HGA Confidentiality and Non-Disclosure Policy

Purpose and Scope

This Confidentiality and Non-Disclosure Policy (“Policy”) establishes the requirements for protecting confidential and sensitive information within Humanics Global Advisors (HGA). HGA’s mission as an AI-driven global advisory firm is to connect skilled consultants with development opportunities through a secure digital platform and a success-fee business model. In doing so, HGA handles sensitive personal data, client project information, bid/proposal documents, and other confidential materials that must be safeguarded to maintain trust and comply with legal and ethical standards.

Scope: This Policy applies to all individuals and entities with access to HGA’s information or systems, including but not limited to:

  • HGA employees and internal staff,
  • External consultants engaged by or via HGA,
  • Partner organizations, clients, or donor representatives using HGA’s digital platform or services,
  • Any other authorized users of the HGA Digital Platform (formerly known internally by a different project name).

All such persons are collectively referred to as “Users” or “Authorized Users” under this Policy. Compliance with this Policy is mandatory. Each User must read, understand, and adhere to these rules as a condition of their engagement with HGA. The Policy covers all forms of information (electronic, paper, oral) related to HGA’s business, and it remains in effect at all times, including outside of normal business hours and after a person’s contract or employment with HGA ends. The goal is to protect the confidentiality, integrity, and availability of information assets while enabling HGA’s collaborative, technology-driven operating model.

Definitions

For the purposes of this Policy, the following key terms are defined:

  • Confidential Information: Confidential Information means any non-public information related to HGA or its business partners that is disclosed, learned, or developed in the course of HGA’s operations, and which a reasonable person would understand to be private or proprietary in nature. This includes, without limitation, HGA’s business strategies, financial information (e.g. pricing, fees, margins), client or donor lists and contacts, project opportunities, proposals and bids, internal processes, software code or algorithms, and any proprietary templates or tools used by HGA[1]. It also includes information entrusted to HGA by others: for example, Consultant information (such as personal data in CVs, identification documents, professional references, or any proprietary methodologies a consultant shares with HGA for a project)[2], and Client information (such as project requirements, technical data, reports, records, trade secrets, or any deliverables and work product prepared for a client’s project)[3]. Bid and project materials (including proposals, contracts, and project deliverables prepared for clients) are considered Confidential Information of HGA and/or the client. Information need not be marked “confidential” to be protected; if its nature or the circumstances of access imply it is sensitive, it should be treated as Confidential Information.

Certain standard exceptions apply: Confidential Information does not include information that (a) becomes publicly available without breach of any obligation (e.g. published reports or information released by the owner); (b) was rightfully known or possessed by the receiving party before disclosure by HGA or its clients, as evidenced by written records; (c) is independently obtained from a third party who had the legal right to disclose it without confidentiality restrictions; or (d) is independently developed by a receiving party without use of or reference to HGA’s or a client’s confidential information[4].

  • Personal Data: Personal Data refers to any information that relates to an identified or identifiable individual. This includes, for example, contact details (names, addresses, telephone numbers, email), personal identifiers (date of birth, government ID or social security numbers, passport or tax ID numbers), biographical data (resumes/CVs, educational and work history, certifications, photos), financial account information, and any other data that can be used to identify a person[5]. Personal Data is considered a special category of Confidential Information that requires a high degree of protection. Under this Policy and applicable laws, Personal Data must be handled with strict confidentiality and care, and its use is limited to the purposes for which it was collected. (Note: In some jurisdictions Personal Data may be referred to as “personally identifiable information” or “personal information.” All such terms are encompassed herein.)
  • Authorized Users: Authorized Users are individuals who have been granted access to HGA’s information, network, or digital platforms by virtue of their role or relationship with HGA. This includes HGA employees and contractors, registered consultants using the HGA Digital Platform, approved representatives of client or partner organizations, HGA’s business associates, and any other persons who have been given login credentials or permission to handle HGA data. Authorized Users are only permitted to access information and systems as necessary for their duties (see Section 3 on Access Control) and must be covered by appropriate agreements (employment contracts, consulting agreements, platform user terms, NDAs, etc.) that include confidentiality obligations. Each Authorized User is individually responsible for safeguarding the credentials and data entrusted to them.
  • HGA Digital Platform (“the Platform”): The secure online platform provided by HGA that enables consultants, organizations (clients/donors), and HGA staff to collaborate on consulting opportunities and projects. Users of the Platform can create and manage consultant profiles, post and apply for consultancy listings, exchange communications, store project documents, and track deliverables and payments in a centralized system[6][7]. The HGA Digital Platform incorporates advanced features such as AI-driven matching of consultants to opportunities (including automated generation of tailored resumes and applications) and robust security controls. All data on the Platform is hosted in a secure environment with encryption, authentication, and audit logging (see Section 6 Security Controls). Use of the Platform is subject to this Policy and any applicable Terms of Use. (Note: The Platform was previously referred to under a development codename; this Policy will only refer to it as the HGA Digital Platform.)

Other definitions: In this Policy, “HGA” or the “Company” refers to Humanics Global Advisors (and its affiliated entities), and “Users” refers collectively to all persons within scope of this Policy. The term “information” may encompass data in any form, including oral discussions. “Systems” or “IT systems” refers to HGA’s computers, network, cloud services, communication tools, and the HGA Digital Platform itself. “Policy Administrator” is the HGA management designee responsible for this Policy (e.g. Data Protection Officer or Security Officer).

Access Control and Authorized Use

HGA restricts access to Confidential Information strictly to Authorized Users on a need-to-know basis.

Role-Based Access Control (RBAC): Access rights are granted according to each user’s role and responsibilities in the organization or project. The HGA Digital Platform and other systems implement RBAC so that users (e.g. Consultants, Organization representatives, various HGA staff roles) can only view or interact with information relevant to their role[8]. For example, a consultant user will have access to their own profile data and relevant project application information, but not to other consultants’ private data; a client organization user may see the proposals submitted to their project listing, but not projects of other organizations; internal HGA managers have administrative access as needed to coordinate projects, but each such access is governed by least privilege.

User Authentication: All Authorized Users must use unique credentials to access HGA systems. Sharing of login credentials (user IDs, passwords, authentication tokens) is strictly prohibited. The Platform and other key systems utilize Multi-Factor Authentication (MFA) to enhance security[9]. Users are required to follow HGA’s authentication procedures, which include choosing strong passwords/passphrases, protecting those passwords from disclosure, and periodically updating passwords if prompted or required. MFA (such as one-time codes sent to devices or an authenticator app) must be enabled where available; users shall not attempt to disable or bypass MFA requirements.

Account Security: Users are responsible for all activities performed under their accounts. They must log out or lock their sessions when leaving a device unattended. If any User suspects that their account credentials have been compromised (e.g. a lost/stolen laptop or phone, suspected password leak, anomalous account activity) or detects any unauthorized access to systems, they must immediately notify HGA’s IT Security team or management so that the account can be locked or passwords reset. HGA may issue company-managed devices or security tokens to certain users; any such devices or tokens should be safeguarded and not shared.

Need-to-Know and Least Privilege: Users should access only the minimum amount of information necessary to perform their job duties or project tasks. It is a violation of this Policy to attempt to access data or systems that you are not authorized to view. HGA’s system administrators will maintain user access profiles and promptly revoke or adjust access when a person’s role changes or when they no longer require access. For example, when a consultant’s engagement ends, or an employee leaves HGA, or a partner user’s project is completed, HGA will terminate their platform account and any other access rights. The individual must not attempt to access the Platform or retain confidential data thereafter (see Section 9 on Data Return/Deletion).

Monitoring of Access: Access to HGA’s digital systems is logged. The Company may monitor usage of its systems and network (in accordance with applicable law) to detect unauthorized activities, troubleshoot issues, ensure compliance with this Policy, and protect security. Users should be aware that there is no expectation of privacy when using company-provided systems for communications or data storage, aside from the privacy of personal data which HGA protects as described in this Policy. Any monitoring will be done in compliance with legal requirements and solely for legitimate purposes (such as detecting breaches or investigating suspected misconduct).

