customer deemed confidential by nature.
ARTICLE 5: Information Confidentiality
Each employee must understand that:
- Customer information may only be shared with SmartSoft S.A. employees when necessary for their job functions.
- Employees may only use the information provided by the customer to fulfill their duties and must delete the information from their devices once the tasks are completed.
- SmartSoft S.A. may use sensitive data to create general statistical reports, including but not limited to the number of transactions performed by the customer each month.
- Information obtained from customers must be stored only in the company’s official repositories (Confluence, JIRA, SharePoint, OneDrive). Any document containing sensitive information stored on employees’ devices must be deleted once their tasks are completed.
- When an employee recognizes they have access to sensitive customer information or is informed by the customer that the information provided is sensitive, they must notify by email that they are receiving sensitive information, that it will be treated as such, and that it will be deleted once its use is completed.
- When sending customers information related to rules, definitions, requirements, data mappings, formats, or any other sensitive information, it must be indicated by email that the information is sensitive and should be used only for work purposes.
- All SmartSoft employees are obligated to understand and comply with the confidentiality agreement provided at the beginning of their employment relationship.
ARTICLE 6: Information Ownership and Use
- All data transferred, stored, or downloaded is the exclusive property of the customer and should not be used for any purpose other than work-related purposes.
- Customer-owned information must not be shared with anyone outside of SmartSoft S.A.
- Information of one customer must not be shared with another SmartSoft S.A. customer.
- In case of any unauthorized use or privacy violation of confidential information, the discovering party must immediately inform the other party and cooperate by all reasonable means to regain control and possession of the compromised confidential information and prevent its unauthorized use or disclosure.
- If a specific security risk concerning sensitive data is identified, the employee must communicate it to their superiors.
- If a security risk and/or information loss is confirmed, SmartSoft S.A. must inform the customer through the communication channels established in the contract.
ARTICLE 7: Use of Resources for Work Activities
- Customer Equipment: These devices should only be used for work purposes related to the customer providing the equipment. It is strictly prohibited to store SmartSoft S.A. information, personal information, personal email accounts, social networks, data or information of other customers, or information directly related to any crime (drugs, pornography, abuse, etc.). Only the email account created by the customer for the employee may be accessed to carry out their duties.
- SmartSoft Equipment: It is strictly prohibited to store personal information, personal email accounts, social networks, or information directly related to any crime (drugs, pornography, abuse, etc.). Only personal information related to studies or training is allowed. The employee must comply with the guidelines established in the «Internal Policy for the Use of IT Resources at SmartSoft.»
- Rented Equipment: For personal devices used for work purposes, prior authorization from the immediate supervisor is required, specifying the duration of the permission. The immediate supervisor is responsible for validating conditions at the permission’s expiration. The employee must comply with the guidelines in the «Internal Policy for the Use of IT Resources at SmartSoft» and avoid practices against the computer crime laws of their country.
ARTICLE 8: Reporting Damage or Deterioration of Customer-Provided Equipment
If any equipment or information provided by a SmartSoft S.A. customer is damaged or deteriorates, the immediate supervisor of the employee assigned to the equipment or access must inform the customer through the contract-established communication channels for further instructions.
ARTICLE 9: Policy Non-Compliance
Violations of the rules and provisions set forth in this policy regarding the use of customer property and information confidentiality may result in disciplinary or legal actions by SmartSoft S.A.
Therefore, everyone working for SmartSoft S.A. must ensure the care and confidentiality of the information they access as part of their job functions, as per Article 71 of the Labor Code of the Republic of Costa Rica, subsection c, Law 8968 on data protection, and Law 8039 on intellectual property rights enforcement procedures. The company will hold the user accountable for any consequences arising from non-compliance with the policies and rules established in this document.
SmartSoft S.A. reserves the right to periodically evaluate compliance with this regulation. Any disciplinary action resulting from non-compliance (such as warnings, suspensions, or dismissals) will be considered according to the procedures established by the company and in strict accordance with Law 9048 on Computer Crimes and the Labor Code of the Republic of Costa Rica as applicable.
Users who fail to correctly use customer property and maintain the confidentiality of information will be directly responsible for the legal sanctions resulting from their actions.
This policy takes effect from the date of authorization signed in San José on September 20, 2021.
This policy is linked to the Sentinel Cloud contracts as follows:
- Clause IV.7. SmartSoft Obligations
Comply with SMARTSOFT’s privacy policies, which form an integral part of this Agreement and are available at https://soysentinel.com/customer-policy/, as updated from time to time.
- Clause XVII. Data Protection
Notwithstanding the foregoing, the collection and use of Sensitive Data will be conducted in accordance with SMARTSOFT’s Privacy Policy, available at https://soysentinel.com/customer-policy/ and updated from time to time. Any information provided by the CUSTOMER to SMARTSOFT during the Platform and Services implementation process, aside from Sensitive Data, will be treated in accordance with the «Confidentiality» clause and the confidentiality agreement signed by the parties.