Information Security Policy

1. Purpose & Scope

This policy establishes requirements for the protection of Tendrill's information assets and customer data. It applies to:

• •All Tendrill employees, contractors, and authorized users
• •All information systems, applications, and data repositories
• •Third-party systems that process or store Tendrill data
• •All forms of information: digital, physical, and verbal

2. Data Classification

Tendrill classifies information into four categories based on sensitivity and regulatory requirements:

3. Access Control

Access to information and systems is governed by the following principles:

• •Least Privilege: Users are granted only the minimum access necessary to perform their job functions.
• •Role-Based Access Control (RBAC): Access rights are assigned based on job roles and responsibilities.
• •Segregation of Duties: Critical functions are divided among multiple individuals to prevent fraud or error.
• •Access Reviews: User access rights are reviewed quarterly and upon role changes.

4. Authentication Requirements

Password requirements include:

• •Minimum length of 12 characters
• •Combination of uppercase, lowercase, numbers, and special characters
• •Prohibition of commonly used or compromised passwords
• •Unique passwords for each system and service

5. Data Handling & Storage

All data must be handled in accordance with its classification level:

• •Storage: Confidential and Restricted data must be stored in approved, encrypted systems only.
• •Transmission: Sensitive data must be encrypted during transmission using TLS 1.2 or higher.
• •Retention: Data is retained only as long as necessary for business purposes or as required by law.
• •Disposal: Data must be securely deleted when no longer needed, using approved methods.

6. Physical Security

While Tendrill primarily operates as a cloud-native company, physical security controls are maintained where applicable:

• •Cloud infrastructure providers are required to maintain SOC 2 Type II certification
• •Workstations must have automatic screen lock enabled (5-minute timeout)
• •Full disk encryption required on all company devices
• •Secure disposal of any physical media containing sensitive information

7. Change Management

All changes to production systems follow a controlled process:

• •Changes are documented and reviewed before implementation
• •Testing is performed in non-production environments first
• •Rollback procedures are established for each change
• •Emergency changes follow expedited approval with post-implementation review

8. Business Continuity & Disaster Recovery

Tendrill maintains business continuity and disaster recovery capabilities to ensure service availability:

• •Regular backups of critical data with secure offsite storage
• •Documented recovery procedures and recovery time objectives (RTO)
• •Periodic testing of backup and recovery procedures
• •Geographic redundancy for critical systems

9. Compliance & Audit Framework

We maintain compliance with applicable laws, regulations, and industry standards:

• •Regular compliance assessments against applicable requirements
• •Internal audits of security controls and procedures
• •Documentation and tracking of audit findings and remediation
• •Management review of security metrics and incidents

10. Policy Updates

This policy is reviewed annually and updated as needed to reflect changes in our business, technology environment, or regulatory requirements. Updates will be posted on this page with a revised effective date.