January 2024
1701 Rhode Island Ave NW
Washington, DC 20036
Goodworld, Inc
Information Security and Employee Conduct Policy
The purpose of this policy is to provide a security framework that will ensure the protection of Goodworld proprietary and sensitive Company Information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our customers, both donors and charitable organizations. Company Information may be verbal, digital, and/or collateral, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes.
Failure to comply with this policy may subject you to disciplinary action and to potential penalties including termination and legal action.
The Information Security Policy applies to all Goodworld officers, employees, interns, and contractors, as well as to any third party authorized to represent or act on behalf of Goodworld, Inc. This policy also applies to any other individuals or entities granted use of Company Information, including, but not limited to, contractors, temporary employees, and volunteers.
I. Access Control Policy
A. Access Control systems are in place to protect the interests of all users of Goodworld computer systems by providing a safe, secure and readily accessible environment in which to work.
B. Goodworld will provide all employees and other users with the information they need to carry out their responsibilities as effectively and efficiently as possible.
C. Generic or group access IDs are not permitted, unless specifically granted by the COO, CTO or CEO under exceptional circumstances. In such circumstances, sufficient compensating controls on access must be in place.
D. The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access) will be restricted and controlled by the CTO, and authorization provided jointly by the system owner and CTO. Technical teams may not issue blanket privilege rights to groups.
E. Access rights will be accorded following the principles of least privilege and need to know.
F. Every user must maintain data at the level of protection its classification requires, even if technical security mechanisms fail.
G. Users electing to place information on digital media or storage devices or maintaining a separate database must only do so where such an action is in accord with the data's classification.
H. All Users (employees, interns, contractors, vendors) are obligated to report instances of non-compliance to a Goodworld company officer immediately.
I. No access to any Goodworld resources and services will be provided without prior authentication and authorization of a user's Goodworld account.
J. Password issuing, strength requirements, changing and control will be managed through formal processes overseen by the CTO. User passwords will be complex and changed at least every 90 days, and all user accounts will require multi-factor authentication.
K. Access to Confidential, Restricted or Protected information will be limited to only authorized persons whose job responsibilities require it, as determined by the data owner and the COO. Requests for access permission to be granted, changed or revoked must be made in writing.
L. Users are expected to become familiar with and abide by Goodworld policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.
II. Application Security.
Web based Goodworld applications are subject to security assessments based on the following criteria:
A. New or Major Application Release – subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.
B. Third Party or Acquired Web Application – subject to full assessment after which it will be bound to policy requirements.
C. Point Releases – subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.
D. Patch Releases – subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.
E. Emergency Releases – An emergency release may be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out.
F. Emergency releases will be designated as such by the COO or an authorized manager who has been delegated this authority by the COO.
III. Change Management
A. All system and application changes in Goodworld (e.g. operating system, computing hardware, networks, applications, data centers) are subject to this policy and will follow unit change management procedures. For the purpose of Section III, "Stakeholders" applies to both Goodworld employees and contractors as well as Goodworld commercial partners and users.
B. The following general requirements are mandatory parts of any change management process:
a) Scheduled change calendars and departmental operational communication procedures will be used to inform stakeholders of upcoming application and system changes that affect system availability or operations.
b) Regular planned changes will be communicated to all stakeholders monthly through a communication mechanism of the CTO/COO's choosing.
c) Unplanned outages will be communicated immediately to stakeholders via email, with regular updates on progress towards resolution and resumption of service.
d) Regular system and application patching schedules will be communicated to users, and patching will be performed so as to minimize system downtime and the impact on user productivity.
e) Processes will ensure that production data is not unnecessarily replicated or used in non-production environments.
f) Device configurations will be backed up, and rollback procedures must exist, before a change is implemented.
IV. Secure Workplace
A. Goodworld is committed to providing a workplace that is free from acts or threats of violence. It is therefore essential that every employee understand the importance of workplace safety and security.
B. Every threat of violence is potentially serious and must be treated as such. Threatening behavior can include such actions as throwing objects, making verbal threats to harm another individual or destroy property, displaying an intense or obsessive romantic interest that exceeds the normal bounds of interpersonal interest, or attempting to intimidate or harass other individuals.
C. Individuals who become aware of any threats of workplace violence must report these threats immediately to a Goodworld Officer.
D. For an individual who becomes aware of any actual violence, imminent violence, or threat of imminent violence, obtaining emergency assistance must be a matter of first priority. The individual should immediately contact Goodworld and, if appropriate, should contact the Police Department by dialing 911.
E. Compliance with this anti-violence policy is a condition of employment for all members of the company.
V. Data Classification, Usage and Retention.
User information found in computer system files and databases will be classified as either confidential or non-confidential. The company will classify the information under its control. Goodworld is required to review and approve the classification of the information and determine the appropriate level of security to best protect it.
Furthermore, the CTO/COO will classify information controlled by units not administered by Goodworld.
VI. Disaster Recovery and Business Continuity
A. Business Risk Assessment and Business Impact Analysis
Each Goodworld Officer (CEO, COO, CTO) will assess Business Risk and Business Impact for the Key Business Systems in his/her area of responsibility. The assessor should identify the criticality of Key Business Systems and the repositories that contain the relevant and necessary Data for the Key Business System. The assessment should also address the Disaster Contingency and Recovery Plan (the "Contingency Plan") for his/her area of responsibility. Such Plans should consider:
a) Key business processes; b) Applicable risk to availability; c) Prioritization of recovery; d) Recovery Time Objectives; and e) Recovery Point Objectives.
For purposes of this Policy, a "Recovery Time Objective" is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity and a "Recovery Point Objective" is the maximum tolerable period during which Data might be lost from an Information Resource.
B. Contingency Plans
Key Business Systems will have a Contingency Plan for when hardware, software or Networks become critically dysfunctional or cease to function (short term or long term outages). This Plan will address the process that would be implemented to continue operations during the outage, including the incorporation of alternative off-site operations. Specifically, the Contingency Plan will consider:
a) An Emergency Mode Operations Plan for continuing operations in the event of temporary hardware, software or Network outage. This Plan should include information relating to the end user process for continuing operations. b) A Recovery Plan for returning functions and services to normal on-site operations when a disaster is over. c) A procedure for periodic testing, review and revision of the Contingency Plan for all affected Systems, as a group and individually as needed.
C. Data Plans
The CTO will implement a Data Plan.
a) CTO (codebase) and COO (operational) are responsible for taking reasonable steps to ensure the backup of Data, particularly Sensitive Data and Confidential Data; b) A backup schedule; c) The Key Business Systems that are to be backed up; d) Where backup media is to be stored and workforce members who may access the stored backup media; e) Where backup media is to be kept secure before it is moved to storage, if applicable; f) Who may remove the backup media and transfer it to storage; g) Restoration procedures to restore Key Business System Data from backup media to the appropriate System; h) Test restoration procedures and frequency of testing to confirm the effectiveness of the Plan; i) The retention period for backup media; and j) A method for restoring encrypted backup media, including encryption key management.
VII. Encryption of Data and Encryption or Hashing of Passwords
A. Information
If Goodworld Classified Information is created or received, it must be stored within a Goodworld managed secured system.
However, when Goodworld Information is transmitted outside such a secure system, it must be encrypted in transit. This may include encrypting a file sent via email, encrypting a portable hard disk used to transfer data, or using an encrypted transmission protocol such as TLS (legacy SSL versions are deprecated and must not be used).
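The practical question behind the "encrypted transmission protocol" requirement is what a compliant TLS configuration looks like in code, since the most common failure is a client that has been told to skip certificate or hostname verification to "make the SSL error go away". The following is an added example, not part of the original policy or any Goodworld system: it builds a weak client context and a hardened one with Python's standard `ssl` module and audits both against three checks. The assumption that "encrypted in transit" means TLS 1.2 or later is the author's, not the policy's.

```python
import ssl

# Assumption (not stated in the policy): "encrypted transmission protocol"
# means TLS 1.2 or later, with the server's certificate and hostname verified.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for settings that let a client connect without
    authenticating the server or over obsolete protocol versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate (check_hostname=False)")
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(f"obsolete protocol versions allowed (minimum_version={ctx.minimum_version.name})")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The 'disable verification' pattern: any certificate, any hostname,
    any protocol version the library supports. Constructed here as the
    negative example; never use this against production services."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A context that meets the policy reading above: CA-verified server
    certificate, hostname check, and TLS 1.2 or later only."""
    # create_default_context() loads the system CA store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True for SERVER_AUTH.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MIN_TLS_VERSION
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        findings = audit_tls_context(ctx)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The audit covers only the client-side context; it says nothing about the server's configuration or the CA store's contents. The same three attributes (`verify_mode`, `check_hostname`, `minimum_version`) are what to look for when reviewing code that constructs its own `SSLContext` rather than calling `create_default_context()`.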
B. Devices. If a device is capable of device encryption and recovery keys can be safely made available to the Company, it is required that device encryption be applied.
C. Personally Owned Laptops
Employees are prohibited from creating or storing Classified Information on personally owned laptops, including via the use of file synchronisation tools. Non-classified information will not be stored on the device unless a copy is also stored in a Goodworld owned system.
The worker handling Goodworld Information takes full responsibility for the application of the required security controls and for ensuring that the information is secure throughout its lifecycle, which will include ensuring the device is securely wiped of Company Information before disposal.
D. Other Portable Devices
Particular care will be taken with the physical security of other portable devices with less inherent security features, such as digital cameras, external hard disks, USB sticks and recording devices.
Where device encryption is available it should be used and the relevant recovery passphrases or keys securely stored on the Goodworld's network.
The use of these devices should be avoided for Classified Information where possible, but if a Goodworld Officer assesses that they are required to collect Classified Information, that information will not be stored on the device beyond the minimum length of time required to transfer the data to a secure location such as a secure laptop or the Goodworld network. While the device holds Classified Information, that information must be protected either with device encryption or file encryption. All records of the Classified Information will be securely deleted from the device immediately after successful transfer, and the device must be disposed of securely when no longer required by Goodworld.
VIII. Mobile Computing
A. All mobile computing and storage devices that access Goodworld data must be compliant with Goodworld Security Policies and Standards.
B. Any and all mobile computing devices used within the Goodworld information and computing environments must meet all applicable Goodworld encryption standards. Mobile computing devices purchased with Goodworld funds, including, but not limited to, contracts, grants, and gifts, must also be recorded in the unit's information assets inventory.
C. Goodworld information security policies that apply to desktop or workstation computers also apply to mobile computing devices.
IX. Network Security
A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high-level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable, should also be illustrated.
X. Secure System Builds
A. Systems include but are not limited to servers, platforms, networks, communications, databases and software applications.
An individual or group must be assigned responsibility for maintenance and administration of any system deployed on behalf of Goodworld. A list of assigned individuals or groups must be centrally maintained.
Security must be considered at system inception and documented as part of the decision to create or modify a system.
All systems must be developed, maintained and decommissioned in accordance with a secure system development lifecycle (SSDLC).
Each system must have a set of controls commensurate with the classification of any data that is stored on or passes through the system.
Separation of environments (e.g., development, test, quality assurance, production) is required, either logically or physically, including separate environmental identifications (e.g., desktop background, labels).
Formal change control procedures for all systems must be developed, implemented and enforced. At a minimum, any change that may affect the production environment and/or production data must be included.
B. Databases and Software (including in-house or third-party developed software and commercial off-the-shelf (COTS) software):
All software written for or deployed on Goodworld systems must incorporate secure coding practices, to avoid the occurrence of common coding vulnerabilities and to be resilient to high-risk threats, before being deployed in production.
Once test data is developed, it must be protected and controlled for the life of the testing in accordance with the classification of the data.
Where technically feasible, development software and tools must not be maintained on production systems.
Where technically feasible, source code used to generate an application or software must not be stored on the production system running that application or software.
Scripts must be removed from production systems, except those required for the operation and maintenance of the system.
Privileged access to production systems by development staff must be restricted.
Migration processes must be documented and implemented to govern the transfer of software from the development environment up through the production environment.
XI. Physical Security
Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
A. Media is defined as any printed or handwritten paper, received faxes, floppy disks, backup tapes, computer hard drive, etc.
B. Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.
C. Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.
D. Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. "Employee" refers to full-time and part-time employees, temporary employees and personnel, and consultants who are "resident" on Company sites. A "visitor" is defined as a vendor, guest of an employee, service personnel, or anyone who needs to physically enter the premises for a short duration, usually not more than one day.
E. Strict control is maintained over the external or internal distribution of any media containing card holder data and has to be approved by management.
F. Strict control is maintained over the storage and accessibility of media
G. All computers that store sensitive cardholder data must have a password-protected screensaver enabled to prevent unauthorized use.
XII. Remote Access
Only authorized persons may remotely access the company network. Remote access is provided to those employees, contractors and business partners of the company that have a legitimate business need to exchange information, copy files or programs, or access computer applications. An authorized connection may be from a remote PC to the network or from a remote network to the company network. The only acceptable method of remotely connecting to the internal network is through the company-approved remote-access mechanism authenticated with a secure ID token (multi-factor authentication).
XIII. Security Incident Management and Response
A. The company takes the issue of security seriously. Those people who use the technology and information resources of the company must be aware that they can be disciplined if they violate this policy. Upon violation of this policy, an employee of the company may be subject to discipline up to and including discharge. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of the Security Policy, prior violations of the policy committed by the individual, state and federal laws and all other relevant information. Discipline taken against an employee will be administered in accordance with any appropriate rules or policies of the company.
B. In a case where the accused person is not an employee of the company, the matter will be submitted to a Goodworld officer immediately. Goodworld may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).
C. In a case where data loss or compromise consists of any customer data, Goodworld will notify the affected party(s) within 6 hours of discovery.
D. The Goodworld CFO will ensure that a current insurance policy is active and covers up to $1M per incident for both third parties and first party. CFO will provide a current Certificate of Insurance to customers upon request.
XIV. Secure Disposal of Information and Assets
A. All data must be securely disposed of when no longer required by Goodworld, regardless of the media or application type on which it is stored.
B. An automatic process must exist to permanently delete online data, when no longer required.
C. Goodworld will have procedures for the destruction of hard copy (paper) materials. These will require that all hard copy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed.
XV. Vulnerability and Patch Management
A. Goodworld CTO will ensure routine assessment of risk from technical vulnerabilities and the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores or transmits;
B. Goodworld CTO will update the risk assessment on a defined schedule (every 3 months) or whenever there are significant changes to the
XVII. Anti-Fraud
The Company Officers are responsible for the prevention and detection of fraud. All parties should be familiar with the types of fraud that might occur and should be alert for any indication of fraud. This policy applies equally to any fraudulent activity involving not only employees but also directors, vendors, outside agencies, and/or unknown parties; without regard to length of service, title/position, or relationship.
The terms fraud, misappropriation and irregularities refer to, but are not limited to:
Any dishonest or fraudulent act
Misapplication of funds or assets
Profiting on insider knowledge
Destruction of records or assets
Disclosure of confidential information
Forgery or alteration of documents
Impropriety in reporting transactions
Any individual who has knowledge of any suspected fraudulent activity can anonymously report these suspicions.
XVIII. Awareness Training and Education
The policies and procedures outlined below will be incorporated into company practice to maintain a high level of security awareness. The COO and CTO will ensure the protection of sensitive data by requiring regular training of all employees and contractors.
A. All employees will review handling procedures for sensitive information and incorporate these procedures into day-to-day company practice.
B. COO will distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document when they sign their annual PIIA and NDA.
C. Any employees that handle sensitive information may undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they will be authorized access to such information.
D. Any and all third parties with access to credit card account numbers or tokens will be contractually obligated to comply with card association security standards (PCI DSS).
E. Company security policies will be reviewed annually and updated as needed.
XIX. Ethics
Goodworld expects and will accept no less than the highest standards of ethical and professional conduct from all employees. Employees are expected to avoid even the appearance of impropriety in all business dealings. Any employee who violates the standards in this Code of Ethics will be subject to disciplinary action. Any employee who believes himself or herself to be in a situation that may violate this Code should report it to a Company Officer immediately.
Goodworld expects all employees to respect and obey the laws of the cities, states and countries in which we operate. While it is impossible for any one person to know all the details of all laws, we expect our employees to have a working knowledge of the appropriate laws and just as importantly to know when to ask for advice from a manager regarding legal matters.
The Company is committed to maintaining a fair and ethical workplace and condemns all human rights violations including human trafficking and modern slavery. As part of this directive, Goodworld takes or will take appropriate steps to ensure human servitude and modern slavery do not exist at the Company or at any of the Company’s partners and affiliates. The Company has a zero-tolerance policy for any human rights violations and is taking appropriate steps to communicate this perspective to all relevant interested parties.
Company employees are prohibited from making any contribution or providing any financial support to any political party or candidate on behalf of the Company, except as may be pre-approved by the CEO.
The Company takes a zero-tolerance approach to bribery and corruption and is committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate. This Anti-Bribery and Anti-Corruption Policy is designed to ensure compliance with the U.S. Foreign Corrupt Practices Act (the "FCPA") and any other local anti-bribery or anti-corruption law where we operate.
Goodworld does not discriminate on the basis of race, color, religion, national origin, ancestry, age, sex, sexual orientation, gender identity, pregnancy, disability, genetic information, veteran or military status, or any other legally protected status. All employees of Goodworld are expected to treat people with dignity, respect and compassion to foster a work environment free of harassment, intimidation, and unlawful discrimination.
Every employee of Goodworld is expected to report what he or she believes in good faith are violations of the law or of Goodworld policy, whether accidental or deliberate, by any other Goodworld employee. Should you become aware of a violation, it is your responsibility and obligation to disclose the matter fully. The failure to report such violations is itself a violation of Goodworld policy. Should any employee feel it necessary to report any suspected illegal or unethical behavior, the employee should call or write the Vice President or any other officer of the Company.
You may report suspected legal or ethical violations in confidence and without fear of retaliation. Goodworld does not permit retaliation of any kind against employees for good faith reports of suspected or actual ethical or legal violations.