Personal Data Security - the state of protection of personal data from unauthorized actions, characterized by the ability of users, technical means, and information systems to ensure the confidentiality, integrity, and availability of personal data during their processing, regardless of the form of their presentation.

Personal Data Information System - a set of personal data contained in databases and ensuring their processing by information technologies and technical means.

Personal Data Processing - any action (operation) or set of actions (operations) performed with personal data, using automation tools or without using such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Personal Data - any information related to directly or indirectly identified or identifiable natural person (personal data subject).

Personal Data Processing Process - a business process of the Company within which personal data processing is carried out.

Personal Data Subject - a natural person who is directly or indirectly identified or identifiable using personal data. Personal data subjects include: contractors, representatives and relatives of contractors, Company employees and job candidates, employees of Company contractors, and other individuals whose personal data is processed in the Company (information about the complete list of subjects is presented in section 4 of the Policy).

Cookie Files - small text files transmitted from a website, network application, or through network services to a user's computer or mobile device, in which information about the user's actions on the website, in the network application, or network services is recorded and stored.

The following designations and abbreviations are used in this Policy:

PD IS - personal data information system;
Company - LLC "Carbon";
PD - personal data;
Policy - Policy in the field of personal data processing and protection.

This Policy establishes the procedure for the processing and protection of personal data at LLC "Carbon" (TIN: 9719013728; legal address: Shcherbakovskaya St., Bld. 3, Fl. 8, Rm./Ofc. II/2, Sokolinaya Gora municipal district, Moscow, 105318, RUSSIA; website address: https://carbonmicro.ru), hereinafter referred to as the Company. The document with the Policy is available for review both on the Company's website and in the Company's offices.

In compliance with the requirements of the Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data", the Labor Code of the Russian Federation, orders of the Federal Security Service (FSB) and the Federal Service for Technical and Export Control (FSTEC), other legislative acts of the Russian Federation in the field of personal data processing and protection, as well as internal documents, the Company ensures the legitimacy of personal data processing and their security in its activities.

The principles of personal data processing in the Company are as follows:

• Personal data processing is carried out on a lawful and fair basis;
• Processing of personal data is limited to achieving specific, predetermined, and lawful purposes;
• Confidentiality and security of personal data are ensured during their processing;
• Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed;
• Combining databases containing personal data processed for incompatible purposes is not permitted;
• Only those personal data are subject to processing that correspond to the purposes of their processing;
• The content and scope of processed personal data correspond to the declared purposes of processing. Excessiveness of processed personal data in relation to the stated purposes of their processing is not allowed;
• Accuracy, sufficiency, and, where necessary, relevance of personal data to the purposes of processing are ensured, and necessary measures are taken to delete or clarify incomplete or inaccurate personal data;
• Personal data is stored in a form that allows identifying the subject of personal data for no longer than required by the purposes of personal data processing, unless the storage period of personal data is established by federal law, consent to the processing of personal data, or a contract, the party to which, the beneficiary or the guarantor of which is the subject of personal data;
• Processed personal data is destroyed or depersonalized upon achieving the purposes of processing or in case the need to achieve these purposes is lost, unless otherwise provided by federal law;
• Personal data processing is not used for causing material and/or moral harm to the subjects of personal data, hindering the exercise of their rights and freedoms;
• Activities in the field of personal data processing and protection are documented.

In accordance with the principles of personal data processing in the Company, the composition of processed personal data and the purposes of their processing are defined. The composition and purposes of processing personal data comply with the requirements of Russian legislation in the field of personal data processing and protection.

The Company processes personal data solely for the purposes defined before the start of data collection. Subsequent changes in purposes are possible only to a limited extent and require justification and informing the data subject.

The Company processes only those personal data presented in the approved List of Personal Data processed at LLC "Carbon". The processing of such personal data is carried out through mixed processing (without using automation tools and with their usage) and is performed both in personal data information systems and outside of them.

Legal grounds are established for each category of personal data subjects, in connection with which the Company processes their personal data. Processing of personal data by the Company without proper legal grounds is not allowed.

