Effective Date: February 2, 2026

Last Updated: February 2, 2026

1. PURPOSE AND SCOPE

This Security Policy describes the administrative, technical, and physical safeguards implemented by Monarch Studio Cafe (“Monarch,” “we,” “our,” or “us”) to protect electronic systems, customer information, employee information, and business data from unauthorized access, disclosure, alteration, or destruction.

2. INFORMATION SECURITY CONTROLS

Monarch maintains security controls appropriate to the size, nature, and complexity of its operations, including encrypted payment processing, secure hosting environments, role-based access controls, authentication safeguards, and regular system updates.

3. ACCESS MANAGEMENT & USER RESPONSIBILITIES

Access to Monarch systems is limited to authorized personnel. Users must safeguard credentials, report suspected unauthorized activity, and comply with security requirements.

4. THIRD-PARTY SERVICE PROVIDERS

Monarch relies on reputable third-party vendors for payment processing, hosting, and communications services and is not responsible for breaches originating solely within third-party systems.

5. DATA BREACH & INCIDENT RESPONSE

Monarch will take reasonable steps to contain, investigate, and mitigate any suspected security or privacy incident and will comply with insurer notification and cooperation obligations.

6. LEGAL AND REGULATORY NOTIFICATION

Where required by law, Monarch will notify affected individuals and regulators following confirmation of a qualifying data breach.

7. TRAINING AND AWARENESS

Monarch may provide periodic security awareness guidance or training to personnel regarding cybersecurity risks and incident reporting.

8. RECORD RETENTION AND DATA MINIMIZATION

Monarch limits the collection and retention of personal information to what is reasonably necessary for business operations.

9. POLICY REVIEW AND UPDATES

This Policy may be reviewed and updated periodically to reflect changes in operations, law, or insurer requirements.

10. LIMITATION OF LIABILITY

To the fullest extent permitted by law, Monarch disclaims liability for unauthorized access or data loss caused by factors beyond its reasonable control.