Data protection policy
1. Introduction
1.1.
Murphy Ventures, S.L. (Murphy or the Company) is committed to protecting the privacy and security of personal data processed in connection with its AI-driven software-as-a-service platform.
1.2.
This Data Protection Policy sets out Murphy's approach to data protection and the measures implemented to ensure compliance with applicable data protection laws, including Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) and related EU and national legislation.
1.3.
This Policy is designed to provide transparency to customers, particularly regulated enterprise organizations, regarding Murphy's data protection practices and commitments.
2. Scope
2.1.
This Policy applies to all personal data and customer data processed by Murphy in connection with the provision of its services.
2.2.
This Policy covers:
(a)
data collected, processed, stored, or transmitted by Murphy's systems and platforms;
(b)
data handled by Murphy employees, contractors, and authorized third parties; and
(c)
data processed on behalf of customers in Murphy's capacity as a data processor.
3. Definitions
3.1.
Customer Data means any data, including personal data, uploaded to or processed through Murphy's platform by or on behalf of a customer.
3.2.
Personal Data means any information relating to an identified or identifiable natural person, as defined in the GDPR.
3.3.
Processing has the meaning given in the GDPR and includes any operation performed on personal data.
3.4.
Data Subject means an identified or identifiable natural person to whom personal data relates.
3.5.
Confidential Data means highly sensitive data requiring the highest levels of protection, including Customer Data, personally identifiable information, financial data, authentication credentials, and source code.
3.6.
Third Party means any external organization, including suppliers, vendors, service providers, and sub-processors, that processes data on Murphy's behalf or has access to Murphy's systems.
4. Data Protection Principles
4.1.
Murphy processes personal data in accordance with the following principles:
(a)
Lawfulness, Fairness and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
(b)
Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
(c)
Data Minimisation: Personal data collected and processed is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
(d)
Accuracy: Personal data is kept accurate and, where necessary, up to date, with reasonable steps taken to ensure inaccurate data is erased or rectified without delay.
(e)
Storage Limitation: Personal data is retained only for as long as necessary for the purposes for which it is processed, or as required by law.
(f)
Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
(g)
Accountability: Murphy is responsible for and able to demonstrate compliance with the data protection principles.
5. Data Classification and Handling
5.1.
Classification Framework
(a)
Murphy classifies data according to its sensitivity and business criticality into three categories: Confidential, Restricted, and Public.
(b)
Customer Data and all personal data are classified as Confidential and subject to the highest level of protection.
(c)
Information systems and applications are classified according to the highest classification of data they store or process.
5.2.
Confidential Data Handling
(a)
Access to Confidential Data is restricted to specific employees, roles, or departments based on documented business need and appropriate authorization.
(b)
Confidential systems do not permit unauthenticated or anonymous access.
(c)
Confidential Data is encrypted both at rest and in transit over public networks in accordance with Murphy's cryptographic standards.
(d)
Mobile device hard drives containing Confidential Data are encrypted.
(e)
Mobile devices accessing Confidential Data are protected by authentication mechanisms (password, passcode, or biometric) and configured to lock after fifteen (15) minutes of inactivity.
(f)
Backups of Confidential Data are encrypted.
(g)
Confidential Data is not stored on removable media, including USB drives, CDs, or DVDs.
(h)
Paper records containing Confidential Data are labeled, securely stored, and disposed of in a secure manner.
(i)
Hard drives and mobile devices used to store Confidential Data are securely wiped prior to disposal or physically destroyed.
(j)
Transfer of Confidential Data outside the Company is permitted only in accordance with legal contracts, customer authorization, or as required by law.
6. Lawfulness of Processing
Murphy processes Customer Data and all personal data and customer data in connection with the provision of its services (see clause 2) based on the following applicable legal bases:
(a)
Performance of a contract: processing is necessary for performing the contract to which the customers are a party (art. 6.1 (b) GDPR).
(b)
Compliance with applicable legal obligations to which Murphy is subject (art. 6.1 (c) GDPR): if applicable, Murphy will process personal data to comply with its applicable legal obligations.
(c)
Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by Murphy (art. 6.1 (f) GDPR). In particular, such legitimate interests are security and service improvement purposes.
7. Technical and Organizational Security Measures
7.1.
Cryptographic Controls
(a)
Murphy employs strong cryptography with associated key-management processes to protect the confidentiality, authenticity, and integrity of data.