Handling and Storage of Confidential Information

All Users are obligated to handle Confidential Information with the utmost care to prevent unauthorized disclosure, theft, or misuse. The following principles and practices must be observed when dealing with HGA-related information:

  • Use for Intended Purpose Only: Confidential Information may only be used for the legitimate business purpose for which it was provided or obtained, and only within the scope of a User’s role at HGA[10]. For example, if a consultant receives client data as part of a project, they must use it only for that project’s work and not for any personal or outside purposes. Users shall not exploit Confidential Information for personal gain or for the benefit of any third party outside of HGA’s authorized business activities.
  • No Unauthorized Sharing: Users shall not disclose or release Confidential Information to any person or entity who is not an Authorized User with a legitimate need to know that information. Even within HGA or a project team, share confidential data only with those team members or colleagues who require it for their duties, and ensure they are aware the information is confidential. If you are unsure whether someone has the right to access certain information, consult a supervisor or the Policy Administrator before sharing. In particular, client information should not be shared with other clients or consultants outside the project, and consultant personal information (like CVs, references) should not be shared outside of HGA and the specific client engagement where it’s needed.
  • Third-Party Confidentiality: In cases where an Authorized User needs to involve a third party who is not already under agreement with HGA (for example, a consultant engages a subcontractor or assistant, or a partner organization involves a subcontractor on a project), prior written approval from HGA is required. Any such approved third party must sign a confidentiality or non-disclosure agreement that is at least as stringent as this Policy before being given access to HGA or client information[11]. The primary User remains responsible for ensuring the third party upholds confidentiality. Unauthorized subcontracting or sharing of data with external parties is prohibited.
  • Care in Storage (Electronic): All electronic Confidential Information should be stored only on HGA-approved secure systems. This includes the HGA Digital Platform itself (which provides secure document storage for project materials) and any HGA-managed cloud storage or document management systems. Users should avoid downloading or saving sensitive files to unapproved locations. Do not use personal cloud storage accounts or consumer file-sharing services (e.g. personal Dropbox, Google Drive, personal email) to store or transfer HGA or client documents. If there is a business need to use an external storage or transfer method, it must be reviewed and authorized by HGA’s IT/Security team in advance. All HGA-managed storage solutions employ access controls and encryption to protect data (for example, documents uploaded to the HGA Platform are stored in secure Amazon S3 buckets with encryption at rest and strict access permissions[12]).
  • Care in Storage (Physical): Printed documents or physical media (USB drives, notebooks, etc.) containing Confidential Information must be secured from unauthorized access. Keep such materials in a locked file cabinet, desk, or office when not in use. Do not leave sensitive documents out in the open where others could read them, especially in shared workspaces or public areas. When traveling, keep physical documents and electronic devices with you or locked away; never leave them unattended in cars, hotel rooms, or other unsecured locations. If mailing or shipping confidential physical items, use trusted couriers and consider tracking or encryption as appropriate.
  • Handling Personal Data: Because Personal Data is highly sensitive, extra precautions should be taken (see also Section 5 on transmission security and Section 9 on retention). Avoid unnecessary copying or distribution of documents containing Personal Data (for example, a consultant’s passport copy or a client’s employee list). Such data should remain within HGA’s secure systems. If you must temporarily download or print Personal Data (e.g. to review a CV), ensure it is not accessible to others and securely delete or destroy it when finished. Personal Data should never be posted in public forums or channels and must not be included in communications unless absolutely necessary and sent via secure means.
  • Degree of Care: Users must protect Confidential Information using at least the same degree of care as they would protect their own sensitive information of a similar nature, and in no event less than a reasonable standard of care[13]. This means being vigilant and proactive: for example, using strong passwords on your devices, not writing down passwords where they can be found, being aware of who might overhear a conversation, and generally thinking about potential risks to the data. If you are handling especially sensitive information (e.g. a client’s trade secrets or a large dataset of personal details), consider what additional protections might be warranted (such as storing it in an encrypted form, or splitting information so that identifying details are separate from other data).
  • Proprietary Tools and Methods: If you are given access to HGA’s proprietary tools, software, algorithms (including any AI systems on the Platform), or databases, these are part of HGA’s Confidential Information. You must not attempt to copy, reverse engineer, or extract such proprietary content for use outside of HGA. Likewise, any proprietary methodologies or know-how that a consultant or partner shares with HGA in a project must be handled as confidential and not divulged or used beyond the agreed scope without permission.

In summary, treat all HGA-related information as confidential unless you are certain it is public. When in doubt, err on the side of caution and consult an HGA manager before any disclosure. The obligations in this section apply to information in all formats and media.

Secure Communication and Data Transmission

When transmitting or discussing Confidential Information, Users must ensure that appropriate security measures are in place.

Electronic Transmission: All digital communications of sensitive data should be done through secure channels. HGA’s systems are configured so that data transmitted over networks is protected using encryption (for example, the HGA Platform and email systems use SSL/TLS encryption for data in transit)[14]. Users should utilize HGA-provided communication tools wherever possible, as these are designed to be secure.

Email: If you have an official HGA email account, use it for all business communications. HGA’s email system supports encrypted transmission (TLS) between servers and is monitored for security. Do not forward HGA emails or attachments to personal email accounts or other unauthorized recipients. If you must send Confidential Information via email to someone outside the HGA network (e.g. to a client’s email), double-check the recipient’s address, include only the minimum necessary information, and consider using additional protection for highly sensitive attachments (such as password-protected files or encryption tools). The password for any protected file should be communicated via a different channel or by phone, not in the same email. Users should not use personal email addresses for HGA business unless explicitly authorized, and even then, the above security precautions apply.

Internal Messaging and Platform Communication: The HGA Digital Platform includes an internal messaging system and notification features for communication between consultants, HGA staff, and client organizations[15]. Users are encouraged to use this platform messaging for project-related communications, as it keeps the conversation within a secure environment and automatically ties it to the relevant project record. Treat platform messages with the same care as email – do not share screenshots or content of internal messages outside authorized circles. Remember that all messages on the platform are subject to confidentiality; even if you perceive a message to be informal, it may contain sensitive information (e.g. discussion of a client’s requirements or a consultant’s rate).

Encrypted File Transfers: For large files or when a higher level of security is needed (e.g. transferring a database of Personal Data or a draft contract with sensitive terms), consult HGA’s IT team about using an approved secure file transfer service. HGA may provide secure FTP, an encrypted file-sharing link, or a collaboration platform with access control. Never use public file-sharing links (like open Google Drive links or Dropbox public folders) for confidential files unless they are properly restricted (e.g. link is access-controlled to specific users and password-protected).

Voice and Video Communications: When discussing confidential matters via phone, video conference, or in person, ensure that the conversation cannot be overheard by unauthorized individuals. Use private meeting rooms or headsets as needed. For conference calls, verify the participants and use provided passcodes. Many web conferencing tools offer features like meeting passwords or locked meetings – utilize these for sensitive discussions. Do not record meetings or calls that involve confidential discussions unless there is a legitimate need and you have prior permission from HGA management and any external participants. If a meeting is recorded (audio or video), that recording becomes Confidential Information and must be stored securely and shared only as necessary.

Public Networks and Remote Access: Exercise caution when accessing HGA systems from public or untrusted networks (such as airport or café Wi-Fi). Ideally, use a Virtual Private Network (VPN) or secure remote access tool provided by HGA to create an encrypted tunnel for your traffic if you must use such networks. Many of HGA’s web services already enforce encryption (as noted above), but a VPN adds an extra layer of security and can protect against certain local network attacks. If a VPN is not available, avoid accessing particularly sensitive content until you are on a trusted network. Never access HGA systems from a public computer (such as a library or kiosk) where you cannot be sure of the device’s integrity.

Social Engineering and Phishing: Be vigilant for attempts by unauthorized persons to trick you into divulging confidential information. This could come as phone calls, emails, or messages pretending to be from HGA colleagues, clients, or tech support (phishing). Always verify suspicious requests through a known channel – for example, if you get an email asking for sensitive data or password reset that seems odd, contact the supposed sender via phone or separate email to confirm. HGA will provide periodic security awareness training on these topics, and Users are expected to apply that training (e.g. recognizing phishing emails and reporting them)[16]. Never send passwords or sensitive personal data in plaintext emails. If you receive a suspicious communication about HGA information, report it to the IT/Security team.

Avoiding Inadvertent Disclosures: Do not discuss confidential HGA matters in public places (e.g. elevators, airports, social events) where you might be overheard. Similarly, be careful with screen sharing or projecting information in meetings – ensure only authorized people can see the screen. When using collaboration tools (like shared online documents or Slack/Teams chats), ensure that only intended team members have access to the workspace. Double-check email recipients and file share settings to prevent accidental exposure to outsiders.

By following these guidelines for secure communications, Users help ensure that Confidential Information remains protected during transmission. If you are unsure of the best way to send or discuss certain information securely, seek advice from the IT/Security team. Security measures (like encryption) are most effective when combined with user vigilance and good judgment.

