Business continuity plan

UAB “HEAVY FINANCE”

BUSINESS CONTINUITY PLAN

1. GENERAL PROVISIONS

1.1. The business continuity plan (hereinafter – the Plan) of UAB “HEAVY FINANCE” (hereinafter – the Company) shall determine the actions, responsibilities and liabilities of the Company’s employees in ensuring and implementing the business continuity of the Company in the event of extreme situations and shall define the actions of informing and eliminating the malfunctions of activity in the event of extreme situations in order to ensure an uninterrupted business of the Company and limit the losses in the event of activity malfunctions.

1.2. The goal of the Plan shall be to ensure that the functions of the Company, as the operator of the crowdfunding platform www.heavyfinance.eu, would be performed uninterrupted.

1.3. The manager of the Company shall be responsible for the implementation of the Plan. If due to objective reasons the manager of the Company cannot perform his/hers functions (is on vacation, sick etc.), the manager of the Company shall beforehand appoint an employee of the Company responsible for the implementation of all of the functions envisaged in this Plan.

2. DEFINITIONS

2.1. If from the context it is not demanded otherwise, the notions written in capital letters shall have the meanings below:

2.1.1. The Investor – the client of the Company providing the Project Owner the crowdfunding funds.

2.1.2. The Law – The Law on Crowdfunding of the Republic of Lithuania.

2.1.3. The Platform – information system www.heavyfinance.eu being administered by the Company, by using which the crowdfunding is performed. 

2.1.4. The Project – the project prepared for the meeting of the needs of business, vocation, science, exploratory and other needs, save for consuming, and published on the Platform, for the implementation of which the Project Owner intends to attract crowdfunding funds.

2.1.5. The Project Owner – the client of the company, who on the Platform being administered by the Company intends to attract financing for his/hers Project being developed.

2.2. Other definitions used in this Plan shall be understood the same way as they are defined in the Law and other statutes of law of the Republic of Lithuania.

3. MAIN FUNCTIONS THAT NEED AN EXPEDIENT AND UNINTERRUPTED SAFEGUARDING OF THE BUSINESS CONTINUITY

3.1. The main functions that need an expedient and uninterrupted safeguarding of the business continuity shall be these:

3.1.1. possibility for the clients of the Company (Investors and Project Owners) to log-in to their account on the Platform;  

3.1.2. depicting of main information (loans, balances, portfolio of loans given) in the accounts of the clients of the Company (Investors and Project Owners) on the Platform;

3.1.3. possibility for the clients of the Company to perform the main operations on the Platform – finance and receive financing for Projects; 

3.1.4. uninterrupted registration and storing of information regarding the clients of the Company and their performed operations; 

3.1.5. control of the Company’s economic activity operations. 

4. MEANS OF SAFEGUARDING UNINTERRUPTED BUSINESS

4.1. In order to safeguard its business, the Company, as crowdfunding platform operator, shall have regard to the operational risks, which it may encounter in its activity. 

4.2. The Company shall identify these operational risks as one of the main ones:

4.2.1. inability of the employees of the Company to perform their functions;

4.2.2. loss of the premises of the Company; 

4.2.3. malfunctions of the technical equipment; 

4.2.4. malfunctions of the functionality of the platform; 

4.2.5. loss of data;   

4.2.6. activity malfunctions of payment and identification services providers. 

4.3. The Company understands that the list of risks indicated in Point 4.2 of this Plan shall not be exhaustive. If other operational risks of the Company would materialize (not directly indicated in this Plan), the employees of the Company must properly analogously react by adhering to the general principles and procedures envisaged in this Plan.

5. THE INABILITY OF THE EMPLOYEES OF THE COMPANY TO PERFORM THEIR FUNCTIONS

5.1. The manager of the Company must ensure that in those cases when the employees of the Company due to any reasons cannot perform their functions, another employee of the Company or the manager himself/herself could take over their functions. 

5.2. In the case of the inability of the employee of the Company to perform his/hers functions, the damage, if there would be one, shall be assessed.

5.3. In the case of the inability of the employee of the Company to perform his/hers functions, the manager of the Company shall also assess whether:

5.3.1. the non-performance of the functions of employees of the Company could impact the performance of the Company’s business; 

5.3.2. what functions of the employee of the Company could be transferred to another employee of the Company; 

5.3.3. is there a need to additionally employ another employee, who would perform the necessary job functions. 

