Information Security Policy
1. Purpose
This Information Security Policy defines the principles, controls, and responsibilities for protecting the confidentiality, integrity, and availability of information processed by the Company.
The policy serves as the baseline information security framework for daily operations, ensuring that personal data and business data are handled securely and responsibly.
2. Scope
This policy applies to:
- All employees, contractors, and authorized users
- All information systems, applications, and infrastructure operated by the Company
- All personal data and sensitive business data processed on behalf of customers, partners, and end users
3. Information Security Principles
The Company follows these core security principles:
- Least Privilege: Access is granted only to the minimum level required to perform job functions
- Defense in Depth: Multiple layers of security controls are applied
- Data Minimization: Only necessary data is collected and retained
- Shared Responsibility: Security is a shared responsibility across the organization
4. Organizational Responsibilities
- Management is responsible for approving and enforcing this policy
- All personnel are required to comply with security requirements and report security concerns
- Designated administrators manage access control and system security
5. Access Control & Authentication
- Access to systems and data is restricted based on job roles
- Strong authentication mechanisms are enforced, including:
  - Unique user accounts (no shared credentials)
  - Strong password requirements
  - Multi-factor authentication on all accounts where the platform supports it
- Access rights are reviewed periodically and revoked promptly when no longer required
6. Infrastructure & Network Security
The Company operates cloud-based infrastructure using reputable cloud service providers, including:
- Amazon Web Services (AWS)
- Supabase (PostgreSQL-based managed backend services)
- Vercel (application hosting and deployment)
Security measures include:
- Logical network segmentation provided by cloud platforms
- Firewall and security group configurations
- Monitoring and logging capabilities enabled through cloud services
7. Data Protection & Encryption
Sensitive and personal data is protected through:
- Encryption in transit (e.g., HTTPS/TLS)
- Encryption at rest (where supported by the platform)
- Strict control of access to production data
- Secure storage of secrets and credentials in environment variables or a managed secrets service, never in source code or repositories
8. Endpoint & Operational Security
Company endpoints are protected using:
- Operating system security controls
- Screen locking and password protection
Basic security hygiene is enforced, including:
- Clear desk practices
- Secure handling of credentials
- Prohibition of unauthorized software
9. Incident Response
The Company maintains an incident response process to address security events, including:
- Identification and assessment of potential security incidents
- Containment and remediation actions
- Internal escalation and communication
- Notification to affected partners or customers where required by contract or law
10. Vulnerability & Threat Management
- Systems and dependencies are monitored for known vulnerabilities
- Security updates and patches are applied in a timely manner
- Third-party services are selected based on their security posture and industry reputation
11. Third-Party & Cloud Service Providers
The Company relies on established cloud and SaaS providers that maintain their own security certifications and controls.
Third-party services are evaluated for security and compliance before use, and access is limited to necessary scopes.
12. Policy Review & Updates
This Information Security Policy is:
- Reviewed periodically
- Updated as necessary to address changes in technology, business operations, or regulatory requirements
13. Compliance
This policy is designed to support compliance with applicable data protection and privacy requirements, including those relevant to partners such as TikTok, Meta, and Google.