ERMITS ADVISORY SERVICES PRIVACY POLICY

Cybersecurity Advisory Services:

• CMMC consulting and readiness assessments
• Cybersecurity program development and maturity assessments
• Incident response planning and tabletop exercises
• Security architecture review and recommendations
• Vulnerability management program development

Compliance Advisory Services:

• NIST SP 800-171 compliance consulting
• DFARS compliance guidance
• HIPAA Security Rule consulting
• Privacy compliance advisory (GDPR, CCPA/CPRA, PIPEDA)
• Policy and procedure development

Third-Party Risk Management Advisory:

• Vendor risk assessment consulting
• Supply chain security advisory
• Third-party due diligence support
• Vendor security questionnaire development

Privacy Advisory Services:

• Privacy program development
• Data Protection Impact Assessments (DPIA)
• Privacy by Design consulting
• Data breach response and notification advisory
• Privacy policy development

Strategic Advisory Services:

• Executive advisory and virtual CISO services
• Cybersecurity roadmap development
• Budget planning and resource allocation guidance
• Technology selection and vendor evaluation support
• Board-level reporting and communication strategies

Cybersecurity Assessment Information:

• Current security controls and implementations
• Network architecture diagrams and documentation
• Security policies, procedures, and standards
• Incident response plans and documentation
• Vulnerability scan results and penetration test reports
• Security tool configurations and logs (sanitized/anonymized)

Compliance Assessment Information:

• System Security Plans (SSPs)
• Plans of Action and Milestones (POA&Ms)
• Compliance documentation and evidence
• Audit findings and remediation status
• Policy and procedure documents
• Training records and certification status

Risk Assessment Information:

• Business context and critical assets
• Threat landscape and risk tolerance
• Existing risk registers and assessments
• Vendor and third-party relationships
• Business continuity and disaster recovery plans

Privacy Assessment Information:

• Data inventory and data flow mapping
• Privacy policies and notices
• Data processing activities (Article 30 records)
• Data Protection Impact Assessments (DPIAs)
• Data subject request procedures
• Privacy incident history

Organizational Information:

• Business processes and workflows
• IT infrastructure and technology stack
• Organizational roles and responsibilities
• Budget and resource constraints
• Strategic objectives and priorities

Provide Advisory Services:

• Conduct assessments and evaluations per SOW
• Develop recommendations and strategic guidance
• Produce deliverables (reports, roadmaps, policies, procedures)
• Present findings and recommendations to stakeholders
• Answer questions and provide clarifications
• Support implementation of recommendations (if contracted)

Quality Assurance:

• Internal review of deliverables for accuracy and completeness
• Technical review by subject matter experts
• Engagement oversight by senior advisors
• Compliance with professional standards

Client Communication:

• Project status updates and milestone notifications
• Scheduling meetings and coordination
• Deliverable transmission and review
• Issue escalation and resolution
• Post-engagement support during warranty period

Billing and Payment:

• Generate invoices based on engagement terms
• Process payments and maintain financial records
• Track project hours and expenses (for time-and-materials engagements)
• Comply with tax and accounting requirements

Engagement Management:

• Resource allocation and consultant assignment
• Project timeline and milestone tracking
• Scope management and change control
• Contract compliance and deliverable tracking

Legal and Compliance:

• Comply with legal obligations and regulations
• Respond to lawful requests from authorities
• Enforce contracts and protect legal rights
• Maintain professional liability insurance requirements
• Comply with industry professional standards

Improve Services:

• Identify common client challenges and needs
• Develop new service offerings and methodologies
• Refine assessment frameworks and tools
• Train and develop consultant capabilities

Research and Thought Leadership:

• Publish anonymized case studies (with explicit client permission)
• Develop industry reports and white papers
• Contribute to industry standards and best practices
• Present at conferences and professional events

With Your Consent:

• Sharing deliverables with your designated third parties
• Joint presentations with your technology vendors
• Collaboration with your legal counsel or other advisors
• Case studies or testimonials (with explicit written permission)

Service Providers (Under NDA):

• Secure file sharing platforms (Supabase, encrypted storage)
• Payment processors (Stripe for invoicing)
• Document collaboration tools (as needed for engagement delivery)
• Professional liability insurance carriers (for coverage verification)

Subcontractors and Specialists:

• Technical specialists providing niche expertise
• All subcontractors bound by equivalent confidentiality terms
• Client notification and approval for subcontractor involvement
• ERMITS remains responsible for subcontractor confidentiality

Legal and Regulatory Requirements:

• Court orders, subpoenas, or legal process
• Regulatory investigations or examinations
• National security requests (where legally required)
• Professional standards board inquiries

References:

• We may request your permission to list you as a client reference
• You may decline or specify limited reference scope
• References provided only with your explicit consent
• You may withdraw consent at any time

Case Studies:

• Require explicit written permission before publication
• Client review and approval of all content before publication
• Option to be identified or remain anonymous
• Right to request removal of published case studies

Our Commitments:

• Notify you promptly of requests (when legally permitted)
• Challenge overbroad or improper requests
• Provide minimum information required by law
• Seek protective orders for sensitive information
• Document all disclosures for your records

Limitations:

• Cannot notify if legally prohibited (e.g., national security letters)
• Cannot refuse legally valid court orders
• Must comply with regulatory examination requests
• Professional standards may require disclosure in limited circumstances

Immediate Response (0-24 hours):

• Containment and isolation of affected systems
• Assessment of scope and impact
• Notification to affected clients within 24 hours
• Engagement of incident response procedures

Investigation (24-72 hours):

• Forensic analysis of incident
• Determination of data affected
• Root cause identification
• Evidence preservation

Notification (Within 72 hours):

• Formal written notification to affected clients
• Details of incident, data affected, and remediation steps
• Recommendations for client protective measures
• Ongoing communication and updates

Remediation:

• Implementation of corrective measures
• Enhanced security controls
• Post-incident review and lessons learned
• Updated security procedures

Warranty Period (Typically 90 days):

• Full engagement file retained for issue resolution
• Client access to consultants for questions and clarifications
• Errata or corrections to deliverables if needed

Professional Standards Period (3 years):

• Core deliverables and supporting documentation retained
• Required for professional liability insurance
• Support for quality assurance and peer review
• Evidence of professional standards compliance

Legal Compliance Period (7 years):

• Financial records and invoices
• Contracts and Statements of Work
• Core deliverables (final reports)
• Required by tax regulations and professional standards

Automated Deletion:

• Working documents deleted after 3 years
• Communications purged from email systems
• Encrypted files deleted and keys destroyed

Verified Deletion:

• Secure data wiping (DoD 5220.22-M standard)
• Physical document shredding (cross-cut, unrecoverable)
• Certificate of destruction available upon request

Early Deletion Requests:

• Clients may request early deletion of data
• Subject to legal and professional standard requirements
• Cannot delete financial records (7-year requirement)
• Cannot delete documents under legal hold
• Deletion typically completed within 30 days of request

Right to Access:

• Request copies of all information we hold about you or your organization
• Receive engagement files and working documents
• Obtain documentation of data processing activities
• Request: privacy@ermits.com

Right to Rectification:

• Correct inaccurate information in our records
• Update contact information or organizational details
• Request corrections to deliverables (during warranty period)
• Turnaround: 10 business days

Right to Deletion:

• Request deletion of information (subject to legal/professional requirements)
• Cannot delete financial records (7-year legal requirement)
• Cannot delete documents under legal hold
• Deletion completed within 30 days (where legally permissible)

Right to Restrict Processing:

• Request limitation of data use
• Object to specific processing activities
• Suspend processing pending dispute resolution

Right to Data Portability:

• Receive engagement data in machine-readable format (JSON, XML, CSV)
• Transfer data to another service provider
• Provided at no charge within 30 days

Right to Object:

• Object to processing for research or thought leadership
• Opt out of anonymized data aggregation
• Decline reference or case study requests

Legal Basis for Processing:

We process your data based on:

• Contract: To perform advisory services under our engagement agreement
• Legitimate Interests: Professional standards compliance, quality assurance, legal compliance
• Consent: For case studies, testimonials, marketing communications (explicit opt-in)
• Legal Obligation: Tax compliance, regulatory requirements, legal process

Right to Lodge a Complaint:

• File complaint with your local Data Protection Authority (DPA)
• EU: Find your DPA at https://edpb.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner's Office (ICO) - https://ico.org.uk
• Switzerland: FDPIC - https://www.edoeb.admin.ch

Data Protection Officer:

• Contact: privacy@ermits.com
• Subject: "GDPR Inquiry - Advisory Services"

Right to Withdraw Consent:

• Withdraw consent for optional processing anytime
• Does not affect processing based on contract or legal obligation
• Does not invalidate prior processing conducted with consent

Right to Know:

• Categories of personal information collected
• Sources of personal information
• Business purposes for collection
• Categories of third parties with whom we share information
• Specific pieces of personal information collected

Right to Delete:

• Request deletion of personal information (subject to exceptions)
• Exceptions: Contract performance, legal compliance, professional standards

Right to Opt-Out of Sale:

ERMITS Advisory Services does not sell client information

• We have not sold personal information in the past 12 months
• We will not sell your information in the future

Right to Non-Discrimination:

• Equal service quality regardless of privacy rights exercise
• No penalties for exercising privacy rights

Authorized Agent:

• May designate an authorized agent to make requests
• Agent must provide written authorization
• We may require identity verification

Submit Requests:

• Email: privacy@ermits.com (Subject: "CCPA Request - Advisory Services")

How to Submit Requests:

Verification Process:

• Email verification to registered contact
• Additional verification for sensitive requests (government ID, contract details)
• Authorized representatives must provide written authorization

Response Timeline:

• Initial acknowledgment: 10 business days
• Complete response: 30 days (GDPR), 45 days (CCPA)
• Extensions: May extend with notice for complex requests

No Cost:

• First two requests per year are free
• Reasonable fees for excessive or repetitive requests

Processed in:

• United States (primary operations)
• European Union (EU-based consultants for EU clients)
• Canada (Canadian consulting team)

Stored in:

• United States (encrypted cloud storage - Supabase US)
• European Union (optional EU data residency for EU clients)
• Client-designated locations (for on-premises engagements)

Standard Contractual Clauses (SCCs):

• European Commission-approved SCCs (Decision 2021/914)
• Module Two (Controller to Processor) for subprocessors
• Module One (Controller to Controller) for consulting relationships
• Full text available upon request: privacy@ermits.com

UK International Data Transfer Addendum:

• UK Addendum to EU SCCs for UK clients
• Compliance with UK GDPR requirements
• Approved by UK Information Commissioner's Office (ICO)

Swiss Data Transfer Mechanisms:

• Swiss-adapted Standard Contractual Clauses
• Compliance with Swiss Federal Data Protection Act (FADP)
• Swiss FDPIC-approved transfer mechanisms

Additional Safeguards:

• End-to-end encryption for all data transfers
• Access controls and authentication (MFA, RBAC)
• Data minimization (collect only what's necessary)
• Regular security assessments and audits
• Incident notification within 72 hours
• Client notification of government access requests (when legally permitted)

EU Data Residency (Available):

• EU-based consultants for EU client engagements
• Data stored in EU regions only (Supabase EU - Frankfurt)
• No transfer to United States (unless client authorizes)
• Request at engagement initiation: privacy@ermits.com

On-Site Engagements:

• Consultant travel to client location
• Data processed and stored at client facilities
• No transmission to ERMITS infrastructure (if preferred)
• Client retains complete control of data

