1. PURPOSE
This Data Protection Policy (the ‘Policy’) is maintained by MISTRNICK LLC dba BACKSTAGE Bookkeeper (‘the Company,’ ‘we,’ or ‘us’) and aims to ensure that the Company complies with all applicable data protection laws and regulations and safeguards the personal data of individuals, including employees, customers, suppliers, and other stakeholders. It outlines the procedures for collecting, processing, storing, and disposing of personal data to ensure its confidentiality, integrity, and security.
2. SCOPE
This policy applies to all employees, contractors, consultants, temporary staff, and other workers at the Company, including all personnel affiliated with third parties. It covers all personal data the Company processes, regardless of the medium (electronic, paper, etc.) or location.
3. DATA PROTECTION PRINCIPLES
We are committed to adhering to the following data protection principles:
Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and transparently regarding the data subject. The purpose of data collection and processing must be clear and communicated to the data subject.
Purpose Limitation
Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in an incompatible manner.
Data Minimization
Only personal data necessary for the purposes for which it is processed should be collected. Data collection should be adequate, relevant, and limited to the information necessary for those purposes.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or deleted without delay.
Storage Limitation
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
Integrity and Confidentiality
Personal data must be processed to ensure its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability
The Company is responsible for and must be able to demonstrate compliance with these data protection principles.
4. LEGAL BASIS FOR DATA PROCESSING
We will only process personal data where there is a legal basis to do so, including:
- Consent: The data subject has given clear consent to process their personal data for a specific purpose.
- Contract: The processing is necessary to perform a contract with the data subject or to take steps at the data subject's request prior to entering into a contract.
- Legal Obligation: The processing is necessary for compliance with a legal obligation to which the Company is subject.
- Legitimate Interests: The processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
- Professional Collaboration: Processing is necessary to coordinate financial data with the Client’s authorized third-party representatives, such as CPAs or tax attorneys, to fulfill the contract.
5. DATA SUBJECT RIGHTS
Data subjects have the following rights regarding their personal data:
- Right to Access: Data subjects can request access to their personal data and obtain a copy of it.
- Right to Rectification: Data subjects can request the correction of inaccurate or incomplete personal data.
- Right to Erasure: Subject to certain conditions and federal/state financial record retention requirements, data subjects have the right to request the deletion of their personal data.
- Right to Restriction of Processing: Under certain conditions, data subjects have the right to request the restriction of the processing of their personal data.
- Right to Data Portability: Data subjects can receive their personal data in a structured, commonly used, and machine-readable format and transfer it to another data controller.
- Right to Object: Data subjects have the right to object to the processing of their personal data in certain circumstances, including processing for direct marketing purposes.
- Right to Withdraw Consent: Data subjects can withdraw their consent to data processing anytime.
6. DATA SECURITY
We are committed to ensuring the security of personal data through the implementation of appropriate technical and organizational measures, including:
- Access Control: Limiting access to personal data to authorized personnel only.
- Encryption: Encrypting personal data both in transit and at rest to protect it from unauthorized access.
- Data Anonymization: Where possible, anonymizing personal data to reduce the risk of identification.
- Regular Audits: Conducting regular audits and assessments of data processing activities to ensure compliance with this policy and data protection laws.
7. DATA BREACH RESPONSE
In the event of a data breach, we will:
- Take immediate steps to contain and mitigate the breach.
- Notify the relevant supervisory authority of the breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
- Communicate the breach to the affected data subjects if it is likely to result in a high risk to their rights and freedoms.
- Conduct a thorough investigation to determine the cause of the breach and implement corrective measures to prevent future incidents.
8. THIRD-PARTY DATA PROCESSORS
We will ensure that any third-party service providers or contractors that process personal data on behalf of the Company adhere to the same data protection standards as set out in this policy. Written agreements will be in place with all third-party data processors to ensure compliance with data protection laws.
9. TRAINING AND AWARENESS
We will provide regular data protection training to all employees, ensuring they understand their responsibilities under this policy and data protection laws. New employees will receive data protection training as part of their onboarding process.
10. COMPLIANCE AND MONITORING
The Security Coordinator (as designated in our Written Information Security Plan) oversees compliance with this policy.
Regular audits and assessments will be conducted to monitor compliance and identify areas for improvement.
Non-compliance with this policy may result in disciplinary action, including termination of employment.
11. REVIEW AND AMENDMENT
This Data Protection Policy will be reviewed annually and updated as necessary to reflect changes in data protection laws, company operations, or best practices. Amendments will be approved by the Company’s principal.