5.4. In the event of very urgent and pressing need for staff, the manager of the Company shall keep looking for alternatives (for example, acquiring the service from the third persons or temporary employment), until the needed member of staff is found. Until the services will be started to be performed or an employee employed, the necessary to be performed functions must be proportionally distributed to other (current) employees of the Company.

5.5. After completing the assessment envisaged in Point 5.3 (and, upon need, hiring another employee), the manager of the Company shall transfer the functions of the employee of the Company, who cannot perform his/hers functions, to another employee (employees) and/or external service provider.

5.6. In order to ensure the possibility for the manager of the Company or other employee to take over the functions of the employee, the documents and information, with which the employees work, must be accessible to the Company’s or at least one other employee (for example, stored on cloud-servers, kept in a physical or electronic form, by giving a continuous access to the manager of the Company or another employee).

6. THE RESTORING OF THE BUSINESS OF THE COMPANY IN THE EVENT OF LOSS OF PREMISES

6.1. In the event of loss of premises (in the event of fire, natural disaster, terroristic act, criminal activities or other actions), first of all, the people shall be evacuated.

6.2. The manager of the Company or his/hers authorized person shall adopt a decision regarding further actions necessary to continue the business process and avoid the loss of Company’s documents, he/she shall assess the damage, restore technical means and communications, promptly inform the persons responsible for the maintenance of servers and IT, as well as the necessary emergency services.

6.3. If the Company loses its premises, the manager of the Company must as soon as possible organize the remote work of the Company or working from temporary premises. 

6.4. The manager of the Company must ensure that the documents, which are essential to the business of the Company or provision of services, used in the business of the Company would be scanned regularly and electronically stored on the Company’s servers.

6.5. The documents regarding the day-to-day activities of the Company must be kept in lockable cabinets. In the event of need, the activity documents of the Company may be transferred to a third person, with which the Company has concluded an agreement regarding the archiving of documents.

6.6. In the event of loss of premises, the maximum restoration time must be 24 hours.

7. DAMAGES OR MALFUNCTIONS OF THE TECHNICAL EQUIPMENT

7.1. If the electricity supply malfunctions, the Company shall promptly inform the owner of the Company’s premises and the administrator of the building. If the electricity supply is not restored within 24 hours, the manager of the Company may declare the evacuation of workplaces.

7.2. The manager of the Company shall ensure that, if the technical equipment, which is necessary for the performance of Company employees’ functions, is damaged, a possibility would be provided to use a back-up technical equipment or that the technical equipment would be repaired or changed within 24 hours. 

7.3. The IT services provider used by the Company shall ensure the continuity of the information systems activity. If due to the malfunction of communication services the Internet connection with the servers used by the Company breaks, the manager of the Company shall promptly inform the operator, which directly supplies Internet connection to the Company, and exert all endeavors to restore the Internet connection.

7.4. If the supply of communication services is not restored within 24 hours, the manager of the Company must use an alternative communication services provider (which can offer an urgent and safe technical solution) and, if there are no real alternatives to the supply of communication services, the manager of the Company may declare the evacuation of workplaces.

8. MALFUNCTINS OF THE FUNCTIONALITIES OF THE PLATFORM

8.1. If the operation of the Platform being controlled by the Company malfunctions, the employee of the Company, who noticed this, shall promptly inform about this the manager of the Company, who shall take-up respective means to promptly, but no later than within 12 hours, inform the clients of the Company about the malfunctions of the Platform or its activity.

8.2. If the activity of the Platform malfunctions, the manager of the Company shall promptly address the Company’s IT services provider requesting to eliminate the malfunctions of the Platform or its respective functionalities.

8.3. If due to the malfunctions of the Platform or its functionalities it was impossible to finance the Projects published on the Platform, based on the prescript of the manager of the Company the financing period for the respective Projects being published on the Platform may be additionally extended (for the period that the respective malfunctions of the Platform or its functionalities lasted). All of the clients of the Company shall be promptly informed about the adoption of such decision. 

8.4. The manager of the Company or person appointed by him/her shall beforehand inform the clients of the Company about the scheduled update, change or technical maintenance works of the Platform, due to which the activity of the Platform may malfunction, by publishing the respective information on the Platform. 