(b)
Encryption is performed in accordance with industry standards, including guidance from the United States National Institute of Standards and Technology (NIST).
(c)
Confidential and Customer Data is encrypted using Advanced Encryption Standard (AES) with 256-bit keys when stored at rest.
(d)
Data transmitted over public networks is protected using Transport Layer Security (TLS) with cipher suites rated grade B or higher on recognized security assessment tools.
(e)
Web certificates utilize RSA or Elliptic Curve Cryptography (ECC) with SHA-2 or stronger signature algorithms, with key lengths of 2048 bits or greater for RSA and 256 bits or greater for ECC.
(f)
Passwords are hashed using industry-standard algorithms such as Bcrypt, PBKDF2, Scrypt, or Argon2, with appropriate stretching and unique cryptographic salt.
(g)
Access to cryptographic keys and secrets is controlled in accordance with Murphy's access control requirements.
7.2.
Access Controls
(a)
Access to information and information processing systems is limited to authorized personnel based on business requirements and the principle of least privilege.
(b)
Access for roles not pre-approved requires documented authorization from appropriate management.
(c)
All access to production systems and Customer Data is authenticated; anonymous access is prohibited.
(d)
System-level and user-level passwords comply with Murphy's password requirements.
(e)
Users are prohibited from sharing passwords or allowing others to use their accounts.
7.3.
Asset Management
(a)
Murphy maintains an inventory of assets associated with information processing facilities that store, process, or transmit Confidential Data.
(b)
All assets in the inventory have designated owners responsible for their protection.
(c)
Company-issued devices are subject to acceptable use requirements and must be returned upon termination of employment or engagement.
(d)
Loss, theft, or unauthorized disclosure of Company devices or data must be reported immediately.
7.4.
Endpoint Security
(a)
All end-user devices (laptops, desktops, mobile phones, tablets) accessing Company systems or Customer Data must comply with Murphy's security requirements.
(b)
Devices must be protected with passwords (or biometric authentication) and configured to lock after fifteen (15) minutes of inactivity.
(c)
Devices must be locked when left unattended.
(d)
Confidential Data must not be stored locally on mobile devices or USB drives.
(e)
Antivirus software must be installed, configured to perform periodic scans, and kept up to date on all computers accessing Company systems.
(f)
Users must not disable or modify organizational security controls such as firewalls or antivirus software on Company-owned devices.
7.5.
Remote Access
(a)
Remote access to Company systems requires the use of Company-approved technologies configured with multi-factor authentication.
(b)
Users accessing Company systems from public computers must not save data locally, must log out of all sessions, and must not select "remember me" options.
(c)
Remote workers must follow clear desk and clear screen protocols to prevent unauthorized access or disclosure.
7.6.
Network Security
(a)
Murphy employs network security controls including firewalls, network segmentation, and monitoring to protect against unauthorized access.
(b)
Security event data and log data are retained in accordance with Murphy's retention standards.
7.7.
Physical Security
(a)
Murphy implements physical security controls to prevent unauthorized physical access to facilities and equipment that store or process Confidential Data.
(b)
Physical access is restricted to authorized personnel.
8. Data Retention and Deletion
8.1.
Retention Principles
(a)
Murphy retains data only for as long as necessary for the purposes for which it was collected, to meet regulatory or contractual requirements, or as required by law.
(b)
Retention periods are determined based on business need, legal obligations, and contractual commitments.
(c)
Personal data is deleted or de-identified when it no longer has a legitimate business use.
8.2.
Customer Data Retention
(a)
Customer Data is retained during the term of the applicable service agreement.
(b)
Upon termination of a customer contract, Customer Data is deleted within ninety (90) days unless otherwise required by law or agreed in writing.
(c)
Deletion is performed using secure methods to ensure data is not recoverable.
8.3.
Retention Schedule
(a)
Murphy maintains documented retention periods for different categories of data.
(b)
Data retention requirements are reviewed annually.
8.4.
Legal Holds
(a)
Data subject to legal holds, litigation, or regulatory investigations is exempt from standard deletion requirements and retained as required by legal counsel.
9. Secure Data Disposal
9.1.
Data classified as Confidential or Restricted is securely deleted when no longer needed.
9.2.
Where feasible, all Confidential and Restricted Data is securely deleted from devices prior to disposal.
9.3.