Use of the HGA Digital Platform

All Users of the HGA Digital Platform must adhere to the platform’s usage guidelines, which are designed to protect data and ensure fair, productive use of the system. The Platform is a central repository of sensitive information (consultant profiles with personal data, client project details, automated application materials, contracts, etc.), so the following rules apply:

  • Authorized Access Only: Only registered and authorized Users may log in to the Platform. Each User must only use their own account and credentials – never attempt to use another user’s account. Do not share your Platform password or MFA device with anyone (see Section 3). If you require a colleague to perform tasks on your behalf, proper delegated access must be set up by HGA (if available) or the tasks should be reassigned; never give out your login information. Likewise, do not use scraping tools, automated bots, or any technology to access data in the Platform beyond the provided user interface and API (if one is provided for legitimate use). Any form of hacking, penetration testing, or vulnerability scanning of the Platform by users is strictly prohibited (HGA will conduct its own security testing internally or via authorized third parties).
  • User Roles and Data Visibility: The Platform is structured by user roles (Consultant, Organization, various HGA staff roles)[17]. Users should respect these role boundaries. For example, if you are a consultant, you might see project listings and be able to apply, but you should not try to access other consultants’ data or internal HGA modules. If you find that you have access to information you believe you should not be able to see (e.g., a client user can see another client’s project), you must immediately stop and report this to HGA – accessing data due to a system oversight is still unauthorized if it’s not intended for your role. HGA will periodically review role permissions to maintain least privilege access.
  • Data Input Accuracy and Integrity: Users are responsible for the accuracy and appropriateness of the data they enter into the Platform. For consultants, this means keeping your profile and documents truthful and up-to-date (false information can create security and reputation risks). For client/organization users, ensure that project listings or any data you upload do not violate any third-party rights or confidentiality – e.g., do not upload documents to the Platform that your organization considers confidential unless it is necessary for the consulting opportunity, and if you do, recognize those become accessible to HGA under this Policy (HGA will treat them as your Confidential Information). Do not use the Platform to store or transmit content that is unrelated to HGA’s business (no personal files, unrelated media, etc.), and certainly no illegal or malicious content.
  • AI-Generated Content and Usage: The Platform may utilize an AI Agent to assist in matching consultants to projects and generating application materials (like tailored CVs, cover letters, and emails)[18]. These AI-driven outputs are based on the data provided by users (consultant profiles, job listings, etc.) and are considered Confidential Information. Consultants should, when possible, review AI-generated applications submitted on their behalf to ensure they are comfortable with the content. All Users must treat AI-generated documents (resumes, proposals, etc.) the same as any other confidential proposal material – they are for the use of the intended client and involved parties only. Users are prohibited from using HGA’s AI features to process or extract data in a way that violates confidentiality (for example, one should not attempt to prompt the AI to reveal information about other consultants or projects that one is not authorized to see). The AI system’s algorithms and configurations are proprietary to HGA; tampering with or reverse engineering the AI features is forbidden.
  • Platform Communications: Communications through the Platform (messages, comments on project listings, support tickets, etc.) should remain professional and within the scope of project work. Do not post any Confidential Information in areas of the Platform that are public or visible to unauthorized users. Generally, the Platform is designed so that only involved parties see each communication, but always double-check recipient lists (for example, when sending a message, ensure it’s going to the intended user or group). The Platform’s support module is available for technical or administrative help – when using it, you may describe an issue but do not include unnecessary confidential details in a support ticket (support staff will have access to your account context as needed). HGA support staff handling tickets are themselves bound by confidentiality.
  • Downloads and External Use: If you download any documents or data from the Platform (for example, a consultant downloading a client contract, or a client downloading a consultant’s CV or a deliverable), you become responsible for protecting that downloaded copy under this Policy. The Platform logs document access and downloads for security[19]. Do not download documents unless needed, and after use, either securely delete them or store them in an approved secure location. For client users: any consultant information (CVs, proposals) downloaded should only be used for the purpose of evaluating and onboarding that consultant for your project and should not be shared outside your organization’s relevant team. For consultants: any client files (terms of reference, contracts, data sets) downloaded should be used only for executing that project and must not be retained beyond the project’s needs. In all cases, avoid transferring files from the Platform via unapproved means (e.g., don’t take a screenshot of a private profile to send to someone outside the Platform).
  • System Misuse: The HGA Digital Platform must not be used to engage in any activity that could harm the security or integrity of the system or the data it contains. Prohibited misuse includes attempting to introduce malware, viruses, or malicious code; attempting to manipulate financial transactions or records; sending spam or unauthorized communications to other users; or performing actions that degrade the system’s performance for others (such as automated excessive data requests). The Platform’s financial tools must be used honestly and accurately – any attempt to falsify invoices, payments or to circumvent the success-fee model is a serious violation. The system is monitored for unusual activity[20], and HGA reserves the right to suspend account access if misuse is detected, pending investigation.
  • Compliance with Platform Terms: Users may be required to agree to specific Terms of Service or User Agreements when using the Platform. This Policy is intended to be consistent with and complementary to any such terms. In case of any conflict, the stricter provision (from either this Policy or the Platform terms) will generally apply to ensure maximum protection of information. The Platform’s terms may include additional details on acceptable use, intellectual property rights, etc., which users must follow. Remember that by using the Platform, you are effectively agreeing to abide by HGA’s confidentiality and data protection rules, even if you are not directly an HGA employee (consultants, partners, and clients using the system are all within the scope as Authorized Users).

In summary, the HGA Digital Platform is a powerful tool that underpins HGA’s operations, and its proper use is essential to maintaining confidentiality and trust. By following these rules, users help ensure that the Platform remains a secure environment for collaboration between consultants, HGA, and client organizations.

Use of Email and Document Storage Systems

Beyond the HGA Platform, Users often rely on email and other document storage or collaboration tools to conduct business. The following rules govern the use of these systems in a manner consistent with our confidentiality obligations:

  • Official Email Use: HGA provides corporate email accounts to employees and certain contractors. These accounts (typically ending in an HGA domain) should be used for all HGA-related correspondence. Using official email ensures that communications are secured, archived, and accessible for compliance as needed. Do not use personal email addresses (Gmail, Yahoo, etc.) for business matters involving Confidential Information. If a consultant or partner does not have an HGA-issued email, they should take care to use their business-affiliated email (if any) and to implement security measures (like strong passwords and enabling encryption options) on their email accounts. Never configure an HGA email account to auto-forward to a personal account, as this could result in HGA losing control over the data. HGA’s IT team may actively block automatic forwarding rules to external domains for security.
  • Email Confidentiality Notices: HGA email signatures may include a confidentiality notice. While such notices themselves do not guarantee protection, they serve to remind recipients that the content may be confidential. Users should still use discretion — do not assume that adding a disclaimer allows free sharing of sensitive info. Always verify recipients before sending: double-check email addresses, especially when sending to mailing lists or external domains, to avoid misdirected emails. If you realize you sent an email with Confidential Information to the wrong party, notify HGA Security immediately (so we can attempt remediation) and inform your supervisor; do not just recall the message and ignore the incident.
  • Secure Email Practices: Use the email encryption features available. For highly sensitive information, HGA can provide encrypted email solutions or you can encrypt attachments as noted in Section 5. If you need to send a password or access token to someone, never send it in the same email as the link or file it protects. Consider using a phone call or an SMS for the password, or sending it in a separate email if absolutely necessary (and in that case, mention it vaguely, e.g., “The password is the project code plus 99” rather than writing it explicitly).
  • Avoid Unapproved Communication Channels: Do not use messaging apps (WhatsApp, WeChat, Telegram, etc.) or social media to conduct official HGA business or to share Confidential Information, unless HGA has expressly approved a channel as secure and necessary. While we recognize that consultants and team members may sometimes communicate through convenient channels, any substantive transfer of documents or discussions of sensitive details should be moved to official channels (email, Platform messaging, or a recorded call). If you do use a messaging app for a quick discussion (e.g. to arrange a meeting), avoid detailed confidential specifics and ensure that the app has end-to-end encryption and that you are messaging the correct person. In no case should you create group chats or forums on external apps to discuss HGA projects without management approval.
  • Document Management Systems: HGA may utilize secure document management systems (such as an internal SharePoint site, Google Workspace/Drive with enterprise controls, or other cloud collaboration tools) for storing and collaborating on documents outside of the main Platform. When using any such system, follow the access permissions as configured – do not attempt to broaden access to documents unless it is for authorized colleagues. For instance, if a folder is shared with only your project team, do not re-share individual files from it to people outside the team without permission. If you need to collaborate with someone new, ask the document owner or IT admin to grant proper access rather than sharing copies. Always prefer to use links with access control (where the recipient must log in) over sending file attachments, since links can be centrally revoked if needed. Ensure that any sync clients (like OneDrive, Google Drive backup, etc.) on your device are themselves secured (the device is not shared, and has a login).
  • Local Storage and Backups: Avoid storing HGA Confidential Information on the local hard drive of personal computers or unencrypted USB drives. If you must do so (for example, working offline on a document), ensure your device is encrypted (see Section 8 on Device Security) and move the file back to the secure server or Platform as soon as feasible, then wipe the local copy. Do not leave copies in “Downloads” folders or recycle bins. If you back up data, use only IT-approved backup solutions – never back up HGA data to personal backup services. Note that HGA’s IT department performs regular backups of central systems[21], so there is rarely a need for users to create their own separate backups of emails or shared drive content. If you are worried about preserving something, contact IT rather than saving extra copies.
  • Printing and Physical Documents: Only print confidential documents if absolutely necessary. Collect printouts immediately from printers, and use secure print functions (where you enter a code at the printer to release the job) if available, especially for printers in shared offices. Be mindful of printer logs and output trays – leaving a confidential report on a printer could expose it. If you prepare physical reports or binders for a client, clearly mark them “CONFIDENTIAL” and seal them during transit. Keep a record of how many copies exist and retrieve them at the end of the meeting if possible. Physical documents should be returned to HGA for secure storage or shredding when no longer needed (see Section 9 on Destruction).
  • Email and Data Retention: While Section 9 details retention, note that email servers and document systems often auto-archive or delete older items as per policy. Users should not attempt to circumvent these retention settings by storing data offline or in personal locations. If something needs to be retained longer for legal reasons, notify management – don’t just squirrel away a copy. Conversely, do not delete or purge business emails and files in an attempt to hide them; records must be kept in compliance with retention rules and potential legal holds. If you receive a notice to preserve documents (for litigation or investigation), strictly follow it.

