Security Policy

Graditto employs strict security standards and measures throughout the entire organization. Every team member is trained and kept up to date on the latest security protocols. We regularly undergo testing, training, and auditing of our practices and policies. 1. Purpose, Scope, and Organization This policy defines behavioral, process, technical, and governance controls pertaining to security at Graditto that all personnel are required to implement in order to ensure the confidentiality, integrity, and availability of the Graditto service and data ("Policy"). All personnel must review and be familiar with the rules and actions set forth below. This Policy defines security requirements for: * All Graditto employees, contractors, consultants, and any other third parties providing services to Graditto ("personnel"), * Management of systems, both hardware and software and regardless of locale, used to create, maintain, store, access, process, or transmit information on behalf of Graditto, including all systems owned by Graditto, connected to any network controlled by Graditto, or used in service of Graditto's business, including systems owned by third-party service providers, and * Circumstances in which Graditto has a legal, contractual, or fiduciary duty to protect data or resources in its custody. In the event of a conflict, the more restrictive measures apply. 1.1. Governance and Evolution This Policy was created in close collaboration with and approved by Graditto executives. At least annually, it is reviewed and modified as needed to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices. 1.2. Security Team The Graditto security team oversees the implementation of this Policy, including: * Procurement, provisioning, maintenance, retirement, and reclamation of corporate computing resources, * All aspects of service development and operation related to security, privacy, access, reliability, and survivability, * Ongoing risk assessment, vulnerability management, incident response, and * Security-related human resources controls and personnel training. 1.3. Risk Management Framework The security team maintains a Risk Management Framework derived from NIST SP 800-39 ("Managing Information Security Risk: Organization, Mission, and System View") and NIST SP 800-30 ("Guide for Conducting Risk Assessments"). Risk assessment exercises inform prioritization for ongoing improvements to Graditto's security posture, which may include changes to this Policy itself. Our Risk Management Framework incorporates the following: * Identification of relevant, potential threats. * A scheme for assessing the strength of implemented controls. * A scheme for assessing current risks and evaluating their severity. * A scheme for responding to risks. 2. Personnel and Office Environment Graditto is committed to protecting its customers, personnel, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly in the context of its established employment culture of openness, trust, maturity, and integrity. This section outlines expected personnel behaviors affecting security and the acceptable use of computer systems at Graditto. These rules are in place to protect our personnel and Graditto itself, in that inappropriate use may expose customers and partners to risks including malware, viruses, compromise of networked systems and services, and legal issues. 2.1. Work Behaviors The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format. Such behaviors include those listed in this section as well as any additional requirements specified in the employee handbook, specific security processes, and other applicable codes of conduct. * Training: All employees and contractors must complete the Graditto security awareness and data handling training programs at least annually. * Unrecognized Persons and Visitors: It is the responsibility of all personnel to take positive action to maintain physical security. Challenge any unrecognized person present in a restricted office location. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff and the security team. All visitors to Graditto offices must be registered as such or accompanied by a Graditto employee. * Clean Desk: Personnel should maintain workspaces clear of sensitive or confidential material and take care to clear workspaces of such material at the end of each workday. * Unattended Devices: Unattended devices must be locked. All devices will have an automatic screen lock function set to automatically activate upon no more than fifteen minutes of inactivity. * Use of Corporate Assets: Systems are to be used for business purposes in serving the interests of the company, and of our clients and partners in the course of normal business operations. Personnel are responsible for exercising good judgment regarding the reasonableness of personal use of systems. Only Graditto-managed hardware and software is permitted to be connected to or installed on corporate equipment or networks and used to access Graditto data. Graditto-managed hardware and software includes those either owned by Graditto or owned by Graditto personnel but enrolled in a Graditto device management system. Only software that has been approved for corporate use by Graditto may be installed on corporate equipment. All personnel must read and understand the list of prohibited activities outlined in this Policy. Modifications or configuration changes are not permitted without explicit written consent by the Graditto security team. * Removable Storage, No Backups, Use of Cloud Storage: Use of removable media such as USB drives is prohibited. Personnel may not configure work devices to make backups or copies of data outside corporate policies. Instead, personnel are expected to operate primarily "in the cloud" and treat local storage on computing devices as ephemeral. Graditto data must be