DATE OF LAST UPDATE: DECEMBER 9, 2025

Password Management Policy

1. Purpose

The purpose of this Password Management Policy is to define the guidelines and procedures for managing authentication in Finpace’s information systems. This policy enhances the confidentiality and integrity of Finpace’s data, replacing traditional passwords with a passwordless two-factor authentication (2FA) system.

2. scope

This policy applies to all personnel, including employees, contractors, and third-party service providers, who have access to Finpace’s information systems, networks, and data.

3. Policy Statements

       3.2. Passwordless Authentication

‍

• Implementation: Finpace employs a passwordless 2FA system utilizing one-time temporary codes sent via email.
• Code Validity: One-time codes are valid for 180 seconds from the time of generation.
• Access Guidelines:
  
  • Users must ensure their registered email accounts are secure.
  • Codes are single-use and tied to the specific authentication session.

       Unique Accounts

• Account Ownership:
  
  • Each user must have a unique account.
  • Sharing access credentials is strictly prohibited.
• Activity Responsibility:
  
  
  • Users are accountable for all activities performed under their accounts.

      3.3. Authentication Practices

‍

• Temporary Access: If temporary access codes are required, these codes will follow the same 180-second validity policy and must not be reused.
• Reporting Compromises:
  
  • Any suspected unauthorized access must be reported immediately.
  • Users must report if they suspect their email account is compromised.

      3.4. Code Storage and Handling

‍

• Prohibited Practices:
  
  • One-time codes must not be stored or shared.
  • Avoid forwarding authentication emails to other users.

       3.5. Reporting and Response

‍

• Incident Reporting:
  
  • Users must report any incidents related to authentication promptly.
  • The IT department will take appropriate measures to address and mitigate issues.

4. Responsibilities

• Employees:
  
  • Secure their registered email accounts.
  • Report any authentication-related issues promptly.
• IT Department:
  
  • Monitor and enforce authentication security practices.
  • Investigate and respond to reported incidents.

5. Review and Compilance

• Policy Review:
  
  • This policy will be reviewed periodically to align with evolving technology and security standards.
• Compliance:
  
  • All personnel must adhere to the requirements outlined in this policy.

6. Approval and Communication

• • This Password Management Policy is approved by the current CEO at Finpace: B. Forrest Tuten. The IT department is responsible for ensuring this policy is communicated to all relevant personnel.

‍