The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

The company restricts privileged access to encryption keys to authorized users with a business need.

The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

The company restricts privileged access to the firewall to authorized users with a business need.

The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

System access restricted to authorized access only

The company's access control policy documents the requirements for the following access control functions:

• adding new users;
• modifying users; and/or
• removing an existing user's access.

The company restricts privileged access to databases to authorized users with a business need.

The company restricts privileged access to the operating system to authorized users with a business need.

The company restricts privileged access to the production network to authorized users with a business need.

The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.

The company's network is segmented to prevent unauthorized access to customer data.

The company uses firewalls and configures them to prevent unauthorized access.

The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.

The company requires passwords for in-scope system components to be configured according to the company's policy.

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

The company maintains a formal inventory of production system assets.

The company encrypts portable and removable media devices when used.

The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

The company performs background checks on new employees

The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

The company requires contractors to sign a confidentiality agreement at the time of engagement.

The company requires employees to sign a confidentiality agreement during onboarding.

The company managers are required to complete performance evaluations for direct reports at least annually.

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

The company's datastores housing sensitive customer data are encrypted at rest.

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

The company's formal policies outline the requirements for the following functions related to IT / Engineering:

• vulnerability management;
• system monitoring.

The company conducts access reviews at least annually for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

Host-based vulnerability scans are performed at least annually on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

The company restricts access to migrate changes to production to authorized personnel.

The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Complete a description of your system for Section III of the audit report

The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

The company's data backup policy documents requirements for backup and recovery of customer data.

The company notifies customers of critical system changes that may affect their processing.

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

The company maintains an organizational chart that describes the organizational structure and reporting lines.

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

The company's information security policies and procedures are documented and reviewed at least annually.

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

The company communicates system changes to authorized internal users.

The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

The company tests their incident response plan at least annually.

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

The company reviews access to the data centers at least annually.

The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

The company provides guidelines and technical support resources relating to system operations to customers.

The company provides a description of its products and services to internal and external users.

The company specifies its objectives to enable the identification and assessment of risk related to the objectives.

The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.

The company has a vendor management program in place. Components of this program include:

• critical third-party vendor inventory;
• vendor's security and privacy requirements; and
• review of critical third-party vendors at least annually.

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

At Polestar Analytics, our mission is to empower organizations to harness the full potential of artificial intelligence through responsible, innovative AI solutions—built on the foundations of transparency, accountability, and trust. We believe that the transformative potential of artificial intelligence should always serve people, organizations, and society in an ethical and accountable way.

Our approach to AI development and deployment is rooted in ethical responsibility and continuous oversight, guided by our Responsible AI Principles. These principles are embedded throughout our AI lifecycle—from model design and training to deployment and monitoring—and extend across our internal operations and governance structures.

We are committed to human-centered AI that keeps users informed, in control, and confident in their AI-assisted decisions. Every AI solutions are designed with explainability and interpretability at their core, ensuring stakeholders understand how AI-driven insights are generated and can validate recommendations before taking action.

Polestar Analytics upholds the highest standards of AI integrity, privacy protection, and stakeholder respect—delivering business value while maintaining commitment to responsible AI innovation.

Fairness

• AI systems should be developed and deployed fairly, ensuring they are inclusive and free from unlawful bias. This requires using representative datasets, conducting regular bias assessments, and implementing safeguards to prevent discrimination throughout the entire AI lifecycle.

Transparency

• AI systems should operate with clarity, making it evident when and how AI influences decision-making processes. This includes providing clear explanations of each system's purpose, underlying logic, limitations, and potential impacts on users and stakeholders.

Accountability

• AI systems require responsible governance with continuous human oversight across their lifecycle. Clear ownership and accountability must be established at every stage—from data collection and model development through to deployment and ongoing management.

Accuracy & Reliability

• AI systems must consistently deliver on their intended purpose with reliable, accurate results. This includes validating performance with high-quality data, regularly testing outputs, and addressing errors or drift to maintain trust and effectiveness over time.

Privacy

• AI systems must handle personal data lawfully and in alignment with user expectations. They must include controls that ensure data use is authorized, purpose-specific, and appropriately protected throughout the lifecycle.

Security

• AI systems should be resilient, tested against adversarial threats, and designed to resist model manipulation, data poisoning, and other emerging attack vectors. Strong security measures are critical to maintaining system integrity and preventing malicious exploitation.

Adaptability

• AI systems should remain resilient amid evolving data patterns, environmental changes, and shifting user requirements. Models must be designed for efficient updating, retraining, and fine-tuning to sustain performance and effectively manage emerging risks.

Control & Choice

• AI systems should provide users with control over their interactions and provide clear options for engaging with AI-driven features. This encourages thoughtful engagement with the content and data they contribute.