Employment Screening and Acceptable Use Policy

Organization: Fintable, Inc.
Owner: Security & Compliance
Approved by: Rafael Jara
Approval Date: 2025 September 15
Review Cadence: Annual or upon material change

1) Purpose

This policy establishes Fintable, Inc.'s requirements for employment screening of new hires and for acceptable use of company-supplied technology and data systems. As a financial technology provider handling bank data and APIs, Fintable must uphold the highest standards of trust, security, and compliance, including adherence to U.S. sanctions laws.

2) Scope

This policy applies to all employees, contractors, and temporary staff engaged by Fintable, Inc. It covers all company-provided hardware, software, and accounts, including laptops, mobile devices, cloud services, bank API integrations, and customer spreadsheet systems, together with any data, applications, or network resources accessed through corporate credentials or the corporate VPN (Tailscale).

3) Employment Screening Policy

3.1) Background Checks
All new hires must consent to pre-employment background screening consisting of identity, criminal background, employment, education, and reference checks.

3.2) OFAC Sanctions Screening
In accordance with the requirements of the U.S. Treasury's Office of Foreign Assets Control (OFAC), all employees, contractors, and key vendors must be screened against the OFAC sanctions lists before onboarding. Engagement of any individual who appears on an OFAC list is strictly prohibited. Employees must promptly disclose any change in status that may affect their sanctions eligibility.

3.3) Screening Criteria
Employment eligibility is contingent upon the absence of convictions for fraud, embezzlement, identity theft, or other financial felonies. Screening results must be evaluated against the responsibilities of the role, which is a position of trust, and against applicable legal requirements.
3.4) Ongoing Screening
Fintable reserves the right to conduct additional screening during employment, whether for its own purposes or to satisfy external (regulatory or customer) requirements.

4) Acceptable Use Policy

4.1) General Responsibilities
Employees must use company-supplied hardware, software, and accounts in a manner consistent with the scope of their employment. Personal use must be kept to a minimum, and any use that compromises company duties or security is strictly prohibited. Employees are responsible for the physical safety and condition of the devices issued to them and for the confidentiality of their credentials.

4.2) Secure Access (VPN Requirement)
All work involving customer data, bank APIs, or company systems must be conducted over the corporate VPN (Tailscale). Unencrypted or unapproved network access to these resources is prohibited.

4.3) Employee Connectivity
All employees must remain connected to Tailscale for the duration of every work session, regardless of location (in-office, remote, or traveling).

4.4) Device Security (Apple Secure Enclave Requirement)
All company-issued devices must be Apple devices equipped with a Secure Enclave. The Secure Enclave is a hardware component; it cannot be enabled on a device that lacks one, so only devices that include it may be issued. The Secure Enclave must be used for local encryption (for example, FileVault on macOS), biometric authentication, and cryptographic key storage. Devices must be locked immediately when not in use and must remain under the employee's personal control whenever used in public or open settings.

4.5) Password Management
All credentials must be stored in Apple's built-in password manager (iCloud Keychain), whose keys are protected by the device's Secure Enclave. No third-party password management software (e.g., LastPass, 1Password, Bitwarden) may be used to store company credentials, without exception. Strong, unique passwords must be used for every account, and passwords must not be reused between personal and corporate systems. Passwords must never be written down or shared, and must not be transmitted except through authorized encrypted channels.

4.6) Data Protection
Employees must not store customer financial data on personal devices or on unapproved cloud services.
Data must be accessed and transmitted exclusively through secure, company-approved applications. Copying, transferring, or exporting sensitive data outside authorized workflows is strictly prohibited; for example, syncing data to customer spreadsheets is permitted only through the approved spreadsheet integrations.

4.7) Prohibited Activities
Employees must not allow unauthorized access to corporate devices, install unapproved software, or compromise data integrity. Personal use is permitted within the limits of this policy and the scope of employment, but use of company hardware, software, or data by unauthorized third parties is not.

5) Enforcement
Violations of this policy may result in disciplinary action, up to and including termination of employment, and potential legal action.

Approved By:
Rafael Jara
Vice President
Electronically Signed By:
Rafael Jara