In this document we will refer to the corporation ‘Get Phil Inc.’ as ‘Phil’ for brevity.
1. Introduction
Purpose:
The purpose of this security policy is to establish a culture of security and trust within Phil, ensuring the protection of all company and client data against unauthorized access, disclosure, alteration, and destruction.
Scope:
This policy applies to all information technology systems, data, network devices, software applications, operating environments, and physical locations owned or operated by Phil.
Audience:
This policy is applicable to all Phil employees, contractors, and third-party service providers with access to Phil systems and data.
2. Policy Overview
Goals:
The primary goals of this security policy are to protect the confidentiality, integrity, and availability of data; to ensure business continuity; and to comply with legal and regulatory obligations.
Guiding Principles:
Phil commits to maintaining the highest standards of information security, regular security assessments, adherence to best practices, and a continuous improvement approach to our security posture.
3. Organizational Security
Roles and Responsibilities:
- Chief Technology Officer (CTO): Oversees the company's information security program.
- Engineering Team: Implements security measures, monitors security systems, and responds to security incidents.
- Employees: Responsible for adhering to the security policy and procedures.
Security Training and Awareness:
All employees are required to attend periodic information security meetings covering how company and client information is secured and how it must be handled.
4. Physical Security
Access Controls:
Our office space at 100 Liberty St, Toronto is monitored 24/7 by CCTV and on-site security. Doors require personalized keycards. Access to sensitive infrastructure is restricted to authorized personnel. On-site IT oversees network security 24/7.
Monitoring:
All sensitive areas are monitored through user action logging and alerting.
5. Network Security
Firewalls and Intrusion Detection Systems:
All major infrastructure is hosted on Google Cloud and benefits from its security products (see https://cloud.google.com/trust-center/security?hl=en). Under the cloud shared-responsibility model, Phil remains responsible for configuring the firewall rules, logging, and alerting applied to its own projects.
Secure Configuration:
All infrastructure is configured following industry best practices, with strong password policies and regular security patching.
Encryption:
Data at rest is encrypted with AES-256. Data in transit is protected with TLS; AES-256 is a block cipher and by itself does not secure a network connection, so the transport protocol, not the cipher, is the relevant control here.
6. Access Control
Internal User Authentication and Authorization:
Two-factor authentication and role-based access control are enforced for all internal system access. All passwords must be at least 20 characters long and be generated by the company password manager.
Customer Authentication and Authorization:
Customers authenticate via passwordless login tied to their existing email account, so the security of a customer account depends on the security of that email account. Two access levels are currently provided, "admin" and "basic": admins can edit and manage the content of basic users.
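The following is an added illustration of the controls an email-based passwordless login with the two access levels above needs: short token lifetime, single use, storing only a hash of the token, and an admin/basic check for managing another user's content. It is example code written for this document, not Phil's implementation; the class name, the 15-minute lifetime and the sample addresses are assumptions.

```python
import hashlib
import secrets
import time

# Assumed values for this example; the real deployment sets its own.
TOKEN_TTL_SECONDS = 15 * 60      # sign-in tokens should expire quickly
ROLES = ("admin", "basic")       # the two access levels in the policy


def _fingerprint(token: str) -> str:
    """Store only a hash of the token so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordlessAuth:
    """Minimal email-token login plus the admin/basic content rule (example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._users = {}             # email -> role
        self._pending = {}           # token fingerprint -> (email, expires_at)

    def register(self, email: str, role: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self._users[email.lower()] = role

    def issue_token(self, email: str):
        """Create a single-use sign-in token to be delivered to `email`.

        Returns None for unknown addresses; the HTTP layer must still answer
        identically so the endpoint does not reveal which emails are registered.
        """
        email = email.lower()
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)            # 256 bits from the CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[_fingerprint(token)] = (email, expires_at)
        return token                                 # sent by email, never stored raw

    def redeem(self, token: str):
        """Exchange a token for the authenticated email, or None if invalid."""
        entry = self._pending.pop(_fingerprint(token), None)   # pop => single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None                              # expired tokens are consumed too
        return email

    def role_of(self, email: str) -> str:
        return self._users[email.lower()]

    def can_manage_content(self, actor: str, owner: str) -> bool:
        """Admins may edit basic users' content; everyone may edit their own."""
        actor, owner = actor.lower(), owner.lower()
        if actor == owner:
            return True
        return self.role_of(actor) == "admin" and self.role_of(owner) == "basic"


if __name__ == "__main__":
    # Constructed sample accounts for a quick demonstration.
    auth = PasswordlessAuth()
    auth.register("alice@example.com", "admin")
    auth.register("bob@example.com", "basic")
    token = auth.issue_token("bob@example.com")
    print("first redeem :", auth.redeem(token))    # bob@example.com
    print("second redeem:", auth.redeem(token))    # None (single use)
    print("admin edits basic:", auth.can_manage_content("alice@example.com", "bob@example.com"))
```

Because the account is only as strong as the mailbox it is tied to, the token lifetime and single-use property are what limit the damage from a forwarded or intercepted sign-in email.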
Account Management:
The IT department manages user accounts, ensuring timely provisioning and deprovisioning of access rights.
7. Data Protection
Data Classification:
Data is classified into three categories: Public, Internal Use, and Confidential, with specific handling requirements for each.
Data Handling and Storage:
Data is stored in Google Cloud in secure, encrypted databases and file systems, with access limited based on data classification.
Payment Information Handling:
All payment-related data is stored and handled by our third-party vendor, Stripe, so card data does not pass through Phil's own systems. Stripe's security documentation is available here: https://stripe.com/docs/security
8. Incident Response and Recovery
Incident Response Plan:
An internal incident response plan is available upon request from the engineering team.
Disaster Recovery:
Critical data is backed up daily, with backups stored in a separate cloud instance.
9. Compliance and Audits
Regulatory Compliance:
Phil complies with GDPR and other relevant data protection regulations.
Audits and Assessments:
Annual internal security audits are conducted to ensure compliance and identify areas for improvement.
10. Policy Review and Update
Review Cycle:
This security policy is reviewed and updated annually or in response to significant changes in the threat landscape or business operations.
Change Management:
Changes to the security policy are reviewed by the Engineering team and approved by the CTO.
11. Acknowledgment of Receipt and Understanding
Sign-off:
All employees, contractors, and third-party providers must sign an acknowledgment form confirming that they have received, read, and understood the Get Phil Inc. Security Policy.