Cybersecurity Policy

1. Security Governance & Oversight

Tendrill maintains a comprehensive security program overseen by executive leadership. Our security governance framework includes:

• •Executive-level accountability for cybersecurity strategy and risk management
• •Regular security program reviews and updates aligned with industry standards
• •Documented security policies, procedures, and standards
• •Risk assessment processes to identify and mitigate potential threats

2. Technical Safeguards

Additional technical controls include:

• •Access Controls: Role-based access control (RBAC) with principle of least privilege
• •Multi-Factor Authentication: Required for all administrative and privileged access
• •Secure Development: Security-by-design principles integrated into our development lifecycle

3. Network Security

Our network infrastructure is protected through multiple layers of defense:

• •Firewalls and network segmentation to isolate sensitive systems
• •Intrusion detection and prevention systems (IDS/IPS)
• •DDoS protection and mitigation capabilities
• •Web Application Firewall (WAF) to protect against common web vulnerabilities

4. Vulnerability Management

We maintain a proactive vulnerability management program that includes:

• •Regular vulnerability scanning of systems and applications
• •Periodic penetration testing by qualified security professionals
• •Timely patching and remediation of identified vulnerabilities
• •Dependency monitoring for third-party libraries and components

5. Incident Response

Our incident response program includes:

• •Detection: 24/7 monitoring and alerting for security events
• •Containment: Rapid response procedures to isolate and contain threats
• •Eradication: Root cause analysis and removal of threat actors
• •Recovery: Systematic restoration of affected systems and services
• •Post-Incident Review: Lessons learned analysis to improve defenses

6. Employee Security Training

All Tendrill personnel receive comprehensive security training, including:

• •Security awareness training upon hire and annually thereafter
• •Phishing awareness and social engineering prevention
• •Secure coding practices for development team members
• •Data handling and privacy protection protocols

7. Third-Party Risk Management

We carefully evaluate and monitor third-party vendors and service providers:

• •Security assessments conducted prior to vendor engagement
• •Contractual requirements for data protection and security controls
• •Ongoing monitoring of vendor security posture
• •Regular review of subprocessor security certifications and compliance

For a complete list of our subprocessors, please see our Subprocessor List.

8. Continuous Monitoring & Audit

We maintain continuous security monitoring and regular audits to ensure the effectiveness of our security controls:

• •Security Information and Event Management (SIEM) for centralized logging
• •Real-time threat intelligence integration
• •Periodic internal security audits and control assessments
• •Annual review and update of security policies and procedures

9. Policy Updates

We may update this Cybersecurity Policy from time to time to reflect changes in our practices or applicable requirements. We will post the updated policy on this page with a revised effective date.