In essence, treat email and document systems as an extension of HGA’s controlled environment. Be disciplined in how you share and store files. When in doubt, consult IT or a manager about the proper way to handle a particular communication or document. By using only approved channels and being careful with how we disseminate information, we reduce the risk of a confidentiality breach.

Device Security Requirements

Every device used to access HGA’s systems or to store HGA-related information must be secured in line with industry best practices. This applies to company-issued equipment as well as personal devices used for work (Bring Your Own Device, BYOD), if any are authorized. Key requirements include:

  • Authentication and Locking: Devices such as laptops, desktops, tablets, and smartphones must be protected by a password, PIN, or biometric lock (fingerprint, facial recognition) such that unauthorized persons cannot easily access them. Configure devices to automatically lock after a short period of inactivity (e.g., 5-15 minutes for computers, 1-2 minutes for mobile devices). Users should manually lock their device (Windows: Win+L, Mac: Ctrl+Cmd+Q, or simply close the laptop lid) whenever stepping away. Use strong passwords/passcodes for device logins — not simple or easily guessable ones (no “1234” PINs or “password” passwords). Where available, enable full-disk encryption (most modern laptops and phones have this by default with the OS password; ensure it’s turned on).
  • Antivirus and Updates: Keep all devices updated with the latest security patches and antivirus/anti-malware software. For HGA-issued devices, the IT department will typically manage updates and antivirus centrally – do not ignore or delay system update prompts. For personal devices approved for use, you are responsible for ensuring updates for the operating system and critical apps are promptly installed. Running an antivirus solution and performing regular scans is required on computers. Do not jailbreak or root phones/tablets as that compromises built-in security. Allow HGA’s mobile device management (MDM) profile or software to be installed if required; this helps enforce security settings and allows remote wipe in case of loss (for BYOD, HGA will only manage company data, not your personal content).
  • Physical Safeguards: Prevent theft or loss of devices. When traveling or in public places, never leave a laptop bag or phone unattended. Use cable locks for laptops in insecure locations if you must leave them (e.g., in a conference room during a break). Do not put devices in checked luggage. If staying at a hotel, consider using the room safe for portable devices or at least for external storage media. Avoid letting others (even family or friends) use your work devices, as they might accidentally access something or introduce malware. For desktop computers in offices, log out or lock the screen when not in use; offices should be locked when unattended if sensitive info is present.
  • Secure Connections: As mentioned in Section 5, ensure network connections are secure. Use VPN on laptops when not on a trusted network. Turn off features like Bluetooth, Wi-Fi, or file sharing on your device when they are not needed, to reduce attack surface. For mobile devices, be cautious of connecting to unknown charging stations or computers (USB charging can sometimes allow data transfer – use “charge only” mode or a USB data blocker if available).
  • Data Storage on Devices: Only keep Confidential Information on a device as long as needed. If your device has removable media (USB drives, external hard drives, SD cards), ensure those are encrypted or password-protected if they contain sensitive data. Label devices with contact info or an “If found, call/email…” message if possible, to aid recovery if lost. Use tracking and remote wipe features on mobile devices (e.g., Find My iPhone/Android) and on laptops if available. HGA’s IT can initiate a remote wipe on company devices; for personal devices with company email, note that connecting to our Exchange server may give us the right to wipe the synced data in case of loss.
  • No Unauthorized Software or Configuration: Do not install unapproved software, especially those that could access or transmit data (e.g., cloud storage sync tools, peer-to-peer file sharing, remote control software) without clearance. Also avoid browser extensions or mobile apps that are not trusted, as they might scrape data. Follow any IT policies on what software is allowed/prohibited. If you need a tool, request it through IT channels. Similarly, do not alter security settings set by IT (e.g., don’t disable the firewall, don’t turn off antivirus, don’t change group policy settings on company machines). For personal devices, at least ensure a personal firewall is on and default security settings are not weakened.
  • Incident Response for Devices: If your device (or any storage media) that contains HGA information is lost, stolen, or you suspect it’s been compromised by malware or hacking, you must report this to HGA IT/Security immediately. Time is of the essence for lost devices – if reported quickly, we might remotely lock or wipe the device before someone accesses it. Delay in reporting could result in a serious data breach. When reporting, provide as much detail as possible (what device, what data might be on it, when/where it was lost, any backup of data available, etc.). HGA will not penalize a user for promptly reporting an accidental loss; our primary goal is to secure the data. However, failure to report or negligence in device care could lead to disciplinary action.
  • Personal Device Use: If you use your personal laptop or phone for any HGA business (which should only be done with permission and if your role is such that HGA doesn’t provide a device), you must still abide by all these security measures. Understand that HGA may require you to install certain security software or configurations. If this is unacceptable, you should request a dedicated device from HGA rather than use your own. HGA reserves the right to enforce security compliance on any device handling its data. This could include periodic inspections or requiring evidence of compliance (like showing that encryption is enabled). If a personal device cannot meet HGA’s security requirements, it must not be used for HGA work.

In summary, a chain is only as strong as its weakest link – an unsecured device can be an easy entry point for data breaches. By following these device management practices, Users help protect not just their own device, but the entire network and data ecosystem of HGA. Remember, even the most robust server encryption is defeated if someone can simply open your unlocked laptop or if malware on your phone screenshots confidential messages. Be proactive and conscientious in how you manage your work devices.

