Policies, Certifications & Workload Processes.
Corporate Policies
At Smart Canvas, we are committed to operating with the highest standards of professionalism, security, and ethical integrity. As a technology company focused on delivering advanced software solutions, our responsibility extends beyond code—it includes how we protect our data, serve our clients, manage our people, and interact with the world. This section consolidates the official policies and standardized workload processes that govern our organization. Each element herein reflects our dedication to regulatory compliance, operational excellence, and continuous improvement.
The following corporate policies apply universally to all operational entities under the Smart Canvas and Celadon brands, including Smart Canvas Solutions, S.A. located in Guatemala, Smart Canvas Solutions, LLC in the United States, Smart Canvas International, S.L. in Spain, CeladonSoft in both Portugal and Poland, and Celadon Line Software House in the United Arab Emirates. These policies ensure consistent compliance, ethical governance, and operational integrity across all jurisdictions where these entities conduct business, aligning with both international standards and local regulatory frameworks.
Effective Date: March 22, 2013
Last Reviewed: January 20, 2025
Approved by: Executive Management Team
1. Purpose
The purpose of this Information Security Policy (“Policy”) is to establish a comprehensive framework that safeguards Smart Canvas’s information assets from all forms of threats, whether internal or external, deliberate or accidental. The Policy aims to:
Protect the confidentiality, integrity, and availability (CIA) of information.
Promote responsible information handling and security practices among all stakeholders.
Align with international standards including ISO/IEC 27001, NIST SP 800-series, and applicable data protection regulations such as GDPR and local data privacy laws.
Enable business continuity and minimize business damage by preventing and limiting the impact of information security incidents.
2. Scope
This Policy applies to all individuals with access to Smart Canvas’s information systems, including but not limited to employees, contractors, temporary staff, third-party service providers, and external consultants. It also covers:
All information systems and infrastructure owned, leased, or operated by Smart Canvas.
Data stored, processed, or transmitted on any media or platform, including cloud-based services, SaaS applications, and mobile devices.
Operations conducted at corporate headquarters, remote offices, and virtual environments.
3. Governance
Smart Canvas maintains an Information Security Governance framework overseen by the Chief Information Security Officer (CISO), who is empowered with full authority to implement, manage, and audit all aspects of this Policy. Responsibilities include:
Developing, maintaining, and enforcing the organization’s information security strategy.
Reporting quarterly to executive leadership and annually to the Board of Directors on the security posture, KPIs, and incident trends.
Establishing a Security Steering Committee to coordinate cross-functional security initiatives and review critical risk assessments.
4. Core Principles
The foundation of Smart Canvas’s information security philosophy is the CIA Triad:
Confidentiality: Access to sensitive information is restricted to authorized users only. Unauthorized disclosure, both intentional and accidental, is strictly prohibited.
Integrity: Information must be accurate and protected from unauthorized modification or corruption during processing, storage, and transmission.
Availability: Systems and data must be reliably accessible to authorized users when needed, with redundancy and disaster recovery strategies in place to ensure resilience.
5. Access Control
Access to information systems must follow the principle of least privilege:
All user accounts shall be provisioned based on defined roles using Role-Based Access Control (RBAC).
Multi-Factor Authentication (MFA) is required for all systems, especially those handling sensitive or administrative functions.
Automated provisioning and deprovisioning workflows must be in place, with quarterly access certification reviews.
Privileged access is subject to enhanced logging, monitoring, and approval workflows.
6. Data Classification & Handling
Data shall be categorized according to its sensitivity and criticality:
Data is classified into four categories: Public, Internal, Confidential, and Restricted.
Handling protocols, including labeling, storage, and transmission requirements, are defined for each classification tier.
Encryption must be implemented using FIPS 140-2 validated cryptographic modules for data at rest and in transit.
Data retention and secure disposal must follow regulatory and business requirements.
7. Incident Response
Smart Canvas maintains a formal Incident Response Plan (IRP):
All incidents must be reported within 30 minutes of detection.
The IRP includes defined roles, escalation paths, containment procedures, forensic protocols, and communication strategies.
Tabletop exercises are conducted biannually to test the IRP under realistic threat scenarios.
Post-incident reviews are mandatory to identify root causes, update policies, and improve defensive capabilities.
8. Risk Management
Information security risks are identified, evaluated, and managed as part of a continuous process:
A comprehensive risk assessment must be conducted at least annually or upon significant system change.
Risks are prioritized based on likelihood and impact using industry frameworks such as CVSS and FAIR.
Risk treatment plans are developed collaboratively with business units and tracked to closure.
A centralized risk register is maintained and reviewed by the Security Steering Committee.
9. Employee Awareness & Training
Security is a shared responsibility:
All new hires must complete security orientation during onboarding.
Annual refresher courses are mandatory for all personnel, with advanced modules for privileged users.
Simulated social engineering and phishing tests are conducted periodically to assess awareness.
Non-compliance with training requirements may result in disciplinary measures.
