Lightward InfoSec and Privacy Policies
Scope: Applies to Locksmith, Mechanic, and other services processing customer personal data.
IT Governance & Policy Oversight
Applies to: All Lightward services and operations
Purpose: Ensure information security practices align with Lightward’s overall strategy of delivering secure, reliable SaaS services.
Scope: Covers all staff and contractors working on Lightward services.
Practices: Policies are created and reviewed to reflect current operations. Policies are communicated during onboarding and when changes occur.
Privacy & Incident Response Program
Applies to: All Lightward services and systems that handle personal data
Purpose: Define how Lightward collects, protects, and responds to incidents involving personal data.
Practices: Data minimization, encryption in transit and at rest, staff awareness training, and incident response procedures. Incidents are reported to [email protected] and customers notified within 72 hours if required.
Data Protection Policy
Purpose: Ensure data is collected, stored, and processed securely.
Practices: Encrypt data in transit and at rest, restrict admin access, promptly revoke access upon termination, retain data only as long as needed, and require vendors to maintain equivalent protections.
Records Retention Policy
Purpose: Define retention of electronic and paper records.
Practices: Retain data only as long as necessary for service delivery. Customer data may be deleted upon request. Email and logs retained according to operational needs.
Access Control Policy
Purpose: Ensure access is restricted to authorized individuals.
Practices: Unique accounts for all staff, least privilege access, MFA on critical systems, prompt revocation upon staff departure.
Acceptable Use Policy
Applies to: All staff and contractors using Lightward systems and data
Purpose: Set expectations for responsible use of Lightward systems, accounts, and data.
Scope: Covers all internal systems (Google Workspace, GitHub, Fly.io, Shopify Partner, etc.), devices used for Lightward work, and any customer data accessed in the course of providing services.
Practices:
Keep accounts and devices secure, including use of MFA.
Report suspected incidents immediately to [email protected].
Password & Authentication Policy
Purpose: Define password and authentication standards.
Practices: Passwords must be confidential, unique per account, with complexity enforced by systems. MFA required for critical systems. Single Sign-On is supported where available (Google Workspace).
Device & Endpoint Security Policy
Purpose: Protect staff devices that access Lightward systems.
Practices: Devices are kept updated.
Patch & Vulnerability Management Policy
Purpose: Ensure timely updates to systems and software.
Practices: Endpoints and dependencies are patched when updates are available. Dependencies scanned regularly with tools such as GitHub Dependabot and CodeQL.
Monitoring & Event Review Policy
Purpose: Detect and respond to abnormal events.
Practices: Application and system events are monitored using tools like Rollbar and New Relic. Alerts are reviewed to identify potential incidents. Logs retained to support investigation.
Development Practices Overview
Purpose: Outline software development security practices.
Practices: Source code managed in GitHub, with separate development, staging, and production environments. Access restricted to authorized staff. Dependencies updated regularly. Automated scanning with CodeQL and GitHub tools.
Business Resilience Policy
Purpose: Maintain availability of services.
Practices: Services hosted in AWS/Fly.io with redundancy. Backups and recovery plans ensure services can be restored. Operational risks discussed as they arise, with mitigations implemented as needed.
Web Server Security Configuration Policy
Purpose: Define standards for hosted web applications.
Practices: All traffic encrypted via TLS. Hosting managed on Fly.io with hardened configurations. Patches applied as provided by the platform. Administrative access requires MFA.
Public Privacy Policy
Purpose: Provide transparency to customers on how Lightward handles personal data.
Practices: Lightward’s external privacy policy is published publicly and available to all customers.
URL: https://lightward.inc/privacy-policy