Data Retention and Destruction

HGA is committed to retaining data only for as long as necessary for business purposes or to meet legal and compliance requirements, and to disposing of data securely once retention is no longer required. This section outlines how Users should manage the retention and disposal of Confidential Information and Personal Data:

  • Retention Periods: Different categories of data may have different retention requirements. As a general policy, business and project records (contracts, proposals, deliverables, communications) are retained for at least the duration of the project or engagement and for some period afterward (often several years) to satisfy potential legal, contractual, or operational needs. Specific retention schedules may be defined in HGA’s records management guidelines. For example, ordinary Confidential Information (that is not Personal Data or a trade secret) might be retained for a certain number of years after a project ends; by contrast, Personal Data and certain highly sensitive information may have shorter retention if not needed, but their confidentiality obligations last indefinitely[22]. HGA will align retention with principles of data minimization – we aim not to keep Personal Data longer than necessary for the purpose it was collected, unless required by law or legitimate interests (such as defending a legal claim).
  • Personal Data and Right to Erasure: In compliance with global privacy best practices (e.g. GDPR’s “right to be forgotten”), HGA will honor requests from individuals to delete their Personal Data when applicable, provided that the data is not required to be retained by HGA for legal or contractual reasons[23]. For instance, a consultant who is no longer engaged may request removal of their profile data from the Platform; HGA will evaluate and if no overriding need exists, will erase or anonymize that data. However, certain records (like payment transactions or contracts with that consultant’s name) might need to be kept for financial or legal record-keeping. Those will be retained securely for the required period but still protected as confidential. All Users must cooperate with HGA in fulfilling data subject rights requests—meaning, if you receive a request from an HGA client or data subject to access or delete data, forward it to the Data Protection Officer; do not delete data on your own without authorization.
  • Secure Disposal: When information is no longer needed, it must be disposed of in a secure manner that prevents any reconstruction or retrieval of sensitive data. For electronic data, simply hitting “Delete” is often insufficient (since data can linger in backups or be forensically recovered). Instead:
    – Use approved data wiping tools or processes for electronic files. HGA’s IT team can assist in properly deleting digital records (for example, by overwriting or shredding files). Many systems have secure delete functions or HGA may implement automatic deletion after a retention period.
    – When decommissioning storage media (hard drives, SSDs, USB sticks) that contained Confidential Information, they must be securely erased (multiple overwrite or cryptographic wipe) or physically destroyed. HGA typically follows NIST or DoD guidelines for media sanitization.
    – For cloud-based data, ensure that deletion is complete (data is not retained in trash folders beyond the allowed time). Where cloud providers retain backups, HGA will rely on their data lifecycle practices, and such residual backup copies remain subject to confidentiality until they are automatically overwritten.
    – For physical documents: use a cross-cut shredder or a professional shredding service to destroy paper records. Do not throw confidential papers directly into trash or recycling bins un-shredded. CDs, DVDs, or other physical media should be shredded or defaced (for example, by drilling holes in them) before disposal.
  • Return of Information: In many cases, especially with external consultants or partner organizations, HGA may request that all confidential materials be returned or deleted at the end of an engagement. Upon the conclusion of a project, contract, or upon an individual’s separation from HGA, the individual must promptly return all HGA and client Confidential Information in their possession, including documents, files, equipment, and any other tangible items. If return is not feasible (e.g., you created analysis documents on your own system), you must destroy them as described above. HGA may ask for written certification of destruction from departing individuals or from vendors – this certification attests that no HGA or client data was retained. For example, a consultant finishing a contract should remove any client data files from their personal devices and confirm to HGA that this has been done[24].
  • Archival Copies and Legal Holds: Notwithstanding the above, there are scenarios where data might be retained in archives or backups:
    – Backups: HGA’s systems perform regular backups for disaster recovery[25]. These backup files are encrypted and stored securely. It is not practical to individually delete data from backups; instead, if data was deleted from live systems, it will naturally age out of backups as those roll over. Backup data is not used for active purposes and is accessible only by IT administrators if needed for restoration. Any Confidential Information in backups remains subject to this Policy indefinitely.
    – Legal Holds and Compliance: If HGA is aware of potential litigation, investigation, or audit that requires preservation of certain records, those records must not be deleted even if they surpass normal retention schedules. HGA will issue a “legal hold” notice in such cases, and all relevant Users must preserve the specified data (do not alter or delete it until cleared). This legal hold supersedes routine deletion. Additionally, some laws/regulations mandate retention (e.g., financial records for 7 years, etc.); such requirements will be followed.
    – Residual Information: Users are not expected to purge data from automatic archival systems that they cannot control (for instance, server backups or email server archives), but they are expected to ensure that any data they personally stored in non-controlled areas (like a personal device or personal cloud) is removed when no longer needed.
  • Continuing Confidentiality: Critically, even when data is deleted or a person no longer has access, the obligation to keep it confidential remains. As noted, Personal Data and trade secrets remain protected indefinitely until they legitimately enter the public domain[22]. Users who leave HGA (or finish a project) cannot “un-know” the sensitive information they were exposed to, and thus they must continue to honor the confidentiality of that information forever (or until it falls under an exception like public knowledge through no fault of theirs). This Policy’s confidentiality clauses survive the termination of any contract or employment. In practical terms: if you had access to client data or HGA plans, you cannot later share or use that data just because you’ve left HGA.

To summarize, HGA strives to keep data only as long as needed and to dispose of it securely. All Users play a role by not stockpiling unnecessary information and by following through on deletion/return instructions. When in doubt about whether you can delete something or how to do so safely, contact the Policy Administrator or IT. Never just dump data (physically or digitally) in a way that could compromise confidentiality.

Prohibited Activities and Unauthorized Disclosures

To reinforce points from prior sections, the following activities are strictly prohibited and will be treated as serious violations of this Policy:

  • Unauthorized Disclosure: Revealing or disclosing any Confidential Information to unauthorized parties, whether intentionally or through negligence. This includes posting such information on social media, forums, blogs, or speaking to journalists or outside individuals without approval. It also includes indirect disclosures – e.g., telling a friend or family member details about a client project, or confirming something “off the record” that is confidential. Any external communication of confidential HGA or client information must be approved by management or covered by an appropriate NDA. Even within HGA, do not discuss confidential matters with colleagues who are not involved or don’t have a need-to-know.
  • Using Information for Personal Gain or Outside Benefit: Exploiting Confidential Information for personal advantage or to benefit a third party. For example, using knowledge of an upcoming client project to position yourself for a job with that client, or giving a friend inside information to help them win a contract, or using client data to build a database for a side business. HGA’s information and connections are not to be used outside official HGA activities. This also includes insider trading and similar issues – if in your work you learn material non-public information about a company (e.g., a client’s planned merger or a World Bank funding decision), you cannot trade stocks or advise others based on that information.
  • Reusing Client Materials Without Authorization: Taking client deliverables, reports, datasets, or other materials that were developed through HGA engagements and using them outside that client’s context without permission. For instance, a consultant must not take a report prepared for Client A and then use or publish it for another purpose, or share a client’s data with another client, unless such reuse is explicitly allowed. All work product is usually owned by the client or HGA as per contracts, and is confidential. (If consultants wish to include sanitized versions in their portfolio, that must be pre-approved by HGA and the client, see Section 11 on permitted disclosures).
  • External Communications and Public Statements: Unless you are specifically authorized as a spokesperson, do not speak on behalf of HGA or about HGA’s confidential work in any public venue. This prohibition covers conferences, panel discussions, publications, or online posts. It’s fine to discuss knowledge that is already public (for example, general knowledge about development consulting), but not specific details of HGA projects or internal strategies. If you are asked to present or write an article involving HGA work, coordinate with management to ensure no confidential data is inadvertently disclosed.
  • Data Dumping and Mass Export: Downloading, exporting, or saving large portions of HGA’s databases or records onto external drives or non-approved locations, especially near the end of your engagement, is forbidden and may be interpreted as theft of information. Users should only export what is needed for immediate authorized use. For example, running a report of all consultants and copying it to a spreadsheet on your personal drive with no valid reason would violate this Policy. HGA monitors for unusual data export activity[26].
  • Circumventing Security Controls: Any attempt to disable or bypass security measures (encryption, access controls, DLP systems, etc.) put in place by HGA is prohibited. This includes using unauthorized tools to crack passwords, using personal email to send files to bypass size limits or monitoring, or building your own backdoor into systems. If a security measure is hindering your work, discuss with IT – do not simply turn it off. Also, do not encourage or assist others in circumventing controls.
  • Introduction of Unapproved Software/Hardware: Do not connect unauthorized hardware to HGA’s network (like rogue Wi-Fi routers, USB drives of unknown origin, personal laptops on internal network without approval). Similarly, do not install unapproved software that could pose a security risk or has not been vetted. These actions could introduce malware or open vulnerabilities.
  • Engaging Third Parties Without NDA: As noted, sharing information with any third party (subcontractor, freelancer, translator, etc.) not under contract/NDA with HGA is prohibited. If you need to involve someone new, get them under contract first through HGA’s processes.
  • Misuse of Personal Data: Any handling of Personal Data that violates privacy laws or this Policy is prohibited. For example, extracting emails of consultants or users from the system to create a marketing mailing list without consent, or analyzing personal profiles for discriminatory purposes, or failing to secure personal data properly. Personal Data should never be sold, rented, or shared externally except as allowed (e.g., providing a consultant’s CV to a client for a bid is allowed; selling our consultant database to a recruiter would not be).
  • Ignoring Breach or Policy Violation: It is also considered a violation if you become aware of a likely breach of confidentiality (by yourself or others) and do not report it (see Section 12). Concealing a security incident or not cooperating in an investigation can compound the issue and will be treated seriously.

