Data Protection And Security Policy
Effective Date: January 1, 2026
Purpose and Policy Objective
This Data Protection and Security Policy establishes the standards and controls used by Afintrix Advisory Analytics LLC (“Afintrix,” “we,” “us,” or “our”) to safeguard information handled in connection with its operations and engagements.
Afintrix is an advisory, analytics, and governance firm providing structured oversight, compliance, and financial analysis support. The objective of this policy is to protect the confidentiality, integrity, and availability of information while supporting lawful use, documentation integrity, and risk management.
Scope of Application
This policy applies to:
- All data created, received, stored, processed, or transmitted by Afintrix
- All employees, contractors, and authorized representatives
- All systems, devices, applications, and storage environments used by the firm
- All client, vendor, personnel, and operational information handled by Afintrix
This policy applies regardless of whether information is maintained in electronic, physical, or other form.
Information Covered
Information subject to this policy may include, but is not limited to:
- Client-provided financial, accounting, or operational records
- Analytical outputs, reports, and working materials
- Personally identifiable information and sensitive data
- Business, governance, and compliance documentation
- Access credentials, system logs, and security-related records
Information is handled strictly within the scope of defined engagements and operational needs.
Data Protection Principles
Afintrix applies the following core data protection principles:
- Lawfulness: Information is collected and used only for legitimate business, compliance, or operational purposes.
- Data Minimization: Collection and use are limited to what is necessary for defined purposes.
- Accuracy: Reasonable steps are taken to maintain data accuracy based on available information.
- Confidentiality: Information is protected against unauthorized access or disclosure.
- Integrity: Safeguards are applied to prevent unauthorized alteration or destruction.
- Availability: Information is maintained so it can be accessed when required for legitimate purposes.
Access Controls
Access to information is restricted based on role, responsibility, and need-to-know principles.
Controls may include:
- Role-based access permissions
- Authentication and credential management
- Segregation of access to sensitive information
- Periodic review of access rights
Access is removed or adjusted promptly when roles change or access is no longer required.
Technical and Administrative Safeguards
Afintrix maintains reasonable administrative, technical, and organizational safeguards designed to protect information, which may include:
- Secure system configuration and maintenance
- Use of encryption or secure transmission methods where appropriate
- Network and endpoint protection controls
- Monitoring for unauthorized access or anomalous activity
- Documented procedures for information handling and storage
Safeguards are implemented in proportion to risk and operational context.
Use of Third Parties
Where third-party service providers support Afintrix operations, reasonable steps are taken to evaluate their data protection practices.
Third parties are permitted to access information only to the extent necessary to perform contracted functions and are expected to maintain appropriate confidentiality and security controls.
Incident Identification
Afintrix maintains procedures to identify, assess, and respond to suspected or confirmed data security incidents.
Response actions may include:
- Containment and mitigation measures
- Assessment of scope and potential impact
- Documentation of findings and response actions
- Notification to affected parties or authorities where required by law
Incident handling is conducted in a controlled and documented manner.
Data Retention and Disposal
Information is retained only for as long as necessary to support operational, legal, regulatory, or documentation requirements.
Retention and disposal practices are governed by the Record Retention and Document Management Policy. Secure disposal methods are used to prevent unauthorized access to discarded information.
Personnel Responsibilities
All personnel with access to information are responsible for:
- Complying with this policy and related procedures
- Protecting information from unauthorized access or disclosure
- Reporting suspected security incidents or control weaknesses
- Using information systems and data responsibly
Failure to comply with this policy may result in disciplinary action.
Policy Review
This policy is reviewed periodically and updated as necessary to reflect changes in legal requirements, risk exposure, technology, or firm operations.