Hard drives and storage media are either:
(a)
securely wiped using approved data sanitization methods in accordance with industry standards (such as NIST SP 800-88); or
(b)
physically destroyed, with certificates of destruction obtained when destruction is performed by third parties.
9.4.
Paper records containing Confidential Data are shredded or otherwise disposed of using secure methods.
9.5.
Third parties used for data disposal must meet Murphy's requirements for secure data disposal as assessed under Murphy's third-party management procedures.
10. Data Subject Rights
10.1.
Murphy respects the rights of data subjects under the GDPR and applicable data protection laws.
10.2.
Where Murphy acts as a data processor, Murphy assists customers in responding to data subject requests in accordance with the applicable data processing agreement.
10.3.
Data subjects may exercise the following rights (subject to applicable legal limitations):
(a)
the right to access their personal data;
(b)
the right to rectification of inaccurate personal data;
(c)
the right to erasure (right to be forgotten);
(d)
the right to restriction of processing;
(e)
the right to data portability;
(f)
the right to object to processing; and
(g)
the right to lodge a complaint with a single supervisory authority (in Spain, the Spanish Data Protection Authority).
10.4.
Requests from data subjects are handled promptly and in accordance with GDPR timelines.
10.5.
Personal data is securely deleted in response to verified erasure requests, where Murphy does not have a legitimate business interest or legal obligation to retain the data.
11. Third-Party Data Processing
11.1.
Due Diligence and Assessment
(a)
Murphy performs appropriate due diligence prior to engaging any third party that will access, process, store, or transmit Confidential Data or Customer Data.
(b)
Risk assessments consider the third party's security controls, compliance with applicable regulations, and ability to meet Murphy's data protection requirements.
11.2.
Contractual Requirements
(a)
Murphy does not share or transmit Confidential Data to third parties without a written contract, statement of work, or service agreement that includes:
(i)
acknowledgment of the third party's responsibilities for data confidentiality;
(ii)
commitments regarding integrity, availability, and privacy controls;
(iii)
information security requirements aligned with Murphy's standards; and
(iv)
the third party's obligations to protect Customer Data in accordance with applicable data protection laws.
(b)
Contracts with third parties specify protections for Murphy's data, service availability, and (where possible) advance notification of material changes to service delivery, including changes to sub-contractors or data storage locations.
11.3.
Sub-Processor Management
(a)
Third-party service providers are assessed to ensure they maintain reasonable organizational and technical controls.
(b)
Murphy evaluates third-party security practices through review of audit reports (such as SOC 2 Type II reports), certifications, security questionnaires, or direct assessments.
(c)
For cloud service providers, Murphy evaluates shared responsibility models and ensures appropriate customer-side controls are implemented.
11.4.
Ongoing Management
(a)
Third-party service delivery is monitored and reviewed on at least an annual basis.
(b)
Material changes to third-party services are assessed for risk and addressed through contract modifications where necessary.
12. Security Incidents and Breach Notification
12.1.
Incident Response
(a)
Murphy maintains an incident response capability to detect, respond to, and recover from information security incidents.
(b)
All employees and contractors are required to report known or suspected security incidents, including data breaches, immediately to Murphy's designated security contact.
(c)
Murphy investigates and responds to security incidents in accordance with documented incident response procedures.
12.2.
Breach Notification
(a)
In the event of a personal data breach, Murphy will:
(i)
assess the nature and severity of the breach;
(ii)
take immediate steps to contain and mitigate the breach;
(iii)
notify affected customers without undue delay where Murphy acts as a data processor; and
(iv)
comply with applicable breach notification requirements under the GDPR and other applicable laws.
(b)
Notifications to customers will include:
(i)
a description of the nature of the breach;
(ii)
the categories and approximate number of data subjects and personal data records affected;
(iii)
the likely consequences of the breach; and
(iv)
measures taken or proposed to address the breach and mitigate harm.
12.3.
Incident Documentation
(a)
Security incidents are documented, including details of the incident, response actions, and lessons learned.
(b)
Incident records are retained in accordance with applicable legal and regulatory requirements.
13. International Data Transfers
13.1.
Murphy processes data in accordance with applicable legal requirements for cross-border data transfers.
13.2.
Where personal data is transferred outside the European Economic Area (EEA), Murphy implements appropriate safeguards such as:
(a)
European Commission-approved Standard Contractual Clauses;
(b)
adequacy decisions issued by the European Commission; or
(c)
other legally recognized transfer mechanisms.
13.3.
