Security

Organizational Security
- Information Security Program
Our organization has a comprehensive Information Security Program that is communicated across all levels. This program aligns with the SOC 2 Framework, an established security auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
- Third-Party Audits
We undergo independent third-party assessments to evaluate and verify our security and compliance controls.
- Third-Party Penetration Testing
We conduct independent third-party penetration tests at least annually to ensure our security posture remains strong and uncompromised.
- Roles and Responsibilities
Clearly defined and documented roles and responsibilities ensure the protection of our customers’ data. All team members are required to review and acknowledge our security policies.
- Security Awareness Training
Employees must complete security awareness training that covers industry best practices and key information security topics, including phishing prevention and password management.
- Confidentiality
All team members sign a confidentiality agreement before their first day of work, adhering to industry standards.
- Background Checks
We conduct background checks on all new hires in compliance with local laws.

Cloud Security
- Cloud Infrastructure Security
Our services are hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), both of which maintain rigorous security programs with multiple certifications. For more details, visit AWS Security and GCP Security.
- Data Hosting Security
Our data is stored in AWS and GCP databases, all of which are located in the United States. Refer to the vendor-specific security documentation for additional information.
- Encryption at Rest
All databases are encrypted at rest.
- Encryption in Transit
Our applications use TLS/SSL encryption to protect data in transit.
- Vulnerability Scanning
We perform regular vulnerability scans and continuously monitor for potential threats.
- Logging and Monitoring
We actively log and monitor cloud services to detect and address security events.
- Business Continuity and Disaster Recovery
We leverage our data hosting provider’s backup services to minimize the risk of data loss in case of hardware failures. Monitoring systems alert our team to any service disruptions.
- Incident Response
Our incident response plan includes escalation procedures, rapid mitigation strategies, and clear communication protocols to address security incidents effectively.

Access Security
- Permissions and Authentication
Access to cloud infrastructure and sensitive tools is restricted to authorized employees based on their job requirements. We enforce Single Sign-On (SSO), two-factor authentication (2FA), and robust password policies where applicable.
- Least Privilege Access Control
We adhere to the principle of least privilege for identity and access management.
- Quarterly Access Reviews
We conduct quarterly reviews to ensure only authorized personnel have access to sensitive systems.
- Password Requirements
Employees must comply with stringent password requirements and complexity standards.
- Password Managers
Company-issued laptops come with a password manager to help employees securely store and manage passwords.

Vendor and Risk Management
- Annual Risk Assessments
We conduct annual risk assessments to identify and mitigate potential threats, including fraud risks.
- Vendor Risk Management
Vendor risk assessments are conducted before approving new vendors to ensure security and compliance standards are met.

Contact Us
If you have any questions, feedback, or concerns, or if you need to report a potential security issue, please reach out to us at security@speedwellholdings.com.