BSA SOLUTIONS INC.

Data Protection and Privacy Policy

1 Purpose

The primary purpose of this Data Protection and Privacy Policy is to establish and articulate a comprehensive framework for the handling, protection, and management of personal data within BSA. This policy is crafted to ensure strict adherence to the highest standards of data protection and privacy, in alignment with the requirements of ISO/IEC 27001, an internationally recognized standard for Information Security Management Systems (ISMS), and RA 10173, the Data Privacy Act of 2012, which is the local data protection legislation in the Philippines.


By implementing this policy, BSA aims to protect the personal data of all individuals with whom we interact, including our clients, employees, contractors, and partners. This policy outlines our commitment to ensuring the confidentiality, integrity, and availability of personal data and to upholding the privacy rights of data subjects in a transparent and accountable manner. We also integrate additional standards and best practices pertinent to the Knowledge Process Outsourcing (KPO) industry to enhance our data protection measures and ensure comprehensive compliance.

2 Policy Statement

BSA Solutions, Inc. is fully committed to maintaining the highest standards of data protection, privacy, and information security. In line with Republic Act No. 10173 or the Data Privacy Act of 2012 and guided by the internationally recognized ISO/IEC 27001:2022 standard for Information Security Management Systems (ISMS), this Data Protection and Privacy Policy outlines our obligations, principles, and practices in the collection, processing, protection, and disposal of personal data.


This Policy reflects our commitment to safeguarding the confidentiality, integrity, and availability of information entrusted to us by our employees, clients, partners, service providers, and other stakeholders. We recognize that data privacy and information security are foundational elements of our operations and essential to maintaining stakeholder trust and regulatory compliance.


2.1 Legal and Regulatory Framework
BSA Solutions complies with the Data Privacy Act of 2012, its Implementing Rules and Regulations, as well as any relevant circulars and advisories issued by the National Privacy Commission (NPC). Moreover, our data handling processes are designed in alignment with the controls, policies, and risk management frameworks outlined in ISO/IEC 27001:2022, ensuring a holistic and globally accepted approach to managing information security risks.


2.2 Data Protection Principles
In accordance with RA 10173 and ISO 27001, BSA Solutions adheres to the following principles:
• Lawfulness, Fairness, and Transparency: All personal data is processed in a lawful, fair, and transparent manner, with clear communication to data subjects regarding the scope and purpose of collection.
• Purpose Limitation: Data is collected only for specific, clearly defined, and legitimate business purposes. Further processing for incompatible purposes is not allowed unless additional consent is obtained.
• Data Minimization: Only the minimum personal data necessary for the identified purpose is collected and processed, avoiding excessive or irrelevant information.
• Accuracy: Reasonable steps are taken to ensure that personal data is accurate, complete, and up to date. Any identified inaccuracies are promptly corrected or deleted.
• Storage Limitation: Data is retained only as long as necessary for the fulfillment of its purpose or as required by law. Secure disposal mechanisms are implemented after the retention period lapses.
• Integrity and Confidentiality: Robust technical and organizational measures are enforced to ensure data security, including protection from unauthorized access, unlawful processing, accidental loss, or damage.
• Accountability and Demonstrability: We maintain detailed records of processing activities and continuously evaluate the effectiveness of our data protection controls.


2.3 Adherence to Industry Standards for Data Privacy and Protection
As part of our ongoing commitment to information security, BSA Solutions has implemented an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022. This includes:
• A formalized risk assessment process to identify, evaluate, and mitigate risks to information assets.
• Defined security controls (based on ISO 27001 Annex A) to safeguard data confidentiality, integrity, and availability.
• Periodic internal audits and management reviews to ensure continued compliance and improvement.
• Clear roles and responsibilities for information security throughout the organization.
• A continuous training and awareness program for all employees.
• An established incident management process for breach detection, response, and recovery.

2.4 Collection and Use of Personal Data
We may collect the following categories of personal data:
• Personal identifiers: Full name, contact details, address, date of birth, and government-issued identification numbers.
• Employment information: Job applications, resume data, background checks, payroll, and benefits data.
• Digital data: Website usage, IP addresses, access logs, cookies, and browser information.
• Sensitive personal information: Health data, financial information, or other protected data types when required and lawful.

These are collected directly from data subjects or indirectly via automated means or third-party sources. Data is processed for purposes including:
• Recruitment and employment lifecycle management
• Customer service and business operations
• Website functionality and user experience improvements
• Legal compliance and regulatory reporting
• Internal audit, monitoring, and security operations
• Marketing communications (with consent)

2.5 Data Sharing and Third Parties
BSA Solutions may share personal data with:
• Authorized service providers who process data on our behalf
• Business partners in accordance with lawful and contractual obligations
• Government agencies and regulators, as required by law or lawful order

All third parties are subject to strict data protection obligations through Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs), or binding contractual clauses, aligned with the security controls of ISO/IEC 27001.


2.6 Rights of Data Subjects
Data subjects are entitled to exercise their rights under the Data Privacy Act, which include:
• Right to be informed
• Right to object to processing
• Right to access and obtain a copy of personal data
• Right to rectify errors or outdated data
• Right to erasure or blocking of data
• Right to data portability (where applicable)
• Right to lodge a complaint with the NPC

Requests may be submitted to our Data Protection Officer (DPO) as indicated in Section 11.


2.7 Security Controls and Risk Management
BSA Solutions implements the following controls in line with ISO/IEC 27001:
• Encryption, firewalls, and endpoint protection
• Role-based access controls and authentication protocols
• Regular penetration testing and vulnerability scanning
• Security awareness training for all staff
• Asset management and classification of information
• Business continuity and disaster recovery plans

Security incidents are managed through a structured Incident Response Plan, ensuring containment, mitigation, notification, and corrective action.


2.8 Data Retention and Disposal
Personal data is retained only for the duration necessary to fulfill the lawful purposes for which it was collected, or as mandated by legal or regulatory obligations. Upon expiration of the retention period, data is securely deleted, anonymized, or destroyed using documented disposal procedures.

For inquiries or more details about our policy, please get in touch with:

ISMR: john.fernandez@bsasolutions-inc.com
DPO: dpo@bsasolutions-inc.com


17 MARCH 2026