Vendo Legal

Information Security & Data Protection Policy

Last Updated:March 10, 2024

1. Introduction

Vendo is committed to ensuring the security, confidentiality, integrity, and availability of all information and data assets within our control. This Information Security and Data Protection Policy establishes the framework for protecting Vendo's information and data assets, including those belonging to our customers, partners, and employees.

2. Purpose

The purpose of this policy is to:

  • Define the principles and requirements for information security and data protection at Vendo
  • Establish a framework for protecting our information and data assets from unauthorized access, disclosure, modification, or destruction
  • Ensure compliance with applicable legal, regulatory, and contractual requirements
  • Define roles and responsibilities for information security and data protection within the organization

3. Scope

This policy applies to:

  • All employees, contractors, consultants, temporary workers, and other personnel affiliated with Vendo
  • All information and data assets, regardless of format or medium, that are created, collected, processed, stored, transmitted, or otherwise managed by Vendo
  • All information systems, applications, networks, and infrastructure owned, operated, or managed by Vendo, including those hosted in third-party environments
  • All business processes and activities conducted by or on behalf of Vendo

4. Policy Statement

Vendo is committed to implementing and maintaining an effective information security and data protection program that:

  • Protects the confidentiality, integrity, and availability of our information and data assets
  • Complies with all applicable legal, regulatory, and contractual requirements
  • Aligns with industry best practices and standards
  • Supports our business objectives and enhances customer trust
  • Continuously improves through regular assessment and adaptation

5. Principles

Vendo's information security and data protection program is guided by the following principles:

  • Risk-based approach: Security controls and resources are allocated based on risk assessment and risk management
  • Defense in depth: Multiple layers of security controls are implemented to protect our information and data assets
  • Least privilege: Access to information and systems is limited to what is necessary for individuals to perform their job functions
  • Separation of duties: Critical functions are divided among different individuals to prevent conflicts of interest and reduce the risk of fraud or abuse
  • Security by design: Security and privacy requirements are integrated into the design and development of our systems and processes
  • Privacy by design: Privacy principles are embedded into the design and operation of our systems, processes, and business practices

6. Roles and Responsibilities

6.1 Board of Directors and Executive Management

  • Provide oversight and governance for the information security and data protection program
  • Approve information security and data protection policies
  • Ensure adequate resources are allocated to the information security and data protection program

6.2 Chief Information Security Officer (CISO)

  • Develop, implement, and maintain the information security and data protection program
  • Monitor compliance with this policy and related standards, procedures, and guidelines
  • Report on the status and effectiveness of the information security and data protection program to executive management and the Board of Directors
  • Coordinate information security and data protection initiatives across the organization

6.3 Data Protection Officer (DPO)

  • Monitor compliance with data protection laws and regulations
  • Provide advice and guidance on data protection matters
  • Serve as the point of contact for data protection authorities and data subjects
  • Coordinate data protection impact assessments

6.4 Information Technology (IT) Department

  • Implement and maintain technical security controls
  • Monitor systems and networks for security events and incidents
  • Respond to and remediate security incidents under the direction of the CISO
  • Manage access to information systems and applications

6.5 Department Managers

  • Ensure that their staff understand and comply with this policy and related standards, procedures, and guidelines
  • Identify and report security and privacy risks within their areas of responsibility
  • Implement appropriate security and privacy controls for their business processes and activities

6.6 All Personnel

  • Understand and comply with this policy and related standards, procedures, and guidelines
  • Report security incidents, vulnerabilities, or concerns promptly
  • Protect information and data assets within their control
  • Complete required security and privacy training

7. Key Security Controls

7.1 Access Control

Vendo implements access control measures to ensure that:

  • Access to information and systems is granted based on the principle of least privilege
  • Access rights are regularly reviewed and updated
  • Strong authentication mechanisms are used to verify user identities
  • Access privileges are promptly removed or modified when personnel roles change or upon termination

7.2 Network Security

Vendo implements network security measures to protect our networks from unauthorized access and attacks, including:

  • Firewalls and intrusion detection/prevention systems
  • Network segmentation
  • Encryption for data in transit
  • Regular vulnerability scanning and penetration testing
  • Secure remote access solutions

7.3 System Security

Vendo implements system security measures to protect our systems and applications, including:

  • Regular security patching and updates
  • Hardening of systems according to industry standards
  • Anti-malware solutions
  • Secure configuration management
  • Secure development practices

7.4 Data Protection

Vendo implements data protection measures to safeguard our data assets, including:

  • Data classification based on sensitivity and criticality
  • Encryption for sensitive data at rest and in transit
  • Secure data storage and handling procedures
  • Data backup and recovery solutions
  • Secure data disposal methods

7.5 Physical Security

Vendo implements physical security measures to protect our facilities, equipment, and physical information assets, including:

  • Access control systems for our facilities
  • Surveillance systems
  • Environmental controls for data centers and server rooms
  • Secure disposal of physical media

7.6 Incident Management

Vendo implements incident management procedures to:

  • Detect and respond to security incidents promptly
  • Investigate and remediate security incidents effectively
  • Communicate with affected parties as required
  • Learn from incidents to improve our security posture

7.7 Business Continuity and Disaster Recovery

Vendo implements business continuity and disaster recovery measures to:

  • Ensure the continuity of critical business operations during disruptions
  • Recover systems and data in a timely manner following a disaster or major incident
  • Minimize the impact of disruptions on our customers and business operations

8. Compliance

8.1 Legal and Regulatory Compliance

Vendo complies with all applicable laws, regulations, and standards related to information security and data protection, including but not limited to:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Health Insurance Portability and Accountability Act (HIPAA), if applicable
  • Payment Card Industry Data Security Standard (PCI DSS), if applicable
  • Other applicable industry-specific regulations and standards

8.2 Contractual Compliance

Vendo complies with all contractual obligations related to information security and data protection in our agreements with customers, partners, vendors, and other third parties.

8.3 Policy Compliance

All personnel are required to comply with this policy and related standards, procedures, and guidelines. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.

9. Training and Awareness

Vendo provides information security and data protection training and awareness programs to:

  • Ensure that all personnel understand their responsibilities for information security and data protection
  • Raise awareness of security threats and best practices
  • Provide role-specific training for personnel with specialized security responsibilities
  • Promote a culture of security and privacy throughout the organization

10. Monitoring and Review

Vendo monitors and reviews our information security and data protection program to:

  • Assess the effectiveness of our security controls
  • Identify and address security vulnerabilities and weaknesses
  • Ensure compliance with this policy and related standards, procedures, and guidelines
  • Identify opportunities for improvement

This policy will be reviewed annually, or more frequently if significant changes occur in our business, technology environment, or regulatory requirements. Updates to the policy will be communicated to all personnel.

11. Exceptions

Exceptions to this policy may be granted only in extraordinary circumstances and must be approved by the CISO and documented. All exceptions will be reviewed periodically to determine if they are still necessary or if alternative controls can be implemented.