+32468072112
info@nexly.eu
Nexly Mobile Device & BYOD Policy

Mobile Device & BYOD Policy

Managing company data on personal devices

Nexly Corporation - Mobile Device & BYOD Policy

1. Introduction & Purpose

This Mobile Device & BYOD (Bring Your Own Device) Policy (the "Policy") outlines the standards and guidelines for the use of mobile devices, including both Company-owned and personal devices (BYOD), to access and manage Nexly Corporation ("Nexly" or the "Company") data and systems. Located at 701 South Street Suite 100, Mountain Home, AR 72653, Nexly recognizes the need for employees to have access to Company resources while maintaining appropriate levels of data security and privacy. This Policy is designed to:

  • Protect Company Data: Ensure the confidentiality, integrity, and availability of Company data accessed on mobile devices.
  • Minimize Security Risks: Minimize the security risks associated with the use of mobile devices, including data breaches, malware infections, and unauthorized access.
  • Enable Secure Access: Provide employees with secure access to Company resources on mobile devices, where appropriate.
  • Comply with Applicable Laws and Regulations: Ensure compliance with all applicable laws, regulations, and industry standards related to data privacy and security.
  • Provide Guidelines for BYOD: Establish clear guidelines for the use of personal devices to access Company data and systems.
  • Promote Responsible Use: Encourage the responsible use of mobile devices in the workplace.

This Policy applies to all Nexly employees, contractors, vendors, and other individuals who use mobile devices to access Company data or systems. This Policy is to be read in conjunction with other Company policies, including, but not limited to, the Information Security Policy, the Data Privacy Policy, the Acceptable Use Policy, and the Confidentiality and Non-Disclosure Policy.

2. Definitions

For the purposes of this Policy, the following definitions apply:

  • Mobile Device: Any portable electronic device capable of accessing Company data or systems, including smartphones, tablets, and laptops.
  • Company-Owned Mobile Device: A mobile device provided by Nexly Corporation to an employee for business use.
  • Personal Mobile Device (BYOD): A mobile device owned by an employee that is used to access Company data or systems.
  • Company Data: Any information, regardless of its form or the medium on which it is stored, that is created, received, maintained, or used by or on behalf of Nexly Corporation. This includes, but is not limited to, documents, emails, databases, spreadsheets, and system logs.
  • Mobile Device Management (MDM): A technology that allows IT departments to remotely manage, secure, and monitor mobile devices.
  • Mobile Application Management (MAM): A technology that allows the administration of specific applications on mobile devices.
  • Data Encryption: The process of converting data into a code to prevent unauthorized access.
  • Multi-Factor Authentication (MFA): A security process requiring users to provide two or more means of identification before gaining access.

3. Company-Owned Mobile Devices

Nexly Corporation will provide Company-owned mobile devices to employees who require them for their job duties.

  • 3.1. Security Requirements:
    • MDM Enrollment: All Company-owned mobile devices must be enrolled in the Company's Mobile Device Management (MDM) solution.
    • Strong Passwords/Biometrics: Employees must set strong passwords or use biometric authentication (e.g., fingerprint, facial recognition) to protect access to their devices.
    • Device Encryption: Device-level encryption must be enabled.
    • Automatic Lockout: Configure devices to automatically lock after a period of inactivity.
    • Regular Updates: The operating system and all applications must be kept up-to-date with the latest security patches and updates. The IT Department will handle these updates.
    • Secure Connections: Use secure Wi-Fi networks and avoid connecting to public Wi-Fi networks. Use a VPN for remote access when required.
    • Bluetooth Security: Disable Bluetooth when not in use.
    • Location Services: Disable location services for applications that do not require them.
  • 3.2. Permitted Use: Company-owned mobile devices should be used primarily for business purposes. Limited personal use is permitted, provided it does not violate other Company policies or compromise security.
  • 3.3. Application Restrictions:
    • Approved Applications: Only install applications that have been approved by the IT Department.
    • Prohibited Applications: Avoid the use of apps from unapproved sources.
    • Review: Regularly review installed apps.
  • 3.4. Data Storage:
    • Secure Storage: Store Company data securely on the device, using encryption where appropriate.
    • Cloud Storage: Use only Company-approved cloud storage services.
    • Data Backups: Regularly back up data stored on the device, in accordance with Company backup procedures.
  • 3.5. Device Management:
    • IT Management: The IT Department will manage and control all Company-owned mobile devices, including configuration, security updates, and remote wipe capabilities.
    • Remote Wipe: Nexly reserves the right to remotely wipe Company data from a lost, stolen, or compromised device.
    • Lost or Stolen Devices: Report lost or stolen Company-owned devices to the IT Department immediately.
  • 3.6. Compliance: All users are expected to abide by all rules within this policy.

