# Lightward InfoSec and Privacy Policies

**Scope:** Applies to Locksmith, Mechanic, and any other Lightward service that processes customer personal data.

## IT Governance & Policy Oversight

**Applies to:** All Lightward services and operations

**Purpose:** Ensure information security practices align with Lightward’s overall strategy of delivering secure, reliable SaaS services.

**Scope:** Covers all staff and contractors working on Lightward services.

**Practices:** Policies are created and reviewed so that they reflect current operations. They are communicated to staff and contractors during onboarding and again whenever they change.

***

## Privacy & Incident Response Program

**Applies to:** All Lightward services and systems that handle personal data

**Purpose:** Define how Lightward collects, protects, and responds to incidents involving personal data.

**Practices:** Data minimization, encryption in transit and at rest, staff awareness training, and documented incident response procedures. Suspected incidents are reported to <security@lightward.com>; where notification is required, affected customers are notified within 72 hours.

***

## Data Protection Policy

**Purpose:** Ensure data is collected, stored, and processed securely.

**Practices:** Encrypt data in transit and at rest, restrict administrative access, revoke access promptly upon termination, retain data only as long as needed, and require vendors to maintain equivalent protections.

***

## Records Retention Policy

**Purpose:** Define retention of electronic and paper records.

**Practices:** Retain data only as long as necessary for service delivery. Customer data may be deleted upon request. Email and logs are retained according to operational needs.

***

## Access Control Policy

**Purpose:** Ensure access is restricted to authorized individuals.

**Practices:** Unique accounts for all staff, least privilege access, MFA on critical systems, prompt revocation upon staff departure.

***

## Acceptable Use Policy

**Applies to:** All staff and contractors using Lightward systems and data

**Purpose:** Set expectations for responsible use of Lightward systems, accounts, and data.

**Scope:** Covers all internal systems (Google Workspace, GitHub, Fly.io, Shopify Partner, etc.), devices used for Lightward work, and any customer data accessed in the course of providing services.

**Practices:**

* Keep accounts and devices secure, including use of MFA.
* Report suspected incidents immediately to <security@lightward.com>.

***

## Password & Authentication Policy

**Purpose:** Define password and authentication standards.

**Practices:** Passwords must be kept confidential and be unique per account, with complexity requirements enforced by the systems themselves. MFA is required for critical systems. Single Sign-On is used where available (Google Workspace).

***

## Device & Endpoint Security Policy

**Purpose:** Protect staff devices that access Lightward systems.

**Practices:** Devices are kept updated.

***

## Patch & Vulnerability Management Policy

**Purpose:** Ensure timely updates to systems and software.

**Practices:** Endpoints and dependencies are patched as updates become available. Dependencies are scanned regularly with GitHub Dependabot, and source code with CodeQL.

***

## Monitoring & Event Review Policy

**Purpose:** Detect and respond to abnormal events.

**Practices:** Application and system events are monitored with tools such as Rollbar and New Relic. Alerts are reviewed to identify potential incidents, and logs are retained to support investigation.

***

## Development Practices Overview

**Purpose:** Outline software development security practices.

**Practices:** Source code is managed in GitHub, with separate development, staging, and production environments. Repository access is restricted to authorized staff. Dependencies are updated regularly, and code is scanned automatically with CodeQL and other GitHub tooling.

***

## Business Resilience Policy

**Purpose:** Maintain availability of services.

**Practices:** Services are hosted on AWS and Fly.io with redundancy. Backups and recovery plans ensure that services can be restored. Operational risks are discussed as they arise, with mitigations implemented as needed.

***

## Web Server Security Configuration Policy

**Purpose:** Define standards for hosted web applications.

**Practices:** All traffic is encrypted with TLS. Hosting is managed on Fly.io with hardened configurations, and patches are applied as the platform provides them. Administrative access requires MFA.

***

## Public Privacy Policy

**Purpose:** Provide transparency to customers on how Lightward handles personal data.

**Practices:** Lightward’s external privacy policy is published publicly and available to all customers.

URL: <https://lightward.inc/privacy-policy>

***
---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.lightward.guide/privacy-and-security/lightward-infosec-and-privacy-policies.md?ask=<question>
```

The question should be specific, self-contained, written in natural language, and URL-encoded as a query parameter value.
The response contains a direct answer to the question together with relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
