Policy on personal data processing

 1. Purpose and scope of the document Given policy regarding the personal data processing (hereinafter referred to as the Policy) defines the position and intentions of Neo-Com LLC (hereinafter referred to as the Company) in the field of personal data processing and protection of people who have contractual, civil and other legal relations with the Company in addition to observance of each person’s rights and fundamental freedoms, in particular, the right to privacy, personal and family secrets and to the protection of honor and good name. The policy is intended for study and strict compliance by the heads and employees of the Company’s all structural divisions and is to be brought to the notice of people having contractual, civil-legal and other relations with the Company (hereinafter referred to as citizens) along with partners and other interested parties.

2. Definitions Personal data refers to any information related to a directly or indirectly defined or defining individual (citizen). Thus, such information, in particular, includes: full name, year, month, date and place of birth, address, family, social and property status, information about education, profession, income, and etc. Personal data processing refers to any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. Such actions (operations) include collecting, receiving, recording, systemizing, accumulating, storing, updating (updating, changing), extracting, using, transferring (distributing, providing, accessing), depersonalizing, blocking, deleting, destroying personal data, Personal data information system (ISDN) refers to a set of personal data contained in databases along with information technologies and technical means ensuring its processing. The Company processes the personal data of only those people who had contractual, civil-legal and other relations with the Company, namely: • people employed by the Company (employees of the Company); • people who are customers of the Company, or seeking information about the Company's services.

3. Provisions of the Policy Realizing the importance and value of information about a person, and also caring about observance of the constitutional rights of citizens of the Russian Federation, the Company ensures reliable protection of their personal data. Under the security of personal data, the Company refers to all the necessary legal, organizational and technical measures for its protection from unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as other illegal actions in relation to personal data. The Company processes and ensures the security of personal data in accordance with the requirements of the Constitution and Labor Code of the Russian Federation, Federal Law No. 152-FZ "On Personal Data" on top of by-laws and other defining cases and peculiarities of personal data processing from federal laws and guidelines of Russian FSTEC and FSB. The Company adheres to the following principles when processing personal data:
• The Company performs personal data processing only on a legal and fair basis; • The Company does not disclose to third parties or distribute personal data without the citizen’s consent (unless otherwise provided by the current legislation of the Russian Federation);
• The Company determines specific legitimate purposes before the personal data processing (including collection / receipt);
• The Company collects only those personal data that are necessary and sufficient for the stated purpose of the processing;
• The Company’s personal data processing is limited to the achievement of specific, predefined and legitimate purposes.
• The Company destroys or impersonates personal data upon reaching the processing objectives or in the event of the loss of the need to reach them [1].
• The company does not collect and process citizens’ personal data related to race, nationality, political, religious, and philosophical or other beliefs as well as health status, intimate life and membership in public associations, including trade unions.
• The company has the right to entrust the personal data processing (upon the citizen’s consent [2]) to legal entities on a contractual basis according to which the latter undertakes to observe personal data processing principles and regulations provided for by the Federal Law No. 152-FZ "On personal data". The contract (Company’s instruction) should specify the list of actions (operations) with personal data that will be performed by each personal data processing legal entity along with the purpose of such processing and in addition to obligation to maintain confidentiality and ensure the safety of personal data during processing and, finally, should specify requirements for the protection of the processed personal data.

4. Rights of citizens regarding the personal data processing A citizen whose personal data is processed by the Company has the right:
4.1. to receive from the Company: confirmation of the fact of personal data processing by the Company; legal grounds and objectives for the personal data processing ; information on the methods used by the Company for processing personal data; name and location of the Company; information on people (with the exception of the Company’s employees) who have access to personal data or who can act as an object of personal data disclosure on the basis of an agreement with the Company or according to a federal law; a list of the processed personal data relating to the citizen who filed the request and acted as the source of their receipt, unless other procedure for providing such data is provided for by a federal law; terms of personal data processing , including the terms of their storage; the procedure for the exercise by a citizen of the rights provided for by the Federal Law "On Personal Data" No. 152-FZ; information on a current or expected trans-border transfer of personal data; name (full name) and address of the person performing processing of personal data on behalf of the Company; other information provided for by the Federal Law "On Personal Data" No. 152-FZ or other federal laws;
4.2. to demand the specification of their personal data, their blocking or destruction in case if personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing;
4.3. to withdraw their consent to the personal data processing;
4.4. to demand the elimination of the Company's misconduct regarding personal data;
4.5 appeal against the Company’s actions or inaction to the Federal Service for Supervision of Communication, Information Technologies and Mass Communications (Roskomnadzor) or judicially in case if the citizen believes that the Company processes his personal data in violation of the requirements of the Federal Law No. 152-FZ " On Personal Data " or otherwise violates his rights and freedoms;
4.6. to protect their rights and legitimate interests, including the right to judicial compensation for material or moral damages.