10. Vendor & Third-Party Security
Vendors must meet Smart Canvas’s security standards:
A third-party risk assessment is mandatory before onboarding any vendor with access to systems or data.
Security clauses and Data Processing Agreements (DPAs) must be embedded in all contracts.
Vendors are subject to periodic security audits and must notify Smart Canvas within 24 hours of any breach.
Critical suppliers must provide Business Continuity and Disaster Recovery plans.
11. Compliance & Audit
Smart Canvas enforces a strict compliance regime:
The organization undergoes regular internal audits and engages independent external auditors annually.
Compliance assessments cover policy adherence, technical controls, user behavior, and third-party compliance.
Any policy violation is investigated, and corrective actions are tracked to closure under the direction of Legal and Compliance.
12. Continuous Improvement
Security policies must evolve with the threat landscape:
This Policy shall be reviewed at least annually or after major incidents or regulatory changes.
Feedback from audits, incident reports, and employee input is used to update policies.
The CISO must maintain a roadmap for future security enhancements aligned with business objectives and technological innovations.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: March 22, 2013
Last Reviewed: January 22, 2025
Approved by: Executive Management Team
1. Purpose
This Privacy and Data Protection Policy (“Policy”) establishes the principles and rules that govern the collection, processing, storage, sharing, and deletion of personal data by Smart Canvas. Its objective is to:
Ensure full compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other regional privacy frameworks.
Protect the fundamental rights and freedoms of individuals whose personal data is handled by Smart Canvas.
Reinforce trust and transparency in our data processing practices across all services, platforms, and geographies.
2. Scope
This Policy applies to all Smart Canvas employees, contractors, service providers, and business units that access, process, or manage personal data. It encompasses:
Any personal data collected through our websites, platforms, applications, client services, or internal operations.
Data subjects including but not limited to clients, users, partners, employees, and applicants.
Personal data held in both electronic and physical formats.
3. Legal Basis for Processing
Smart Canvas processes personal data only when a valid legal basis exists, including:
Consent: Explicit, informed consent from the data subject.
Contractual Necessity: Data required for the performance of a contract.
Legal Obligation: Compliance with legal or regulatory requirements.
Legitimate Interest: Where the company’s legitimate interests are not overridden by the rights of the data subject.
Vital Interests: Where processing is necessary to protect the life or physical integrity of a data subject.
4. Data Collection & Use
Personal data must be collected lawfully, fairly, and transparently.
Data collection is limited to what is necessary, relevant, and proportionate to the intended purpose.
Smart Canvas maintains a Record of Processing Activities (ROPA) detailing each category of data processed, its purpose, legal basis, retention period, and recipients.
Personal data is never sold or monetized.
5. Data Subject Rights
Smart Canvas upholds and facilitates the following rights of data subjects:
Right of Access
Right to Rectification
Right to Erasure (“Right to be Forgotten”)
Right to Restriction of Processing
Right to Data Portability
Right to Object
Right not to be subject to automated decision-making without meaningful human intervention
All data subject requests must be acknowledged within 72 hours and fulfilled within the statutory deadlines.
6. Data Retention & Minimization
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected.
Retention schedules are defined and reviewed annually.
Anonymization or secure deletion techniques are applied at the end of the retention period.
7. Data Protection by Design and by Default
All products and services must implement privacy-enhancing technologies and techniques at the design stage.
The principle of least privilege, pseudonymization, and data minimization must be embedded in all data flows and system architecture.
8. Security of Processing
Appropriate technical and organizational measures are applied to protect personal data from unauthorized access, alteration, disclosure, or destruction.
Encryption, access controls, activity logging, and intrusion detection systems are enforced across all environments.
Data breaches are governed by the Smart Canvas Incident Response Plan and must be reported to relevant authorities and affected data subjects as required by law.
9. Roles and Responsibilities
The Data Protection Officer (DPO) is responsible for overseeing the implementation of this Policy, ensuring ongoing compliance, and serving as the primary point of contact for supervisory authorities and data subjects.
All employees must complete mandatory privacy training and are accountable for compliance with data protection requirements.
10. Compliance, Audit & Enforcement
Regular audits and compliance reviews are conducted to ensure adherence to this Policy.
Violations of this Policy may lead to disciplinary measures, including termination of employment or contractual relationships.
Serious infractions may also result in regulatory fines or legal action.
11. Policy Review and Updates
This Policy will be reviewed annually or in response to significant legal, operational, or technological changes.
Updates will be communicated to all employees and relevant stakeholders, and training will be provided where necessary.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: April 15, 2015
Last Reviewed: January 10, 2025
Approved by: Executive Management Team
1. Purpose
This Acceptable Use Policy (“Policy”) defines the standards of conduct for the use of Smart Canvas’s information systems, networks, software, devices, and digital services. Its primary objectives are to:
Protect the integrity, security, and availability of company technology assets.
Ensure lawful, ethical, and responsible use of technology.
Prevent misuse, abuse, or unauthorized access to systems and data.