saved to company-approved secure cloud storage to ensure that even in the event of a corporate device being lost, stolen, or damaged, such artifacts will be immediately recoverable on a replacement device. Prohibited Activities Under no circumstances are personnel of Graditto authorized to engage in any activity that is illegal under local, state, national, or international law while utilizing Graditto-owned resources. * Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Graditto. * Violating or attempting to violate the terms of use or license agreement of any software product used by Graditto is strictly prohibited. * Unauthorized copying of copyrighted material, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Graditto or the end user does not have an active license is strictly prohibited. * Revealing your account password to others or allowing use of your account by others. This includes colleagues, as well as family and other household members when work is being done at home. * Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). * Effecting security breaches or disruptions of network communication. Security breaches include accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access. * Except by or under the direct supervision of the security team, port scanning or security scanning, or other such software designed to exploit or find computer, software, or network vulnerabilities. * Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty. * Circumventing user authentication or security of any host, network or account or attempting to break into an information resource or to bypass a security feature. * Providing information about, or lists of, Graditto personnel to parties outside Graditto. * Attempts to subvert technologies used to effect system configuration of company-managed devices (e.g., MDM) or personal devices voluntarily used for company purposes (e.g., mobile Work Profiles). 2.2. Personnel Systems Configuration, Ownership, and Privacy * Centralized System Configuration: Personnel devices and their software configuration are managed remotely by members of the security team via configuration-enforcement technology, also known as MDM software. * Data and Device Encryption: All devices must use modern full disk encryption to protect data in the event of a lost device. This is enforced using MDM software. * Device Heartbeat and Remote Wipe: Devices must support the ability to report their status and be remotely wiped. This is enforced using MDM software. * Prevent Removable Storage: Devices must prevent usage of removable storage. This is enforced using MDM software. * Endpoint/Antivirus/Antimalware Protection: Devices must automatically install and configure the Graditto provided antivirus software for endpoint protection. This is enforced using MDM software. * Retention of Ownership: All software programs, data, and documentation generated or provided by personnel while providing services to Graditto or for the benefit of Graditto are the property of Graditto unless otherwise covered by a contractual agreement. * Personnel Privacy: While Graditto's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Graditto. Graditto reserves the right, at its discretion, to review personnel's files or electronic communications to the extent necessary to ensure compliance with all applicable laws and regulations as well as corporate policies. 2.3. Human Resources Practices * Background Checks: Background checks are conducted for personnel with access to production infrastructure prior to their start date. * Training: The security team maintains a company-wide security awareness program delivered to all personnel at least annually. * Separation: In the case of personnel termination or resignation, the security team coordinates with human resources to implement a standardized separation process to ensure that all accounts, credentials, and access of outgoing employees are reliably disabled. 2.4. Physical Office Environment Access to Graditto offices is mediated by a staffed front office or programmable door control access. Internet-based security cameras are positioned to record time-stamped video of ingress/egress, which are stored off-site. 2.5. Office Network Internet access shall be provided to devices via wired ethernet and WPA2/WPA3 wifi. Networking switches and routers shall be placed in a locked networking closet with only the security team having access. WAN-accessible network services shall not be hosted within the office environment. 3. Personnel Identity and Access Management 3.1. User Accounts and Authentication Each individual having access to any Graditto-controlled system does so via a secure user account (e.g., Google Workspace/G Suite) denoting their system identity. Such user accounts are required to have a unique username, a unique strong password of at least 8 characters, and a two-factor authentication (2FA) mechanism. * Logging into Graditto Systems: Logins by personnel may originate only from Graditto-managed devices. Authentication is performed via secure centrally enforced identity providers. * Logging into Third-Party Systems: Whenever available, third-party systems must be configured to delegate authentication to Graditto's primary authentication system. When this is not available, unique strong passwords paired with MFA must be stored in the Graditto approved password management system. * Revocation and Auditing of User Accounts: User accounts are revoked immediately upon personnel separation. All user accounts are audited at least quarterly, and any inactive user accounts are revoked. 3.2. Access Management * Role-Based Access Control: Graditto adheres to the principle of least privilege, employing a role-based access control (RBAC) model to limit permissions. * Web Browsers and Extensions: Any browser that is allowed to access corporate data is subject to restrictions on which browser extensions can be installed. * Administrative Access: Access to administrative operations is strictly limited to security team members based on tenure and the principle of least privilege. 