4. Bring Your Own Device (BYOD) Program

Nexly Corporation may, at its discretion, allow employees to use their personal mobile devices to access Company data and systems (BYOD). Participation in the BYOD program is voluntary and subject to the following requirements:

  • 4.1. Eligibility: Participation in the BYOD program may be limited to certain employees or roles, as determined by the Company. This program will be subject to managerial approval.
  • 4.2. Enrollment:
    • MDM Enrollment: Employees who choose to participate in the BYOD program must enroll their personal mobile devices in the Company's Mobile Device Management (MDM) solution.
    • Acceptance of Terms: Employees must accept the terms and conditions of the BYOD program, including the requirements outlined in this Policy.
  • 4.3. Security Requirements for BYOD Devices:
    • Device Compatibility: Personal mobile devices must meet the minimum operating system and security requirements established by the IT Department.
    • Strong Passwords/Biometrics: Use strong passwords or biometric authentication (e.g., fingerprint, facial recognition) to protect access to the device.
    • Device Encryption: Enable device-level encryption.
    • Automatic Lockout: Configure devices to automatically lock after a period of inactivity.
    • Regular Updates: Keep the operating system and all applications up-to-date with the latest security patches and updates.
    • Secure Connections: Use secure Wi-Fi networks and avoid connecting to public Wi-Fi networks. Use a VPN for remote access when required.
    • Bluetooth Security: Disable Bluetooth when not in use.
    • Location Services: Disable location services for applications that do not require them.
    • MDM Agent: Install and maintain the Company-provided MDM agent.
  • 4.4. Application Restrictions:
    • Approved Applications: Only install applications approved by the IT Department.
    • Restrictions: Follow all application restrictions put in place by the Company.
  • 4.5. Data Access and Storage:
    • Company-Approved Access: Access Company data and systems only through Company-approved applications and secure channels.
    • Data Isolation: Take reasonable steps to segregate Company data from personal data on the device.
    • Storage Best Practices: Store Company data securely, and make sure any cloud storage is Company-approved.
  • 4.6. Remote Wipe: Nexly reserves the right to remotely wipe Company data from a lost, stolen, or compromised personal device enrolled in the BYOD program. The employee's personal data will not be affected by the wipe.
  • 4.7. BYOD Program Termination:
    • Voluntary Withdrawal: An employee may withdraw from the BYOD program at any time by removing the Company's MDM profile from their personal device.
    • Company Discretion: Nexly reserves the right to terminate an employee's participation in the BYOD program at any time.
    • Data Removal: Upon termination of the BYOD program, the employee must remove all Company data from their personal device. The IT department will assist with this process, if needed.
  • 4.8. Support and Assistance:
    • Technical Support: The IT Department will provide limited technical support for BYOD devices related to Company-approved applications and the MDM solution.
    • Limitations: Nexly is not responsible for providing technical support for the employee's personal device, other than for the Company-approved applications and the MDM solution.
    • Third-Party Issues: Personal issues or problems with personal devices will not be supported by Nexly IT personnel.
  • 4.9. Compensation: Nexly may or may not offer a stipend or other compensation to employees who participate in the BYOD program to offset the costs of using their personal devices for business purposes. If a stipend is provided, the details will be outlined in the BYOD agreement.

