Privacy Policy

As part of our business, we collect and use information from our employees, customers, and business partners that is confidential in nature. It is imperative that we protect and safeguard all confidential information in our possession. This privacy policy lays out our company rules, procedures, and processes for doing this.

Definitions

For purposes of this policy, confidential information includes personally identifiable information about employees or customers, such as social security numbers, driver’s license numbers, birth dates, personal addresses, financial account information (such as bank accounts), phone numbers, medical information, and insurance information.

Scope

All of our employees must respect and comply with this policy as well as any related policies from the Ajinomoto Group. In addition, all employees must also comply with all related legal requirements, including the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), State laws related to confidential information, and the European Union’s General Data Protection Regulation (GDPR).

Role of CEO

Our CEO is responsible for ensuring that our company activities are based on this privacy policy and that all employees are thoroughly informed.

Privacy Officer

Our CEO will appoint a privacy officer. As of the publication of this policy version, our privacy officer is Leora Coleman-Fire, Associate General Counsel, based in Portland, OR. Others may also be appointed to support the privacy officer.

The privacy officer is responsible for the overall implementation and management of our company’s privacy policy and supporting systems and processes, including the following:

1. Developing and implementing overall data privacy and security policies and procedures;
2. Working with company management to ensure compliance with the policies and procedures;
3. Conducting audits to monitor privacy compliance;
4. Ensuring compliance with HIPAA, GDPR, and other laws that apply to the company’s information-gathering functions;
5. Coordinating with the company’s IT group to implement appropriate electronic safeguards to protect confidential information; and
6. Performing any other tasks assigned by our CEO or other relevant management personnel.

Safeguards

The company has implemented the following administrative, physical, and technical safeguards to protect confidential information.

Administrative Safeguards

General

As a company, we can only accept personal confidential information where (i) the information is necessary for us to perform our contracted functions and (ii) the individual has consented. Only employees who need to know confidential information in order to perform their assigned company responsibilities and who have been approved to handle confidential information may have access to confidential information. All of these employees must first receive appropriate training by the privacy officer (or designee) and sign appropriate confidentiality agreements. These employees must ensure that the confidential information they access is only the minimum necessary to accomplish their assigned responsibilities. For example, an individual’s entire file should never be disclosed unless it has been specifically justified and approved by the privacy officer (or designee). The company will limit employees’ access to confidential information in order to avoid unauthorized access.

Training

The company will provide all necessary training to employees to ensure that they are informed and up to date on all privacy policies and procedures. Training will be provided under the direction of the privacy officer. No employee may handle confidential information unless they have been adequately trained. Only trained and authorized employees with a reasonable and demonstrable need to use, disclose, create, receive, maintain or access confidential information will have access to confidential information.

Social Security Numbers

We must be especially careful with the social security numbers of our employees and customers. To this end, we will not:

1. Require individuals to provide social security numbers over the Internet or other computer network unless the connection is secure, the transmission is encrypted, or a password is used;
2. Publicly display or divulge any part of a social security number;
3. Use any part of a social security number as a primary account number or other identifier;
4. Disclose any part of a social security number except as permitted or required by applicable law; or
5. Print any part of a social security number on a receipt or other document issued by the company.

Paper Documents

Wherever possible, we will save personal confidential information in a digital format and not on paper. Paper files containing confidential information must be scanned and saved in an appropriate and protected location as soon as possible after receipt. Paper files that are retained for any reason must be safeguarded while they are being used and kept in a designated locked filing cabinet when they are not being used. Mail personnel must be trained not to access confidential information that comes in the mail. Faxes received or documents printed that contain confidential information may only be handled by trained and approved employees.

Electronic Documents

Electronic documents containing confidential information must be stored in digital locations that require access by password. Employees must log in to the applicable system and application when they need access and log out afterwards.

Authorized Disclosures

From time to time, it may be necessary for us to disclose confidential information to a third party, such as a government agency or insurance company. In these situations, it is imperative that the employee receiving the request provide the request to an employee who is authorized to access and transmit confidential information. Next, this authorized employee must verify that the request comes from an authorized and legitimate source. If it does, the next step is to determine whether the requested disclosure requires authorization per company guidelines and, if so, to obtain the authorization before making the disclosure. All disclosures must be recorded in our company disclosure log.

