Data Governance & Cybersecurity Policy
Document 12 of the Board Governance Binder
I. Purpose
This policy establishes the framework for responsible data management, privacy protection, and cybersecurity across PROVENIQ Foundation, Inc. and all Pet Command ecosystem platforms it operates under license from the PROVENIQ Charitable Trust.
II. Scope
This policy applies to all data collected, processed, stored, or transmitted by the Corporation through MAYDAY, ShelterOS, LifeLog, VetOS, Guardians, ACO-Mobile, SYSOP, the Foundation website, and any internal systems. It applies to all Directors, Officers, employees, volunteers, contractors, and technology partners.
III. Data Classification
- Public Data: Information intentionally made available to the general public (e.g., published pet listings, public shelter information).
- Internal Data: Information used for Corporation operations not intended for public release (e.g., internal reports, staff communications).
- Confidential Data: Sensitive information requiring protection (e.g., donor records, personnel files, financial data, Board deliberations).
- Restricted Data: Highly sensitive information requiring the highest level of protection (e.g., veterinary medical records, personal identification information, geolocation data from MAYDAY reports, user authentication credentials).
IV. Data Privacy Principles
- Collect only the minimum data necessary for the stated purpose.
- Inform users about what data is collected and how it is used.
- Obtain appropriate consent before collecting personal information.
- Provide users with the ability to access, correct, and delete their personal data where feasible and consistent with legal obligations.
- Do not sell user data. Ever.
- Retain data only as long as necessary for the stated purpose or as required by law.
- Comply with all applicable privacy laws, including state data breach notification requirements.
V. Cybersecurity Requirements
- Maintain role-based access controls across all platforms and internal systems.
- Require multi-factor authentication for all administrative and staff access.
- Encrypt data in transit (TLS 1.2 or higher) and at rest.
- Maintain regular patching and vulnerability management.
- Conduct periodic security assessments and penetration testing as resources allow.
- Maintain secure development practices in the Pet Command development lifecycle.
- Implement logging and monitoring sufficient to detect and investigate security incidents.
- Maintain secure backup procedures with tested recovery processes.
VI. Incident Response
The CEO (or their designee) shall maintain a written incident response plan covering:
- Detection and identification of data breaches or security incidents.
- Containment and eradication.
- Notification to affected individuals as required by law (including WV Code §46A-2A-101 et seq.).
- Notification to the Board Chair within 24 hours of a confirmed material breach.
- Engagement of legal counsel and forensic investigators as needed.
- Post-incident review and remediation.
VII. Platform-Specific Governance
Each Pet Command ecosystem platform handles different categories of data with different risk profiles. The CEO shall ensure that platform-specific data handling procedures are documented and maintained, consistent with the Pet Command Canon’s data architecture doctrines (including the dual-time doctrine, append-only truth, and the prohibition on silent mutation of meaning as defined in the Pet Command Constitution).
VIII. Vendor and Third-Party Management
Third-party service providers with access to Corporation data shall be subject to appropriate contractual data protection obligations. The Corporation shall assess the data security posture of material third-party providers before engagement and periodically thereafter.
IX. Board Oversight
The CEO shall report to the Board (or the Finance, Audit & Risk Committee) at least annually on cybersecurity posture, data incidents, privacy compliance, and any material risks. Material data breaches shall be reported to the Board within 24 hours.
X. Training
All employees, contractors, and volunteers with access to Corporation systems shall receive data privacy and cybersecurity awareness training during onboarding and at least annually thereafter.
XI. Annual Review
This policy shall be reviewed annually by the CEO and the Finance, Audit & Risk Committee.