The Company processes personal data upon reaching the deadlines for the termination of personal data processing or fulfilling the conditions for terminating personal data processing, unless otherwise required by Russian legislation, the consent to the processing of personal data, or it does not arise from a contract, where the data subject is a party, beneficiary, or guarantor. Archival storage of personal data is carried out in cases and in the manner established by law. Confirmation of the destruction of personal data is provided when personal data are destroyed in cases established by Russian legislation.

The Company processes personal data of the following categories of personal data subjects to achieve the processing purposes and in connection with the specified legal grounds:

Candidates for the vacant position

Purposes of processing personal data

• Ensuring interaction with the Subject, including sending notifications, requests, and information related to the Operator's activities to the Subject, as well as processing Subject's inquiries;
• Reviewing surveys/forms/responses and other candidate notifications submitted for employment purposes;
• Maintaining a talent pool for subsequent employment;
• Fulfilling obligations stipulated by federal legislation and other regulatory legal acts;
• Participating in competitive selection processes (reviewing resumes and selecting candidates for vacant positions for further employment);
• Achieving objectives outlined in the current legislation of the Russian Federation.

Legal grounds for processing personal data

• Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data";
• Notification of the candidate in accordance with Federal Law No. 152-FZ "On Personal Data" about the intended processing of their personal data in case the personal data subject's information is received from a third party;
• Personal data subject's initiative to enter into an employment contract with them;
• Implicit consent of the personal data subject to the processing of their personal data (in cases where the company receives personal data at the personal data subject's initiative, for example, when the subject initiates interaction by sending their contact information via email or providing a business card);
• Confirmation in the contract with the staffing agency that the agency has obtained the relevant consent for the processing of personal data;
• Consent to the processing of personal data;
• Other grounds in accordance with the current legislation of the Russian Federation.

Counterparties - legal entities (their employees and/or representatives by power of attorney).

Purposes of processing personal data

• Organizing business events;
• Sending advertising materials to the counterparty and providing information about special offers;
• Managing the contract approval process and fulfilling contract requirements with counterparts and clients;
• Fulfilling obligations under contracts with counterparts;
• Fulfilling obligations stipulated by federal legislation and other regulatory legal acts;
• Conducting entrepreneurial activities;
• Achieving objectives outlined in the current legislation of the Russian Federation.

Legal grounds for processing personal data

• Civil Code of the Russian Federation dated 30.11.1994 No. 51-FZ (Part One), dated 26.01.1996 No. 14-FZ (Part Two);
• Civil Code of the Russian Federation dated December 18, 2006 No. 230-FZ (Part Four);
• Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data";
• Contract with the counterparty;
• Implicit consent of the Personal Data Subject to the processing of their Personal Data (in cases where the company receives Personal Data at the initiative of the subject (for example, if the subject initiates interaction by sending their contact information via email or providing a business card));
• Other grounds in accordance with the current legislation of the Russian Federation.