Customers may request information about data transfer mechanisms by contacting Murphy.
14. Employee Training and Awareness
14.1.
Murphy provides information security and data protection training to employees and contractors with access to Customer Data or Company systems.
14.2.
Training covers:
(a)
data protection principles and requirements;
(b)
secure handling of Confidential Data and personal data;
(c)
recognition and reporting of security incidents; and
(d)
compliance with Murphy's information security policies.
14.3.
Employees and contractors acknowledge their responsibility to comply with Murphy's data protection and security requirements.
15. Privacy by Design and by Default
15.1.
Murphy incorporates data protection principles into the design and development of its systems and services.
15.2.
Security is integrated into the development lifecycle for applications and information systems.
15.3.
Default settings and configurations are designed to minimize data collection and maximize privacy protection.
15.4.
Technical and organizational measures are implemented to ensure that, by default, only personal data necessary for each specific purpose is processed.
16. Policy Governance and Review
16.1.
This Policy is approved by Murphy's executive management.
16.2.
This Policy is reviewed at least annually and updated as necessary to reflect:
(a)
changes in legal or regulatory requirements;
(b)
changes in Murphy's data processing activities or services; and
(c)
findings from audits, assessments, or incident investigations.
16.3.
Material updates to this Policy will be communicated to customers as appropriate.
16.4.
Murphy measures and verifies compliance with this Policy through ongoing monitoring and both internal and external audits.
17. Exceptions
17.1.
Requests for exceptions to this Policy must be submitted to Murphy's designated security delegate for review and approval.
17.2.
Exceptions are documented and reviewed periodically to ensure they remain appropriate.
18. Enforcement
18.1.
Violations of this Policy may result in disciplinary action, up to and including termination of employment or engagement.
18.2.
Murphy investigates reported violations and takes appropriate corrective action.
19. Contact Information
19.1.
Questions, concerns, or requests related to this Policy or Murphy's data protection practices may be directed to:
(a)
Email: legal@getmurphy.ai
(b)
Address: Murphy Ventures, S.L., Pamplona 98, 08018 Barcelona, España.
19.2.
Customers may also contact their designated Murphy account representative for data protection inquiries.
Last updated: 13.02.2026
Data protection policy
1. Introduction
1.1.
Murphy Ventures, S.L. (Murphy or the Company) is committed to protecting the privacy and security of personal data processed in connection with its AI-driven software-as-a-service platform.
1.2.
This Data Protection Policy sets out Murphy's approach to data protection and the measures implemented to ensure compliance with applicable data protection laws, including Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) and related EU and national legislation.
1.3.
This Policy is designed to provide transparency to customers, particularly regulated enterprise organizations, regarding Murphy's data protection practices and commitments.
2. Scope
2.1.
This Policy applies to all personal data and customer data processed by Murphy in connection with the provision of its services.
2.2.
This Policy covers:
(a)
data collected, processed, stored, or transmitted by Murphy's systems and platforms;
(b)
data handled by Murphy employees, contractors, and authorized third parties; and
(c)
data processed on behalf of customers in Murphy's capacity as a data processor.
3. Definitions
3.1.
Customer Data means any data, including personal data, uploaded to or processed through Murphy's platform by or on behalf of a customer.
3.2.
Personal Data means any information relating to an identified or identifiable natural person, as defined in the GDPR.
3.3.
Processing has the meaning given in the GDPR and includes any operation performed on personal data.
3.4.
Data Subject means an identified or identifiable natural person to whom personal data relates.
3.5.
Confidential Data means highly sensitive data requiring the highest levels of protection, including Customer Data, personally identifiable information, financial data, authentication credentials, and source code.
3.6.
Third Party means any external organization, including suppliers, vendors, service providers, and sub-processors, that processes data on Murphy's behalf or has access to Murphy's systems.
4. Data Protection Principles
4.1.
Murphy processes personal data in accordance with the following principles:
(a)
Lawfulness, Fairness and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
(b)
Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
(c)
Data Minimisation: Personal data collected and processed is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
(d)
Accuracy: Personal data is kept accurate and, where necessary, up to date, with reasonable steps taken to ensure inaccurate data is erased or rectified without delay.
(e)
Storage Limitation: Personal data is retained only for as long as necessary for the purposes for which it is processed, or as required by law.
(f)
Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
(g)
Accountability: Murphy is responsible for and able to demonstrate compliance with the data protection principles.
