Carbide Security Portal

Overview
This page provides an overview of Carbide's security program. For any security-related questions that haven't been addressed on this page, please email us at security@carbidesecure.com.
Solution Security

Data Encrypted in Transit

Customer Data Removal

We have a process to remove customer data governed under our Privacy policy. Customers may deny or withdraw consent by sending an email to privacy@carbidesecure.com.

Data Encrypted at Rest

Human Resources

Human Resource Policy

We have a Human Resources policy which defines human resources requirements at each stage of employment and engagement as it relates to information security and data privacy. This policy includes the requirements at onboarding, during employment or independent contractor engagements, and upon change of role or termination.
Risk Management

Approved Risk Management Program

Our Risk Management program is governed under our Risk Assessment policy.

Privacy Risk Assessment

Risk assessments are conducted at least annually. Additionally, when significant changes occur, a risk assessment is performed to assess the impact those changes have on privacy and organizational risk.

Vendor Management Review

We have a Vendor Management policy which governs the key objectives of vendor management and vendor risk management.
Privacy

GDPR Compliance

We have implemented the necessary controls to meet GDPR requirements.

Personally Identifiable Information (PII)

Our Privacy Notice describes how customer data is managed. Customers may review the Privacy Notice at https://carbidesecure.com/privacy-notice/.
Operations Management

Backups

System backups are performed automatically on a regular basis. Full backups must be kept for at least 90 days to ensure that there is a known good state, free from infection, should a system need to be restored.
Asset and Data Management

Asset Management Policy

We have an Asset Management policy which outlines safeguarding measures for our assets.

Data Classification

We have a Data Classification policy which defines our data classification levels. These levels determine who has permission to access our data and under what conditions.
Incident Event and Communications Management

Formal Incident Response Plan

An incident response plan has been implemented so that we are prepared to respond immediately to a security incident.
Application Security

Change Control Documentation

We have a Software Change Management policy which ensures that changes to all software we create are minimally disruptive to services. It applies to all development and production environments.

Software Development Lifecycle

Threat Management

Anti-Malware Policy

Our Endpoint Hardening policy includes information on antivirus and anti-malware requirements.

Internal Vulnerability Scanning

We conduct monthly vulnerability scans using approved third-party tools to identify improper configurations, known vulnerabilities, unpatched systems, and other potential vulnerabilities.

External Vulnerability Scanning

We conduct external penetration testing annually using a third-party provider.

Penetration Testing

We conduct penetration tests on an annual basis using a third-party tester.

Vulnerability Management Process

We have a Vulnerability Management policy which documents vulnerability management processes and appropriate tools for conducting vulnerability assessments of identified critical systems.
Business Resiliency

Business Continuity Plan

We have an Availability Management policy which outlines our Business Continuity Planning and Testing processes. These plans are reviewed and revised to reflect any changes to roles, responsibilities or core business functions and the systems that support them.
Security Policy

Information Security Policy

We have an Information Governance policy which provides an overview of our privacy and security mission and objectives, and highlights the key roles and responsibilities within the organization as they relate to data privacy and information security. This policy ensures that the information security and privacy program has structure, consistency, and buy-in at the highest level of the organization. It also articulates the team structure as it relates to information security and data privacy.

Policy Review Cadence

Our Information Security & Privacy policies are reviewed annually.
Certifications

GDPR

completed 07/07/2021

SOC 2

completed 11/02/2021
