Information Security Policy

Effective Date: [1 January 2026]

  1. Policy Statement
    Initiate Global Foundation, Inc. (“Initiate Global,” the “Foundation,” “we,” “us,” or “our”) is committed to safeguarding personal, financial, and operational data entrusted to us by donors, campaign creators, partners, employees, and website visitors.

    As a non-stock, non-profit organization acting as a foundation and conduit between donors and campaign creators, Initiate Global recognizes its obligations under the Data Privacy Act of 2012 (Republic Act No. 10173) and related regulations.

    We implement reasonable, appropriate, and risk-based organizational, physical, and technical safeguards to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

    This Information Security Policy (“Policy”) outlines the controls, responsibilities, and procedures adopted to ensure system integrity and resilience.

  2. Objectives and Scope
    2.1 Objectives
    This Policy aims to:
    1. Preserve the confidentiality, integrity, and availability of information;
    2. Prevent unauthorized access, disclosure, alteration, or destruction of data;
    3. Detect and respond promptly to security threats and incidents;
    4. Ensure compliance with applicable legal and regulatory requirements.

    2.2 Scope
    This Policy applies to:

    1. All information systems, applications, databases, and networks owned or managed by Initiate Global;
    2. All personal, financial, and operational data collected or processed by the Foundation;
    3. All employees, officers, trustees, contractors, volunteers, and third-party service providers with access to platform data.

  3. Access Control and Authentication
    3.1 Role-Based Access Control
    1. Access to systems and data is granted strictly on a need-to-know and least-privilege basis.
    2. Role-based access control (RBAC) mechanisms are implemented to restrict permissions according to job function.
    3. Access rights are reviewed periodically and revoked immediately upon termination, resignation, or role change.

    3.2 Credential Management

    • Strong password policies are enforced, including minimum complexity requirements.
    • Administrative and privileged accounts require Multi-Factor Authentication (MFA).
    • Shared credentials are prohibited unless technically unavoidable and subject to enhanced logging and monitoring.

    3.3 Logging and Monitoring

    • System activity logs are maintained for administrative accounts and sensitive operations.
    • Logs are protected against tampering and retained in accordance with regulatory and audit requirements.

  4. Encryption and Data Protection Controls
    4.1 Encryption in Transit
    All data transmitted between users and the platform is encrypted using secure protocols (e.g., HTTPS with TLS 1.2 or higher).

    4.2 Encryption at Rest
    Sensitive personal and financial information is encrypted at rest using industry-recognized encryption standards (e.g., AES-256 or equivalent).

    4.3 Secure Development and Configuration

    • Applications are developed following secure coding principles.
    • Security patches and updates are applied promptly based on risk severity.
    • Default credentials on systems and devices are changed prior to deployment.

  5. Backups, Business Continuity, and Disaster Recovery
    5.1 Data Backups
    1. Regular backups of critical data are performed and stored in secure, redundant environments.
    2. Backup data is encrypted prior to transfer and storage.

    5.2 Recovery Testing

    1. Periodic restoration tests are conducted to validate backup integrity and disaster recovery capabilities.
    2. Recovery objectives are aligned with business continuity requirements.

    5.3 Infrastructure Resilience
    Where feasible, systems are hosted in secure, professionally managed data centers with appropriate physical and environmental controls.

  6. Security Assessments and Monitoring
    6.1 Vulnerability Management
    1. Periodic vulnerability assessments and, where appropriate, penetration testing are conducted by qualified personnel or independent security professionals.
    2. Identified vulnerabilities are assessed, prioritized, and remediated based on risk impact.

    6.2 Continuous Monitoring

    1. Systems are monitored for unusual or suspicious activity.
    2. Intrusion detection, anomaly detection, and fraud monitoring tools are implemented where appropriate.

    6.3 Vendor Security Reviews
    Third-party service providers with access to personal data are evaluated for adequate security safeguards prior to engagement and periodically thereafter.

  7. Incident Response and Breach Management
    7.1 Incident Response Framework
    Initiate Global maintains an internal incident response procedure to manage suspected or confirmed security incidents.

    An Incident Response Team (IRT), composed of designated personnel (including the Data Protection Officer and IT Security Lead), is responsible for:

    1. Incident identification and containment;
    2. Risk assessment and impact analysis;
    3. Evidence preservation and documentation; and
    4. Implementation of corrective and preventive measures.

    7.2 Breach Notification
    Where a personal data breach is likely to result in serious harm or poses a significant risk, Initiate Global shall notify:

    1. The National Privacy Commission (NPC), within the period required by applicable regulations; and
    2. Affected data subjects, where required by law.

    Notifications shall include a description of the breach, categories of data affected, likely consequences, and remedial measures taken.

    Notification may be delayed only where legally justified (e.g., to avoid compromising a law enforcement investigation).

    7.3 Post-Incident Review
    Following resolution, a formal review shall be conducted to:

    1. Identify root causes;
    2. Evaluate effectiveness of response;
    3. Implement necessary improvements to controls or procedures.

  8. Physical Security
    1. Physical access to servers, network equipment, and storage devices is restricted to authorized personnel.
    2. Office premises implement reasonable access controls, visitor logging, and device protection measures.
    3. Portable devices containing personal data must employ device encryption and secure authentication.

  9. Employee and Contractor Responsibilities
    1. All personnel must maintain strict confidentiality of personal and sensitive information.
    2. Confidentiality obligations continue after termination of employment or engagement.
    3. Mandatory training on data privacy, cybersecurity awareness, and secure data handling is conducted at least annually.
    4. Violations of this Policy may result in disciplinary action, contract termination, and possible legal liability.

  10. Third-Party Processors and Data Processing Agreements
    • Third-party processors (e.g., payment gateways, KYC providers, cloud services) are engaged only after due diligence.
    • Data Processing Agreements (DPAs) are executed to:
      1. Define permitted data uses;
      2. Require compliance with RA 10173 and applicable regulations;
      3. Establish breach notification obligations; and
      4. Mandate secure return or deletion of data upon termination.

    Third-party compliance may be evaluated through certifications, security attestations, or audit rights.

  11. Compliance, Review, and Continuous Improvement
    • This Policy forms part of Initiate Global’s broader Information Security Management System (ISMS).
    • The Data Protection Officer (DPO) and designated IT Security Officer are responsible for oversight and implementation.
    • The Policy shall be reviewed at least annually or whenever material legal, technological, or operational changes occur.
    • Material updates shall be communicated through appropriate channels.

  12. Limitation of Risk
    While Initiate Global implements industry-aligned safeguards and security controls, no system is completely immune from risk. Users are responsible for maintaining the confidentiality of their credentials and promptly reporting suspicious activity.

  13. Acknowledgement
    By accessing or using the Initiate Global platform, users acknowledge this Information Security Policy and agree to comply with its provisions where applicable.

Prepared by Management, 2026