Security and Privacy
SOC II Compliant
Security and privacy at Allium
Introduction
Allium is committed to protecting the confidentiality, integrity, and availability of data in our possession. This security policy outlines the measures and guidelines we follow to ensure the security of our data assets, information systems, and infrastructure. All employees, contractors, and third-party partners are expected to comply with this policy to maintain a secure environment for our data.
Information Classification
Data Classification
All data within Allium is classified based on its sensitivity and criticality. The following classification levels are defined:
a. Highly Sensitive: Data that, if disclosed, could result in significant harm to individuals or the company, or a violation of legal or regulatory requirements.
b. Sensitive: Data that requires protection due to privacy or business considerations.
c. Internal Use: Data that is intended for internal use only and has no specific privacy or business sensitivity.
d. Public: Data that can be freely disclosed without any restrictions.
Data Handling
Data handling procedures are followed based on the data's classification:
a. Highly Sensitive and Sensitive Data:
- Access is limited to authorized personnel.
- Encryption is used for data in transit and at rest.
- Data is securely stored and transmitted.
- Data is regularly backed up and tested for restoration.
- Data is securely disposed of when no longer needed.
b. Internal Use Data:
- Access is limited to employees with a legitimate need.
- Encryption is used for data in transit and at rest when appropriate.
- Data is stored and transmitted securely.
c. Public Data:
- Access can be granted to the general public without restrictions.
- Protection mechanisms are implemented to prevent unauthorized modifications.
Access Control
User Access Management
Access to information systems and data is granted on a need-to-know basis, following the principle of least privilege. The following practices are implemented:
a. User accounts are created for individual employees and tied to their unique identities.
b. Access privileges are granted based on job responsibilities.
c. User access is promptly revoked or modified upon employee termination, transfer, or change in responsibilities.
d. Strong passwords are enforced, and multi-factor authentication (MFA) is utilized for critical systems and privileged accounts.
e. Regular audits and reviews of user access rights are conducted to ensure compliance.
Remote Access
Remote access to company systems is governed by the following guidelines:
a. Remote access is granted based on business requirements and user needs.
b. Secure connections, such as virtual private networks (VPNs), are used for remote access.
c. All remote access sessions are logged and monitored for suspicious activities.
Network and Infrastructure Security
Network Security
Allium maintains a secure network environment by implementing the following measures:
a. Firewalls and intrusion prevention systems (IPS) are in place to protect the network from unauthorized access and malicious activities.
b. Network traffic is monitored for anomalies and security events.
c. Wireless networks are secured with strong encryption and access controls.
d. Regular vulnerability assessments and penetration testing are performed to identify and address security weaknesses.
System and Application Security
Systems and applications are secured by adhering to the following practices:
a. Regular patch management is implemented to ensure systems and applications are up to date with security patches.
b. Antivirus and anti-malware software are installed and regularly updated on all systems.
c. Secure configurations and hardening guidelines are followed for all systems and applications.
d. Secure coding practices are followed during application development to minimize vulnerabilities.
Incident Response and Reporting
Allium has an incident response plan in place to address security incidents promptly and effectively. The following procedures are followed:
a. All employees are aware of the incident reporting process and promptly report any security incidents or suspected breaches.
b. Incidents are documented, investigated, and escalated as appropriate.
c. Remediation actions are taken to mitigate the impact of the incident and prevent future occurrences.
d. Lessons learned from security incidents are documented and used to improve security controls and processes.
Security Awareness and Training
Allium provides security awareness and training programs to employees, contractors, and third-party partners. The training covers the following areas:
a. Information security policies and procedures.
b. Data classification and handling.
c. Password management and best practices.
d. Social engineering and phishing awareness.
e. Reporting security incidents.
Compliance and Auditing
Allium complies with all applicable laws, regulations, and industry standards. Regular security audits and assessments are conducted to evaluate the effectiveness of security controls and identify areas for improvement.
Policy Review and Updates
This security policy is reviewed periodically and updated as necessary to reflect changes in the organization, technology, and regulatory landscape. All employees are notified of policy updates and trained accordingly.
By adhering to this security policy, Allium aims to protect its data assets, ensure the privacy of individuals, and maintain the trust of its customers and stakeholders.