Promote operational efficiency and protect the company’s reputation.
2. Scope
This Policy applies to all individuals who access or use any Smart Canvas information technology (IT) resources, including but not limited to:
Employees, contractors, consultants, temporary personnel, and interns.
All hardware, software, cloud services, mobile devices, and remote access systems.
On-premise, virtual, and third-party platforms integrated with Smart Canvas operations.
3. Authorized Use
IT resources shall be used exclusively for legitimate business purposes aligned with employee roles and responsibilities.
Reasonable personal use is permitted, provided it does not interfere with work performance, consume significant resources, or violate any company policies or applicable laws.
All usage is subject to monitoring, logging, and review by authorized personnel for security, legal, or operational purposes.
4. Prohibited Conduct
Users are strictly prohibited from engaging in any activity that:
Compromises the confidentiality, integrity, or availability of information systems.
Circumvents or disables technical controls (e.g., firewalls, antivirus, MFA, encryption).
Accesses or attempts to access unauthorized accounts, systems, or data.
Engages in hacking, phishing, malware distribution, or other malicious actions.
Uses company systems for personal financial gain, political activities, or illegal purposes.
Sends or stores obscene, harassing, defamatory, or discriminatory material.
Violates intellectual property rights or licensing agreements.
Connects unauthorized devices (e.g., USB drives, mobile hotspots) to corporate systems.
5. Data Protection
Users must adhere to data handling and classification guidelines as defined in the Privacy and Information Security Policies.
Sensitive or confidential data must not be stored on unencrypted personal devices or transmitted over insecure channels.
Files must be stored only in approved storage locations (e.g., encrypted drives, company-authorized cloud services).
6. Remote Access & BYOD
Remote access is permitted only through approved VPNs and secure authentication mechanisms.
Bring Your Own Device (BYOD) use is allowed only upon registration, mobile device management (MDM) enrollment, and adherence to company security policies.
Lost or stolen personal devices that contain company data must be reported within 12 hours.
7. Monitoring and Privacy
All user activity on corporate systems is subject to monitoring for compliance, performance, and security purposes.
While the company respects user privacy, users should have no expectation of privacy when using corporate devices or systems.
Monitoring data may be used in audits, investigations, and disciplinary procedures.
8. Enforcement and Violations
Violations of this Policy may result in disciplinary action up to and including termination of employment or contract.
Criminal activities will be referred to the appropriate law enforcement agencies.
Incidents involving non-compliance must be reported to the IT Security team or the CISO immediately.
9. Policy Acknowledgment
All users must read, understand, and sign the Acceptable Use Policy upon onboarding.
Annual reaffirmation of this Policy is required.
Continued access to systems is conditional on compliance with this Policy.
10. Review and Updates
This Policy shall be reviewed annually by the Information Security and Legal teams.
Updates will be communicated to all users and integrated into onboarding and training materials.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: May 14, 2014
Last Reviewed: January 13, 2025
Approved by: Executive Management Team
1. Purpose
This Anti-Corruption and Anti-Bribery Policy (“Policy”) outlines the principles, obligations, and procedures adopted by Smart Canvas to ensure full compliance with global anti-corruption laws and ethical business practices. The primary purpose is to:
Prevent, detect, and respond to bribery and corruption in all business dealings.
Promote a culture of integrity, transparency, and accountability.
Ensure compliance with applicable legislation, including the U.S. Foreign Corrupt Practices Act (FCPA), UK Bribery Act 2010, and regional anti-corruption frameworks.
2. Scope
This Policy applies globally to:
All Smart Canvas employees, executives, directors, and board members.
Contractors, suppliers, consultants, agents, joint ventures, intermediaries, and any other third parties acting on behalf of or representing the company.
3. Definitions
Bribery: Offering, promising, giving, requesting, or receiving anything of value to influence the actions of an individual in a position of trust.
Corruption: Abuse of entrusted power for private gain, including embezzlement, kickbacks, favoritism, or conflicts of interest.
Facilitation Payments: Small unofficial payments made to expedite routine government actions. Such payments are strictly prohibited.
4. Prohibited Conduct
Smart Canvas strictly prohibits:
Direct or indirect offering, paying, soliciting, or accepting bribes in any form.
Use of third parties to engage in corrupt practices on behalf of the company.
Providing gifts, hospitality, or donations with the intention of influencing a business decision.
Concealment or misrepresentation of transactions in the company’s books and records.
Making political contributions without prior approval from the Legal and Compliance teams.
5. Permissible Activities
While Smart Canvas encourages positive business relationships:
Gifts and hospitality must be reasonable, infrequent, and transparently recorded.
All charitable contributions must be pre-approved and documented.
Interactions with public officials must be handled with heightened scrutiny and transparency.
6. Due Diligence and Third-Party Risk
All third parties must undergo integrity due diligence and risk assessment prior to engagement.
Written contracts must include anti-bribery clauses, audit rights, and termination provisions for breach.
Ongoing monitoring of high-risk relationships is mandatory.
