IT Compliance & Cybersecurity Policy

1. Purpose and Scope

This Information Technology Compliance and Cybersecurity Policy ("Policy") has been established by Darkstone Arabia Ltd. ("Company") to ensure the secure, appropriate, and authorized use of all Company-owned information technology assets. This Policy applies to all employees, contractors, consultants, and any individual granted access to Company devices, networks, systems, or data, without exception.

The purpose of this Policy is to protect the Company's intellectual property, confidential information, and technology infrastructure from unauthorized access, data breaches, cybersecurity threats, and misuse. All users are required to comply with these provisions as a condition of employment and continued access to Company resources.

2. Software and Application Management

2.1 Authorized Software Policy

All software applications installed on Company devices must be pre-approved by the IT & Cybersecurity Department. Employees are strictly prohibited from downloading, installing, or activating any unauthorized applications, regardless of perceived urgency or business need.

2.2 Software Installation Request Procedure

Any request for software installation or activation must be submitted in writing to the IT & Cybersecurity Department via email at technical@darkstone.com.sa with the following information:

Full Name of the requester
Corporate email address
Contact phone number
Laptop/Desktop model (optional - can be found via Windows Key → "About Your PC")
Detailed description of the software and business justification for the request

2.3 Request Processing and Response Time

The IT & Cybersecurity Department will evaluate all software requests and provide a response within a maximum of three (3) business days. The Department reserves the right to approve or decline any request based on security assessment, licensing compliance, and business necessity.

CRITICAL NOTICE: In the event that a software installation request is declined by the IT & Cybersecurity Department, employees have no authority to override this decision, appeal through emotional requests, or escalate through reporting managers to force installation. All decisions made by the IT & Cybersecurity Department regarding software authorization are final and made in the best interest of Company security.

3. Data Protection and Confidentiality

3.1 Prohibited Data Transfer Methods

Employees are expressly prohibited from transferring, sharing, or storing any Company confidential data, proprietary information, or work-related files using the following methods or platforms:

USB flash drives, external hard drives, or any removable storage media
Personal cloud storage services (including but not limited to Google Drive, Microsoft OneDrive, WeTransfer, Dropbox)
Personal email accounts
Messaging applications not approved by the Company
Any third-party file sharing platforms

3.2 Authorized File Sharing Platform

All file sharing, collaboration, and data storage must be conducted exclusively through the Company's authorized cloud platform: cloud.darkstone.com.sa. This platform ensures proper encryption, access control, audit trails, and compliance with Company security standards.

3.3 Personal Use Restrictions

Company devices, including laptops, desktops, and mobile devices, are provided solely for business purposes. Employees shall not store personal data, install personal applications, or use Company devices for personal activities. Any such usage constitutes a violation of this Policy and may result in disciplinary action.

4. Email Security and Communication Standards

4.1 Official Company Email Domains

Darkstone Arabia Ltd. operates under two official email domains:

@darkstone-ltd.com
@darkstone.com.sa

4.2 Phishing and Social Engineering Protection

Employees must exercise extreme caution regarding any email communications that appear suspicious, even if they claim to originate from Company executives or departments. Any email received from domains other than the two official Company domains, requesting urgent action, link clicks, file downloads, or credential verification, must be treated as potentially malicious.

SECURITY ALERT: If you receive any email claiming to be from HR, the CEO, or any Company department asking you to click links, download files, or provide credentials, and the sender address does not match our official domains, DO NOT take any action. Immediately report such communications to the IT Incident Response Team at technical@darkstone.com.sa.

4.3 Alternative Email Access

In the event of Microsoft Outlook connectivity issues or performance degradation, employees may access their email through the authorized web portal: webmail.darkstone.com.sa

4.4 Email Forwarding and External Communication Restrictions

Employees are prohibited from forwarding Company emails, sharing meeting links, or transmitting any business-related information to personal email accounts (including Gmail, Yahoo, etc.) or previous employer email addresses without explicit written permission or acknowledgment from the IT & Cybersecurity Department.