Client-Controlled Storage:

• Store all engagement data on client-provided infrastructure
• ERMITS access via secure VPN or on-site only
• No ERMITS cloud storage used
• Available for sensitive engagements (CUI, classified, ITAR)

Business Associate Agreement (BAA):

• Required before any access to Protected Health Information (PHI)
• Executed as part of engagement contract
• HIPAA-compliant safeguards implemented
• Request: privacy@ermits.com

PHI Handling:

• PHI accessed only as necessary for engagement scope
• Minimum necessary standard applied
• PHI not stored on ERMITS infrastructure (processed at client site)
• Encrypted transmission if PHI must be transmitted
• Breach notification within 48 hours

Recommended Approach:

• Use de-identified or anonymized data for assessments (when possible)
• On-site consulting to avoid PHI transmission
• Client retains all PHI on client-controlled systems
• ERMITS access via secure client VPN only

Your Responsibilities:

• Determine if BAA is required for engagement scope
• Execute BAA before PHI access
• Provide HIPAA training to ERMITS consultants (if required)
• Supervise consultant access to PHI
• Report breaches involving PHI per HIPAA Breach Notification Rule

Special Protections:

• No access to customer financial data or payment card information
• No storage of financial records on ERMITS systems
• Consultants sign confidentiality agreements acknowledging SOX requirements
• Support for SOX 404 compliance assessments (IT general controls)

Compliance Support:

• Advisory services designed to support GLBA, SOX, PCI-DSS compliance
• No certification or attestation authority (recommend third-party auditors)
• Deliverables may be used to support compliance programs
• Professional services do not constitute audit or assurance

Restrictions:

• Do not process payment card data (PCI data)
• Do not access customer personally identifiable information (PII)
• Financial records reviewed on-site or via sanitized/anonymized samples
• Client retains all sensitive financial data

Attorney-Client Privilege Protection:

• ERMITS may be engaged by your legal counsel to provide technical consulting
• Work product prepared at counsel's direction may be privileged
• Communications routed through legal counsel to preserve privilege
• Disclosure restrictions to protect privilege

Our Role:

• Technical advisor to legal counsel
• Consultant under attorney work-product doctrine
• No independent client relationship (engagement through counsel only)

Maintaining Privilege:

• Clearly identify counsel as client in engagement documents
• Route all communications through legal counsel
• Mark documents "Attorney-Client Privileged - Prepared at Request of Counsel"
• Limit disclosure to preserve privilege

Not Legal Advice:

• ERMITS provides technical and cybersecurity consulting only
• We are not attorneys and do not provide legal advice
• Legal counsel responsible for legal advice and strategy
• Consult your attorney regarding privilege protections

Material Changes:

• 30 days' advance notice via email to active clients
• Opportunity to discuss changes with your account manager
• Option to terminate engagement if you object to changes (during active engagement)

Non-Material Changes:

• Update "Last Updated" date
• Effective immediately upon posting
• Notification in next scheduled client communication

General Privacy Questions:

Email: privacy@ermits.com

Subject: "Advisory Services Privacy Inquiry"

Website: https://www.ermits-advisory.com/privacy-policy.html

Data Rights Requests:

Email: privacy@ermits.com

Subject: "Privacy Rights Request - Advisory Services"

Engagement-Specific Questions:

Contact your assigned consultant or project manager

Email: advisory@ermits.com

For technical support inquiries:

Email: support@ermits.com

Data Protection Officer (EU/UK/Swiss):

Email: privacy@ermits.com

Subject: "GDPR Inquiry - Advisory Services"

California Privacy Requests (CCPA/CPRA):

Email: privacy@ermits.com

Subject: "CCPA Request - Advisory Services"

HIPAA Privacy Officer (Healthcare Clients):

Email: privacy@ermits.com

Subject: "HIPAA Privacy Matter - Advisory Services"