3.3. Termination Upon termination of personnel, the security team follows Graditto's personnel exit procedure to immediately revoke all digital access and reclaim physical company assets. 4. Provenance of Technology 4.1. Software Development * Graditto stores source code and configuration files in private GitHub repositories. * The security and development teams conduct code reviews and execute static code analysis tools on every code commit. * Security reviews shall be conducted on every code commit to security-sensitive modules (authentication, authorization, auditing, and encryption). * Sensitive data which does not need to be decrypted (e.g., passwords) is salted and hashed using approved secure functions such as Argon2, Scrypt, or bcrypt. * Sensitive data which must be decrypted (e.g., tokens) must use an approved secure encryption provider for HSM functions, such as AWS KMS. 4.2. Configuration and Change Management All adopted systems and services configurations shall be documented and reviewed on at least an annual basis. System configurations address the following controls in a risk-based fashion: * Data-at-rest encryption. * Data-in-transit protection (TLS 1.2/1.3). * Removal or disabling of unnecessary software and configurations. * Production data is strictly isolated and never used in development or test environments. 4.3. Third Party Services For every third-party service or sub-processor that Graditto adopts, the compliance team shall review the service and vendor annually to gain assurance that their security posture is consistent with Graditto's standards. Physical infrastructure is primarily hosted on trusted cloud providers such as Amazon Web Services (AWS) or DigitalOcean. 5. Data Classification and Processing 5.1. Data Classification Graditto maintains the following Data Confidentiality Levels: * Confidential: Information only available to specific roles within the organization. Data must be encrypted at rest and in transit. Access requires 2FA/MFA. * Restricted: Access restricted to specific roles and authorized third parties. Data must be encrypted at rest and in transit. * Internal: Information is available to all employees and authorized third parties. * Public: Information is available to the public. #Customer Data Type Classifications * Customer User Account Data: Credentials shall be salted and hashed in a non-recoverable manner. * Customer Contact Data: Contact data about Graditto customers and organizations. * Customer Preferences Data: Customer-specific preferences and configurations. * Customer Recorded Data: Data collected during session recordings or specific functional modules. * Customer Event Transaction Metadata: Metadata about platform transactions. 5.2. Graditto Employee Access to Customer Data Graditto employees may access Customer Data only from managed devices, solely for the purpose of incident response or customer support, for no longer than is needed to fulfill the request, and in a fully auditable manner. Customer Data is never used in development or test systems. 5.3. Customer Access Graditto provides web user interfaces, application programming interfaces (APIs), and data export facilities to provide customers access to their own data. 5.4. Data Encryption Graditto protects all data in transit with TLS 1.2 or TLS 1.3, and all data at rest with industry-standard AES-256 encryption. Cryptographic keys are managed via secure KMS and automatically rotated yearly. 5.5. Data Retention and Disposal Upon expiration of services, customers may instruct Graditto to delete all customer data from Graditto's systems in accordance with applicable law as soon as reasonably practicable. Cloud storage media that previously held customer data is securely decommissioned using techniques aligned with NIST 800-88. 6. Vulnerability and Incident Management 6.1. Vulnerability Detection and Response Graditto utilizes automated source code scanners, peer code reviews, continuous monitoring, and periodic vulnerability scanning to detect any security issues. Detected vulnerabilities are evaluated based on their impact and prioritized for complete remediation or the implementation of compensating controls. 6.2. Incident Detection and Response The Graditto security team maintains an internal Incident Response Policy containing defined steps for identification, containment, investigation, eradication, recovery, and postmortem. In the event of a data breach affecting a customer, Graditto will maintain direct communication with the customer regarding the severity, scope, and resolution of the breach. 7. Business Continuity and Disaster Recovery 7.1 Availability and Resiliency Graditto services shall be configured in such a manner so as to withstand long-term outages to individual servers, availability zones, and geographic regions. Graditto infrastructure and data are replicated to ensure high availability. 7.2 Disaster Recovery * Recovery Point Objective (RPO): Target of 5 minutes for recent data, and no longer than 24 hours for older backups. * Recovery Time Objective (RTO): Target of no longer than 24 hours. * Testing: Backup and recovery processes are tested on a regular, periodic basis. 7.3 Business Continuity * Distribution and Remote Work: Graditto prioritizes tools and policies that enable secure, distributed remote work for staff in the event of localized emergencies. * Notification: Staff and relevant management will be immediately notified via secure, internal channels during any active emergency event. * Usage Limitation: Google Workspace APIs are not used to develop, improve, or train generalized Graditto AI and/or ML Models.