Information Security Policy

This Security Policy (“Policy”) details Encryption Consulting LLC’s security program and is updated periodically to ensure accuracy, provided that the levels of security are not materially reduced. This Policy provides an overview of the steps taken by Encryption Consulting to ensure compliance with various security requirements, including NIST, NIS2, DORA, and other applicable regulations.

Last Updated: January 14, 2025

This Policy may be referenced from the agreement signed between Encryption Consulting LLC or its subsidiaries and affiliated companies (collectively, “Encryption Consulting”) and the Customer utilizing Encryption Consulting’s services (“Agreement”) and shall serve as a binding governing policy to fulfill Encryption Consulting’s security obligations. This Security Policy forms an integral part of the Agreement governing the use of Encryption Consulting’s services.

Definitions used but not defined herein shall have the meaning assigned to them in the applicable Agreement, or as referenced in the Encryption Consulting End User License Agreement.

This Policy outlines the security, technical, and organizational measures undertaken by Encryption Consulting.

Certifications and Compliance Programs

Encryption Consulting’s operations, policies, and procedures are audited regularly to ensure alignment with required standards as a trusted cybersecurity service provider. Compliance certifications and attestations are assessed by independent third-party auditors, resulting in certifications, audit reports, or attestations of compliance.

Encryption Consulting maintains certifications and assessments for ISO 27001, ISO 27701, SOC, and PCI DSS compliance. For certification reports or inquiries, please contact: [email protected].

Management Involvement and Overall Security Management

Encryption Consulting’s data security practices are grounded in a mature control environment, driven by proactive management oversight and board supervision. Responsibilities are clearly defined and communicated across the organization.

Management, including the DPO and CISO, regularly assesses risk and compliance posture, with emphasis on security and data confidentiality. Human resources policies are designed to hire qualified individuals, provide ongoing training, and enforce security responsibilities through corporate policy.

HR Security Measures

Subject to local laws and availability, background checks and screening processes are conducted for employees and contractors before granting access to sensitive systems or data.

All personnel are required to sign standard confidentiality and data protection agreements before accessing customer or proprietary data. These agreements prohibit unauthorized disclosure or misuse of confidential information.

Employees are subject to Encryption Consulting’s internal policies, including the Acceptable Use Policy (AUP) and Code of Conduct.

Encryption Consulting enforces security awareness through regular training programs, including annual mandatory security awareness training on risks, privacy, phishing, and security best practices.

Workstations are secured using standard technologies such as firewalls, full disk encryption, antivirus software, lock screens, and MFA for remote access.

Non-compliance with security policies results in disciplinary measures to ensure accountability and compliance.

Change Management

Encryption Consulting maintains a comprehensive change management program that governs change types, documentation, peer reviews, approvals, and emergency changes.

Only authorized version control systems are used. All changes are documented, reviewed by independent approvers, and tested in isolated environments before deployment.

Production and non-production environments are strictly separated. Release notes are published for each major and minor release.

Access Control, User, and Permissions Management

Encryption Consulting enforces strict access controls aligned with role-based access principles. Access is restricted to what is necessary per job function, with permissions regularly reviewed and approved.

Password policies enforce complexity and history requirements, especially on systems accessing customer data.

Additional protections include laptop encryption, restricted administrative rights, and enforced MFA for systems handling sensitive data.

Production System Access

Production environments are protected with rigorous controls including enforced MFA and restricted access to authorized personnel.

Administrative operations on source control, backups, and databases are tightly controlled and audited.

Physical Access and Visitors

Office access is limited to authorized personnel with secured entry methods. Security measures include alarm systems and staffed entry points.

Visitors are accompanied at all times and are prohibited from accessing internal networks or equipment.

Encryption Consulting utilizes major cloud providers (AWS, GCP, Azure) for hosting infrastructure, relying on their certified physical and operational controls (e.g., ISO 27001 and SOC 2). Data centers feature redundancy, surveillance, and access controls including biometrics and logging.

Network and Infrastructure Security

Encryption Consulting maintains secure baseline configurations and ensures enforcement through automated tooling. All data in transit and at rest is encrypted.

Customer data is never used in test environments. Endpoints are protected with EDR, patch management, and hardened system configurations.

HTTPS with TLS 1.2 or higher is used for communication. All customer data at rest is protected via layered encryption mechanisms.

For details, please refer to Encryption Consulting’s encryption methodology documentation.

Risk Assessment and Vulnerability Management

Encryption Consulting implements a formal risk management program that identifies and mitigates internal and external threats.

Security risk treatments are reviewed and approved annually as part of ISO 27001 compliance efforts.

Application security is enforced via regular external penetration tests, internal scanning, and secure SDLC practices. High and critical vulnerabilities are resolved promptly per policy, with re-tests to confirm remediation.

Vulnerability response timeframes:

  • Critical: ASAP, no more than 1 week
  • High: ≤ 1 month
  • Medium: ≤ 3 months
  • Low: ≤ 3 months

Customers are notified of vulnerabilities affecting services or data via electronic means in accordance with the Agreement.

Penetration Testing

Encryption Consulting conducts periodic external web application penetration tests.

Executive summaries or test results may be shared upon written request and subject to NDA.

Where required by regulation (e.g., DORA for financial institutions), Encryption Consulting will participate in customer-initiated penetration testing if mandated by regulators.

Logging and Monitoring

Encryption Consulting logs critical system activity using both manual and automated methods. Logs include user activity, timestamps, outcomes, and system interactions.

Log data is protected against tampering, retained for a minimum of 12 months (or longer if required), and monitored using centralized SIEM and intrusion detection/prevention systems.

Log access is tightly controlled, and administrator actions are limited to prevent deletion or modification.

Incident Response and Breach Notification

Encryption Consulting maintains a comprehensive incident response plan that includes detection, investigation, containment, notification, and post-incident review.