This list is not exhaustive, but provides examples of forbidden conduct. Engaging in any of the above (or any behavior that common sense would flag as jeopardizing confidentiality or data security) will trigger disciplinary action (Section 14) and potentially legal consequences. When in doubt whether something is allowed, assume it is not until you confirm with the Policy Administrator.

Compliance with Laws and Best Practices

HGA operates across multiple jurisdictions and is committed to complying with all applicable data protection and confidentiality laws, while adopting a highest-standard, jurisdiction-neutral approach. This means HGA and all Users should follow not only the letter of the law in their country, but also the spirit of internationally recognized privacy and security principles.

  • Global Data Protection Laws: HGA handles personal data of individuals from various countries (consultants, client contacts, etc.), and therefore adheres to key privacy regulations including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others[27]. Even if a particular law (like GDPR or CCPA) may not strictly apply to a given situation due to jurisdiction, HGA’s policy is to voluntarily align with the core principles of those regulations[28][29]. Such principles include lawfulness, fairness, and transparency in processing personal data; purpose limitation (using data only for the purposes collected); data minimization; accuracy; storage limitation; integrity and confidentiality (ensuring security); and accountability. For example, we will provide notice to individuals about how their data is used, obtain consent or have a legitimate basis for processing personal data, allow individuals to access and correct their data, and honor opt-out or deletion requests as described in Section 9.
  • Cross-Border Data Transfer: By the nature of HGA’s work, personal data may be transferred across international borders (e.g., a consultant in one country may have their CV shared with a client in another country, and stored on cloud servers in a third country). HGA ensures that such transfers comply with applicable transfer laws and mechanisms. Users consent to the international transfer of personal data as needed for HGA’s operations[28], and HGA will use safeguards such as standard contractual clauses or trusted cloud providers to protect data in transit and at rest. If your jurisdiction has data residency requirements, HGA will attempt to accommodate them or will inform you if data will be stored elsewhere. Users handling data should be aware of where they are sending it – do not, for example, email a list of EU citizens’ data to someone in a country with poor data protection without consulting our DPO, as that could violate GDPR’s transfer rules.
  • Industry Standards and Certifications: In addition to laws, HGA follows industry best practices and standards for information security. For instance, HGA’s handling of payment card information (if any) complies with the Payment Card Industry Data Security Standard (PCI DSS)[30]. We undergo regular security assessments and audits to ensure compliance with such standards[31]. While these certifications and audits are handled by HGA management, Users must do their part by following all security protocols – many standards require staff awareness and compliance.
  • Client and Donor Requirements: Many of HGA’s clients (such as international development agencies, World Bank, UN, etc.) have their own rules about confidentiality, data protection, and ethics. It is HGA’s policy that we and our consultants comply with any such contractual requirements. For example, if a donor’s policy requires that all project data be kept confidential for 10 years, or that no project information be released without donor consent, those requirements flow down to every User involved. If a client asks a consultant to sign a separate Non-Disclosure Agreement (NDA) to cover their information, the consultant must do so[32] (HGA will inform and coordinate, as needed). Violation of a client’s confidentiality requirements is considered a violation of this Policy. Always familiarize yourself with any specific confidentiality clauses in the contracts or terms of a project you are working on.
HGA operates across multiple jurisdictions and is committed to complying with all applicable data protection and confidentiality laws, while adopting a highest-standard, jurisdiction-neutral approach. This means HGA and all Users should follow not only the letter of the law in their country, but also the spirit of internationally recognized privacy and security principles.

  • Global Data Protection Laws: HGA handles personal data of individuals from various countries (consultants, client contacts, etc.), and therefore adheres to key privacy regulations including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others[27]. Even if a particular law (like GDPR or CCPA) may not strictly apply to a given situation due to jurisdiction, HGA’s policy is to voluntarily align with the core principles of those regulations[28][29]. Such principles include lawfulness, fairness, and transparency in processing personal data; purpose limitation (using data only for the purposes collected); data minimization; accuracy; storage limitation; integrity and confidentiality (ensuring security); and accountability. For example, we will provide notice to individuals about how their data is used, obtain consent or have a legitimate basis for processing personal data, allow individuals to access and correct their data, and honor opt-out or deletion requests as described in Section 9.
  • Cross-Border Data Transfer: By the nature of HGA’s work, personal data may be transferred across international borders (e.g., a consultant in one country may have their CV shared with a client in another country, and stored on cloud servers in a third country). HGA ensures that such transfers comply with applicable transfer laws and mechanisms. Users consent to the international transfer of personal data as needed for HGA’s operations[28], and HGA will use safeguards such as standard contractual clauses or trusted cloud providers to protect data in transit and at rest. If your jurisdiction has data residency requirements, HGA will attempt to accommodate them or will inform you if data will be stored elsewhere. Users handling data should be aware of where they are sending it – do not, for example, email a list of EU citizens’ data to someone in a country with poor data protection without consulting our DPO, as that could violate GDPR’s transfer rules.
  • Industry Standards and Certifications: In addition to laws, HGA follows industry best practices and standards for information security. For instance, HGA’s handling of payment card information (if any) complies with the Payment Card Industry Data Security Standard (PCI DSS)[30]. We undergo regular security assessments and audits to ensure compliance with such standards[31]. While these certifications and audits are handled by HGA management, Users must do their part by following all security protocols – many standards require staff awareness and compliance.
  • Client and Donor Requirements: Many of HGA’s clients (such as international development agencies, World Bank, UN, etc.) have their own rules about confidentiality, data protection, and ethics. It is HGA’s policy that we and our consultants comply with any such contractual requirements. For example, if a donor’s policy requires that all project data be kept confidential for 10 years, or that no project information be released without donor consent, those requirements flow down to every User involved. If a client asks a consultant to sign a separate Non-Disclosure Agreement (NDA) to cover their information, the consultant must do so[32] (HGA will inform and coordinate, as needed). Violation of a client’s confidentiality requirements is considered a violation of this Policy. Always familiarize yourself with any specific confidentiality clauses in the contracts or terms of a project you are working on.
  • Intellectual Property and Copyright: Respect intellectual property laws related to the information you handle. Do not copy or distribute documents in a way that infringes copyrights (for example, don’t take a training manual given under license for a project and reuse it elsewhere without permission). HGA’s standard contracts ensure that deliverables and materials are properly owned or licensed; as a User, you must abide by those terms. If uncertain, ask whether certain materials can be reused or if they need clearance.
  • Export Controls and Sanctions: Although not common in everyday consulting tasks, be mindful that certain technical data or software could be subject to export control laws (e.g., encryption technology, certain technical schematics, data about sensitive sectors). If you work on a project involving such elements, HGA will advise on any export control licenses or restrictions. Likewise, sanctions laws may prohibit sharing information with certain parties or countries. All Users are expected to comply with any such legal restrictions that HGA communicates (for instance, if told not to email project data to a person in a sanctioned country, that must be heeded).
  • Ethical Conduct: Compliance goes hand in hand with ethical behavior. In handling information, adhere to professional ethics. For example, avoid conflicts of interest where confidential information from one client might tempt you to assist another competing client. Do not misuse any privileged information (like a client’s internal plans) in ways that could be deemed unethical or illegal. HGA has zero tolerance for activities like bribery or fraud – while those are outside this Policy’s main topic, they often involve misuse of information (e.g., sharing bid information with a competitor in exchange for a kickback is both an ethical and confidentiality breach).
  • Whistleblowing: If a User needs to report misconduct and that involves sharing information that would otherwise be confidential (for instance, reporting financial wrongdoing to authorities), HGA’s policy is not to impede such legally protected whistleblowing. This Policy is not intended to prevent anyone from reporting legal violations to appropriate government authorities or from cooperating in investigations. However, outside those specific scenarios, confidentiality must be maintained.

In summary, all Users should treat compliance as a core duty. When you are handling data, ask yourself: are we doing this in a way that respects privacy laws and HGA’s high standards? If unsure, seek guidance. HGA’s commitment to being “jurisdiction-neutral” means we often take the most conservative or protective approach. It is better to be overly cautious than to violate someone’s privacy rights or break a law. By following this Policy, you will inherently be following the applicable laws and best practices, as it has been designed to encompass them[29]. Non-compliance not only risks legal penalties for HGA, but can also result in personal liability for individuals in some cases (for example, certain privacy laws have fines for responsible persons). Thus, adherence is in everyone’s interest.

