Data Security Policy

Last Updated: January 1, 2026

1. Introduction

ResolvMD currently implements the data security safeguards in this Data Security Policy.

2. Security Safeguards Assessments

ResolvMD uses reasonable commercial efforts to:

1. routinely identify internal and external risks that threaten the protection of Customers Data against loss or theft, unauthorized access, disclosure, copying, use or modification;

2. assess the adequacy of the data security safeguards set out in this Data Security Policy to address such risks taking into account, inter alia, the sensitivity of the information, the nature, size, and complexity of ResolvMD’s business operations and Applicable Laws; and

3. modify the data security safeguards of ResolvMD to reasonably mitigate any such new internal and external risks.

3. Data Security Safeguards

To protect Customer Data against loss or theft, unauthorized access, disclosure, copying, use or modification, ResolvMD uses:

1. Third Party Materials that are at least certified for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1, with physically secure data centers located in Canada;

2. HTTPS encryption for secure data in-transit; and

3. uses reasonable commercial efforts to secure the office, computers, equipment and other materials used by ResolvMD’s directors, officers and employees to perform the Services.

4. Record Keeping and Notifications

If ResolvMD detects or becomes aware of a breach of, or failure to establish, security safeguards leading to loss or theft, unauthorized access, disclosure, copying, use or modification of any Customer Data in ResolvMD’s possession (each, a “Breach of Security Safeguards”), then ResolvMD will:

1. in respect of each and every Breach of Security Safeguards:

   1. prepare a record of such Breach of Security Safeguards;

   2. maintain such record for 24 months after the date on which such Breach of Security Safeguards occurred; and

   3. provide a copy of such report to CUSTOMER; and

2. if the Breach of Security Safeguards involved any Customer Data containing Personal Information, provide the Office of the Information and Privacy Commissioner with access to or a copy of the record thereof upon request;

3. if the Breach of Security Safeguards involved any Customer Data containing Personal Information, in consultation with CUSTOMER, conduct a risk assessment to determine whether it is reasonable in the circumstances to believe that such Breach of Security Safeguards creates a real risk of significant harm to any individual (which includes, among other harms, humiliation, damage to reputation or relationships and identify theft taking into account, inter alia, the sensitivity of the information, the probability of misuse and any other prescribed factors) and, if it does:

   1. in consultation with CUSTOMER, prepare and send to the Office of the Information and Privacy Commissioner a report which contains:

      1. the circumstances of the breach and, if known, the cause;

      2. the date or period during which the breach occurred or, if neither is known, the approximate period;

      3. the personal information that is the subject of the breach, to the extent that the information is known;

      4. the number of individuals affected by the breach or, if unknown, the approximate number;

      5. the steps that have been taken to reduce risk or mitigate harm to individuals that could result from the breach;

      6. the steps that have been taken or will be taken to notify affected individuals; and

      7. the name and contact information of person who can answer questions about such Breach of Security Safeguards.

   2. in consultation with CUSTOMER, prepare and deliver, directly or indirectly, as required by Applicable Laws, to the affected individuals a notification containing:

      1. a description of the circumstances of the breach;

      2. the day on which, or period during with, the breach occurred or, if neither is known, the approximate period;

      3. a description of the personal information that is the subject of the breach to the extent that the information is known;

      4. a description of the steps the organization has taken to reduce the risk of harm that could result from the breach;

      5. a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and

      6. contact information that the affected individual can use to obtain further information about the breach.

4. take commercially reasonable steps to minimize harm and secure the Customer Data.

5. Amendments

This Data Security Policy may be amended from time to time by the Board of Directors of ResolvMD.

6. Data Security Officer

The Board of Directors of ResolvMD is responsible for structuring, designing and managing the data security safeguards.