7. Recordkeeping and Financial Controls
All financial transactions must be accurately recorded in accordance with accounting standards and internal controls.
Off-the-books accounts and false documentation are strictly forbidden.
Internal audits will be conducted periodically to detect irregularities and enforce compliance.
8. Reporting and Whistleblower Protection
Employees and partners are required to report suspected violations immediately through the anonymous reporting system or directly to the Compliance Officer.
Smart Canvas maintains a zero-tolerance approach to retaliation against whistleblowers.
All reports are investigated promptly, confidentially, and without bias.
9. Training and Awareness
Mandatory anti-corruption training is required for all employees upon hiring and annually thereafter.
Specialized training is required for high-risk roles and external partners.
The Compliance team shall provide ongoing education, updates, and support materials.
10. Enforcement and Disciplinary Action
Violations of this Policy will result in disciplinary actions, including termination of employment or contract.
Severe breaches may lead to civil or criminal prosecution, regulatory penalties, and reputational damage.
The company reserves the right to pursue legal action against individuals or entities involved in misconduct.
11. Governance and Oversight
The Compliance Officer is responsible for the implementation, monitoring, and continuous improvement of this Policy.
Regular reviews and updates are performed in response to changes in law, best practices, or company operations.
Executive leadership holds ultimate accountability for ensuring adherence across all levels of the organization.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: June 10, 2015
Last Reviewed: January 25, 2025
Approved by: Executive Management Team
1. Purpose
This Anti-Money Laundering (“AML”) Policy outlines the principles, controls, and procedures established by Smart Canvas to prevent, detect, and report any instances of money laundering, terrorist financing, or related financial crimes. The Policy is designed to:
Ensure compliance with all applicable AML regulations, including but not limited to the USA PATRIOT Act, EU AML Directives, FATF Recommendations, and local financial crime legislation.
Protect Smart Canvas and its stakeholders from being used, intentionally or unintentionally, in criminal financial schemes.
Maintain the integrity and transparency of our financial operations and client relationships.
2. Scope
This Policy applies to all Smart Canvas employees, contractors, executives, and relevant third-party service providers. It governs:
All transactions, customer interactions, onboarding processes, and financial operations.
Operations involving high-risk jurisdictions, politically exposed persons (PEPs), and unusual financial patterns.
Any business activity that may be exposed to money laundering or financial abuse risks.
3. Definitions
Money Laundering: The process of disguising the origins of illegally obtained money to make it appear legitimate.
Terrorist Financing: The provision or collection of funds intended to be used, directly or indirectly, to support terrorist acts.
Beneficial Owner: The individual(s) who ultimately own or control a customer or legal entity.
KYC (Know Your Customer): The process of verifying the identity, background, and risk level of clients and partners.
4. Risk-Based Approach
Smart Canvas implements a risk-based approach (RBA) to AML compliance:
Customers and transactions are assessed and categorized into low, medium, and high risk.
Enhanced Due Diligence (EDD) is mandatory for high-risk categories, including PEPs, offshore entities, and transactions from high-risk jurisdictions.
Ongoing monitoring is proportionate to the assessed risk level.
5. Customer Due Diligence (CDD)
Prior to entering into any commercial relationship, Smart Canvas will:
Verify the identity of the customer and, where applicable, beneficial owners.
Collect, validate, and retain supporting documentation (e.g., government ID, proof of address, corporate registration).
Conduct screening against global sanctions lists, PEP lists, and adverse media databases.
6. Ongoing Monitoring
All customer accounts and transactions are continuously monitored for suspicious activity.
Patterns such as rapid movement of funds, structuring, round-dollar transactions, or inconsistencies with business profiles are flagged for review.
AML software tools are employed to assist in automated screening, anomaly detection, and case management.
7. Suspicious Activity Reporting (SAR)
Any suspicious behavior must be reported immediately to the AML Compliance Officer.
A formal investigation will be launched, and where warranted, a Suspicious Activity Report (SAR) will be filed with the appropriate financial intelligence unit (FIU).
Employees are protected under whistleblower provisions and are encouraged to report without fear of retaliation.
8. Training and Awareness
All employees must complete AML training upon onboarding and participate in mandatory annual refresher courses.
Role-specific training is required for finance, legal, compliance, and client-facing teams.
The AML team shall provide updates, guidance, and scenario-based workshops.
9. Recordkeeping
All CDD documentation, transaction records, and SAR filings must be securely retained for a minimum of five (5) years or longer if required by jurisdictional law.
Access to AML records is restricted and managed under strict confidentiality protocols.
10. Governance and Oversight
The AML Compliance Officer is responsible for the implementation, supervision, and enforcement of this Policy.
Quarterly AML compliance reports must be presented to executive leadership.
Independent audits of AML controls are conducted annually.
11. Enforcement
Breaches of this Policy may result in disciplinary action, contract termination, regulatory fines, and/or criminal prosecution.
Smart Canvas maintains a zero-tolerance stance on complicity with money laundering or financial crime.
