Security Policy
Policy Objective
The purpose of this policy is to establish a comprehensive and systematic framework to ensure the confidentiality, integrity, and availability of the information assets of ShareBuilders. This policy is aligned with established frameworks, such as NIST, to safeguard our data, systems, and infrastructure from an evolving landscape of security threats, thereby ensuring resilience, operational continuity, and adherence to industry best practices.
This policy not only aims to protect internal processes but also to provide stakeholders, clients, and partners with assurance regarding the robustness of our information security practices.
Policy Scope
This policy applies to all employees, contractors, partners, third parties, and external entities that access, process, or manage company data, systems, or services. It encompasses all types of information—electronic, printed, or verbal—and extends to all organizational environments, including remote, on-premises, cloud-based, and hybrid operations. It also includes company-owned devices, personal devices used for company purposes, and any applications or systems used for conducting business operations, thus ensuring comprehensive coverage across our entire enterprise architecture.
Temporary Passwords at First Logon
Temporary passwords are provided to new users for their first login. Upon successful login, users must change their password to a unique and secure one of their choosing. Temporary passwords expire within 24 hours if not used, ensuring that unused credentials do not pose a security risk.
Strong Password Requirements for Scoped Systems and Data
All Scoped Systems, and any system that transmits, processes, or stores Scoped Data, must enforce strong password requirements. In addition to strong passwords, Multi-Factor Authentication (MFA) must be implemented to provide an extra layer of security for critical systems.
Authentication & Password Policy
This section outlines password management practices for Scoped Systems and for any system that transmits, processes, or stores Scoped Data. Employees must use unique credentials consisting of strong passwords, which must be at least eight characters in length and include a combination of uppercase letters, lowercase letters, numerals, and special symbols to meet complexity requirements. Systems enforce periodic password changes and retain password history to prevent reuse.
Password confidentiality is paramount:
- No Sharing: Passwords must never be shared among employees, ensuring unique access credentials for accountability.
- No Recording: Passwords must not be written down or recorded in any form accessible to unauthorized individuals. Instead, employees are required to use secure password managers.
Multi-Factor Authentication (MFA)
MFA is mandated on all systems to strengthen access control, and it is especially important for sensitive systems and high-risk data repositories. Methods may include biometrics, one-time passcodes, or physical security tokens.
Principle of Least Privilege
Access privileges must be strictly aligned with individual job responsibilities, adhering to the principle of least privilege to minimize exposure to sensitive information. Role-based access control (RBAC) is implemented to streamline permissions and ensure appropriate segregation of duties.
Data Protection
Data Classification
All corporate data must be systematically classified by sensitivity, criticality, and business impact. Data protection measures are then applied commensurate with the classification level, and this classification must be periodically reviewed to accommodate changes in sensitivity.
Encryption
Sensitive information must be encrypted in transit and at rest using strong encryption algorithms such as AES-256. Encryption keys must be managed securely to prevent unauthorized access.
Data Handling, Storage, and Retention
Data must be encrypted during transit and at rest, and access is restricted based on role requirements. Secure deletion protocols are employed to permanently remove obsolete data, and data retention schedules are strictly followed to determine archival or deletion timelines.
Client and Third-Party Notification Requirements
In the event of a data breach, each incident is evaluated to determine if client or third-party notifications are required. Notifications are provided promptly—generally within 72 hours of identifying the breach—and comply with applicable regulatory frameworks such as GDPR and CCPA.
Incident Reporting
Employees must report all security incidents, including suspicious activities, unauthorized access, or anomalies, to the VP of Product or the helpdesk. Escalation processes ensure that incidents are also reported to the highest management levels, including the CEO and the senior product team, providing multiple oversight layers for effective response.
Incident Management
Reported incidents are investigated thoroughly by senior product team members, who also document findings, conduct root cause analysis, and determine corrective measures. Regular simulated exercises are conducted to maintain incident response preparedness.
Breach Notification
Affected stakeholders are notified within 72 hours of identifying a security incident, including a thorough assessment of compromised data, potential impacts, and remediation measures.
Risk Management
Risk Assessment
Regular assessments are conducted to identify and evaluate threats to information assets, including vendor and supply chain risks.
Risk Treatment
Risks are managed through a documented plan that may include mitigation, acceptance, transfer, or avoidance strategies. The effectiveness of these measures is reviewed periodically.
Physical and Device Security
As a fully remote, cloud-based company, our security measures focus on secure remote work environments. Employees must:
- Ensure secure home office environments, including locked devices, secure Wi-Fi networks, and avoidance of public networks for company data access.
- Ensure all company-issued devices are equipped with full-disk encryption and enrolled in Mobile Device Management (MDM) solutions to enable remote wiping if lost or stolen.
Policy for Confidential Customer Information
All employees are required to sign the ‘Policy to Protect Confidential Customer Information’ as part of the onboarding process. This policy outlines their responsibilities for safeguarding sensitive customer data and is integral to ensuring compliance with our privacy standards.
Employee Awareness and Training
Employees must undergo regular security awareness training to understand cybersecurity risks and their mitigation responsibilities. Specialized training is provided for those handling sensitive systems, and formal acknowledgment of adherence to this policy is required to ensure accountability.
Compliance and Continuous Review
Regulatory Compliance
Security measures must comply with relevant legal, regulatory, and contractual requirements, including GDPR and CCPA.
Policy Review
This policy is reviewed annually or whenever significant changes in the threat landscape occur. Lessons learned from incidents and audits contribute to continuous improvement efforts.
Policy Enforcement
Non-compliance with this policy may result in disciplinary action, ranging from corrective training to termination of employment, depending on the severity of the infraction. Repeated violations or deliberate non-compliance may escalate to legal action.
Contact Information
For any questions or concerns regarding information security, employees should reach out to the VP of Product. If unavailable, the helpdesk (helpdesk@share-builders.com) can be contacted for guidance.
Security Steering Committee
Security oversight is managed through regular meetings of the senior product team, where security topics are discussed, prioritized, and addressed. This informal committee ensures that key security concerns are consistently integrated into our broader operational and strategic conversations.
Product Security Organization & Responsibilities
The information security function is integrated within the senior product team, embedding security considerations into all product development and operational processes. We follow NIST principles for our own self-governance; however, we are not yet formally certified, and any future certifications may be pursued based on customer requirements.
- Senior Product Team Members: Responsible for managing security policies, incidents, and overall strategy.
- VP of Product: Ensures alignment of security standards with product development goals, vendor management, and customer relationships.
- CEO: Provides final approval for security policies and ensures that security strategies align with business objectives.
Role of Inventory Management
The senior product team is responsible for maintaining an inventory of cloud, hardware and software assets, which is critical to managing and mitigating risks associated with our technology infrastructure. This includes tracking cloud-based resources and ensuring that all assets are secure and properly accounted for.
Vendor Management
Vendors are divided into “Base Vendors” essential to our operations and “Opted-In Vendors” integrated upon specific customer requests. All vendors must adhere to strict protocols to ensure compliance and protect customer data. All vendors engaged with ShareBuilders are required to enter into a Non-Disclosure Agreement (NDA) prior to accessing any Scoped Systems or Data. The NDA outlines strict obligations regarding the confidentiality of information, including proprietary customer data and internal operational details. It ensures that vendors commit to protecting sensitive information, limits the use of such information strictly to agreed purposes, and mandates immediate notification to ShareBuilders in the event of any unauthorized disclosure or breach.
Base Vendors
Microsoft Azure
Usage: Microsoft Azure provides foundational cloud infrastructure and hosting services.
Access Scope: Microsoft Azure supports the foundational architecture by offering storage, computation, networking, and cloud security services. Its scalable infrastructure ensures high availability, reliability, and security for data operations, which is vital for the efficient functioning of ShareBuilders’ applications. Azure’s capabilities include redundancy, resource allocation, and virtual machine deployment to adapt to dynamic workload requirements.
Azure B2C (Azure Active Directory B2C)
Usage: Azure B2C handles user authentication and identity management.
Access Scope: This service manages secure authentication, including password management, multi-factor authentication, and federated identity integration, providing a consistent and secure access framework. It also supports integration with external identity providers, which facilitates a unified and scalable approach to user identity verification and system access control.
HubSpot
Usage: HubSpot is used for Customer Relationship Management (CRM) and service desk operations.
Access Scope: HubSpot centralizes customer information, manages support tickets, and facilitates communication between ShareBuilders and customers. It provides valuable data insights for optimizing campaigns and improving service delivery, contributing to streamlined workflows in both sales and customer support while ensuring customer data is accessible, organized, and secure.
Atlassian Products
Usage: Used for managing internal documentation and overseeing product development.
Access Scope: Tools such as Jira and Confluence support project management, issue tracking, and internal documentation. This facilitates planning, tracking, and maintaining transparency across teams. With Atlassian, ShareBuilders ensures effective management of tasks and milestones while enabling cross-functional alignment with company objectives.
Opted-In Vendors
Opted-In Vendors are additional services that can be integrated based on specific customer requests. These vendors are not part of our core system but offer supplementary capabilities when needed, under strict security protocols to ensure privacy and compliance.
Zapier
Usage: Zapier allows for user-defined workflow automation, focusing on customer contact records and activity.
Access Scope: This opt-in service integrates data between third-party applications to enhance productivity and reduce manual processes. The service strictly excludes any exposure of financial data, managing only non-sensitive datasets to ensure compliance with data protection regulations. This results in more efficient workflows without compromising security.
vCreative
Usage: Integrates account data from ShareBuilders CRM to minimize duplication and reduce manual data entry.
Access Scope: vCreative helps manage creative content workflows, reducing administrative tasks by automating repetitive processes. This ensures consistency of account data across platforms and optimizes time management for creative teams, thereby improving accuracy and reducing the chances of manual errors during campaign lifecycle operations.
OpenAI
Usage: Utilizes AI for content generation and natural language processing.
Access Scope: OpenAI processes user inputs to generate contextual content, such as email and calendar data enrichment, communication drafts, and data analysis. The service facilitates automation of content personalization and customer queries, enabling ShareBuilders to enhance productivity while adhering to strict data privacy standards.
Aurinko
Usage: Manages mailbox synchronization and facilitates data integration for email, contacts, and tasks.
Access Scope: Aurinko’s unified APIs and synchronization logic support the integration of email, calendar, contacts, and task data within applications, crucial for ShareBuilder CRM Connected Mailbox. This reduces development complexity and time while ensuring data consistency across multiple environments, providing a robust and secure data synchronization solution.
Data Lifecycle Management
Data in Transit and at Rest
TLS 1.2 or later protects data in transit and AES-256 protects data at rest, at all stages of the data lifecycle.
Data Retention and Deletion
ShareBuilders employs specific data retention and backup schedules to ensure the integrity and availability of customer data while adhering to legal and business requirements. This policy covers the retention, archival, and deletion of customer data, including financial history, account information, user-created data (e.g., pending activities), and configuration choices.
Backup Frequency and Retention:
- Differential Backups: Differential backups of customer databases, which capture all changes since the last full backup, are performed daily and retained until the subsequent weekly backup.
- Weekly Backups: A weekly backup is created every Sunday, replacing the daily differential backups. These weekly backups are retained until the end of the month.
- Monthly Backups: At the end of each calendar month, a monthly backup is created. Monthly backups are retained for approximately two years to ensure data availability for both operational purposes and customer support.
Customer Cancellation Policy:
- Upon a customer canceling their service, the most recent backup will be retained for a minimum period of six months.
- If the customer requests their data to be purged sooner, they must formally send a request in writing by emailing helpdesk@share-builders.com. Upon receipt of such a request, we ensure that all relevant backups are permanently deleted from cloud-based virtual storage.
Data Destruction:
All data retained past its required retention period will be securely deleted from our systems. Given that all backups are stored in the cloud, deletion involves removing the virtual disks entirely from cloud environments, which is conducted and verified by our product team to ensure data is permanently deleted.
Customer Requests for Data Purging:
Formally Requesting Data Deletion: Customers can formally request data deletion by contacting helpdesk@share-builders.com. This process will include confirmation of the request and a timeline for secure deletion.
Fulfillment Timeline: Requests for data purging will be addressed promptly, with a commitment to fulfilling the request within 30 days of receipt, unless otherwise specified or impacted by legal considerations, such as ongoing investigations.
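The backup schedule and cancellation rules above are concrete enough to check mechanically. The following is an added example, not ShareBuilders' own tooling: it computes, for each backup in an inventory, the earliest date on which the schedule allows it to be deleted, and the date by which a cancelled customer's final backup must be gone. Where the policy text leaves a detail open, the code makes an assumption and labels it: a differential taken on a Sunday is kept until the following Sunday, "retained until the end of the month" is treated as deletable on the first day of the next month, "approximately two years" is modelled as exactly 24 months, and the purge-request deadline is 30 calendar days from receipt. The sample inventory is constructed for illustration.

```python
"""Retention check for the backup schedule described in the policy.

Added example, not ShareBuilders' own code. Assumptions (not stated in the
policy): a differential taken on a Sunday is kept until the following Sunday;
"retained until the end of the month" means deletable on the first day of the
next month; "approximately two years" is modelled as 24 months; the purge
request deadline is 30 calendar days from receipt.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import calendar


@dataclass(frozen=True)
class Backup:
    kind: str   # "differential", "weekly" or "monthly"
    taken: date


def add_months(d: date, n: int) -> date:
    """Shift d by n months, clamping the day to the target month's length
    (so 29 Feb + 24 months lands on 28 Feb, not an invalid date)."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_sunday(d: date) -> date:
    """First Sunday strictly after d, i.e. the next weekly backup."""
    return d + timedelta(days=(6 - d.weekday()) % 7 or 7)


def expiry(b: Backup) -> date:
    """Earliest date on which the backup may be deleted under the schedule."""
    if b.kind == "differential":
        return next_sunday(b.taken)                 # superseded by the weekly
    if b.kind == "weekly":
        return add_months(b.taken.replace(day=1), 1)  # end of its month (assumed: 1st of next)
    if b.kind == "monthly":
        return add_months(b.taken, 24)              # assumed: exactly two years
    raise ValueError(f"unknown backup kind: {b.kind}")


def prune_plan(backups: List[Backup], today: date) -> Tuple[List[Backup], List[Backup]]:
    """Split an inventory into (keep, delete) as of today."""
    keep = [b for b in backups if expiry(b) > today]
    delete = [b for b in backups if expiry(b) <= today]
    return keep, delete


def cancellation_deletion_date(last_backup: date,
                               purge_request: Optional[date] = None) -> date:
    """Date by which a cancelled customer's final backup must be deleted.

    Default hold is six months from the last backup. A written purge request
    shortens it to 30 days from receipt (assumed calendar days), but a late
    request never extends the hold past the six-month date."""
    hold = add_months(last_backup, 6)
    if purge_request is None:
        return hold
    return min(hold, purge_request + timedelta(days=30))


# Constructed sample inventory for illustration (not real backup records).
TODAY = date(2025, 3, 15)  # a Saturday
SAMPLE = [
    Backup("differential", date(2025, 3, 10)),  # Mon; next weekly 16 Mar -> keep
    Backup("differential", date(2025, 3, 5)),   # Wed; weekly of 9 Mar superseded it -> delete
    Backup("weekly", date(2025, 3, 9)),         # Sun; kept until 1 Apr -> keep
    Backup("weekly", date(2025, 2, 23)),        # Sun; its month ended -> delete
    Backup("monthly", date(2025, 2, 28)),       # kept until 28 Feb 2027 -> keep
    Backup("monthly", date(2023, 1, 31)),       # expired 31 Jan 2025 -> delete
]

if __name__ == "__main__":
    keep, delete = prune_plan(SAMPLE, TODAY)
    for b in delete:
        print(f"DELETE {b.kind:<12} {b.taken}  (expired {expiry(b)})")
    for b in keep:
        print(f"KEEP   {b.kind:<12} {b.taken}  (until   {expiry(b)})")
    print("cancellation hold ends:", cancellation_deletion_date(date(2025, 1, 31)))
```

Running the block against the sample inventory flags three backups for deletion and keeps three; the differential from 10 March survives because the weekly that would replace it has not yet been taken on the chosen date. The `delete` list is the set the product team would then remove and verify, as the Data Destruction paragraph requires.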
Regulatory and Legal Compliance:
Data retention timelines are established in alignment with relevant legal, regulatory, and contractual requirements. ShareBuilders will periodically review and adjust retention periods as necessary to maintain compliance with emerging regulations and industry best practices.
Incident Management Testing and Preparedness
ShareBuilders conducts annual simulations, including scenario-based and tabletop exercises, to rigorously test and validate our incident management procedures. This ensures that our response capabilities remain effective in the face of real-world threats and incidents.
Incident Management Program
This program provides a comprehensive response to information security incidents, ensuring systematic escalation and prompt resolution. All incidents undergo prioritization based on severity, and findings contribute to improving policies and processes.
Continuous Improvement
Post-incident reviews and regular simulations are integral to enhancing our incident response capabilities. Lessons learned are incorporated into security measures, and annual simulations of various scenarios are conducted to validate the effectiveness of incident management.
Disciplinary Process and Notification Requirements
Employees involved in security breaches are subject to disciplinary actions that are documented comprehensively. Clients and stakeholders are notified of incidents within 72 hours, in compliance with applicable regulations, ensuring transparency and trust.