Employees, relatives of employees, their representatives

Purposes of processing personal data

• Informing about responsible and contact persons, authors, and participants of various educational, presentation, and demonstration materials posted on the Operator's closed web resources, including data about employees on corporate websites, forums, as well as for the purpose of preparing business cards to be provided by the employee at their discretion to a limited circle of individuals;
• Calculating and paying taxes, fees, and contributions to mandatory social and pension insurance as provided by Russian legislation;
• Monitoring the quantity and quality of work performed;
• Ensuring compliance with regulatory and non-regulatory legal acts, as well as decisions, orders, and requests of government authorities and individuals acting on behalf of or at the direction of such authorities;
• Ensuring the safety of property belonging to the Operator;
• Processing personal data by auditors during audits;
• Organizing business events;
• Reflecting information in personnel accounting documents;
• Formalizing and regulating labor relations and other directly related relationships.
• Ensuring life safety and providing safe working conditions;
• Providing personal information as part of tender documentation;
• Providing information to educational institutions when sending employees for training and qualification improvement;
• Providing information to third parties for the conclusion of insurance contracts/policies for the life, health, or property of the employee;
• Submitting legislatively established reports on individuals to government agencies and extra budgetary funds;
• Posting presentation and other materials in printed and electronic informational publications;
• Posting presentation and other materials in various information systems;
• Calculating and charging wages and other payments, providing tax deductions;
• Conclusion, support, modification, termination of employment contracts, which are the basis for the establishment or termination of labor relations between employees and employers;
• Compliance with Russian legislation in the field of social insurance, military registration, pension provision, tax legislation, and the fulfillment of the requirements of other federal laws;
• Employer's compliance with obligations stipulated by local regulations and employment contracts;
• Employer's compliance with obligations stipulated by federal legislation and other regulatory legal acts;
• Arranging business trips, business and personal trips: visas, entry invitations, purchasing air/rail tickets, hotel reservations, and taxis;
• Ensuring compliance with the requirements of the Labor Code of the Russian Federation and other regulatory acts of the Russian Federation;
• Reflecting information in personnel and accounting documents;
• Opening a bank account for conducting banking transactions necessary during the term of the employment contract;
• Issuing powers of attorney (passport copies); Issuing voluntary health and other types of insurance policies;
• Issuing passes;
• Observing the fulfillment of the rights and obligations of the parties to the employment contract;
• Achieving objectives outlined in the current legislation of the Russian Federation.

Legal grounds for processing personal data

• Tax Code of the Russian Federation dated 31.07.1998 No. 146-FZ (Part One), dated 05.08.2000 No. 117-FZ (Part Two);
• Labor Code of the Russian Federation dated 30.12.2001 No. 197-FZ;
• Federal Law No. 109-FZ "On the Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation";
• Federal Law dated 01.04.1996 No. 27-FZ "On Individual (Personalized) Accounting in the Mandatory Pension Insurance System";
• Federal Law dated 06.12.2011 No. 402-FZ "On Accounting";
• Federal Law dated 15.12.2001 No. 167-FZ "On Mandatory Pension Insurance";
• Federal Law dated 22.10.2004 No. 125-FZ "On Archival Affairs in the Russian Federation";
• Federal Law dated 24.07.1998 No. 125-FZ "On Mandatory Social Insurance Against Accidents at Work and Occupational Diseases";
• Federal Law dated 25.07.2002 No. 115-FZ "On the Legal Status of Foreign Citizens in the Russian Federation";
• Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data";
• Federal Law dated 29.11.2010 No. 326-FZ "On Mandatory Medical Insurance in the Russian Federation";
• Resolution of the State Committee of the Russian Federation for Statistics dated 05.01.2004 No. 1 "On Approval of Uniform Forms of Primary Accounting Documentation for Labor and its Payment";
• Resolution of the Government of the Russian Federation dated 15.11.2006 No. 681 "On the Procedure for Issuing Permits for Foreign Nationals to Engage in Temporary Employment in the Russian Federation";
• Order of the Federal Migration Service (FMS of Russia) dated 25.12.2006 No. 370 "On Approval of the Form of the Application Form for Issuing a Work Permit to a Foreign Citizen or Stateless Person and the Form of the Work Permit to a Foreign Citizen or Stateless Person";
• Charter and/or regulations of the company;
• Employment contract;
• Consent to the processing of personal data;
• Consent to the processing of personal data allowed by the personal data subject for distribution;
• Other grounds in accordance with the current legislation of the Russian Federation.

Personal data processing is carried out by the Company on a lawful basis. In cases provided by the current legislation, the Company obtains the subject's consent to process their personal data in the form established by applicable law. If the Company receives personal data from a third party, it requires confirmation from that party that it has all necessary grounds for transferring the personal data to the Company.

When processing personal data, accuracy, sufficiency, and, when necessary, relevance to the purposes of processing are ensured. The Company assumes that the data subject has provided accurate, sufficient, and up-to-date data. If the data subject discovers inaccuracies in the processed personal data and submits a corresponding request, or if such inaccuracies are discovered by the Company itself, the Company will take all necessary measures to ensure the accuracy, sufficiency, and relevance of the personal data.