If an authorized employee intends to use, disclose, create, maintain, store or transmit confidential information regarding individuals in the United States outside of the United States, the employee must first obtain written permission from the privacy officer. Note that the use, disclosure, creation, maintenance, storage or transmittal of confidential information outside of the United States may require written permission from agencies within the United States and additional safeguarding measures. Therefore, access or use of confidential information outside of the United States regarding individuals in the United States is generally prohibited.

Risk Assessment

We will conduct an annual security risk assessment (and more often than that, if needed) to ensure the best protection for our confidential information. Our privacy officer will be responsible for the schedule and content of these assessments.

Vendors & Subcontractors

No confidential information may be disclosed to third-party vendors, suppliers, subcontractors, or other parties unless (i) a determination is made that the disclosure is necessary, (ii) the third party has agreed in writing to strict confidentiality restrictions consistent with those in this privacy policy and any other related requirements in the State where the work is to be performed, and (iii) reasonable steps have been taken to verify that the third party has the capacity to abide by those confidentiality restrictions. Any disclosures to third parties under this section must also be recorded in our official disclosure log.

Physical Safeguards

Our company has a physical security plan for all of our locations at all times. The security plan includes (i) an up-to-date list of all employees and their ID card numbers, (ii) a list of all hardware, storage cabinets, and other locations where confidential information may be stored, and (iii) a process for using and updating this information.

Employees must follow the company’s guidelines for safeguarding workstations. The guidelines (i) allow each workstation to be accessed by only the employee assigned to it, (ii) require a password to access each workstation; and (iii) do not allow access to workstations by visitors.

This privacy policy and the physical safeguards described here apply not only to desktop computers but also to laptops, tablets, cell phones, flash drives, external hard drives, disks, and other hardware or media that can easily be removed from the company premises. Confidential information may only be stored on devices and media that are owned and secured by the company, unless otherwise permitted by the privacy officer.

Technical Safeguards

Confidential information stored on electronic systems and devices must not be accessible without a password. Passwords must be strong and must be changed on at least a quarterly basis.

Our IT department is responsible for implementing and maintaining our electronic systems and procedures to ensure privacy. In coordination with the privacy officer, the IT department will conduct periodic audits to ensure data security and privacy. The IT department will implement a backup process for all data stored by the company. The process should allow the company to continue to conduct business despite the loss or destruction of electronic systems or data and should include storing backup data in off-site, secure locations.

Where required by law, we must encrypt and decrypt confidential information when we send or receive it by electronic transmission.

Security Incident (Breach)

We will work hard to ensure this will never happen, but in the unlikely event of a security breach, the privacy officer and CEO must be notified immediately. Under the direction of the privacy officer, we will (i) identify and respond to the incident, (ii) mitigate harmful effects as much as possible, and (iii) document all steps taken. In some situations, we will be required to report data breaches to the affected individuals and to appropriate government authorities, as determined necessary by the privacy officer.

Record Retention and Destruction

The company will retain confidential information in accordance with the company’s record retention policy.

When the record retention policy requires destruction of confidential information, the privacy and security officers will direct the shredding, erasure, or other destruction of the confidential information. Confidential information will be destroyed in a manner that makes it unreadable or undecipherable prior to discarding it. In the event a vendor is used to provide this service, the company will ensure that the vendor maintains all required government-issued licenses to provide the service.

Sanctions and Enforcement

The failure by a company employee or third-party vendor or subcontractor to follow the specific requirements in this privacy policy or to do anything that could compromise our data security is a serious violation of company policy and could subject the employee to sanctions, up to and including termination of employment or third-party contract. Any employee who is aware of a possible violation of this privacy policy should report it immediately to the privacy officer, the HR director, or to the CEO. All reports will be investigated and appropriate disciplinary procedures will be followed. A violation of this privacy policy that is permitted by law, such as in whistle-blower situations, will not be punished.

Individual Rights

Individuals have the right to request and inspect their own confidential information that is in the company’s possession. Individuals also have the right to request a restriction on the use of their confidential information. In both cases, the individual must submit a request to the company, which will be reviewed and handled as appropriate by the privacy officer. Complaints about how the company handles confidential information may also be submitted to the privacy officer.

190401