NETTAXES Privacy Policy

OBJECTIVE

Our objective, in the development and implementation of this
comprehensive Written Information Security Plan (WISP), is to create
effective administrative, technical, and physical safeguards for the protection
of the Personally Identifiable Information (PII) retained by NETTAXES,
(hereinafter known as the Firm). This WISP is to comply with obligations
under the Gramm-Leach-Bliley Act and Federal Trade Commission Financial
Privacy and Safeguards Rules to which the Firm is subject. The WISP sets
forth our procedure for evaluating our electronic and physical methods of
accessing, collecting, storing, using, transmitting, and protecting PII retained
by the Firm. For purposes of this WISP, PII means information containing the
first name and last name or first initial and last name of a Taxpayer, Spouse,
Dependent, or Legal Guardianship person in combination with any of the
following data elements retained by the Firm that relate to Clients, Business
Entities, or Firm Employees:

Social Security number, Date of Birth, or Employment data.
Driver’s license number or state-issued identification card number.
Income data, Tax Filing data, Retirement Plan data, Asset
Ownership data, Investment data.
Financial account number, credit or debit card number, with or
without security code, access code, personal identification number,
or password(s) that permit access to a client’s financial accounts.
E-mail addresses, non-listed phone numbers, and residential or mobile
contact information.

PII shall not include information that is obtained from publicly available
sources such as a Mailing Address or Phone Directory listing; or from federal,
state or local government records lawfully made available to the general
public.

PURPOSE

The purpose of the WISP is to:

Ensure the Security and Confidentiality of all PII retained by the
Firm.
Protect PII against anticipated threats or hazards to the security or
integrity of such information.
Protect against any unauthorized access to or use of PII in a manner
that creates a substantial risk of Identity Theft or Fraudulent or
Harmful use.

SCOPE

Identify reasonably foreseeable internal and external risks to the
security, confidentiality, and/or integrity of any electronic, paper, or
other records containing PII.
Assess the potential damage of these threats, taking into
consideration the sensitivity of the PII.
Evaluate the sufficiency of existing policies, procedures, customer
information systems, and other safeguards in place to control
identified risks.
Design and implement this WISP to place safeguards to minimize
those risks, consistent with the requirements of the Gramm-Leach-Bliley
Act, the Federal Trade Commission Financial Privacy and
Safeguards Rule, and National Institute of Standards and Technology
recommendations.
Regularly monitor and assess the effectiveness of the
aforementioned safeguards.

IDENTIFIED RESPONSIBLE OFFICIALS

NETTAXES has designated ANNETTE VOICE to be the Data Security
Coordinator (hereinafter the DSC). The DSC is the official responsible for the
Firm data security processes and will implement, supervise, and maintain the
WISP. Accordingly, the DSC will be responsible for the following, if
applicable:

Implementing the WISP, including all daily operational protocols.
Verifying all employees have completed recurring Information Security
Plan Training.
Monitoring and testing employee compliance with the plan’s policies
and procedures.
Requiring third-party service providers to implement and maintain
appropriate security measures that comply with this WISP.

NETTAXES has designated ANNETTE VOICE to be the Public Information
Officer (hereinafter the PIO). The PIO will be the firm’s designated public
statement spokesperson. To prevent misunderstandings and hearsay, all
outward-facing communications should be approved through this person who
shall be in charge of the following, if applicable:

All client communications by phone conversation or in writing.

INSIDE THE FIRM RISK MITIGATION

To reduce internal risks to the security, confidentiality, and/or integrity of
any retained electronic, paper, or other records containing PII, the Firm has
implemented mandatory policies and procedures as follows:

PII Collection and Retention Policy

We will only collect the PII of clients, customers, or employees that
is necessary to accomplish our legitimate business needs, while
maintaining compliance with all federal, state, or local regulations.
Access to records containing PII is limited to employees whose
duties, relevant to their job descriptions, constitute a legitimate
need to access said records, and only for job-related purposes.
The DSC will identify and document the locations where PII may be
stored on the Company premises:
O Laptop Computers
O Client Portals
O Online (Web-based) applications
O Portals
Designated written and electronic records containing PII shall be
destroyed or deleted at the earliest opportunity consistent with
business needs or legal retention requirements.
O Paper-based records shall be securely destroyed by shredding
at the end of their service life.
O Electronic records shall be securely destroyed by deleting the
file directory.

Personnel Accountability Policy

No PII will be disclosed without authenticating the receiving party
and without securing written authorization from the individual
whose PII is contained in such disclosure. Access is restricted for
areas in which personal information is stored, including file rooms,
filing cabinets, desks, and computers with access to retained PII. An
escort will accompany all visitors while within any restricted area of
stored PII data.
The Firm will take all possible measures to ensure that employees
are trained to keep all paper and electronic records containing PII
securely on premises at all times. When there is a need to bring
records containing PII offsite, only the minimum information
necessary will be checked out. Records taken offsite will be
returned to the secure storage location as soon as possible. Under
no circumstances will documents, electronic devices, or digital
media containing PII be left unattended in an employee’s car, home,
or in any other potentially insecure location.
All security measures in this WISP shall be reviewed annually,
beginning 2025-02-01 to ensure that the policies contained in the
WISP are adequate and meet all applicable federal and state
regulations. Changes may be made to the WISP at any time they
are warranted. When the WISP is amended, employees will be
informed in writing. The DSC and principal owners of the firm will be
responsible for the review and modification of the WISP, including
any security improvement recommendations from employees,
security consultants, IT contractors, and regulatory sources.
NETTAXES shares Employee PII in the form of employment records,
pension and insurance information, and other information required
of any employer. The Firm may share the PII of our clients with the
state and federal tax authorities, Tax Software Vendor, a
bookkeeping service, a payroll service, a CPA firm, an Enrolled
Agent, legal counsel, and/or business advisors in the normal course
of business for any Tax Preparation firm. Law enforcement and
governmental agencies may also have customer PII shared with
them in order to protect our clients or in the event of a lawfully
executed subpoena. An IT support company may occasionally see
PII in the course of contracted services. Access to PII by these third-party
organizations will be the minimum required to conduct
business. Any third-party service provider that does require access
to information must be compliant with the standards contained in
this WISP at a minimum. The exceptions are tax software vendors
and e-Filing transmitters; and the state and federal tax authorities,
which are already compliant with laws that are stricter than this
WISP requires. These additional requirements are outlined in IRS
Publication 1345.

PII Disclosure Policy

A copy of the WISP will be distributed to all current employees and
to new employees on the beginning dates of their employment. It
will be the employee’s responsibility to acknowledge in writing, by
signing the attached sheet, that he/she/they received a copy of the
WISP and will abide by its provisions. Employees are actively
encouraged to advise the DSC of any activity or operation that
poses risk to the secure retention of PII. If the DSC is the source of
these risks, employees should advise any other Principal or the
Business owner.
The firm will create and establish general Rules of Behavior
and Conduct regarding policies safeguarding PII according to
IRS Pub. 4557 Guidelines.
The Firm will screen the procedures prior to granting new
access to PII for existing employees.
The Firm will conduct Background Checks on new employees
who will have access to retained PII.
The Firm may require non-disclosure agreements for
employees who have access to the PII of any designated client
determined to have highly sensitive data or security concerns
related to their account.
The DSC or designated authorized representative will immediately
train all existing employees on the detailed provisions of the Plan.
All employees will be subject to periodic reviews by the DSC to
ensure compliance.
All employees are responsible for maintaining the privacy and
integrity of the Firm’s retained PII. Any paper records containing PII
are to be secured appropriately when not in use. Employees may
not keep files containing PII open on their desks when they are not
at their desks. Any computer file stored on the company network
containing PII will be password-protected and/or encrypted.
Computers must be locked from access when employees are not at
their desks. At the end of the workday, all files and other records
containing PII will be secured by employees in a manner that is
consistent with the Plan’s rules for protecting the security of PII.
Any employee who willfully discloses PII or fails to comply with
these policies will face immediate disciplinary action up to and
including:
O Verbal warning.
O Written warning.
O Termination of employment.
Terminated employees’ computer access logins and passwords will
be disabled at the time of termination. Physical access to any
documents or resources containing PII will be immediately
discontinued. Terminated employees will be required to surrender
all keys, IDs or access codes or badges, and business cards that
permit access to the firm’s premises or information. Terminated
employees’ remote electronic access to personal information will be
disabled; voicemail access, e-mail access, Internet access, Tax
Software download/update access, accounts and passwords will be
inactivated. The DSC or designee shall maintain a highly secured
master list of all lock combinations, passwords, and keys, and will
determine the need for changes to be

Reportable Event Policy

If there is a Data Security Incident that requires notifications under
the provisions of regulatory laws such as The Gramm-Leach-Bliley
Act, there will be a mandatory post-incident review by the DSC of
the events and actions taken. The DSC will determine if any
changes in operations are required to improve the security of
retained PII for which the Firm is responsible. Records of and
changes or amendments to the Information Security Plan will be
tracked and kept on file as an addendum to this WISP.
The DSC is responsible for maintaining any Data Theft Liability
Insurance, Cyber Theft Insurance Riders, or Legal Counsel on
retainer as deemed prudent and necessary by the principal
ownership of the Firm.
The DSC will also notify the IRS Stakeholder Liaison, and state and
local Law Enforcement Authorities in the event of a Data Security
Incident, coordinating all actions and responses taken by the Firm.
The DSC or person designated by the coordinator shall be the sole
point of contact with any outside organization not related to Law
Enforcement, such as news media, non-client inquiries by other
local firms or businesses and other inquirers.

VI. OUTSIDE THE FIRM RISK MITIGATION

To combat external risks from outside the firm network to the security,
confidentiality, and/or integrity of electronic, paper, or other records
containing PII, and improve, where necessary, the effectiveness of the
current safeguards for limiting such risks, the Firm has implemented the
following policies and procedures.

Network Protection Policy

All system security and software products shall be up to date and
installed on any computer that accesses, stores, or processes PII
data on the Firm’s network. This includes:
O Any Third-Party Devices connected to the network.
O Operating system security patches.
O Anti-virus software.
O Anti-malware software.
O Internet security software.
Secure user authentication protocols will be in place to:
O Control username ID, passwords and Two-Factor
Authentication processes.
O Restrict access to currently active user accounts.
O Require strong passwords in a manner that conforms to
accepted security standards, including:
Upper-case letters.
Lower-case letters.
Numbers.
Special characters.
Twelve or more characters in length.
No common passwords such as “Password” or
“12345.”
O Change all passwords at least every year or more often if
conditions warrant, such as user requests or when there is
evidence of a compromise.
O Unique firm-related passwords must not be used on other
sites, nor personal passwords used for firm business. Firm
passwords will be for access to Firm resources only and not
mixed with personal passwords.
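As an added illustration, not part of the WISP itself, the following Python checks a candidate password against the complexity rules listed above and flags when the annual refresh or a suspected compromise requires a reset. The blocklist entries beyond “Password” and “12345”, and expressing “every year” as 365 days, are this example’s assumptions.

```python
from datetime import date, timedelta
import re

# Thresholds taken from the WISP's password rules.
MIN_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=365)  # "at least every year" (assumed as 365 days)

# Constructed blocklist. The WISP names "Password" and "12345" as examples of
# common passwords; the remaining entries are this example's assumption.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}


def password_violations(pw: str) -> list[str]:
    """Return the WISP complexity rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    # Strip trailing digits/punctuation that are commonly bolted onto a blocked
    # word ("Password1!") so the blocklist still catches the base word.
    lowered = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", lowered) or lowered
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def rotation_due(last_changed: date, today: date, compromise_suspected: bool = False) -> bool:
    """True when the WISP calls for a reset: the annual refresh has elapsed,
    or there is evidence of a compromise (accelerated reset)."""
    return compromise_suspected or (today - last_changed) >= MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample inputs: one compliant password, two non-compliant ones.
    for candidate in ("Correct-Horse-Battery-9", "Password1!", "alllowercaseletters"):
        print(candidate, "->", password_violations(candidate) or "compliant")
    print("rotation due:", rotation_due(date(2025, 1, 13), date(2026, 1, 13)))
```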
All computer systems will be continually monitored for unauthorized
access or unauthorized use of PII data. Event Logging will remain
enabled on all systems containing PII. Review of event logs by the
DSC or IT partner will be scheduled at random intervals not to
exceed 90 days.
The Firm will maintain a firewall between the internet and the
internal private network. This firewall will be secured and
maintained by the Firm’s IT Service Provider. The Firewall will follow
firmware/software updates per vendor recommendations for
security patches. Workstations will also have a software-based
firewall enabled.
Operating System (OS) patches and security updates will be
reviewed and installed continuously. The DSC will conduct a top-down security review at least every 30 days.

Firm User Access Control Policy

The Firm will use 2-Factor Authentication (2FA) for remote login
authentication via a cell phone text message, or an app, such as
Google Authenticator or Duo, and will adhere to Federal Trade
Commission 15 U.S.C. § 6805, Section 314.4(c.5) regarding the
implementation of multi-factor authentication to ensure only
authorized devices can gain remote access to the Firm’s systems.
All users will have unique passwords to the computer network. The
firm will not have any shared passwords or accounts to our
computer systems, internet access, software vendor for product
downloads, and so on. The passwords can be changed by the
individual at any time without disclosure of the password(s) to the
DSC or any other Firm employee.
Passwords will be refreshed every Year at a minimum and more
often if conditions warrant in accordance with the National Institute
of Standards and Technology (NIST) guidelines. The DSC will notify
employees when accelerated password reset is necessary.
If a Password utility program, such as LastPass or Password Safe, is
utilized, the DSC will first confirm that:
O Username and password information is stored on a secure
encrypted site.
O 2-factor authentication of the user is enabled to authenticate
new devices.

Electronic Exchange of PII Policy

It is Firm policy that PII will not be in any unprotected format, such
as e-mailed in plain text, rich text, html, or other e-mail formats
unless encryption or password protection is present.
Passwords MUST be communicated to the receiving party via a
method other than what is used to send the data; such as by phone
call or SMS text message (out of stream from the data sent).
The Firm may use a Password Protected Portal to exchange
documents containing PII upon approval of data security protocols
by the DSC.
MS BitLocker or similar encryption will be used on interface drives,
such as a USB drive, for files containing PII.

Wi-Fi Access Policy

Wireless Access (Wi-Fi) points or nodes, if available, will use strong
encryption.
O Firm Wi-Fi will require a password for access.
All devices with wireless capability will have default factory
passwords changed to Firm-assigned passwords. All default
passwords will be reset, or the device will be disabled from wireless
capability, or the device will be replaced with a non-wireless
capable device. Such devices can include, but are not limited to, the following:
O Printers.
O All-in-one copiers and printers.
O Smart devices such as TVs, refrigerators, and any other
devices with Smart Technology.

Remote Access Policy

The DSC and the Firm’s IT contractor will approve use of Remote
Access utilities for the entire Firm.
Remote access using tools that encrypt both the traffic and the
authentication requests (ID and Password) used will be the standard.
Remote Access will not be available unless the Office is staffed and
systems are monitored.
Remote access will only be allowed using 2-Factor Authentication (2FA)
in addition to username and password authentication.

Connected Devices Policy

Any new devices that connect to the Internal Network will undergo a
thorough security review before they are added to the network.
The Firm will ensure the devices meet all security patch standards and
login and password protocols before they are connected to the
network.
“AutoRun” features for USB ports and optical drives like CD and DVD
drives on network computers and connected devices will be disabled to
prevent malicious programs from self-installing on the Firm’s systems.
The Firm or a certified third-party vendor will erase the hard drives or
memory storage devices the Firm removes from the network at the
end of their respective service lives.
If any memory device is unable to be erased, it will be destroyed by
removing its ability to be connected to any device, or circuitry will be
shorted, or it will be physically rendered unable to produce any
residual data still on the storage device.
The firm runs approved and licensed anti-virus software, which is
updated on all servers continuously. Virus and malware definition
updates are also updated as they are made available. The system is
tested weekly to ensure the protection is current and up to date.

Information Security Training Policy

All employees will be trained on maintaining the privacy and
confidentiality of the Firm’s PII. The DSC will conduct training regarding
the specifics of paper record handling, electronic record handling, and
Firm security procedures at least annually. All new employees will be
trained before PII access is granted, and periodic reviews or refreshers
will be scheduled until all employees are of the same mindset
regarding Information Security. Disciplinary action may be
recommended for any employee who disregards these policies.

IMPLEMENTATION

Effective 2025-01-13, NETTAXES has created this Written Information Security
Plan (WISP) in compliance with regulatory rulings regarding implementation
of a written data security plan found in the Gramm-Leach-Bliley Act and the
Federal Trade Commission Financial Privacy and Safeguards Rules.
