Security Policies

Effective Date: January 1, 2025

Personnel Policy

Reference Checks

As part of its hiring process, Netzilo does not perform criminal background checks, but does employ a reference check process for prospective employment candidates prior to or within 30 days of their hire date.

Security Awareness Training

All employees must complete Netzilo's information security awareness training as part of their initial onboarding and thereafter, while still under contract, on an annual basis.

Performance Reviews

All full-time employees must complete an annual Performance Review, the results of which are signed and dated by both the employee and their manager, and uploaded to the employee's personnel file in the HR system.

Risk Assessment Policy

Netzilo reviews risks on a regular basis, to ensure proper mitigations are in place.

Scope

This policy covers any risk that could affect confidentiality, availability, and integrity of Netzilo's key information assets and systems.

Risk assessments can be conducted on any information system, including applications, servers, and networks, and on any process or procedure by which these systems are administered and/or maintained.

Risk Assessment

The Security Review Team is responsible for completing periodic information security risk assessments for the purpose of determining areas of vulnerability, and to identify and initiate appropriate remediations.

A risk register should include:

  • Identification of the risk
  • What mitigations have been put in place
  • Acceptance of the residual risk

The execution, development and implementation of remediation programs are the joint responsibility of the Security Review Team. Employees are expected to cooperate fully with any risk assessment being conducted on systems for which they are held accountable. Employees are further expected to work with the Security Review Team in the development and implementation of a remediation plan.

Schedule

Risks should be evaluated on an annual basis.

Information Classification Policy

To understand its potential exposure from a security risk, issue or incident, Netzilo regularly catalogues and classifies its data and other in-scope assets, in order to apply risk-based controls.

Assets are anything that has value to the organization, including but not limited to, customer data, production data, financial data, intellectual property, and any material non-public information.

Asset Cataloging

Netzilo catalogues assets with several pieces of information, to help identify the potential risk of the asset. Information collected is as follows:

  • Description - what is the asset?
  • Risk - what is the asset risk classification?
  • Use - how is this asset used?
  • Location - where is it stored, used, and backed up?
  • Sharing - is it shared with any third parties, such as vendors? Which specific third parties?

If new data is catalogued, or data use changes, it should be specifically reviewed to verify that its collection and use are in line with Netzilo's Privacy Policy.

Asset Risk Classification

Netzilo classifies assets into three risk categories:

  • Low Risk - assets with minimal impact if compromised
  • Medium Risk - assets with moderate impact if compromised
  • High Risk - assets with significant impact if compromised

Note: When multiple classifications may apply, the highest applicable classification is used. For example, if a machine is low-risk by itself, but can be used to access high-risk data, its overall classification is also high-risk.

Schedule

Netzilo should review the data it collects and processes, and update the data register, quarterly.

Third Party Vendor Review Policy

Netzilo reviews vendor security practices before contracting, and on a regular basis, to ensure vendors properly handle Netzilo's customer data, confidential data, and other data.

Scope

This policy only applies to vendors or contractors handling Netzilo or its customers' data.

Schedule

Vendors' security practices should be initially evaluated as part of their contract review, and while still in use, on an annual basis.

Contractors must read and acknowledge Netzilo's security policies as part of their onboarding. Contractors must complete Netzilo's information security training as part of their onboarding and thereafter, while still under contract, on an annual basis.

Vendor Assessment

As part of vendor evaluation and contracting, vendors' security practices should be reviewed to ensure they sufficiently protect Netzilo's and its customers' data.

The requirements for a vendor may change based on the risk classification of the assets they are handling (see the Information Classification Policy), such as sensitive data or access to production resources, and may change during a contract if a vendor's scope or responsibilities change.

Netzilo will:

  1. Ask vendors for their SOC 2 Type II or Type I report for an overview of their current security practices. If a SOC 2 report does not exist, or where insufficient information is provided, Netzilo will ask the vendor to complete the VSAQ (Vendor Security Assessment Questionnaire).
  2. Review the vendor's responses and compare these to Netzilo's security policies to identify any gaps where the vendor may have weaker policies.
  3. For each notable gap or where insufficient information is provided, Netzilo can: ask the vendor to make a change or provide additional information, implement a mitigating control, or accept the risk. These should be documented in the risk register.

Netzilo will document vendor information, to help in case of a potential incident. This information includes:

  • Vendor name - Which vendor?
  • Vendor contact information - How do we contact the vendor? List different contacts for billing, support, and/or security where they apply.
  • Type of data shared - What types of data from Netzilo does the vendor collect or otherwise have access to?
  • Terms of Service for services provided by the vendor
  • Security report or questionnaire shared by the vendor

Contact Information

If you have any questions about these Security Policies, please contact us:

Netzilo, Inc.

Email: legal@netzilo.com

Address: 166 Geary Str STE 1500, San Francisco, CA, 94108

Phone: +1 (415) 985-2636