Security Policy

Table of Contents

1.0 Introduction

2.0 Purpose and Scope

3.0 Information Security Objectives

4.0 Security Governance and Responsibilities

5.0 Data and Information Asset Protection

6.0 Information Security Approach

7.0 Golden Rules for Information Security

8.0 Risk Management and Security Controls

9.0 Backups, Recovery and Continuity

10.0 Staff, Contractor and Supplier Responsibilities

11.0 Review and Policy Maintenance

1.0 Introduction

Flowly relies on information systems to operate its platform, support customers and protect the data handled through its services. The reliability of those systems is important to the availability of the platform, the accuracy of information held within it and the confidentiality of customer data.

This Security Policy sets out Flowly’s approach to protecting its platform, customer information, internal systems and supporting technology providers. It is intended to provide a clear framework for managing information security risks, applying appropriate controls and responding to security concerns in a structured way.

Information security is treated as a core part of Flowly’s operation. Weaknesses in security can affect platform availability, customer trust, legal compliance and business continuity. For that reason, Flowly will take reasonable steps to identify security risks, protect information assets and reduce the likelihood and impact of security incidents.

For the purpose of this policy, ‘information security’ means the measures used to protect the confidentiality, integrity and availability of information held or processed by Flowly. This includes but is not limited to:

  • Customer data;
  • Platform records;
  • Uploaded materials;
  • Account information;
  • Technical logs; and
  • Other information needed to provide the service.

Responsibility for information security sits with Flowly’s management and any authorised personnel or suppliers involved in operating, developing or supporting the platform. Any suspected or confirmed security incident should be reported promptly so that appropriate action can be taken to reduce risk and limit potential impact.

2.0 Purpose and Scope

The purpose of this policy is to define Flowly’s approach to protecting the information and systems used to operate its platform. It applies to Flowly’s services, internal operations and authorised third parties where their access or responsibilities may affect the security of Flowly systems or information.

Flowly’s security approach is based on three core principles: confidentiality, integrity and availability.

  1. Confidentiality: Information should only be accessible to authorised persons.
  2. Integrity: Information should remain accurate, complete and reliable.
  3. Availability: The platform and related information should be accessible when reasonably required for business and customer use.

This policy does not replace Flowly’s Privacy Policy, Data Processing Agreement, Business Continuity and Disaster Recovery Plan, or any other policy that applies to the use of the platform. Those documents should be read together where security, data protection, continuity or customer obligations overlap.

3.0 Information Security Objectives

Objective: Confidentiality

  • Meaning for Flowly: Information should only be accessible to authorised users, personnel, contractors or suppliers with a legitimate need to access it.
  • Policy Position: Flowly will apply access controls, account permissions and appropriate security measures to reduce the risk of unauthorised access to customer data, platform records and internal information.

Objective: Integrity

  • Meaning for Flowly: Information should remain accurate, complete and reliable while it is stored, processed or transmitted through the platform.
  • Policy Position: Flowly will take reasonable steps to protect information from unauthorised alteration, accidental corruption or improper handling. Where errors or inconsistencies are identified, they will be reviewed and addressed as appropriate.

Objective: Availability

  • Meaning for Flowly: The platform, customer information and supporting systems should be available when reasonably required for business and customer use.
  • Policy Position: Flowly will maintain appropriate continuity, backup and recovery arrangements to reduce the impact of disruption and support restoration of affected services.

4.0 Security Governance and Responsibilities

Flowly’s management is responsible for setting the overall direction for information security and ensuring that appropriate controls are in place to protect the platform, customer data and supporting systems. Security responsibilities will be assigned to the people or suppliers involved in operating, developing, administering and supporting Flowly. Each person with access to Flowly systems is expected to use that access responsibly and only for authorised business purposes. Access will be reviewed and removed where it is no longer required, including when a role, supplier relationship or contractor arrangement ends.

Technical personnel and authorised suppliers are responsible for applying security controls within their area of work. This includes maintaining secure access, supporting safe configuration, addressing identified vulnerabilities and escalating security concerns promptly. Access to customer data, platform records and administrative systems will be limited to those with a legitimate need. Permissions should be appropriate to the person’s role and reviewed where access changes, work ends or a security concern is identified.

Flowly will take reasonable steps to make sure that security expectations are understood by personnel and relevant suppliers. Where third-party providers support the platform, Flowly will rely on appropriate contractual, technical and operational arrangements to manage security responsibilities.

Suspected or confirmed security incidents must be reported promptly to the appropriate responsible person within Flowly. Incidents will be assessed, recorded and escalated according to their severity, potential customer impact and any legal, regulatory or insurance considerations.

5.0 Data and Information Asset Protection

Flowly will take reasonable steps to protect the data and information assets used to operate the platform. This includes customer data, uploaded materials, account records, activity logs, support information and internal operational records. Information held by Flowly should only be accessed, used or shared where there is a legitimate business or technical reason to do so. Access to customer information and platform records will be restricted to authorised persons and managed in line with the user’s role or responsibility.

Customer data and uploaded materials must be handled with appropriate care and accessed only where there is a legitimate reason to do so. Information must not be copied, exported, disclosed or altered unless required to provide the service, resolve a support issue, investigate a security concern, or meet a legal or contractual obligation.

Flowly will support this approach through appropriate technical and organisational measures designed to protect information against unauthorised access, accidental loss, misuse, alteration or disclosure.