Roles and Responsibilities

Maintaining confidentiality and information security is a collective responsibility. This section outlines the general roles and responsibilities of various parties under this Policy:

  • All Users (General Responsibility): Every individual subject to this Policy (employees, consultants, partners, platform users) is responsible for understanding and complying with the Policy in full. You must exercise sound judgment in handling information, stay vigilant for security risks, and integrate confidentiality into your daily workflow. If you are unsure about any requirement or how to handle a specific situation, you should seek guidance from your supervisor or the Policy Administrator. All Users are responsible for participating in required trainings or acknowledgments related to confidentiality. Additionally, if you observe any other person (whether a colleague or external party) violating this Policy or handling information inappropriately, you have a duty to report it (see Section 13). Compliance with this Policy is a condition of continued employment or engagement; each User must sign the acknowledgment (Section 15) and renew it if the Policy is substantively updated in the future.
  • HGA Management: HGA’s leadership (executives, managers, team leads) are responsible for fostering a culture of confidentiality and ensuring that the Policy is enforced. Management must ensure that all their team members (including new hires or contractors) receive and sign this Policy and any related training. Managers should lead by example in following data protection practices. They are also tasked with implementing operational controls that align with the Policy – for example, setting up access permissions correctly for their team’s folders, verifying that outdated records are purged, etc. If a breach or issue occurs, management must coordinate with the Security and Legal teams to address it. Certain managers may have designated roles such as Data Protection Officer (DPO) or Information Security Officer – those individuals have specific responsibility to oversee privacy compliance and security measures, including conducting periodic audits, updating policies, and handling data subject requests.
  • IT and Security Team: HGA’s IT department (including cybersecurity personnel) is responsible for the technical implementation of many controls in this Policy. This includes maintaining secure infrastructure (firewalls, encryption, access control systems, anti-malware, backup solutions), monitoring systems for breaches or suspicious activity, and responding to technical security incidents. They also manage user account provisioning and deactivation (ensuring timely removal of access when someone leaves or changes roles). The IT/Security team will provide tools for encryption, secure communication, and secure file deletion as needed, and make sure that the HGA Digital Platform’s technical specifications meet our security requirements (as outlined in Section 6). They are also tasked with staying up-to-date on evolving threats and compliance requirements, and advising management if changes to security posture are needed. Users should cooperate with IT directives, such as installing security updates or switching to new secure tools when rolled out. The IT/Security team, in conjunction with the DPO, will also be involved in investigating any breaches and preparing any required notifications (Section 13).
  • Human Resources (HR): For employees, HR ensures that confidentiality obligations are included in employment contracts and that departing employees go through exit procedures that include return of equipment and data. HR, in collaboration with IT, ensures that access to systems is removed promptly when someone leaves. HR is also involved in enforcing disciplinary actions for policy violations (Section 14). For consultants or contractors, the department handling contractor engagement (could be HR or the relevant business unit) should similarly ensure contracts have NDA clauses and that this Policy is distributed and signed. HR may also organize periodic training refreshers on confidentiality and data protection topics.
  • Consultants and Partner Organizations: While they are encompassed as “Users” above, it’s worth highlighting that consultants engaged through HGA and representatives of partner or client organizations who use the Platform have the same confidentiality responsibilities as HGA’s own staff. Consultants should treat HGA and client information with the same care as if they were an employee of HGA. Partner organizations (clients) who receive consultant information (like CVs, proposals) are expected to keep those confidential as well — typically, NDAs or confidentiality clauses in our mutual contracts cover this, but this Policy reinforces it. If a client or partner org delegate is using the Platform, they must not share their access or our data with others in their organization beyond what’s authorized. HGA will communicate any specific requirements to partners as needed, but we expect reciprocity in confidentiality.
  • Policy Administrator/Data Protection Officer: HGA may appoint a Policy Administrator or DPO to coordinate the implementation of this Policy. This person or team is a point of contact for any questions about the Policy, is responsible for keeping the Policy updated to reflect new laws or business practices, and monitors compliance. They might also handle requests from data subjects or clients about our data practices. Users should know how to contact the DPO or Policy Admin (for instance, via a dedicated email like privacy@humanicsgroup.org) for any privacy concerns or clarifications.
  • Compliance/Audit Function: If HGA has a compliance officer or internal audit team, they have the right and responsibility to audit adherence to this Policy. They might perform spot checks, request evidence of processes (e.g., checking if devices are encrypted, if certain records were properly disposed of, etc.), and report findings to management. All Users are expected to cooperate with any such audits or inquiries.

By clearly delineating these roles, HGA ensures that everyone understands how they contribute to safeguarding information. Ultimately, protecting confidentiality is a team effort – one weak link can cause a breach. So, open communication and accountability are encouraged. If you are a manager, regularly remind your team of these duties. If you are an individual contributor and feel you need more support or resources to comply (like encryption tools or training), bring that up to your manager or the DPO. Our joint goal is zero incidents of unauthorized disclosure.

Incident Reporting and Response

Despite best efforts, incidents can happen – a lost laptop, a hacker intrusion, an accidental email to the wrong person, etc. What is critical is how we respond. HGA has established procedures for incident response, and timely reporting by Users is the first step in containing any damage.

Immediate Reporting Obligation: If you know of or even suspect a security incident or breach of confidentiality, you must report it immediately to HGA management or the designated incident response team. An incident includes, but is not limited to:

  • Suspected loss or theft of devices containing HGA data,
  • Accidental sending of Confidential Information to an unauthorized recipient,
  • Any detection of malware or hacking that might compromise data (e.g., ransomware attack, discovery of a system vulnerability, strange account activity),
  • Finding confidential documents in an insecure location (e.g., you stumble upon printed client documents in a trash can or a misconfigured server open to the internet),
  • Any person (internal or external) asking you to share confidential data in a suspicious manner.

HGA will provide specific channels for incident reporting (such as an email like security@humanicsgroup.org or an internal hotline). If those are unavailable, contact your supervisor or any senior manager and clearly communicate the issue. Do not assume someone else will report it – better we receive multiple notifications of the same incident than none at all.

Initial Containment: Upon reporting, if applicable, take any immediate steps to contain the incident that are within your power without compromising your safety or evidence. For example, if you sent an email to the wrong party, you might attempt to recall it (if within the company) or send a follow-up requesting deletion; however, do not negotiate or make promises to the recipient on your own. If a device is lost, try using remote find/wipe features as mentioned, but make sure IT is also doing so. If you notice a system intrusion, do not try to hack back or publicize it; simply disconnect the affected system from the network if you can and wait for IT. Preserve all evidence – do not delete logs or files that might relate to the incident (unless instructed as part of containment). IT may ask you to capture screenshots or forward suspicious emails for analysis.

HGA Incident Response Plan: HGA has a formal Incident Response Plan in place[33]. Once an incident is reported, the internal response team (consisting of IT security, relevant managers, DPO, etc.) will:

  1. Assess and Verify: Determine the nature and scope of the incident – what data is involved, who is affected, and whether it is ongoing.
  2. Contain: Take systems offline if needed, revoke compromised credentials, isolate affected devices, and apply patches or blocks to stop further leakage.
  3. Eradicate and Recover: Remove malware, fix vulnerabilities, restore from backup if needed (for data loss situations), and bring systems back to normal operation once secure.
  4. Investigation and Documentation: Collect evidence (system logs, user reports, forensic data) to understand exactly what happened and who or what was responsible. Users are expected to cooperate in good faith – this might include interviews or providing access to your device for forensic imaging if it was involved.
  5. Notification: Determine if any notifications are required. This depends on the severity and legal requirements. For example, under GDPR, if Personal Data was breached, we may need to notify the relevant supervisory authority within 72 hours and possibly the affected individuals. HGA will handle any external breach notifications to regulators, clients, or individuals as needed, but may need your help in identifying those affected and in crafting the message. (Rest assured that if the breach resulted from a user’s mistake, reporting it and cooperating is always better; cover-ups aggravate situations. We focus on fixing issues, not blame.)
  6. Follow-up: Analyze the incident to identify lessons learned and implement improvements. This could result in updates to this Policy, additional training for staff, or technical fixes. If an individual’s actions (or inactions) contributed to the incident, appropriate remedial or disciplinary measures may be taken (discussed in Section 14). Conversely, if you responded swiftly and appropriately, that will be noted and appreciated.

External Communications: Only authorized persons should communicate about an incident externally. If you are approached by a client, media, or any third party about a suspected breach (for example, a client says “we found our data on a public site, were you hacked?”), do not confirm or deny anything on the spot. Instead, take notes of their concern and inform HGA management immediately. A prepared statement or coordinated communication will be crafted by HGA leadership if needed. Similarly, if law enforcement or regulators contact you regarding an incident, refer them to HGA’s management or legal counsel for an official response. Do not provide information or documents without clearance, except in emergency situations (in which case, still inform HGA as soon as possible).

