We are committed to implementing appropriate security controls to protect data against unauthorized access, disclosure, or misuse. We ensure data security by encrypting data in transit and at rest, implementing strict access control measures, implementing regular backups, and enforcing strict password requirements. We also restrict access to data based on the need-to-know principle.

Purpose:

To outline the policies and procedures for data security at CircleHD who stores data on AWS and replicates it to Google Cloud, and to ensure that effective measures are implemented to safeguard the confidentiality, integrity, and availability of data in line with our security commitments.

Scope:

This policy applies to all employees, contractors, consultants, external vendors, and third-party partners who have access to CircleHD’s data or the company’s IT infrastructure.

Policy:

1. Data Encryption

All data is encrypted in transit and at rest using industry-standard encryption protocols (AES-256). Encryption keys are managed and stored securely, with access restricted to authorized personnel. This ensures that our data is protected against unauthorized access or disclosure.  

2. Data Replication:

We use Google Cloud as a backup for our AWS environment, ensuring high availability of data. We maintain the same level of security controls and measures on Google Cloud as we do on AWS to ensure our data’s consistent protection.

3. Service Level Agreements (SLAs): 

RPO – 1 Hour, RTO- 1 Hour
– Access Control: Access to data is restricted to authorized personnel, and access requests are processed following the standard change approval process.
 – Data Backup: Data backups are conducted regularly and tested to ensure data integrity.
 – Disaster Recovery: The Disaster Recovery Plan is in place for all critical systems and is reviewed annually.
 – Incident Response: All security incidents are investigated promptly and reported to the necessary stakeholders.

4. Compliance: 

We comply with all applicable data protection regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy laws.

5. Training and Awareness: 

We provide periodic training and awareness programs to ensure that all employees, contractors, consultants, external vendors, and third-party partners of their roles and responsibilities towards data security.

6. Third-Party Partners: 

We execute nondisclosure agreements (NDAs) and assess third-party partners’ security controls regarding data protection before granting access.

High level overview of archive storage and recovery workflow.