5. Data Classification and Handling
5.1.
Classification Framework
(a)
Murphy classifies data according to its sensitivity and business criticality into three categories: Confidential, Restricted, and Public.
(b)
Customer Data and all personal data are classified as Confidential and subject to the highest level of protection.
(c)
Information systems and applications are classified according to the highest classification of data they store or process.
5.2.
Confidential Data Handling
(a)
Access to Confidential Data is restricted to specific employees, roles, or departments based on documented business need and appropriate authorization.
(b)
Confidential systems do not permit unauthenticated or anonymous access.
(c)
Confidential Data is encrypted both at rest and in transit over public networks in accordance with Murphy's cryptographic standards.
(d)
Mobile device hard drives containing Confidential Data are encrypted.
(e)
Mobile devices accessing Confidential Data are protected by authentication mechanisms (password, passcode, or biometric) and configured to lock after fifteen (15) minutes of inactivity.
(f)
Backups of Confidential Data are encrypted.
(g)
Confidential Data is not stored on removable media, including USB drives, CDs, or DVDs.
(h)
Paper records containing Confidential Data are labeled, securely stored, and disposed of in a secure manner.
(i)
Hard drives and mobile devices used to store Confidential Data are securely wiped prior to disposal or physically destroyed.
(j)
Transfer of Confidential Data outside the Company is permitted only in accordance with legal contracts, customer authorization, or as required by law.
6. Lawfulness of Processing
Murphy processes Customer Data and all personal data and customer data in connection with the provision of its services (see clause 2) based on the following applicable legal bases:
(a)
Performance of a contract: processing is necessary for performing the contract to which the customers are a party (art. 6.1 (b) GDPR).
(b)
Compliance with applicable legal obligations to which Murphy is subject (art. 6.1 (c) GDPR): if applicable, Murphy will process personal data to comply with its applicable legal obligations.
(c)
Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by Murphy (art. 6.1 (f) GDPR). In particular, such legitimate interests are security and service improvement purposes.
7. Technical and Organizational Security Measures
7.1.
Cryptographic Controls
(a)
Murphy employs strong cryptography with associated key-management processes to protect the confidentiality, authenticity, and integrity of data.
(b)
Encryption is performed in accordance with industry standards, including guidance from the United States National Institute of Standards and Technology (NIST).
(c)
Confidential and Customer Data is encrypted using Advanced Encryption Standard (AES) with 256-bit keys when stored at rest.
(d)
Data transmitted over public networks is protected using Transport Layer Security (TLS) with cipher suites rated grade B or higher on recognized security assessment tools.
(e)
Web certificates utilize RSA or Elliptic Curve Cryptography (ECC) with SHA-2 or stronger signature algorithms, with key lengths of 2048 bits or greater for RSA and 256 bits or greater for ECC.
(f)
Passwords are hashed using industry-standard algorithms such as Bcrypt, PBKDF2, Scrypt, or Argon2, with appropriate stretching and unique cryptographic salt.
(g)
Access to cryptographic keys and secrets is controlled in accordance with Murphy's access control requirements.
7.2.
Access Controls
(a)
Access to information and information processing systems is limited to authorized personnel based on business requirements and the principle of least privilege.
(b)
Access for roles not pre-approved requires documented authorization from appropriate management.
(c)
All access to production systems and Customer Data is authenticated; anonymous access is prohibited.
(d)
System-level and user-level passwords comply with Murphy's password requirements.
(e)
Users are prohibited from sharing passwords or allowing others to use their accounts.
7.3.
Asset Management
(a)
Murphy maintains an inventory of assets associated with information processing facilities that store, process, or transmit Confidential Data.
(b)
All assets in the inventory have designated owners responsible for their protection.
(c)
Company-issued devices are subject to acceptable use requirements and must be returned upon termination of employment or engagement.
(d)
Loss, theft, or unauthorized disclosure of Company devices or data must be reported immediately.
7.4.
Endpoint Security
(a)
All end-user devices (laptops, desktops, mobile phones, tablets) accessing Company systems or Customer Data must comply with Murphy's security requirements.
(b)
Devices must be protected with passwords (or biometric authentication) and configured to lock after fifteen (15) minutes of inactivity.
(c)
Devices must be locked when left unattended.
(d)
Confidential Data must not be stored locally on mobile devices or USB drives.
(e)
Antivirus software must be installed, configured to perform periodic scans, and kept up to date on all computers accessing Company systems.