9. LOSS OF DATA

9.1. In order to protect against the outcomes of loss of data incidents, in the business of the Company, the manager of the Company shall install technical means ensuring the safety of data, which give the possibility to:

9.1.1. periodically (at least once per day) copy and store on the external and/or internal Company’s server information, which the Company and its employees use in their activity; 

9.1.2. restore the lost data and information no later than within 24 hours. 

9.2. In the event of data loss, the subjects providing the server administration services to the Company and/or subjects providing IT services to the Company (depending on the type of data loss) shall be informed and the specific data restoration period determined.

9.3. If a possible data leak incident happens or third persons intercepts the data (when any unsanctioned by the Company access to the data is possible), the manager of the Company must perform these actions:

9.3.1. assess the scope of data that leaked or was intercepted during a respective incident; 

9.3.2. determine, whether personal data was leaked (or could have leaked) or intercepted (or could have been intercepted) during the incident. If yes, then regarding the possible personal data breach the manager of the Company and other employees of the Company shall follow the procedures envisaged in the General Data Protection Regulation and in the Rules Regarding the Control of Personal Data Breach confirmed by the Company (furthermore, in the event of personal data breach, the State Data Protection Inspectorate shall be promptly informed about this);

9.3.3. take up actions to uncover how the safety of the data was breached and correct the gap in security; 

9.3.4. block the accounts, the log-in data of which could have been disclosed due to the gap, take up actions to change the log-in data of these accounts;   

9.3.5. promptly inform the clients of the Company about the temporary malfunctions of the Platform, if due to the change the functions of the Platform are temporarily limited; 

9.3.6. assess the need to submit judicial lawsuits to the third persons, address the law enforcement and pre-trial investigation institutions. 

10. THE MALFUNCTIONS OF SERVICE PROVIDERS ACTIVITY

10.1. The Company in order to avoid the malfunctions of the activity of the service providers being used (for example, regarding the malfunctions of payment and/or client identification services providers’ activity) or the termination of respective cooperation of the subjects with the Company, shall take up such actions:

10.1.1. by having the technical capabilities and with preparation, to take over a part of services being provided by the service providers and perform them by using the internal resources (for example, to assess the possibilities to determine the identity of part of the clients when they are physically there or in accordance to the remote procedure allowed by the statutes of law etc.); 

10.1.2. continuously maintain communication with the service providers and know the scope of their possible to be provided services. Upon possibility, conclude agreements with a couple of service providers;

10.1.3. ensure that in the event of the aforementioned malfunctions of functions the Company could transfer the provision of services (in full scope or only in part) to another service provider. 

10.2. If the activity of the payment services provider malfunctions, the manager of the Company shall address the service provider, examine the reasons for malfunction and the periods for their elimination. After determining that the malfunction cannot be eliminated within a couple of hours period, the Company, upon a possibility, shall divert the payments being collected to another payment services provider (to the account opened in its system meant for administering the crowdfunding funds) and promptly inform about this the clients of the Company.

10.3. If the payment partner holds up the funds payable to the clients of the Company for more than 24 hours, in the event of need, additional financing of the Company may be initiated by ensuring the timely settlement with the clients.

10.4. If the activity of the client’s identification services provider malfunctions, the manager of the Company shall first of all address the service provider, examine the reasons for malfunction and the periods for their elimination. After determining that the malfunction cannot be eliminated within a couple of hours period, the Company may itself determine the identity of the client (for example, by identifying the client physically) or divert the clients towards the system of another identification services provider.

11. CONTACT PERSONS 

11.1. A list of contact persons shall be submitted in Annex 1 to this Plan, with whom there must be immediate communication in the event of a specific malfunction of the Company’s activity. After the employees of the Company identify any malfunction of the Company’s activity, along with the contact persons indicated in Annex 1, in all of the cases, the manager of the Company shall be promptly notified.

11.2. When the data of the contact persons changes, the manager of the Company shall promptly update the information submitted in Annex 1 to the Plan and shall familiarize all of the employees of the Company in writing with it.