During its activities, the Company may entrust the processing of personal data to a third party, unless otherwise provided by applicable law. In this case, the mandatory condition for entrusting the processing of personal data (in the form of a contract or power of attorney) to another party is the obligation to maintain confidentiality and ensure the security of personal data during their processing, as well as the obligation of the third party to use the data exclusively for predefined purposes and within predefined scope.

The Company is forbidden to make decisions solely based on automated processing of personal data that produce legal consequences concerning the data subject or otherwise affect their rights and legitimate interests.

If, by its nature, the Company acts as a seller (performer, aggregator) in relation to the data subject who is a consumer, then the Company is not entitled to refuse the data subject in concluding, performing, amending, or terminating an agreement with the data subject due to the data subject's refusal to provide personal data, except in cases where the obligation to provide such data is provided by Russian legislation or directly related to the performance of the agreement with the data subject. The Company is not entitled to refuse service if the data subject refuses to consent to the processing of personal data, if, according to Russian legislation, obtaining the Company's consent to the processing of personal data is not mandatory.

The Company does not allow the processing of special categories of personal data concerning racial, national origin, political opinions, religious or philosophical beliefs, intimate life, except as provided by the current legislation of the Russian Federation. The Company immediately ceases the processing of special categories of personal data upon achieving the purposes of their processing, unless otherwise provided by federal law.

The Company does not allow the processing of biometric personal data (information characterizing the physiological and biological characteristics of a person, based on which their identity can be established), except as provided by the current legislation of the Russian Federation.
The Company does NOT disclose personal data of data subjects without their written consent.
In the course of the Company's activities through local and global computer networks, the following types of cookie files may be used:

• Technical cookies - allow the correct use of website features, network applications, or network services and maintain their operability (for example, determining user hardware and software to check the operability of website features, network applications, or network services);
• Functional cookies - allow remembering the choices the user made in the past (for example, for automatic login to the personal account using saved login and password);
• Statistical cookies - contain information about how the website, network application, or network services are used, which pages are visited, and how many users visit them; the purpose of statistical cookie files is to improve website functions;
• Marketing cookies - remember online activity to help provide the most relevant advertising.

When visiting the website or using network applications, network services, the Company requests user consent for the use of cookie files. To stop using certain cookie files, the user can select the corresponding option in the requested consent. In this case, some functionality of the website, network application, or network services may become unavailable.

The Company organizes processes for interacting with data subjects in such a way that the data subject can contact the Company for all questions provided for by law related to the processing of their personal data (familiarization with personal data related to this data subject, obtaining information about the processed personal data, obtaining information about third parties, making requests for clarification, termination of processing, blocking, and destruction of personal data, etc.). In order to timely and properly fulfill requests and appeals received from data subjects and the authorized body for the protection of the rights of data subjects, the Company has approved a procedure for processing such requests and appeals.

The provision of personal data to state authorities and local self-government bodies, courts, law enforcement agencies, as well as other supervisory authorities is carried out by the Company in cases and in the manner provided by Russian legislation.

A personal data subject has the right to perform actions regarding clarification, blocking, destruction of personal data, objection to automated processing, as well as to familiarize themselves with the characteristics of the procedure of processing their personal data (confirmation of the fact of processing personal data or the absence of processing personal data, legal grounds and purposes of processing, composition of personal data, source of obtaining personal data, processing and storage periods of personal data, nature of processing personal data, information about the methods of performance by the Company of obligations in the field of processing and protection of personal data, etc.).

A personal data subject has the right to notify all persons to whom incorrect or incomplete personal data has previously been communicated about any changes to their personal data.
A personal data subject has the right to appeal to the authority for the protection of the rights of personal data subjects or in court against the unlawful actions or inaction of the Company in processing their personal data.

A personal data subject has the right to withdraw their consent to the processing of personal data at any time.

A personal data subject has other rights defined by Chapter 3 of the Federal Law "On Personal Data".
If you believe that your rights and interests have been violated, you can file a claim (Article 17 of the Federal Law "On Personal Data"). To contact LLC "Carbon", please use the contact information provided in the relevant section of this Policy. LLC "Carbon" will make every effort to respond to your request within 10 (ten) business days from the date of receiving your request. If necessary, this period may be extended for an additional 5 (five) business days, taking into account the complexity of the request and the number of requests. In any case, LLC "Carbon" will inform you promptly about the extension of the deadline.