5. Data Security Best Practices

All Covered Parties are responsible for adhering to the following data security best practices:

  • 5.1. Protecting Devices:
    • Physical Security: Always keep mobile devices physically secure, including protecting them from theft and unauthorized access.
    • Securing Devices: Never leave mobile devices unattended in public places.
    • Reporting Lost or Stolen Devices: Report lost or stolen mobile devices immediately to the IT Department.
  • 5.2. Protecting Data:
    • Encryption: Protect sensitive data using encryption.
    • Data Minimization: Store only the minimum necessary data on mobile devices.
    • Data Backups: Back up important Company data regularly, following established procedures.
  • 5.3. Access and Usage:
    • Authorized Access Only: Access Company data and systems only on authorized devices.
    • Secure Authentication: Always use strong passwords and multi-factor authentication (MFA) when accessing Company resources.
    • Cautious Use: Use care when accessing Company data on mobile devices when traveling or in public places.
    • Avoid Public Wi-Fi: Avoid accessing Company data or systems on public Wi-Fi networks. Use a VPN when using public Wi-Fi.
  • 5.4. Application Security:
    • Download from Official Sources: Download applications only from official app stores.
    • App Permissions: Carefully review application permissions before installing an app.
    • Updates: Keep applications up-to-date with the latest security patches.
  • 5.5. Phishing and Social Engineering:
    • Be Alert: Be wary of phishing emails, text messages, and other social engineering attempts.
    • Verify Requests: Verify the legitimacy of any requests for information or access.
    • Report Suspicious Activity: Report any suspicious activity to the IT Department.

6. Enforcement & Consequences of Non-Compliance

Failure to comply with this Mobile Device & BYOD Policy may result in disciplinary action, up to and including termination of employment or contract.

  • 6.1. Violations: Any violation of this Policy will be investigated promptly and thoroughly.
  • 6.2. Disciplinary Action: Disciplinary action may include, but is not limited to:
    • Verbal or written warnings.
    • Suspension of access to Company data and systems.
    • Suspension without pay.
    • Termination of employment or contract.
  • 6.3. Legal Action: Nexly Corporation reserves the right to pursue all available legal remedies against any individual who violates this Policy.
  • 6.4. Recovery: If a breach of this Policy results in financial loss to the Company, the individual may be required to repay the Company.
  • 6.5. Reporting to Law Enforcement: In cases of serious breaches, Nexly may report the incident to law enforcement authorities.

7. Policy Review & Amendments

This Mobile Device & BYOD Policy will be reviewed and updated regularly to ensure its continued effectiveness.

  • Review Frequency: This Policy will be reviewed at least [Specify Frequency, e.g., annually] or more frequently as needed, such as in response to changes in the mobile device landscape, the Company's business operations, or the regulatory environment.
  • Review Process: The review process will involve:
    • Input from Stakeholders: Seeking input from relevant stakeholders, including the Information Security Department, Legal Counsel, IT Department, and representatives from business units.
    • Risk Assessment: Assessing the effectiveness of the Policy.
    • Reviewing Technology Changes: Reviewing technology advancements and new device features.
    • Legal Compliance: Ensuring that the Policy complies with all applicable laws and regulations.
  • Policy Amendments and Communication: Any amendments to this Policy will be approved by [Specify Approving Authority, e.g., the Board of Directors or the Executive Leadership Team] and communicated to all Covered Parties through [Specify Communication Channels, e.g., company-wide email, intranet posting, training sessions]. All impacted parties will be expected to acknowledge receipt of the changes.
  • Policy Ownership: The Information Security Department, with support from Legal Counsel, is responsible for maintaining and updating this Policy.

**Acknowledgement:** By accessing Company data or systems on a mobile device, all employees, contractors, and vendors are deemed to acknowledge that they have read, understood, and agree to abide by the terms and conditions outlined in this Mobile Device & BYOD Policy.

- Nexly