Adopted as the standing information-security policy of Big Tex's Shop.
This policy sets the rules for how Big Tex's Shop, an automotive business in Prosper, Texas with 14 employees, protects the information it handles. It covers customer personal information, vehicle records, and payment references, the three categories of data the company stores under its current operations.
This policy applies to every employee, contractor, and vendor who touches that data. It is reviewed annually and after any material change to the business, for example a new system, a new vendor, or a regulatory inquiry.
Customer personal information includes names, addresses, phone numbers, email addresses, and any state-issued identification numbers held in service records or invoicing systems. Vehicle records include VIN, make and model, service history, and any diagnostic data. Payment references are the last four digits and authorization codes retained for reconciliation; full card numbers are never stored.
Authorized personnel are those listed in Section 03. A material change is a new system, a new vendor relationship, or a regulatory inquiry.
Paul Horn, Owner, is the policy owner of record and the final approver of every revision. He reviews this document annually and signs the page below each year.
Of the 14 employees, those whose roles require access to customer or vehicle records are designated authorized personnel. The list is maintained in the company's asset inventory and is reviewed quarterly. Employees who leave the company have their access revoked the same day.
Company devices, accounts, and data are for company business. Incidental personal use of company email is permitted; storage of customer or vehicle data on personal devices is not.
Multi-factor authentication, which the company implemented on 12 April 2026, is mandatory for every account that touches customer information. Sharing of credentials is prohibited.
The company holds three categories of data, each with its own handling rules.
Customer personal information is treated as confidential and is accessible only to authorized personnel. It is protected at rest and in transit by the controls described in Section 06. Vehicle records are treated as confidential when associated with an identifiable customer. Payment references are retained only as long as necessary for reconciliation, then destroyed.
Access to customer and vehicle records is granted only to authorized personnel and only on the basis of role. Multi-factor authentication is enforced on all accounts that hold or process this data. Data-at-rest encryption is presently in progress across all endpoints; the rollout began on 28 April 2026 and is expected to be complete by the end of June.
The company's asset inventory, which lists every device and every account, is reviewed quarterly. The most recent review was performed in April 2026.
In the event of a suspected breach, unauthorized access to customer or vehicle records, a lost or stolen device, or any indication of malware, the discovering employee notifies the Owner within one business hour. The Owner determines whether the event meets the threshold of an incident and proceeds in accordance with the company's separate Incident Response Plan.
The company is registered with the Texas Attorney General's office and will notify under that authority's timelines if and when an incident requires it.
This policy is reviewed and re-approved annually, on or before each anniversary of the date below. It is also reviewed after any material change to the business: a new system, a new vendor relationship, or a regulatory inquiry.
The most recent review was performed on 04 May 2026 and is current.
By signing below, the named Owner attests that this policy has been read, approved, and adopted as the standing information-security policy of Big Tex's Shop.
This document was generated by the H2Cyber Policy Studio from Big Tex's Shop's assessment data on 04 MAY 2026. It is a template tailored to the company's reported posture and is not a substitute for legal review. The named approver attests to its adoption by signature above.