Policies

The master policy that establishes our commitment to protecting information and governs all other security policies.

How we identify, assess, treat, and monitor information security risks.

The rules for responsible use of company and client systems, data, and devices.

How we use AI and machine-learning tools responsibly so client data, code, and confidentiality stay protected.

How access to systems and data is granted, reviewed, and revoked on a least-privilege basis.

Requirements for strong credentials, MFA, and password manager use.

How we classify data by sensitivity and the handling rules for each level.

How long we keep data and how we securely return or destroy it.

Standards for encrypting data in transit and at rest and managing keys and secrets.

Roles, severity levels, and the steps we follow to detect, contain, and recover from security incidents.

How we maintain and restore service and client work during a disruption.

How changes to code and production systems are reviewed, approved, and deployed.

What we log, how we monitor for security events, and how long logs are retained.

What we back up, how often, and how restores are tested.

How we segment networks and control traffic to protect systems and data.

How physical access to devices and facilities is controlled in a distributed team.

Security practices built into how we design, build, and ship software.

How we find, prioritize, and remediate vulnerabilities.

Security responsibilities across hiring, onboarding, training, and offboarding.

How we evaluate and monitor sub-processors and vendors that handle data.

How we inventory and protect hardware, software, and data assets.