12. Policy Review
This Policy shall be reviewed annually and updated as needed in response to regulatory developments or changes in operational risk.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: May 18, 2017
Last Reviewed: January 19, 2025
Approved by: Executive Management Team
1. Purpose
This Sustainability and Human Rights Policy (“Policy”) articulates Smart Canvas’s commitment to ethical, inclusive, and environmentally responsible business practices. It provides a framework to promote respect for human rights and the advancement of sustainability across all operations, supply chains, and stakeholder engagements. The objectives are to:
Uphold internationally recognized human rights as defined in the Universal Declaration of Human Rights and the UN Guiding Principles on Business and Human Rights.
Support the United Nations Sustainable Development Goals (SDGs).
Foster responsible environmental stewardship and social equity.
2. Scope
This Policy applies to all Smart Canvas operations worldwide, including:
Employees, directors, contractors, suppliers, and business partners.
Physical locations, digital services, product lifecycle activities, and supply chain interactions.
Community impact initiatives and stakeholder engagement activities.
3. Human Rights Commitments
Smart Canvas is committed to:
Non-discrimination: Ensuring equal opportunity, regardless of race, gender, age, religion, sexual orientation, disability, or nationality.
Freedom of association: Supporting workers’ rights to form and join labor unions and engage in collective bargaining.
Safe working conditions: Providing a healthy, safe, and harassment-free workplace.
No forced or child labor: Prohibiting all forms of modern slavery and child labor, in accordance with ILO conventions.
Privacy and dignity: Protecting personal data and respecting individual privacy.
4. Environmental Sustainability
Smart Canvas shall:
Reduce carbon emissions, energy usage, and resource consumption across all operations.
Implement circular economy principles in product design and waste management.
Source materials and services from environmentally responsible vendors.
Comply with applicable environmental laws and voluntarily adhere to global sustainability frameworks (e.g., GRI, CDP, ISO 14001).
Continuously assess and improve environmental performance through audits and reporting.
5. Supply Chain Responsibility
Suppliers must adhere to Smart Canvas’s Supplier Code of Conduct, which includes human rights and environmental standards.
High-risk suppliers are subject to social and environmental audits.
Procurement decisions consider ethical sourcing, fair labor practices, and sustainability certifications.
6. Stakeholder Engagement
Smart Canvas promotes transparent and inclusive dialogue with:
Employees, to foster a culture of ethics and sustainability.
Clients and investors, through ESG disclosures and reporting.
Communities, via local engagement, volunteering, and impact initiatives.
NGOs and regulatory bodies, to support advocacy and compliance efforts.
7. Training and Awareness
All employees receive onboarding and recurring training on human rights and sustainability principles.
Leadership receives enhanced training on ESG responsibilities, due diligence, and impact mitigation.
Educational materials and campaigns reinforce ethical and sustainable behaviors.
8. Governance and Oversight
A designated ESG Officer shall oversee the execution, monitoring, and continuous improvement of this Policy.
The Board of Directors will receive annual updates on ESG performance and risks.
Performance metrics are integrated into operational reviews and strategic planning.
9. Reporting and Remediation
Employees and stakeholders may report violations or concerns confidentially and without fear of retaliation.
Smart Canvas commits to timely and transparent investigation of all reports.
Where violations are found, appropriate corrective actions and remediation will be implemented.
10. Policy Review
This Policy is reviewed annually and revised as needed to reflect evolving legal requirements, stakeholder expectations, and environmental conditions.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: September 18, 2016
Last Reviewed: January 20, 2025
Approved by: Executive Management Team
1. Purpose
This Code of Conduct and Ethical Business Policy (“Policy”) defines the principles and expectations that guide ethical decision-making and professional behavior at Smart Canvas. It ensures that all individuals acting on behalf of the company uphold the highest standards of integrity, respect, and accountability in all interactions.
2. Scope
This Policy applies to:
All Smart Canvas employees, officers, directors, contractors, consultants, and business partners.
All interactions with colleagues, clients, suppliers, regulators, and the public.
All business activities, whether onsite, remote, or in third-party environments.
3. Core Ethical Principles
Smart Canvas expects all representatives to:
Act with Integrity: Uphold honesty, fairness, and transparency in all actions.
Respect Others: Foster a workplace free from harassment, discrimination, and disrespect.
Comply with Laws: Obey all applicable local, national, and international laws, regulations, and company policies.
Avoid Conflicts of Interest: Disclose any relationships or interests that could interfere with objective judgment.
Protect Company Assets: Use corporate resources responsibly and for legitimate business purposes only.
4. Conflicts of Interest
Employees must disclose any personal, financial, or familial relationships that may influence business decisions.
Participation in outside employment or advisory roles must be pre-approved by Human Resources.
Gifts or hospitality from clients or suppliers must be modest, infrequent, and recorded transparently.
5. Anti-Harassment and Non-Discrimination
Smart Canvas maintains a zero-tolerance policy toward harassment, bullying, or discrimination.
