REV: 01-13-25 LR

EXHIBIT H
SECURITY POLICY

Data Categorization and Security

Populus exclusively uses Google Cloud for its data storage and processing services. Google Cloud security has both the ISO 27001 and the ISO 27018 certifications. Google Cloud implements software-level measures such as firewalls, layered DMZs, intrusion detection, DOS protection and access management of end-user data. Google also implements hardware-level measures such as hardware provenance, a secure boot stack, and security premises. The use of a single cloud rather than multiple clouds eliminates security breaches that can occur in the transmission of data. Populus received SOC2 Type 2 certification in March 2024.

Populus’s Data Classification Policy categorizes data into four classifications:

1. Sensitive/Restricted Data
2. Confidential Data
3. Internal Use Data
4. Public Data

Data Minimization

Populus encrypts all city data at rest and in transit with controlled access. All authorized users may access aggregated data at any time in the web-based platform. All disaggregated data are stored using Google Storage and are processed to an aggregate form using Google Compute Engine before leaving Google Cloud to transmit to the web and other clients. Populus ingests only location data from GPS traces.

No Personal Information in the form of rider information (i.e. names, contact information) is associated with MDS, CDS, or GBFS, limiting the amount of personal information accessed and stored. All data in Mobility Manager are anonymized and aggregated (five-trip minimum) so that individual trips cannot be identified. Data aggregated by geography includes trip origins, destinations, parking events, vehicle counts (by all available vehicle statuses), and trip routes. In the event an aggregation includes fewer than five (5) events, that aggregation is hidden from users and will not be visible in the dashboard results nor available in the exports or reports.

Populus only stores data necessary to fulfill the use case(s) (data minimization), in compliance with the Mobility Data Specification (MDS) and Curb Data Specification (CDS) privacy policies. MDS APIs allow MDS users to collect only that data which is actually needed.

Data Sharing and Access Limitations

Access to the platform is granted via a permission-based security system to facilitate the protection of potentially sensitive data. Different features of the platform can be made available to users with different levels of access.

ATTY/AGR.2025.005/Populus Technologies, INC (SaaS Agreement) (Page 32 of 34)