Appendix No. 4

1.1. This Policy defines the basic principles and measures for ensuring cybersecurity when users interact with the “modme.uz” Service (hereinafter referred to as the Service) and applies to all clients, employees, and partners of MODME LLC (TIN 307442900) (hereinafter referred to as “MODME”).

1.2. The purpose of this document is to ensure the integrity, availability, and confidentiality of data, as well as to prevent incidents related to the loss, alteration, or unauthorized disclosure of information processed by the Service.

1.3. This Policy is an appendix to the Public Offer and the Agreement and is publicly available on the website https://modme.uz.

1.4. This Policy has been drafted in accordance with:

• The Law of the Republic of Uzbekistan “On Cybersecurity”;
• The Law of the Republic of Uzbekistan “On Personal Data”;
• other regulatory acts and internal regulations of MODME.

In ensuring data security, MODME is guided by the following principles:

• Continuity of protection: security is built into all stages of the Service’s lifecycle—from design to maintenance.
• Confidentiality: access to data is granted only to authorized persons.
• Integrity: prevention of unauthorized changes to data and program code.
• Availability: ensuring uninterrupted operation of the Service with minimal downtime.
• Transparency: users are informed about security measures and incidents that may affect their data.
• Accountability: every person with access to MODME systems is personally responsible for complying with security rules.

3.1. Technical Measures:

• use of secure communication protocols (HTTPS, SSL/TLS);
• data backup at least once a day;
• storing data on servers located within the territory of the Republic of Uzbekistan;
• using firewalls, antivirus, and anti-DDoS protection;
• regularly updating software and operating systems.

3.2. Organizational Measures:

• restricting access to administrative panels via IP filtering;
• mandatory two-factor authentication for employees and partners;
• password rotation and access key management;
• maintaining event logs and storing them for at least 12 months;
• annual security testing and audits conducted by independent specialists.

4.1. Upon detecting a security incident or signs thereof (data breach, hacking, virus attack, equipment failure), MODME shall immediately:

• record the event in the incident log;
• block the sources of the threat;
• notify affected customers (if their data is affected);
• initiate an internal investigation and address the consequences.

4.2. The cybersecurity officer prepares an incident report and takes measures to prevent similar incidents.

4.3. In the event of incidents involving personal data or threatening the information infrastructure, MODME notifies the State Cybersecurity Center and other competent authorities in accordance with the procedure established by the legislation of the Republic of Uzbekistan.

5.1. Users are required to:

• keep their usernames and passwords confidential;
• not share access with third parties;
• use modern and secure devices and browsers;
• immediately notify MODME support ([email protected]) upon detecting suspicious activity.

5.2. The user is responsible for actions performed under their account until MODME is notified of a security breach.

6.1. MODME engages only certified providers of hosting, telecommunications, SMS notification, and payment system services that ensure an adequate level of cybersecurity.

6.2. Data transfer to third parties is carried out exclusively under contract and in accordance with internal approval and security audit procedures.

7.1. All MODME employees receive cybersecurity training upon hiring and undergo annual refresher training.

7.2. Employees sign a non-disclosure agreement regarding confidential information and personal data.

7.3. MODME conducts internal incident response tests and drills at least once a year.

8.1. The person designated by order is responsible for organizing and overseeing cybersecurity measures.

8.2. MODME conducts an internal cybersecurity audit and submits a report to the company director at least once a year.

8.3. Employees and contractors are subject to disciplinary and other liability for violations of this Policy in accordance with the laws of the Republic of Uzbekistan and the company’s internal regulations.

9.1. This Policy is publicly available on the website https://modme.uz in the “Documents” section.