All employees have the right to work in an inclusive, safe, and respectful environment.
Incidents must be reported immediately and will be addressed promptly and confidentially.
6. Confidentiality and Data Protection
All proprietary information, client data, and trade secrets must be protected against unauthorized access or disclosure.
Information may only be shared on a need-to-know basis and with appropriate safeguards.
Compliance with the company’s Privacy and Information Security Policies is mandatory.
7. Financial Integrity and Reporting
Employees must ensure accurate, timely, and complete recording of all financial transactions.
Falsifying documents, misreporting, or manipulating records is strictly prohibited.
Any concerns related to accounting or audit irregularities must be reported to the Compliance Officer.
8. Workplace Conduct and Professionalism
Employees must behave professionally, courteously, and responsibly at all times.
Substance abuse, violence, or unethical behavior in the workplace is not tolerated.
Use of company systems must comply with the Acceptable Use Policy.
9. Reporting Misconduct
Employees and stakeholders are encouraged to report concerns or violations via the anonymous whistleblower channel.
Retaliation against individuals who raise good-faith concerns is strictly prohibited.
Investigations will be conducted with fairness, confidentiality, and urgency.
10. Training and Acknowledgment
All new hires must complete ethics and conduct training during onboarding.
Annual recertification is mandatory for all employees.
Signed acknowledgment of this Policy is a condition of continued access to corporate systems and responsibilities.
11. Policy Enforcement
Breaches of this Policy may result in disciplinary action, including termination of employment or contract.
Serious violations may lead to legal action, regulatory penalties, and reputational harm.
12. Review and Updates
This Policy will be reviewed annually or following significant legal, regulatory, or organizational changes.
Updated versions will be communicated promptly to all employees and relevant stakeholders.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: September 18, 2016
Last Reviewed: January 20, 2025
Approved by: Executive Management Team
1. Purpose
This Remote Work and Flexible Work Policy (“Policy”) establishes the framework for enabling flexible work arrangements while maintaining productivity, accountability, and security at Smart Canvas. The goal is to empower employees to balance personal and professional responsibilities without compromising the quality or integrity of work.
2. Scope
This Policy applies to all employees of Smart Canvas globally, regardless of role or level. It encompasses:
Fully remote, hybrid, and flexible scheduling models.
Use of personal or company-provided devices.
Compliance with applicable labor, tax, and data protection regulations in all operational jurisdictions.
3. Eligibility and Approval
Remote work arrangements are available to all employees whose job responsibilities can be effectively performed outside the office.
Approval is granted by direct supervisors and HR based on role suitability, performance history, and team needs.
Periodic reviews ensure that remote work arrangements remain aligned with business objectives.
4. Work Hours and Availability
Employees must maintain a regular work schedule aligned with their department and team expectations.
Core hours of availability (10:00 AM – 6:00 PM local time) must be observed unless otherwise agreed upon.
Flexibility outside of core hours is permitted, subject to deliverable timelines and team coordination.
5. Productivity and Performance
Remote employees are accountable for meeting deadlines, attending virtual meetings, and achieving performance metrics.
Managers will provide clear goals, frequent feedback, and performance evaluations.
Tools such as project management software, virtual collaboration platforms, and productivity trackers will support alignment.
6. Communication and Collaboration
Employees must be reachable via email, messaging platforms, and video conferencing during work hours.
Weekly team check-ins and one-on-one meetings with supervisors are mandatory.
Employees must notify teams in advance of any absences or deviations from their agreed schedule.
7. Data Security and Confidentiality
Remote employees must adhere to all data protection, cybersecurity, and information security policies.
Use of secure Wi-Fi connections, VPNs, encrypted devices, and multi-factor authentication is mandatory.
Confidential information must not be printed, stored, or discussed in non-secure environments.
8. Equipment and IT Support
Employees may be provided with company-issued devices and peripherals, based on operational requirements.
BYOD (Bring Your Own Device) arrangements must meet minimum security and compatibility standards.
IT support is available remotely, and issues must be reported via official channels.
9. Health, Safety, and Ergonomics
Employees must maintain a safe and ergonomic remote work environment.
Smart Canvas may provide resources or reimbursement guidelines to support home office setups.
Regular self-assessments and safety declarations may be required.
10. Compliance and Monitoring
All employees must comply with applicable tax, labor, and data privacy laws in their place of residence.
Smart Canvas reserves the right to monitor work outputs, system access, and compliance activities.
Any misuse of remote work privileges may result in disciplinary action.
11. Policy Review and Amendments
This Policy will be reviewed annually or as business needs and regulatory environments evolve.
Amendments will be communicated to all employees in a timely manner.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: December 10, 2013
Last Reviewed: January 7, 2025
Approved by: Executive Management Team
1. Purpose
This Vendor and Third-Party Risk Management Policy (“Policy”) establishes the framework for identifying, assessing, mitigating, and monitoring risks associated with external parties providing goods or services to Smart Canvas. The Policy ensures that all third-party engagements align with our standards of security, compliance, and operational excellence.