No Retaliation: HGA policy prohibits retaliation against anyone who reports a security incident or potential violation in good faith. We appreciate prompt reporting – it is essential for mitigating harm. Even if it turns out to be a false alarm or your own mistake caused it, you will not face retaliation for reporting. (Discipline might occur for the mistake itself if due to negligence, but never for the act of reporting.) We want an environment where people feel comfortable coming forward with issues.

Breach Notification to Affected Parties: If a data breach involving personal data or client confidential info has occurred, HGA will coordinate notifications. Users may be called upon to assist in notifying (for instance, an account manager might notify their client with approved messaging, or we might have consultants help communicate to individuals if they have the relationship). These communications will typically describe what happened, what data was affected, what we are doing about it, and any steps recipients should take (like changing passwords or watching for fraud). It is crucial that such communications are accurate and consistent, which is why they are centrally managed.

Incident Recordkeeping: All incidents and responses will be documented by HGA (usually by the Security team or DPO). This helps in compliance (certain laws require documentation of breaches) and analysis for future prevention. Users involved may be asked to provide a written incident report of what they observed or did. Be honest and detailed; the goal is to learn and improve.

By promptly reporting and effectively responding to incidents, HGA can minimize damage and prevent small issues from becoming major crises. Every User plays a vital role in this process – remember that often it’s the front-line staff or consultants who notice something first, not the IT sensors. So speak up and act fast. We stand by a motto: “See something, say something.” The sooner we know, the sooner we can act to secure our environment.

Enforcement and Disciplinary Action

Adherence to this Policy is mandatory, and HGA will enforce it vigorously to protect the organization and its stakeholders. Any violations of this Policy, whether deliberate or due to negligence, can result in serious consequences for the individuals involved. HGA’s approach to enforcement is as follows:

  • Investigation of Violations: When a potential violation is reported or suspected (via an incident, audit finding, or complaint), HGA will investigate the matter confidentially. This may involve reviewing access logs, emails, or device contents, and interviewing involved personnel. Users are expected to cooperate fully. The investigation will seek to determine the facts: Was there a violation? If so, was it inadvertent, negligent, or intentional? What harm resulted or could have resulted? Investigations will be conducted fairly and impartially, typically by HR in conjunction with the Security team and legal advisors as needed. If you are alleged to have violated the Policy, you will have an opportunity to provide your explanation or defense.
  • Disciplinary Measures: If a violation is confirmed, HGA will take appropriate disciplinary action, up to and including termination of employment or contract. The severity of discipline will correspond to the severity of the violation and the individual’s intent:
      – Minor, unintentional, or first-time violations (with no or minimal impact) may result in a warning, mandatory re-training, and a performance note in your file. For example, if someone accidentally left a document on their desk overnight in an otherwise secure building, a stern reminder and training might suffice.
      – Repeated or more serious violations (or evident carelessness) might lead to formal reprimands, impact on bonuses/advancement, and being placed on a performance improvement plan focused on compliance.
      – Major violations, especially those involving willful disregard of policy or laws – such as knowingly stealing data, intentionally leaking info to unauthorized parties, or gross neglect leading to a data breach – are likely to result in immediate termination of employment or consulting agreement for cause. Consultants or partners may be removed from projects and potentially blacklisted from future work with HGA in such cases.
      – In addition to or instead of termination, HGA reserves the right to pursue legal action against individuals whose violations cause harm. This could include filing a lawsuit for damages or seeking an injunction to prevent further disclosure, as applicable. The confidentiality agreements signed (including this Policy acknowledgment) will support such legal remedies. The Parties recognize that an unauthorized disclosure of Confidential Information can cause irreparable harm that monetary damages alone may not fix, so injunctive relief may be sought without the need to prove actual damage[34].
  • Contractual Remedies: For consultants or vendors, a breach of confidentiality is also a breach of contract. HGA may invoke contractual remedies such as immediate termination of the contract, withholding of payments, or indemnification (requiring the consultant to cover any losses HGA incurred due to the breach) as provided in the agreement. Similarly, if a partner organization’s employee causes a breach, HGA will hold the partner accountable per any partnership agreement. The existence of this Policy doesn’t limit HGA’s rights under those contracts; in fact, it is in addition to them.
  • Reporting to Authorities: If a violation involves potentially illegal activities (for example, theft, fraud, or violation of privacy laws), HGA may report the matter to law enforcement or regulatory authorities. This could result in external investigations or penalties separate from HGA’s actions. Users should be aware that certain data breaches can incur government fines or sanctions (e.g., GDPR fines), and HGA will cooperate with authorities as required. In some cases, individuals might face personal legal consequences (for instance, if one deliberately misused personal data, some jurisdictions have personal liability provisions).
  • Recovery of Information: In the event of an unauthorized disclosure, HGA will take steps to recover the information and mitigate the spread. This could mean asking the violator or third parties to return or destroy copies of data, issuing takedown requests to websites, or other remedial actions. All Users are expected to comply if they are on the receiving end of such a request (e.g., if you mistakenly received confidential data not meant for you, you will be directed to delete it and confirm deletion). Failure to comply with remedial instructions is itself a serious offense.
  • Record of Violations: HGA will keep a record of confidentiality breaches and the actions taken. Multiple minor infractions by the same individual will be viewed cumulatively – a pattern of carelessness can lead to stricter measures. Conversely, a strong history of compliance might be considered in leniency for a one-time slip, though this is not guaranteed. These records may be referenced in performance evaluations or contract renewals.
  • Learning from Incidents: Enforcement is not only punitive; it’s also preventative. After any significant incident, HGA management will review what went wrong and improve processes or training to help ensure it doesn’t happen again. The outcome might be an update to this Policy, which will be communicated to all Users. We encourage an environment where we learn from mistakes. If you yourself violate the Policy in a minor way and realize it immediately, self-report it – showing accountability can be a mitigating factor in the disciplinary process.
  • Positive Compliance Acknowledgment: On the flip side, HGA encourages and may formally acknowledge exemplary adherence to security practices. For example, if a team successfully passes an audit with zero findings, or an employee’s vigilance prevented a breach (say, they caught a phishing attempt in time), the company may recognize those contributions. While not exactly an “enforcement” item, it’s part of HGA’s approach to make confidentiality part of our culture, rewarded and recognized – not just a rule to fear.

All Users should understand that HGA takes this Policy very seriously. It is not mere bureaucracy; it protects our reputation, business relationships, and legal compliance. By signing the acknowledgment, you are agreeing that you understand these potential consequences. We truly hope never to have to impose them, and that through mutual diligence we maintain a spotless record. However, be assured that HGA will not hesitate to act when necessary to contain a breach and address misconduct – our clients and partners trust us to do so.

If you have any questions about what constitutes a violation or the disciplinary process, contact HR or the Policy Administrator. And remember: prevention is far better than dealing with enforcement after the fact.

Acknowledgment and Signature

Document Name: HGA_Confidentiality_and_NDA_Policy (Humanics Global Advisors Confidentiality and Non-Disclosure Policy)

By signing below, I acknowledge that I have received, read, and understood the HGA Confidentiality and Non-Disclosure Policy in its entirety. I agree to abide by the terms and obligations set forth in this Policy, as well as any related confidentiality agreements that apply to my role. I understand that compliance with this Policy is a condition of my continued employment, contract, or authorized access with Humanics Global Advisors, and that violation of this Policy may result in disciplinary action up to and including termination and legal action.

I also acknowledge that I have had the opportunity to ask questions and seek clarification on any points in the Policy that were unclear to me, and that I can contact the Policy Administrator or HGA management in the future if any questions arise regarding appropriate handling of information. I commit to maintaining the confidentiality of HGA’s and its clients’ information indefinitely, even after my engagement with HGA ends, in accordance with this Policy.

Authorized User Name: ________

Role/Title/Organization: _______

Signature: _________

Date: ________

[1] [2] [3] [4] [5] [10] [11] [13] [22] [24] [27] [28] [29] [32] [34] HGA_Consultant_Contract_Template.docx (file://file-GA7v2hdnXhXEYmWj3q3gXG)

[6] [7] [8] [9] [12] [14] [15] [16] [17] [18] [19] [20] [21] [23] [25] [26] [30] [31] [33] HGA_Digital_Platform_Technical_Specifications.pdf (file://file-LERZnDM52Sh8kLN2RatZB5)