Information Security Policy

Modified on Fri, 13 Mar at 5:36 PM


Zero Link Markets, Inc. dba Vinoshipper


Effective Date: January 1st, 2026
Approved By: Executive Management
Review Cycle: Annual


1. Purpose

This Information Security Policy establishes the security requirements and control standards used by Zero Link Markets, Inc. dba Vinoshipper ("Vinoshipper") to protect the confidentiality, integrity, and availability of company systems and information.

This policy is intended to protect company, customer, partner, and employee information; support reliable business operations; and satisfy legal, regulatory, and contractual obligations applicable to the company's services.

2. Company Overview

Vinoshipper is headquartered in Windsor, California, USA.

Vinoshipper operates a compliance and commerce business platform for producers in the adult beverage industry. Because alcohol sales are subject to statutory reporting requirements in certain jurisdictions, Vinoshipper stores and processes transaction and customer information necessary to support commerce operations and regulatory compliance obligations.

3. Scope

This policy applies to:

  • all employees, contractors, and authorized service providers
  • all company-owned or company-managed systems, devices, applications, and networks
  • all data stored, transmitted, or processed by the company
  • all third parties with authorized access to company systems or company data

4. Governance and Responsibility

Security oversight is the responsibility of the Chief Technology Officer.

Executive Management is responsible for approval of this policy and for supporting the implementation of appropriate security controls across the organization.

Management shall designate a contact point for security-related inquiries and incident reporting. Personnel are responsible for understanding and complying with this policy as a condition of access to company systems and information.

5. Information Security Principles

Confidentiality
Information must be accessible only to authorized individuals and systems.

Integrity
Information must be accurate, complete, and protected against unauthorized alteration or destruction.

Availability
Systems and data must remain available to support legitimate business operations, customer needs, and compliance obligations.

6. Data Protection and Handling

The company shall protect information in a manner appropriate to its sensitivity, business value, and legal or regulatory obligations.

Information handled by the company may include customer identity and contact information, shipping and billing information, order and transaction history, date of birth, age-verification results, merchant or producer account information, regulatory reporting data, and internal company records.

The company shall:

  • limit access to sensitive information to authorized business purposes
  • protect regulated and sensitive data from unauthorized access, disclosure, misuse, or loss
  • retain records as necessary to satisfy legal, regulatory, contractual, and operational requirements
  • securely dispose of information when no longer required, subject to applicable retention obligations

Customer information required for alcohol compliance reporting may be retained and used for those reporting obligations.

The company does not store raw payment card data in its systems. Where payment references are retained, they shall be limited to processor-provided tokenized references or equivalent non-cardholder payment data.

7. Access Control

Access to systems and data shall be governed by the principle of least privilege and assigned according to business role and operational need.

Access control requirements include:

  • unique user accounts for system access
  • role-based or function-based authorization
  • strong authentication requirements
  • multi-factor authentication for administrative, privileged, or otherwise sensitive access where supported
  • prompt removal or modification of access following personnel changes or termination
  • periodic review of privileged and production access

Write access to production systems shall be restricted to authorized engineering or technical personnel. Read-only access to production data or systems may be granted to authorized administrative personnel where required for business operations.

Access to production systems shall be limited to authorized, company-managed devices protected by company security controls.

8. Endpoint and Device Security

Company-managed endpoints used to access company systems or data shall be maintained in accordance with baseline security standards.

These standards shall include:

  • full-disk or equivalent device encryption
  • endpoint protection or anti-malware controls
  • automatic screen locking
  • timely operating system and software patching
  • restricted local administrative privileges
  • inventory and management of company-issued devices

The use of unmanaged personal devices for production access is prohibited unless expressly approved and protected by equivalent controls.

9. Infrastructure and Environment Security

The company shall maintain reasonable administrative, technical, and network safeguards to protect the systems that support its services.

These safeguards shall include:

  • separation of production and non-production environments
  • restricted administrative access to infrastructure and sensitive systems
  • secure baseline configuration for systems and services
  • controlled deployment and change management practices
  • network protections appropriate to the sensitivity and exposure of the service
  • management of vulnerabilities and security patches on supported systems

System architecture, vendor selections, and technical implementations may change over time, but must continue to satisfy the control requirements established by this policy.

10. Encryption and Secret Management

Sensitive information shall be protected in transit and at rest using industry-standard cryptographic protections appropriate to the system and data classification.

The company shall maintain controls to protect:

  • authentication credentials
  • encryption keys
  • API keys
  • secrets, tokens, and other privileged configuration material

Access to such materials shall be limited to authorized personnel and systems.

11. Logging and Monitoring

The company shall maintain logging and monitoring practices sufficient to support operational oversight, security detection, incident investigation, and auditability.

This includes:

  • logging of relevant application, system, administrative, and security events
  • centralized or otherwise controlled retention of logs
  • review of alerts and other monitoring indicators by authorized personnel
  • escalation procedures for suspicious events or potential security incidents

Logs shall be retained for a period appropriate to operational, legal, and investigative needs.

12. Backup and Recovery

The company shall maintain backups of critical systems and data to support recovery from data loss, service disruption, corruption, or security incidents.

Backup controls shall include:

  • regular backup of critical data and systems
  • secure storage and controlled access to backup data
  • retention periods aligned to business, regulatory, and operational requirements
  • the capability to restore critical systems or data following disruption

Backups of critical production data shall be retained in accordance with company retention standards. Critical systems shall be designed to be restorable from backup in the event of service disruption or data loss.

13. Third-Party Risk Management

Third parties that store, process, transmit, or access company data or systems shall be subject to reasonable security review and oversight appropriate to the nature of the service provided.

The company shall:

  • evaluate third-party access and data handling based on business need and risk
  • limit third-party access to the minimum necessary
  • require contractual, technical, or operational protections appropriate to the risk of the service
  • periodically reassess key service providers that support security-sensitive or business-critical functions

14. Security Awareness and Training

Personnel shall receive security awareness guidance and training appropriate to their responsibilities.

Security awareness activities shall address, at a minimum:

  • protection of passwords and credentials
  • phishing and social engineering risks
  • proper handling of sensitive and regulated data
  • acceptable use of company systems
  • incident identification and reporting obligations

15. Incident Response

All personnel must promptly report suspected or actual security incidents through designated internal reporting channels.

The company shall maintain an incident response process that includes:

  • identification and assessment of suspected incidents
  • escalation to appropriate technical and management personnel
  • containment, remediation, and recovery actions
  • documentation of material incidents
  • communication to affected parties as required by law, contract, or business necessity

Where a confirmed incident materially affects partner data, the company shall notify affected partners after confirmation of impact and without undue delay, consistent with legal, contractual, and operational requirements.

16. Compliance and Enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment or contract, revocation of system access, or legal action where appropriate.

Exceptions to this policy must be approved by authorized management and documented where required.

17. Policy Review

This policy shall be reviewed at least annually and updated as needed to reflect changes in company operations, risk profile, legal obligations, and security requirements.