2. Scope
This Policy applies to all external parties that:
Provide software, hardware, platforms, consulting, or outsourced services.
Process, store, or access Smart Canvas data or systems.
Represent Smart Canvas in any capacity or carry out services on its behalf.
3. Governance and Responsibilities
The Vendor Risk Management function, under the supervision of the Compliance and Procurement teams, oversees implementation of this Policy.
Business units engaging vendors are responsible for initiating due diligence and ensuring contractual compliance.
Executive Management holds final accountability for critical vendor relationships.
4. Due Diligence and Onboarding
A standardized due diligence process is mandatory before engaging any new third party.
Evaluation criteria include financial stability, regulatory compliance, data protection practices, security posture, reputation, and ESG alignment.
Background checks, sanctions screening, and reference verification are required for high-risk vendors.
5. Risk Classification
Vendors are classified as Low, Medium, or High Risk based on their criticality and potential impact on operations, security, or compliance.
High-risk vendors undergo enhanced due diligence and must be approved by the Compliance Officer.
The risk level informs the frequency of reviews and contractual safeguards.
6. Contractual Controls
All vendor contracts must include:
Confidentiality and data protection clauses.
Audit rights and incident notification requirements.
Service Level Agreements (SLAs) and Key Performance Indicators (KPIs).
Termination clauses for non-compliance or security breaches.
For data processors, contracts must include GDPR-aligned Data Processing Agreements (DPAs).
7. Ongoing Monitoring and Performance Management
Vendor performance is reviewed periodically against contractual obligations.
High-risk vendors are subject to annual risk assessments and security audits.
Any material changes in the vendor’s ownership, services, or risk profile must be reported immediately.
Issues identified during monitoring must be documented, tracked, and resolved.
8. Incident Response and Breach Reporting
Vendors must report any data breaches, service disruptions, or compliance failures within 24 hours.
Smart Canvas reserves the right to conduct investigations and mandate corrective action.
Breach notification obligations must align with legal and regulatory requirements.
9. Termination and Offboarding
Upon termination, vendors must:
Return or securely destroy all data and assets.
Revoke system access and certify completion of offboarding activities.
Comply with post-termination audit rights.
10. Training and Awareness
Internal stakeholders involved in vendor selection and management must receive periodic training on third-party risk management best practices.
Procurement and legal teams are responsible for ensuring that all vendor-related policies are applied consistently.
11. Review and Improvement
This Policy is reviewed annually or in response to regulatory, operational, or organizational changes.
Improvements are informed by audit findings, incident reports, and stakeholder feedback.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: July 7, 2015
Last Reviewed: January 10, 2025
Approved by: Executive Management Team
1. Purpose
This Software Quality Assurance and Control Policy (“Policy”) defines the principles, processes, and standards Smart Canvas adheres to in order to deliver high-quality, reliable, secure, and scalable software solutions. The goal is to ensure that all digital products meet customer expectations, regulatory requirements, and industry best practices.
2. Scope
This Policy applies to:
All software developed, maintained, or integrated by Smart Canvas.
Development teams, quality assurance (QA) personnel, product owners, DevOps engineers, and project stakeholders.
All software lifecycle phases, including design, development, testing, release, and maintenance.
3. Quality Assurance Framework
Smart Canvas adopts a combination of Agile, DevSecOps, and continuous integration/continuous delivery (CI/CD) methodologies.
Quality gates are embedded at every stage of the development pipeline.
Test-driven development (TDD) and behavior-driven development (BDD) are encouraged.
4. Software Development Standards
All code must adhere to internal coding standards and industry-recognized style guides (e.g., OWASP, ISO/IEC 25010).
Secure coding principles must be applied consistently to minimize vulnerabilities.
Code reviews are mandatory for all pull requests and must be conducted by qualified peers.
Open-source components must be vetted, version-controlled, and tracked for known vulnerabilities.
5. Testing and Validation
Comprehensive testing must be applied, including:
Unit Testing
Integration Testing
System Testing
Regression Testing
Performance and Load Testing
Security Testing (e.g., static and dynamic application security testing)
Automated testing frameworks should be used where applicable.
Acceptance criteria and test coverage metrics are tracked and reported.
6. Change and Release Management
All code changes must be tracked via version control systems (e.g., Git) and must follow change management procedures.
Releases are managed through structured deployment pipelines with rollback capabilities.
Release notes and impact assessments must accompany all production deployments.
7. Defect and Incident Management
Bugs and issues must be logged, categorized by severity, and tracked to resolution.
Post-release incidents are subject to root cause analysis (RCA) and corrective action plans.
A defect density threshold must be maintained to ensure production stability.
8. Documentation and Traceability
All software features must be traceable from requirements through design, implementation, and validation.
Technical documentation, user manuals, and API specifications must be maintained and versioned.
QA and development activities must be logged and auditable.
9. Continuous Improvement
Retrospectives and lessons-learned sessions are conducted at the end of each sprint or release cycle.