5. Revision of the Policy’s provisions The revision of the Policy’s provisions is to be carried out periodically at least once a year and in the case of: change in the Russian Federation’s legislation in the field of personal data; structural change of people to whom the Company entrusts personal data processing; inconsistencies affecting the personal data processing; the monitoring results of the fulfillment of requirements for the personal data processing and protection; decision of the Company's management. Revision of the Policy’s provisions is followed by publishing of an updated version on the Company's website.

6. Responsibility In case of failure to comply with the provisions of this Policy, the Company is liable in accordance with the current legislation of the Russian Federation. PLEASE NOTE If you have any questions after reading this Policy, you can get a clarification on all the relevant issues by sending an official request through e-mail to info@neocom72.com or through Russian Post to the address: 625013, Russia, Tyumen, 50 let Okrtyabrya Street 88 You must specify the following in the official request:
• citizen’s ID card number (or of his legal representative), information on the date of its issue and the issuing body; • Information confirming your relations with the Company (for example, the contract number or customer number) or information otherwise confirming the fact of the personal data processing by the Company;
• citizen’s signature (or of his legal representative). If the request is in electronic form, then it must be issued in the form of an electronic document and signed by an electronic signature in accordance with the legislation of the Russian Federation. Information on the current requirements for the protection of personal data Neo-Kom LLC (hereinafter referred to as the Company) takes all the necessary legal, organizational and technical measures in the personal data processing process for the protection of personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision and distribution along with other illegal actions regarding personal data. Such measures, in accordance with article 18.1 and 19 of the Federal Law No. 152-FZ "On Personal Data", in particular, include:
• Appointment of the person responsible for the organization of personal data processing along with people responsible for ensuring the security of personal data;
• Identification of threats to the security of personal data during processing;
• development and approval of local acts on the personal data processing and protection;
• damage assessment that can be inflicted on citizens in the event of violation of the Federal Law No. 152-FZ "On Personal Data" in addition to the ratio of such damage and measures taken by the Company aimed at ensuring the fulfillment of the duties provided for by the aforementioned Federal Law No. 152-FZ "On Personal Data";
• Training of the Company’s employees directly involved in personal data processing along with familiarization with the provisions of the legislation of the Russian Federation on personal data, including requirements for the personal data protection and local acts on the personal data processing and protection;
• compliance with conditions excluding unauthorized access to tangible medium and ensuring the safety of personal data;
• application of technical protection measures, including:
• means for access differentiation at the network, application and system-wide levels;
• firewalling;
• means for registration and recording of user’s actions at the network, application and system-wide levels;
• antivirus protection;
• Certified means of cryptographic information protection;
• Intrusion Detection Tools;
• means for security analysis;
• means for monitoring physical access to the personal data processing premises. Note.
The Company applies information protection means that have undergone conformity assessment in accordance with the established procedure; efficiency assessment of the measures taken to ensure the personal data security prior to the commissioning of PDIS; Detection of unauthorized access to personal data and follow-up measures; restoration of personal data, modified or destroyed due to unauthorized access; establishment of regulations for access to personal data processed in the PDIS along with registration and recording of all actions with it; implementation of internal control and audit of the personal data processing’s compliance with the Federal Law No. 152-FZ "On Personal Data" along with by-laws; Until the specification of the aforementioned measures, the Company follows: The Decree of the Government of the Russian Federation No. 781 dated November 17, 2007 "On approval of the Regulation on ensuring the safety of personal data during processing in personal data information systems"; Decree of the Government of the Russian Federation No. 687 dated September 15, 2008 "On approval of the Regulations on the peculiarities of personal data processing, carried out without the use of automation tools"; The joint order of the Russian FSTEC, FSB (Federal Security Service) and the Ministry of Information and Communications No. 55/86/20 dated February 13, 2008 "On approval of the procedure for the classification of personal data information systems"; "Provision on means and methods for protecting information in personal data information systems", approved by the Order Russian FSTEC No. 58 dated February 5, 2010. "Typical requirements for the organization and operation of encryption (cryptographic) means designed to protect information that does not contain information constituting state secrets, in case of their use to ensure the security of personal data under processing in personal data information systems", approved by the management of the Russian FSB’s 8th Center No. 149/6 / 6-662 dated February 21, 2008. [1] Unless otherwise provided for by the contract or any other agreement between the Company and the citizen or in case if the Company is not entitled to process personal data without the due consent of the citizen on the grounds provided for by the Federal Law No. 152-FZ "On Personal Data" or other federal laws. [2] Unless otherwise provided for by the federal law.