Information Security & Payment Security Policy

Last updated: Feb 4th, 2026

  1. Purpose

This policy outlines how My Studio Party Inc. protects information security and customer data and defines our approach to payment security. We are committed to safeguarding customer information, maintaining trust, and aligning with applicable security and privacy standards.

  2. Scope

This policy applies to:

  • All employees, contractors, and authorized users
  • All company-owned or company-used systems
  • All customer-facing digital platforms operated by the company

This policy covers administrative, technical, and organizational safeguards relevant to our business operations.

  3. Payment Processing Model

My Studio Party Inc. does not store, process, or transmit cardholder data.

All payment transactions are processed exclusively through PayPal, a PCI DSS–compliant third-party payment service provider.

  • Customers are redirected to PayPal’s secure hosted payment environment to enter payment details.
  • Cardholder data is entered directly into PayPal systems.
  • Our systems never receive or store credit card numbers, CVV codes, expiration dates, or sensitive authentication data.

The company only receives non-sensitive transaction metadata, such as payment confirmation and transaction reference details.

  4. Cardholder Data Storage Prohibition

The storage of cardholder data or sensitive authentication data is strictly prohibited within company systems, including but not limited to:

  • Databases
  • Servers
  • Email systems
  • File storage
  • Paper records
  • Backups or offline media

Any deviation from this model would require formal review, documented approval, and policy updates.

  5. Third-Party Service Providers

All third-party service providers involved in payment processing must:

  • Be PCI DSS–compliant
  • Assume responsibility for the security of cardholder data they process
  • Use cardholder data solely for authorized transaction purposes

PayPal is currently the sole payment service provider used for card payments.

  6. Access Control and User Management

  • Access to company systems is limited to authorized users only.
  • Access is granted based on role and business need.
  • User accounts are unique and protected by strong passwords.
  • Access is revoked promptly upon termination of employment or contract.

Administrative access to PayPal accounts is restricted to designated personnel.

  7. Acceptable Use of Systems

Authorized users must:

  • Use company systems responsibly and lawfully
  • Protect login credentials
  • Avoid installing unauthorized software or tools
  • Lock devices when unattended
  • Report any suspected security incidents promptly

Company systems may be monitored to ensure security and compliance.

  8. Data Protection and Transmission

  • Sensitive payment data is never transmitted through company systems.
  • Cardholder data must not be sent via email, messaging platforms, or file-sharing tools.
  • All website and administrative access uses secure, encrypted connections.

  9. Physical Security

  • Access to company equipment is restricted to authorized individuals.
  • Devices are protected against unauthorized access.
  • Visitors, where applicable, are supervised.

No physical locations handle card-present transactions.

  10. Data Retention and Disposal

  • Cardholder data is not retained by the company.
  • Non-sensitive business records are retained only as required for legal, regulatory, or operational purposes.
  • When no longer required, data is securely deleted or disposed of in a manner that prevents recovery.

  11. Security Awareness

  • Personnel are expected to follow this policy and applicable security procedures.
  • Security responsibilities form part of onboarding and ongoing awareness.
  • Any suspected or actual security incidents must be reported immediately.

  12. Incident Response

In the event of a suspected security incident:

  • The issue is investigated promptly
  • Appropriate containment and mitigation steps are taken
  • Relevant third parties are notified if applicable

If a payment-related incident were suspected, PayPal and appropriate parties would be engaged in accordance with applicable requirements.

  13. Policy Review

This policy is reviewed periodically and updated as needed to reflect changes in business operations, technology, or regulatory requirements.

This policy reflects our current operational model, which relies exclusively on PCI DSS–compliant third-party payment providers. We intentionally minimize data exposure to protect our customers and our business.