Controls

The company requires all system and application access to use unique login credentials—either individual usernames and passwords or approved keys.

Access to applications is limited strictly to authorized personnel.

Privileged database access is granted only to master administrators who have a verified business need.

The company employs a log management system to capture and analyze events that could impact its security posture.

The company uses an infrastructure monitoring solution to track system health and performance, issuing alerts when predefined thresholds are exceeded.

Firewalls are implemented and configured to block unauthorized access to the company's network.

The company keeps a documented inventory of all assets that make up its production systems.

The company enforces a password standard that all in-scope systems must follow, ensuring credentials align with established security requirements.

The company adheres to a strict "need-to-know" policy, granting access to sensitive data and critical systems only to users with a verifiable business requirement.

The company encrypts all storage systems that contain sensitive customer information to ensure the data remains protected when at rest.

The company completes internal control reviews at least once a year to confirm that key controls are designed and functioning properly. Any issues identified are addressed through corrective actions.

The product utilizes a role-based access control (RBAC) model to ensure that user permissions are automatically aligned with their specific job responsibilities and employment status.

The company follows policies for how long company and customer data is stored, as well as how it is securely deleted when no longer needed.

The company maintains a formal data classification policy to ensure sensitive information is appropriately protected and accessible only to authorized team members.

The company ensures that confidential customer data is strictly excluded from datasets used to train, retrain, or improve internal or third-party artificial intelligence models.