Last Updated: November 28, 2022

Information Security Policy

Introduction

Sassafras Software, LLC. (“Sassafras,” “Company” or “we,” “our” or “us”) recognizes that in certain instances it must collect, store and use Sensitive Information relating to its customers, employees and individuals associated with the company. Sassafras is dedicated to collecting, handling, storing and using Sensitive Information properly and securely. Sassafras has recognized that our business information is a critical asset and as such our ability to manage, control, and protect this asset will have a direct and significant impact on our future success. The Sassafras Information Security Program is built around the information contained within this policy and its supporting policies.

Purpose

Sassafras is committed to collecting, handling, storing and using Sensitive Information properly and securely. This Policy establishes an Information Security Program to create administrative, technical and physical safeguards for the protection of Sensitive Information throughout the company. The purpose of this Program is to comply with applicable laws and to:

  1. Provide a framework for comprehensive stewardship of Sensitive Information;
  2. Increase awareness of the confidential nature of Sensitive Information;
  3. Eliminate unnecessary collection and use of Sensitive Information;
  4. Protect against anticipated threats or hazards to the security or integrity of Sensitive Information; and
  5. Protect against unauthorized access to or use of Sensitive Information in a manner that creates a substantial risk of identity theft, fraud or other misuse of the data.

Audience

The Sassafras Information Security Policy applies equally to any individual, entity, or process that interacts with any Sassafras Information Resource.

Definitions

Breach of Security: the unauthorized acquisition or use of Sensitive Information that creates a substantial risk of identity theft or other harm. This definition includes the unauthorized acquisition or use of encrypted electronic Sensitive Information where the confidential process or key has been compromised.

Electronic: relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Employee: includes all Sassafras staff, trainees, interns, and any other individual who provides services to Sassafras, whether compensated or not, and who, in connection with such services, has access to customer data.

Encryption: transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.

Record: any material upon which written, drawn, spoken, visual or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics that contain Sensitive Information. The term Record includes both paper and electronic material.

Sensitive Information: Information that is designated as Restricted Use, Confidential or Internal Data under the Data Protection Standards.

Responsibilities

Executive Management
Members of Executive Management shall, in consultation with the Security Committee, maintain a list of categories of information that will be included within the definition of Sensitive Information and prescribe appropriate levels of protection in a series of procedures collectively known as the Data Protection Standards. The Executive Director shall ensure that an appropriate risk-based Information Security Program is implemented to protect the confidentiality, integrity, and availability of all Information Resources collected or maintained by or on behalf of Sassafras. The Director may consult with the Committee and charge the Committee with responsibilities concerning the administration and review of this Policy.

Information Security Officer
The Information Security Officer leads the Information Security Committee and provides updates on the status of the Information Security Program to Executive Management. The Officer manages compliance with all relevant statutory, regulatory, and contractual requirements, and assesses risks to the confidentiality, integrity, and availability of all Information Resources collected or maintained by or on behalf of Sassafras.

Information Security Committee
In accordance with the Information Security Committee Charter, the Committee assists with the administration of this Policy, ensures compliance with applicable information security requirements, and coordinates the implementation of information security controls. Significant threat changes and vulnerabilities are identified, and information received from monitoring processes is evaluated.

All Employees, Contractors, and Other Third-Party Personnel
Every employee of Sassafras should strive to minimize the collection, handling, storage and use of Sensitive Data. Only those who have a legitimate business need to access Sensitive Information should do so, and for as limited a time as possible. Minimize or eliminate the collection, handling, storage and use of Sensitive Data whenever and wherever possible. Seek guidance from the Information Security Team for questions or issues related to information security.

Policy

Sassafras maintains and communicates an Information Security Program consisting of policies, standards, procedures and guidelines that serve to protect the Confidentiality, Integrity, and Availability of the Information Resources maintained within the organization using administrative, physical and technical controls.

The information security program is reviewed no less than annually or upon significant changes to the information security environment. During the course of review, the Information Security Officer and the Committee shall review any Breach of Security that is reported to outside authorities, including the results of any investigation and the company’s response to any Breach.

Change management
Sassafras releases minor upgrades typically every 4-10 weeks, and cloud instance upgrades will be scheduled once each new version has been released. Cloud-hosted customers will be notified 2 weeks prior to an upgrade for most non-critical updates. High priority upgrades will have a notification period of 3 days, and critical upgrades may be performed without notification.

Patch management
Cloud servers are configured to automatically apply security patches. Other major OS upgrades require manual approval and these are checked and applied at least every month.

Data Breach
If we become aware of a suspected data breach affecting our customers, we will notify affected customers within 72 hours.

Data Destruction
Customers may request removal of all of their data from our cloud servers. Upon request, we will complete this within 5 business days.

Audit Logs
Logs of both access and configuration changes are recorded wherever possible. Internally, our software (KeyServer) maintains a log of administrators logging in and out, as well as relevant configuration changes such as policy option changes. Linode maintains a log of system access to the VMs themselves.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.