12. SOLVENCY ISSUES AND RISK OF BANKRUPTCY

12.1. If the Company encounters uncontrollable solvency issues, a real risk of bankruptcy emerges or for other reasons there is a risk that the Company will no longer be able to carry out its crowdfunding activities, the Company shall take the further steps:

12.1.1. first of all, the Company promptly informs the Bank of Lithuania (supervisory authority) about this situation by detailing the current risk level (the used or planned to be used) means for controlling the risk and the means ensuring the continuity of the business activity; 

12.1.2. secondly, the Company shall promptly inform all of its clients (Investors and Project Owners) about such situation; 

12.1.3. thirdly, the Company shall promptly cancel all of the Projects, to which financing is being collected, published on the Platform, as well as, shall not conclude and not provide the possibility to conclude new crowdfunding transactions (the funds of such Investors shall be returned to them);

12.1.4. fourthly, the Company shall promptly suspend the secondary subrogation market operating on the Platform;  

12.1.5. finally, the administration of the Platform shall be immediately transferred to another platform operator which could ensure its continued operation:

12.1.5.1. the administration of the Platform shall be transferred to the company UAB Finansų avilys (having acquired the right to provide crowdfunding services). The administration of the Platform (and loan agreements concluded on it) is transferred in accordance with the Law and business continuity agreement concluded in advance between the Company and UAB Finansų avilys. This would ensure the further administration of the Platform and the loan agreements concluded on it; 

12.1.5.2. if due to unexpected obstacles the Platform cannot be effectively transferred to UAB Finansų avilys within a reasonable period of time, the Company shall conclude an agreement with other entities operating in the market and entitled to provide crowdfunding services on taking over the administration of the Platform;

12.1.5.3. in all cases, the transfer of the administration of the Platform (and the loan agreements concluded on it) shall not in any way affect or prejudice the interests of both Investors and Project Owners;

12.1.5.4. the process of transferring the administration of the Platform to another operator shall be transparent and informative. The Investors and Project Owners shall be consistently and timely informed about the course of such process;

12.1.5.5. upon the successful transfer of the administration of the Platform to another operator, the latter is obliged to restore the functionality of the Platform to the extent than it had functioned before the risk of insolvency of the Company arose.

12.2. The Project Owners and Investors shall always conclude the crowdfunding transactions (loan agreements) on the Platform directly with each other. Thus, even in those cases when the Company cannot anymore perform the activity of crowdfunding platform’s operator and the transfer of further administration of the Platforms may take additional time, the Project Owners will always remain obliged to properly perform their obligations towards the Investors stemming from the concluded crowdfunding transactions (loan agreements). 

13. FINAL PROVISIONS

13.1. The employees of the Company must via signature familiarize with their functions and obligations envisaged in this Plan. The manager of the Company shall be responsible for the familiarization of the employees with the Plan. 

13.2. The manager of the Company shall be responsible for the periodic (at least once per year) testing and updating of the Plan.

13.3. The Plan shall be confirmed, updated or amended in accordance to the prescript of the manager of the Company.

13.4. The Plan and/or its updated, amendments shall come into force on the day of adopting the prescript of the manager of the Company, save for those cases, when another coming into force date shall be indicated in the prescript. 

UAB “HEAVY FINANCE”Business continuity planAnnex No. 1

CONTACT PERSONS

The inability of the employee to perform functions:

Manager of the Company:Laimonas NoreikaTel. +37060064899E-Mail: [email protected]

The loss of premises

Emergency services:112 – General emergency telephone number
011 – Fire department
022 – Police
033 – Ambulance
Owner of the premises (Birutės Str. 18-1, Vilnius): UAB “Verslama” is the owner of the premises
Tel. +370 686 41 395
E-Mail: [email protected]
IT and servers maintenanceUAB “Creation Labs”
Tel. +370 677 98 187
E-Mail: [email protected] 

Platform malfunctions

IT service providers supervising the platform:UAB “Creation Labs”
Tel. +370 677 98 187
E-Mail: [email protected]

Malfunctions of service providers activity

Internet service providers:AB “Telia Lietuva” 
Tel. +37064181817
E-Mail: [email protected]
Payment service providers:UAB “Paysera LT”
Tel. +37052071558
E-Mail: [email protected]
Third party transferring data about the identity of the clients UAB “Paysera LT”
Tel. +37052071558
E-Mail: [email protected]

Loss of data

IT and servers maintenanceUAB “Creation Labs”
Tel. +370 677 98 187
E-Mail: [email protected]
State InstitutionsState Data Protection Inspectorate
(8 5) 271 28 04, (8 5) 279 1445
E-Mail: [email protected]