Circle+ Security Policy

Effective Date: 1st Jan 2024

At Circle+, we are committed to maintaining the security, confidentiality, and integrity of the data we manage. This Security Policy outlines the protocols, controls, and best practices Circle+ follows to protect our systems, infrastructure, and users' data from unauthorized access, threats, and breaches. It is a critical part of our mission to provide a secure environment for the startups and businesses that use our platform.

1. Objectives

The objectives of the Circle+ Security Policy are:

  • To protect the confidentiality, integrity, and availability of Circle+ systems and customer data.
  • To implement appropriate safeguards that mitigate risks and vulnerabilities.
  • To comply with applicable legal, regulatory, and contractual security requirements.
  • To establish guidelines for detecting, responding to, and recovering from security incidents.

2. Scope

This Security Policy applies to:

  • All employees, contractors, and third parties with access to Circle+ systems and data.
  • All information systems, applications, cloud infrastructure, and data storage solutions owned or operated by Circle+.
  • Customer data processed, stored, or transmitted through Circle+ services.

3. Roles and Responsibilities

3.1 Chief Information Security Officer (CISO)

The CISO is responsible for overseeing Circle+'s security strategy, policies, and implementation of security controls.

3.2 Security Team

The Security Team is tasked with managing Circle+'s security operations, monitoring systems, responding to incidents, and ensuring compliance with security best practices.

3.3 Employees and Contractors

All employees and contractors are responsible for adhering to Circle+'s security policies, completing security training, and promptly reporting any suspected security incidents.

3.4 Third Parties

Third-party vendors and service providers with access to Circle+ systems must comply with our security standards and are subject to audits to ensure compliance.

4. Access Control

4.1 User Authentication and Authorization

  • Circle+ employs strong authentication mechanisms such as multi-factor authentication (MFA) for accessing sensitive systems.
  • Access to systems and data is granted on a need-to-know basis, with role-based access controls (RBAC) in place to ensure appropriate authorization.
  • User accounts are regularly reviewed to revoke access for inactive users or those no longer authorized.

4.2 Password Policies

  • All users must adhere to Circle+'s password policies, which require strong passwords that are regularly updated.
  • Passwords must be at least [insert password requirements] characters long and contain a mix of uppercase letters, lowercase letters, numbers, and symbols.

5. Data Protection and Encryption

5.1 Data Classification

Circle+ categorizes data into sensitivity levels (e.g., public, internal, confidential) and applies security controls appropriate to the classification level.

5.2 Data Encryption

  • All sensitive data, including personally identifiable information (PII) and customer data, is encrypted both at rest and in transit using industry-standard cryptography (e.g., AES-256 for data at rest, TLS for data in transit).
  • Circle+ maintains encryption key management systems to ensure secure storage and handling of encryption keys.

5.3 Data Storage and Retention

  • Customer data is stored on secure, encrypted servers.
  • Data retention policies are in place to ensure that personal data is only retained as long as necessary for the purposes for which it was collected, or as required by law.

6. Network Security

6.1 Firewalls and Intrusion Detection

  • Firewalls are deployed to protect Circle+'s network infrastructure and limit unauthorized traffic.
  • Intrusion detection and prevention systems (IDS/IPS) continuously monitor the network for suspicious activities or potential security breaches.

6.2 Network Segmentation

Critical systems are separated from general systems using network segmentation to minimize the impact of any potential breach.

6.3 VPNs

Secure virtual private networks (VPNs) are used to encrypt traffic and provide secure remote access for employees, contractors, and authorized users working offsite.

7. Vulnerability Management

7.1 Regular Security Audits

  • Circle+ conducts regular security audits and assessments to identify potential vulnerabilities within its systems and infrastructure.
  • Audits include internal assessments, penetration tests, and external security reviews.

7.2 Patching and Updates

  • Critical systems, applications, and software are regularly patched and updated to protect against known vulnerabilities.
  • Automatic updates are enabled for critical components where possible; all other patches are reviewed and tested before deployment to ensure stability.

8. Incident Response and Management

8.1 Incident Detection

  • Circle+ maintains continuous monitoring systems to detect and alert the security team of suspicious activities, intrusions, or unauthorized access attempts.
  • All system logs are retained and reviewed regularly to identify potential security incidents.

8.2 Incident Response Plan

  • Circle+ has a documented incident response plan (IRP) in place to guide the company's actions in the event of a security breach.
  • In the event of a breach, Circle+ will:
    • Immediately assess and contain the incident.
    • Notify affected users or customers as required by law.
    • Investigate the cause of the breach and implement corrective measures.

8.3 Reporting and Notification

  • Security incidents must be reported promptly to the CISO and the Security Team.
  • Circle+ will notify affected customers and regulatory bodies within the time frames required by law if a data breach involving sensitive customer data occurs.

9. Business Continuity and Disaster Recovery

9.1 Business Continuity Plan

Circle+ maintains a business continuity plan to ensure critical services can continue to operate in the event of a disaster or extended outage.

9.2 Disaster Recovery

  • Backups of all critical data are performed regularly and stored securely.
  • In the event of a data loss or system failure, Circle+ can restore services and data from backup within established recovery time objectives (RTOs).

10. Employee Training and Awareness

10.1 Security Training

All Circle+ employees and contractors undergo regular security awareness training to understand the latest security threats and best practices.

10.2 Phishing and Social Engineering

Circle+ regularly conducts phishing and social engineering awareness exercises to ensure that employees are vigilant against potential attacks.

11. Compliance and Regulatory Requirements

11.1 Legal Compliance

Circle+ complies with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other regional privacy regulations.

11.2 Security Frameworks

Circle+ aligns its security practices with recognized industry standards and frameworks such as ISO 27001, the NIST frameworks, and SOC 2.

12. Third-Party Risk Management

12.1 Vendor Security Assessments

Circle+ performs security assessments of all third-party vendors who handle or have access to customer data to ensure they meet our security standards.

12.2 Data Sharing with Third Parties

Circle+ requires third-party vendors who handle customer data to comply with Circle+'s data protection policies and applicable regulations. Vendors must sign data protection agreements (DPAs) that bind them to these obligations.

13. Policy Review and Updates

This Security Policy is subject to periodic review and updates. Circle+ will update this policy as necessary to reflect new security practices, technologies, or legal requirements. Any changes will be communicated to all relevant stakeholders.

Contact Us

If you have any questions about this Security Policy or need further information, please contact us at:

Circle+
Email: info@circleplus.xyz