The Company defines in its internal documents, mandatory for compliance by all employees of the Company, as well as partners, counterparties, and other third parties to the extent that they concern them:

• Procedures for providing access to personal data;
• Procedures for making changes to personal data to ensure their accuracy, reliability, and relevance, including in relation to the purposes of processing personal data;
• Procedures for destruction, anonymization, or blocking of personal data when necessary to perform such procedures;
• Procedures for processing requests from personal data subjects (their legal representatives) for cases provided for by legislation, including the procedure for preparing information on the existence of personal data related to a specific personal data subject, information necessary to provide the opportunity for the personal data subject (their legal representatives) to familiarize themselves with their personal data, as well as procedures for processing requests for clarification of personal data, their blocking, or destruction if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the established purpose of processing;
• Procedures for obtaining the consent of the personal data subject for the processing of their personal data and for the transfer of their personal data to third parties;
• Procedures for the transfer of personal data between users of the personal data resource, providing for the transfer of personal data only between Company employees who have access to personal data;
• Procedures for the transfer of personal data to third parties;
• Procedures for working with material carriers of personal data.

To ensure the security of personal data during their processing within the Company, the requirements of the current legislation regarding the processing and security of personal data are implemented. For these purposes, the Company has established, operates, and periodically reviews (controls) a system for protecting personal data.

The Company applies necessary and sufficient organizational and technical measures, including:

• Development of internal documents on the processing of personal data, as well as local acts establishing procedures aimed at preventing and detecting violations of legislation, and mitigating the consequences of such violations.
• Protection of personal data from unauthorized access, unlawful processing or transfer, as well as from loss, distortion, or destruction (regardless of whether the automated or non-automated processing of personal data is carried out).
• Identification and implementation, before the introduction of new processes for processing personal data and new information systems for personal data, of technical and organizational measures to ensure the protection of personal data, oriented towards modern technology levels and the necessary degree of data protection.
• Identification of threats to the security of personal data during their processing in personal data information systems.
• Use of information protection means that have undergone the established conformity assessment procedure.
• Establishment of rules for access to personal data processed in personal data information systems, as well as ensuring the registration and accounting of all actions performed with personal data in personal data information systems.
• Monitoring and evaluation of the effectiveness of applied measures (including involving audit checks).
• Detection of unauthorized access to personal data (and other incidents involving personal data) and taking measures.
• Restoration of personal data.
• Regarding the confidentiality of processing, the Company takes measures aimed at preventing unauthorized collection, processing, or use of personal data, including:
• Providing access to personal data only in cases and in the manner provided by law.
• Familiarizing the Company's employees directly involved in the processing of personal data with the provisions of legislation on personal data, including requirements for the protection of personal data, documents defining the Company's policy regarding the processing of personal data, local acts on issues of processing personal data, and/or training of these employees.

The Company has appointed a person responsible for organizing the processing of personal data and a person responsible for ensuring the security of personal data. The Company's management is interested in ensuring the security of personal data processed within the framework of the Company's main activities, both from the perspective of the requirements of current legislation and from the perspective of risk minimization.

The Company may amend this Policy from time to time without prior notice, and any changes shall become effective upon their posting on the Company's website (https://carbonmicro.ru) or at the Company's offices.

The control of compliance with the requirements of this Policy, as well as its timely updating, is carried out by the person responsible for organizing the processing of personal data. The responsibility of the Company's employees who have access to personal data for non-compliance with the requirements of the norms regulating the processing and protection of personal data is determined in accordance with the legislation of the Russian Federation and the internal documents of the Company.

Any inquiries regarding the processing of personal data should be directed via email to the contact provided on the Company's website (https://carbonmicro.ru), as well as during personal visits to the Company's offices or by mail to the legal address of the Company: Shcherbakovskaya St., Bld. 3, Fl. 8, Rm./Ofc. II/2, Sokolinaya Gora municipal district, Moscow, 105318, RUSSIA.