(f)
Users must not disable or modify organizational security controls such as firewalls or antivirus software on Company-owned devices.
7.5.
Remote Access
(a)
Remote access to Company systems requires the use of Company-approved technologies configured with multi-factor authentication.
(b)
Users accessing Company systems from public computers must not save data locally, must log out of all sessions, and must not select "remember me" options.
(c)
Remote workers must follow clear desk and clear screen protocols to prevent unauthorized access or disclosure.
7.6.
Network Security
(a)
Murphy employs network security controls including firewalls, network segmentation, and monitoring to protect against unauthorized access.
(b)
Security event data and log data are retained in accordance with Murphy's retention standards.
7.7.
Physical Security
(a)
Murphy implements physical security controls to prevent unauthorized physical access to facilities and equipment that store or process Confidential Data.
(b)
Physical access is restricted to authorized personnel.
8. Data Retention and Deletion
8.1.
Retention Principles
(a)
Murphy retains data only for as long as necessary for the purposes for which it was collected, to meet regulatory or contractual requirements, or as required by law.
(b)
Retention periods are determined based on business need, legal obligations, and contractual commitments.
(c)
Personal data is deleted or de-identified when it no longer has a legitimate business use.
8.2.
Customer Data Retention
(a)
Customer Data is retained during the term of the applicable service agreement.
(b)
Upon termination of a customer contract, Customer Data is deleted within ninety (90) days unless otherwise required by law or agreed in writing.
(c)
Deletion is performed using secure methods to ensure data is not recoverable.
8.3.
Retention Schedule
(a)
Murphy maintains documented retention periods for different categories of data.
(b)
Data retention requirements are reviewed annually.
8.4.
Legal Holds
(a)
Data subject to legal holds, litigation, or regulatory investigations is exempt from standard deletion requirements and retained as required by legal counsel.
9. Secure Data Disposal
9.1.
Data classified as Confidential or Restricted is securely deleted when no longer needed.
9.2.
Where feasible, all Confidential and Restricted Data is securely deleted from devices prior to disposal.
9.3.
Hard drives and storage media are either:
(a)
securely wiped using approved data sanitization methods in accordance with industry standards (such as NIST SP 800-88); or
(b)
physically destroyed, with certificates of destruction obtained when destruction is performed by third parties.
9.4.
Paper records containing Confidential Data are shredded or otherwise disposed of using secure methods.
9.5.
Third parties used for data disposal must meet Murphy's requirements for secure data disposal as assessed under Murphy's third-party management procedures.
10. Data Subject Rights
10.1.
Murphy respects the rights of data subjects under the GDPR and applicable data protection laws.
10.2.
Where Murphy acts as a data processor, Murphy assists customers in responding to data subject requests in accordance with the applicable data processing agreement.
10.3.
Data subjects may exercise the following rights (subject to applicable legal limitations):
(a)
the right to access their personal data;
(b)
the right to rectification of inaccurate personal data;
(c)
the right to erasure (right to be forgotten);
(d)
the right to restriction of processing;
(e)
the right to data portability;
(f)
the right to object to processing; and
(g)
the right to lodge a complaint with a single supervisory authority (in Spain, the Spanish Data Protection Authority).
10.4.
Requests from data subjects are handled promptly and in accordance with GDPR timelines.
10.5.
Personal data is securely deleted in response to verified erasure requests, where Murphy does not have a legitimate business interest or legal obligation to retain the data.
11. Third-Party Data Processing
11.1.
Due Diligence and Assessment
(a)
Murphy performs appropriate due diligence prior to engaging any third party that will access, process, store, or transmit Confidential Data or Customer Data.
(b)
Risk assessments consider the third party's security controls, compliance with applicable regulations, and ability to meet Murphy's data protection requirements.
11.2.
Contractual Requirements
(a)
Murphy does not share or transmit Confidential Data to third parties without a written contract, statement of work, or service agreement that includes:
(i)
acknowledgment of the third party's responsibilities for data confidentiality;
(ii)
commitments regarding integrity, availability, and privacy controls;
(iii)
information security requirements aligned with Murphy's standards; and
(iv)
the third party's obligations to protect Customer Data in accordance with applicable data protection laws.
(b)
Contracts with third parties specify protections for Murphy's data, service availability, and (where possible) advance notification of material changes to service delivery, including changes to sub-contractors or data storage locations.