Metrics such as test coverage, deployment frequency, lead time, and defect rates are used for performance analysis.
Quality KPIs are reported to executive leadership on a quarterly basis.
10. Roles and Responsibilities
QA Leads are responsible for test strategy, execution, and reporting.
Developers are accountable for quality at the code level, including test writing and debugging.
Product Owners validate functional acceptance criteria before release.
DevOps teams ensure automation, observability, and environment parity.
11. Training and Compliance
All technical staff must complete onboarding and ongoing training on secure development, testing tools, and QA protocols.
Internal and external audits may be conducted to validate compliance with this Policy.
12. Review and Updates
This Policy shall be reviewed annually or in response to technological or regulatory changes.
Updates are communicated to all technical teams and integrated into the software development lifecycle (SDLC).
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Effective Date: August 7, 2016
Last Reviewed: January 13, 2025
Approved by: Executive Management Team
1. Purpose
This Business Continuity and Risk Management Policy (“Policy”) outlines Smart Canvas’s commitment to safeguarding its operations, people, technology, and clients by proactively managing risks and ensuring resilience in the face of disruptions. The purpose of this Policy is to:
Minimize the impact of unforeseen events on business operations.
Ensure the rapid recovery and continuity of essential services.
Establish a risk-aware culture aligned with strategic objectives.
2. Scope
This Policy applies across:
All Smart Canvas departments, employees, and business units.
All locations, including remote operations and third-party dependencies.
All forms of risk, including operational, technological, financial, reputational, legal, and environmental.
3. Governance and Responsibilities
The Business Continuity and Risk Committee oversees the implementation and monitoring of this Policy.
Risk Owners are assigned for key operational areas and are responsible for local risk identification and mitigation.
The Chief Operating Officer (COO) and Chief Risk Officer (CRO) provide strategic oversight and integration with enterprise planning.
4. Risk Management Framework
Smart Canvas utilizes an Enterprise Risk Management (ERM) framework based on ISO 31000.
Risk identification, assessment, treatment, and monitoring are conducted regularly.
Risk matrices and heatmaps are used to evaluate likelihood and impact.
Risk registers are maintained centrally and updated quarterly.
5. Business Impact Analysis (BIA)
A BIA is conducted to identify critical business functions, interdependencies, recovery time objectives (RTO), and recovery point objectives (RPO).
Essential personnel, suppliers, technologies, and facilities are prioritized.
The findings of the BIA inform continuity planning and resource allocation.
6. Business Continuity Planning (BCP)
Each department must maintain and periodically test a formal Business Continuity Plan.
Plans must include alternate workflows, contact lists, communication protocols, and access recovery procedures.
BCPs are reviewed and updated annually, or upon major changes in business operations.
7. Disaster Recovery (DR)
Smart Canvas maintains DR plans for all critical IT systems and data assets.
Backup and replication strategies are implemented using secure and geographically diverse infrastructure.
DR plans must be tested at least annually through simulation or live failover exercises.
8. Third-Party Risk and Dependencies
Third-party service providers critical to operations must have documented BCPs and SLAs.
Due diligence includes validation of vendor resilience and contingency capabilities.
Supplier continuity risk is evaluated as part of procurement and vendor management processes.
9. Training and Awareness
All employees are trained on their roles in business continuity and incident response.
Key personnel receive specialized training in crisis leadership and operational recovery.
Tabletop exercises and simulations are conducted to reinforce readiness.
10. Monitoring and Review
Continuity metrics (e.g., RTO compliance, incident response time) are tracked.
Risk exposures are monitored through internal audits, external assessments, and compliance reviews.
Audit results and continuity KPIs are reported to executive leadership quarterly.
11. Policy Maintenance
This Policy is reviewed at least annually, and following significant incidents, regulatory changes, or shifts in strategic direction.
All updates are communicated across the organization, with associated training where necessary.
Approved by: Executive Management, Smart Canvas / CeladonSoft
Next Review Date: January 2026
Smart Canvas works in collaboration with certified professionals, partners and suppliers.
Our workload execution model is built on agile methodologies (Scrum and Kanban), DevSecOps principles, and strong project governance. Each development cycle includes defined sprints, prioritized backlogs, automated testing with CI/CD, and transparent reviews. These processes operate within a collaborative environment that ensures real-time visibility, traceability, and accountability.
Safeguard Every Process
Every step is driven by precision, responsibility, and security.
At Smart Canvas and its affiliated companies worldwide, all processes, information security practices, and data management protocols are executed in strict alignment with the highest industry standards. Our operations are fully structured to comply with the frameworks and requirements of leading global benchmarks such as ISO/IEC 27001, GDPR, and SOC 2. Several certifications are currently undergoing issuance or renewal, reflecting our proactive commitment to continuous improvement. With teams strategically located across key international regions, we are not only meeting global expectations—we are actively positioning ourselves as future leaders in secure, responsible, and excellence-driven digital innovation.
Trust + Growth.
Alexei Falco – COO at CeladonSoft, Portugal