Information Security Policy

Effective date: 2026-05-02
Last reviewed: 2026-05-02
Policy owner: Engineering Management (Security Program Owner)

Purpose

This Information Security Policy explains Appcircle's approach to protecting information and the systems that create, process, transmit, or store it. It establishes the core security principles and governance expectations used to maintain the confidentiality, integrity, and availability of information.

Scope

This policy applies to:

  • Appcircle's workforce (employees, contractors, and temporary staff) and anyone granted access to Appcircle information or systems.
  • Appcircle-operated environments and services, including corporate IT systems, cloud infrastructure, and product services.
  • Third parties that process Appcircle or customer information on our behalf, as defined by contract and applicable law.

Key definitions

  • Confidentiality: Information is accessible only to authorized individuals or systems.
  • Integrity: Information is accurate, complete, and protected from unauthorized modification.
  • Availability: Authorized users can access information and systems when needed.
  • Sensitive data: High-impact information (e.g., credentials, cryptographic keys, or other restricted data) requiring stronger controls.

Policy principles

Appcircle's security program is guided by the following principles:

  • Risk-based security: Security controls are selected and prioritized based on risk.
  • Least privilege & need-to-know: Access is granted only to what is necessary and reviewed periodically.
  • Defense in depth: Multiple layers of security reduce the impact of single-control failures.
  • Secure by design: Security is integrated into system design, software delivery, and operations.
  • Segregation of environments: Development/testing environments are separated from production where feasible.
  • Monitoring and accountability: Security-relevant activity is logged and monitored to support detection and investigation.
  • Data protection by default: Strong controls (including encryption where appropriate) protect data in transit and at rest.

Roles and responsibilities

  • Engineering Management (Policy Owner): Owns this policy and ensures it is reviewed, updated, and communicated.
  • Engineering / Platform / Operations: Implements and operates security controls; monitors for issues; triages and responds to security concerns.
  • All personnel: Understands and follows this policy and related standards; promptly reports suspected security incidents.

Security control domains

Appcircle maintains security controls across the following domains. Detailed requirements are defined in supporting policies, standards, and procedures.

Access control

  • Access to systems and data is controlled using identity-based access management.
  • Administrative access is restricted and monitored.
  • Account provisioning and deprovisioning follow documented processes.

Asset management

  • Information assets are identified and managed throughout their lifecycle.
  • Ownership is assigned for key systems and datasets where appropriate.
  • Assets are classified to determine appropriate handling and protection.

Data protection & privacy

  • Data handling follows defined classification and handling rules.
  • Customer and personal information is protected in accordance with contractual and legal obligations.
  • Data retention and secure deletion follow defined requirements.

Cryptography and key management

  • Cryptography is used to protect sensitive information where appropriate (e.g., in transit and at rest).
  • Encryption keys and secrets are managed to reduce the risk of disclosure or misuse.

Secure development and change management

  • Software changes follow controlled development practices (e.g., code review and tested deployment processes).
  • Security considerations are incorporated into the software development lifecycle.
  • Changes to production systems are managed through a controlled change process.

Logging and monitoring

  • Security-relevant events are logged to support detection, investigation, and compliance needs.
  • Monitoring supports timely identification of suspicious or harmful activity.

Vulnerability management

  • Vulnerabilities are identified, assessed, prioritized, and remediated based on risk.
  • Critical updates and patches are addressed with urgency appropriate to the risk.

Incident response

  • Security incidents are handled using a documented incident response process.
  • Incidents are tracked, investigated, remediated, and reviewed to reduce the likelihood of recurrence.

Business continuity, backup, and disaster recovery

  • Backups and continuity measures are designed to support service resilience and recovery.
  • Recovery processes are tested periodically where appropriate.

Vendor and third-party security

  • Third parties are assessed and managed based on risk.
  • Contracts may include security requirements relevant to access, data handling, and incident notification.

Physical security

  • Physical access to facilities and systems is managed to reduce the risk of unauthorized access or loss.

Security objectives and continuous improvement

Appcircle sets measurable security objectives to drive continuous improvement. Examples may include:

  • Timely review of privileged access and other critical permissions.
  • Regular control assessments and evidence collection to demonstrate control operation.
  • Improved detection and response times for security events and incidents.
  • Verification of backup and recovery capability through periodic testing.

Note: This public policy describes Appcircle's high-level security posture. Detailed internal standards and procedures (including specific retention periods, patch timelines, and technical configurations) are maintained separately and may be shared under appropriate agreements when required.

Exceptions

Exceptions to this policy or supporting standards must be:

  • Documented with justification, scope, duration, and compensating controls.
  • Approved by the policy owner (or an authorized delegate).
  • Reviewed before expiry and retired when no longer required.

Reporting security concerns

Personnel must report suspected security incidents or weaknesses promptly through approved internal channels.

For external vulnerability reports, Appcircle may maintain a Responsible Disclosure process as described in the Responsible Disclosure Policy.

Policy review and updates

This policy is reviewed at least annually and when significant business, technology, or regulatory changes occur.

Supporting policies and plans

This policy is supported by topic-specific policies, standards, and plans, including:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity Plan
  • Change Management Policy
  • Code of Conduct
  • Data Classification Policy
  • Data Protection Policy
  • Data Retention Policy
  • Disaster Recovery Plan
  • Employee Background Check Policy
  • Encryption Policy
  • Incident Response Plan
  • Logging and Monitoring Policy
  • Password Policy
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle (SDLC) Policy
  • System Access Control Policy
  • Vendor Management Policy
  • Vulnerability Management Policy