Where information is shared with third-party providers used to support the platform, Flowly will take reasonable steps to ensure that those providers are suitable for the services they perform and that appropriate data protection and security arrangements are in place.

Information that is no longer required will be retained, deleted or anonymised in accordance with Flowly’s Data Retention and Deletion Policy. Where information is held in backup systems, deletion may take effect when the relevant backup is overwritten or reaches the end of its retention period.

6.0 Information Security Approach

Flowly’s information security is based on continual management, review and improvement. Security is not treated as a one-off activity, but as an ongoing part of operating and developing the platform. Flowly will:

  • Consider security when introducing new systems or making material platform changes;
  • Apply proportionate controls based on the type of data handled and the level of risk involved;
  • Review access, supplier dependencies and platform changes where these may affect security;
  • Respond to identified weaknesses, incidents or risks in a timely and appropriate manner;
  • Maintain security as part of day-to-day platform operation.

Core security controls will be applied to protect Flowly’s platform, customer data, user accounts and supporting systems. Where certain information or activities require a higher level of protection, additional controls may be applied based on the sensitivity of the information or the potential impact of disruption, loss or unauthorised access.

Where weaknesses, risks or incidents are identified, Flowly will take reasonable steps to address them and improve the relevant security measures.

7.0 Golden Rules for Information Security

Flowly expects all personnel, contractors and authorised suppliers to handle information carefully and follow good security practices when accessing the platform, customer data or internal systems.

The following rules apply to anyone with authorised access to Flowly systems or information:

  1. Keep login details secure: Passwords, authentication details and access credentials must be kept confidential and must not be shared with others.
  2. Report security concerns promptly: Any suspected or confirmed security incident, unusual account activity, data exposure or system weakness must be reported without delay.
  3. Handle customer information with care: Customer data and uploaded materials must only be accessed, used or shared where there is a legitimate reason connected with the service.
  4. Use systems responsibly: Flowly systems, email, internet access and third-party tools must be used responsibly and in a way that does not create unnecessary security risk.
  5. Follow this policy and related procedures: Personnel and contractors must follow Flowly’s security requirements and any related procedures that apply to their role.
  6. Do not disclose confidential information: Confidential information must not be provided to unauthorised persons.
  7. Protect devices and workspaces: Devices used to access Flowly systems should be kept secure. Screens should be locked when unattended, and confidential information should not be left visible or accessible to unauthorised persons.
  8. Dispose of information safely: Information that is no longer required must be deleted, destroyed or disposed of securely, in accordance with Flowly’s data retention and deletion requirements.
  9. Do not ignore security for convenience: Convenience must not be used as a reason to bypass security controls, share credentials, ignore suspicious activity or mishandle customer information.

8.0 Risk Management and Security Controls

Flowly manages security risk by identifying where the platform, customer data or supporting systems could be exposed to risk. Security controls are applied in proportion to the nature of this risk, combined with the potential impact on customers, platform operation and business continuity.

Flowly’s risk management approach considers the services and information most important to the operation of the platform, with particular attention given to areas that affect customer access, data protection, and payment-related functions.

Flowly’s security controls cover the following areas:

  • Restricted access to administrative systems and customer data;
  • Authentication controls for user accounts and internal access;
  • Secure configuration of platform services and third-party tools;
  • Monitoring and review of activity where needed to identify misuse or unusual behaviour;
  • Protection of uploaded materials and customer records;
  • Backup and recovery arrangements for important platform data;
  • Incident reporting and escalation procedures;
  • Supplier reviews where third-party services support critical platform functions.

Identified vulnerabilities will be reviewed and addressed according to their risk and potential impact.

9.0 Backups, Recovery and Continuity

Flowly’s backup, recovery and continuity arrangements are addressed in its Business Continuity and Disaster Recovery Plan. Security incidents will be handled in line with this plan.

10.0 Staff, Contractor and Supplier Responsibilities

Flowly’s security arrangements depend on the conduct of those who access, manage, develop or support the platform. Personnel, contractors and suppliers must handle information responsibly and use Flowly systems only for authorised purposes connected with their role.

Flowly’s management is responsible for setting security expectations and ensuring that responsibilities are clearly assigned. Personnel and contractors are responsible for following those requirements when using systems, handling customer information or supporting the platform. They must not take any action that could compromise customer data, platform security or service availability.

Contractors and external suppliers may only access Flowly systems or information where they are authorised to do so. Access must be limited to the work they are required to perform and removed when it is no longer needed.

Suppliers that support Flowly’s platform, infrastructure or service delivery are expected to maintain appropriate security standards for the services they provide. Where supplier systems affect Flowly’s security, availability or data handling, Flowly will take reasonable steps to manage the relationship and address any material security concerns.

11.0 Review and Policy Maintenance

Flowly will review this Security Policy periodically to ensure it remains aligned with the platform, its operating environment and the security risks relevant to the service.

The policy may be updated where Flowly introduces material platform changes, changes its technology providers, identifies new security risks, responds to a security incident or updates its internal security arrangements.

Security controls will be reviewed to confirm that they remain appropriate for the type of information Flowly handles and the way the platform is used. Where weaknesses or improvement areas are identified, Flowly will take reasonable steps to address them.

The latest version of this policy will apply from the date it is approved or made available, unless a later effective date is stated.