11.3.
Sub-Processor Management
(a)
Third-party service providers are assessed to ensure they maintain reasonable organizational and technical controls.
(b)
Murphy evaluates third-party security practices through review of audit reports (such as SOC 2 Type II reports), certifications, security questionnaires, or direct assessments.
(c)
For cloud service providers, Murphy evaluates shared responsibility models and ensures appropriate customer-side controls are implemented.
11.4.
Ongoing Management
(a)
Third-party service delivery is monitored and reviewed on at least an annual basis.
(b)
Material changes to third-party services are assessed for risk and addressed through contract modifications where necessary.
12. Security Incidents and Breach Notification
12.1.
Incident Response
(a)
Murphy maintains an incident response capability to detect, respond to, and recover from information security incidents.
(b)
All employees and contractors are required to report known or suspected security incidents, including data breaches, immediately to Murphy's designated security contact.
(c)
Murphy investigates and responds to security incidents in accordance with documented incident response procedures.
12.2.
Breach Notification
(a)
In the event of a personal data breach, Murphy will:
(i)
assess the nature and severity of the breach;
(ii)
take immediate steps to contain and mitigate the breach;
(iii)
notify affected customers without undue delay where Murphy acts as a data processor; and
(iv)
comply with applicable breach notification requirements under the GDPR and other applicable laws.
(b)
Notifications to customers will include:
(i)
a description of the nature of the breach;
(ii)
the categories and approximate number of data subjects and personal data records affected;
(iii)
the likely consequences of the breach; and
(iv)
measures taken or proposed to address the breach and mitigate harm.
12.3.
Incident Documentation
(a)
Security incidents are documented, including details of the incident, response actions, and lessons learned.
(b)
Incident records are retained in accordance with applicable legal and regulatory requirements.
13. International Data Transfers
13.1.
Murphy processes data in accordance with applicable legal requirements for cross-border data transfers.
13.2.
Where personal data is transferred outside the European Economic Area (EEA), Murphy implements appropriate safeguards such as:
(a)
European Commission-approved Standard Contractual Clauses;
(b)
adequacy decisions issued by the European Commission; or
(c)
other legally recognized transfer mechanisms.
13.3.
Customers may request information about data transfer mechanisms by contacting Murphy.
14. Employee Training and Awareness
14.1.
Murphy provides information security and data protection training to employees and contractors with access to Customer Data or Company systems.
14.2.
Training covers:
(a)
data protection principles and requirements;
(b)
secure handling of Confidential Data and personal data;
(c)
recognition and reporting of security incidents; and
(d)
compliance with Murphy's information security policies.
14.3.
Employees and contractors acknowledge their responsibility to comply with Murphy's data protection and security requirements.
15. Privacy by Design and by Default
15.1.
Murphy incorporates data protection principles into the design and development of its systems and services.
15.2.
Security is integrated into the development lifecycle for applications and information systems.
15.3.
Default settings and configurations are designed to minimize data collection and maximize privacy protection.
15.4.
Technical and organizational measures are implemented to ensure that, by default, only personal data necessary for each specific purpose is processed.
16. Policy Governance and Review
16.1.
This Policy is approved by Murphy's executive management.
16.2.
This Policy is reviewed at least annually and updated as necessary to reflect:
(a)
changes in legal or regulatory requirements;
(b)
changes in Murphy's data processing activities or services; and
(c)
findings from audits, assessments, or incident investigations.
16.3.
Material updates to this Policy will be communicated to customers as appropriate.
16.4.
Murphy measures and verifies compliance with this Policy through ongoing monitoring and both internal and external audits.
17. Exceptions
17.1.
Requests for exceptions to this Policy must be submitted to Murphy's designated security delegate for review and approval.
17.2.
Exceptions are documented and reviewed periodically to ensure they remain appropriate.
18. Enforcement
18.1.
Violations of this Policy may result in disciplinary action, up to and including termination of employment or engagement.
18.2.
Murphy investigates reported violations and takes appropriate corrective action.
19. Contact Information
19.1.
Questions, concerns, or requests related to this Policy or Murphy's data protection practices may be directed to:
(a)
Email: legal@getmurphy.ai
(b)
Address: Murphy Ventures, S.L., Pamplona 98, 08018 Barcelona, España.
19.2.
Customers may also contact their designated Murphy account representative for data protection inquiries.
Last updated: 13.02.2026