Security and trust

Data Security Policy

Effective: July 13, 2026 · Last reviewed: July 13, 2026

Bapu Company maintains a risk-based security program intended to protect personal, business and authorized utility information against unauthorized access, use, alteration, disclosure or destruction.

1. Governance and accountability

Responsibility for information security is assigned within management. Security practices are reviewed as systems, vendors, risks and legal obligations change. Personnel and contractors with access to protected information are expected to follow confidentiality and acceptable-use requirements.

2. Access control

3. Data protection

4. Systems and network security

We use layered safeguards that may include firewalls, secure configurations, endpoint protection, software updates, vulnerability review, restricted remote access, logging and monitoring. Internet-facing services are limited to those necessary for business purposes and are periodically reviewed.

5. Utility and PG&E data

PG&E Share My Data information is accessed only after valid customer authorization and is used only for the authorized purpose. Access is limited to approved users and services. We maintain records needed to support authorization, operations and compliance, and we stop future collection after a valid revocation is processed.

6. Service providers

Providers that host, transmit or support protected information are selected with consideration for security and privacy. Where appropriate, agreements require confidentiality, limited use, safeguards, incident notification and deletion or return of information.

7. Monitoring and incident response

We maintain procedures to identify, investigate, contain and recover from suspected security incidents. We preserve relevant evidence, correct identified weaknesses and provide legally or contractually required notifications to affected parties, utilities or authorities.

8. Business continuity

Reasonable backup, restoration and continuity measures are maintained for critical services. Recovery priorities are based on operational impact and data sensitivity.

9. Continuous improvement

Security controls are reviewed and improved in response to material system changes, incidents, vulnerability findings, vendor changes and evolving legal or contractual requirements. This public summary does not disclose sensitive technical configurations that could weaken security.

10. Report a concern

To report a suspected privacy or security issue involving Bapu Company, email karun@bapu.company with the subject “Security Concern.” Do not include passwords, private keys or other unnecessary sensitive information in the initial message.