5. SMS and Mobile Communication Verification

5.1 Official SMS Communications

All legitimate SMS communications from Darkstone Arabia Ltd., including seasonal messages, urgent notifications, incident alerts, and transactional messages, will be delivered exclusively from the sender name: DARKSTONE

5.2 SMS Security Protocol

Any SMS messages claiming to be from the Company but originating from a different sender name, unknown numbers, or requesting sensitive information should be considered suspicious. Employees should ignore, delete, and report such messages to the IT & Cybersecurity Department.

6. Cybersecurity Audits and System Access

6.1 Scheduled and Unscheduled Audits

The IT & Cybersecurity Department conducts regular security audits on a weekly and monthly basis to ensure compliance with this Policy and to identify potential security vulnerabilities. These audits may be scheduled or unscheduled at the sole discretion of the Department.

6.2 Remote Access for Audit Purposes

The IT & Cybersecurity team is authorized to remotely access any Company device for audit, maintenance, or security assessment purposes. While the team will provide temporary notification when feasible, access may be conducted without a formal proposal or advance request in situations requiring immediate attention.

6.3 Employee Cooperation Requirement

Employees must provide full and immediate cooperation during all cybersecurity audits and investigations. Temporary inconvenience to work activities does not constitute grounds for delaying or obstructing audit procedures.

7. Investigation Rights and Data Ownership

7.1 Company Data Ownership

All data, files, communications, and information created, stored, transmitted, or accessed using Company devices, networks, or accounts (including but not limited to emails, documents, cloud storage, and local files) are the exclusive property of Darkstone Arabia Ltd.

7.2 Investigation and Access Rights

The Company reserves the unconditional right to access, review, download, analyze, and retain any and all data stored on Company devices or systems for investigation, security, compliance, or legal purposes. This right extends to all devices and accounts, including:

Laptops and desktop computers
Company-issued mobile devices
Email accounts and communications
Cloud storage (cloud.darkstone.com.sa)
Network activity and access logs

7.3 Universal Application of Investigation Authority

The IT & Cybersecurity Department has the authority to conduct investigations at any organizational level, from board members to managers to individual employees. No position, title, or seniority grants exemption from this Policy.

7.4 Mandatory Cooperation During Investigations

All employees must provide complete and truthful cooperation during security investigations. This includes:

Responding promptly and honestly to all inquiries
Providing access to devices and accounts when requested
Not intentionally denying, withholding, or obfuscating information
Not claiming urgency or time constraints to avoid cooperation
Not destroying, altering, or hiding evidence

NON-COMPLIANCE WARNING: Failure to cooperate with IT & Cybersecurity investigations, intentional obstruction, or destruction of evidence will be treated as a serious violation of Company policy and may result in immediate disciplinary action, up to and including termination of employment and potential legal proceedings.

8. Consequences of Non-Compliance

Violations of this IT Compliance & Cybersecurity Policy will be taken seriously and may result in disciplinary actions including, but not limited to:

Written warning and mandatory security training
Temporary or permanent revocation of access privileges
Suspension without pay
Termination of employment
Legal action and prosecution where applicable

The severity of consequences will be determined based on the nature, intent, and impact of the violation.

9. Policy Updates and Amendments

Darkstone Arabia Ltd. reserves the right to modify, update, or amend this Policy at any time to address evolving security threats, regulatory requirements, or business needs. Employees will be notified of significant changes and will be required to acknowledge and comply with updated versions of this Policy.

10. Contact Information

For questions, concerns, or to report security incidents, please contact the IT & Cybersecurity Department:

Email: technical@darkstone.com.sa
Website: www.darkstone.com.sa
Cloud Platform: cloud.darkstone.com.sa
Webmail Portal: webmail.darkstone.com.sa

11. Employee Acknowledgment and Agreement

I hereby acknowledge that I have read, understood, and agree to comply with all provisions of the Darkstone Arabia Ltd. Information Technology Compliance & Cybersecurity Policy. I understand that violation of this Policy may result in disciplinary action up to and including termination of employment. I acknowledge that all data on Company devices is the property of Darkstone Arabia Ltd. and that the Company has the right to access, review, and investigate such data at any time.