# Lightward InfoSec and Privacy Policies

**Scope:** Applies to Locksmith, Mechanic, and other Lightward services that process customer personal data.

## IT Governance & Policy Oversight

**Applies to:** All Lightward services and operations

**Purpose:** Ensure information security practices align with Lightward’s overall strategy of delivering secure, reliable SaaS services.

**Scope:** Covers all staff and contractors working on Lightward services.

**Practices:** Policies are created and reviewed to reflect current operations. Policies are communicated during onboarding and when changes occur.

***

## Privacy & Incident Response Program

**Applies to:** All Lightward services and systems that handle personal data

**Purpose:** Define how Lightward collects, protects, and responds to incidents involving personal data.

**Practices:** Data minimization, encryption in transit and at rest, staff awareness training, and documented incident response procedures. Incidents are reported to <security@lightward.com>, and affected customers are notified within 72 hours where notification is required.

***

## Data Protection Policy

**Purpose:** Ensure data is collected, stored, and processed securely.

**Practices:** Encrypt data in transit and at rest, restrict administrative access, promptly revoke access upon termination, retain data only as long as needed, and require vendors to maintain equivalent protections.

***

## Records Retention Policy

**Purpose:** Define retention of electronic and paper records.

**Practices:** Retain data only as long as necessary for service delivery. Customer data may be deleted upon request. Email and logs are retained according to operational need.

***

## Access Control Policy

**Purpose:** Ensure access is restricted to authorized individuals.

**Practices:** Unique accounts for all staff, least privilege access, MFA on critical systems, prompt revocation upon staff departure.

***

## Acceptable Use Policy

**Applies to:** All staff and contractors using Lightward systems and data

**Purpose:** Set expectations for responsible use of Lightward systems, accounts, and data.

**Scope:** Covers all internal systems (Google Workspace, GitHub, Fly.io, Shopify Partner, etc.), devices used for Lightward work, and any customer data accessed in the course of providing services.

**Practices:**

* Keep accounts and devices secure, including use of MFA.
* Report suspected incidents immediately to <security@lightward.com>.

***

## Password & Authentication Policy

**Purpose:** Define password and authentication standards.

**Practices:** Passwords must be kept confidential and unique per account, with complexity requirements enforced by the systems themselves. MFA is required for critical systems. Single Sign-On is used where available (Google Workspace).

***

## Device & Endpoint Security Policy

**Purpose:** Protect staff devices that access Lightward systems.

**Practices:** Devices are kept updated.

***

## Patch & Vulnerability Management Policy

**Purpose:** Ensure timely updates to systems and software.

**Practices:** Endpoints and dependencies are patched when updates become available. Dependencies are scanned regularly with tools such as GitHub Dependabot and CodeQL.

***

## Monitoring & Event Review Policy

**Purpose:** Detect and respond to abnormal events.

**Practices:** Application and system events are monitored using tools such as Rollbar and New Relic. Alerts are reviewed to identify potential incidents. Logs are retained to support investigation.

***

## Development Practices Overview

**Purpose:** Outline software development security practices.

**Practices:** Source code is managed in GitHub, with separate development, staging, and production environments. Access is restricted to authorized staff. Dependencies are updated regularly. Automated scanning is performed with CodeQL and GitHub tools.

***

## Business Resilience Policy

**Purpose:** Maintain availability of services.

**Practices:** Services are hosted on AWS and Fly.io with redundancy. Backups and recovery plans ensure services can be restored. Operational risks are discussed as they arise, with mitigations implemented as needed.

***

## Web Server Security Configuration Policy

**Purpose:** Define standards for hosted web applications.

**Practices:** All traffic is encrypted via TLS. Hosting is managed on Fly.io with hardened configurations. Patches are applied as provided by the platform. Administrative access requires MFA.

***

## Public Privacy Policy

**Purpose:** Provide transparency to customers on how Lightward handles personal data.

**Practices:** Lightward’s external privacy policy is published publicly and available to all customers.

URL: <https://lightward.inc/privacy-policy>

***
