Policies & Procedures

Disciplinary Process:

We have a disciplinary process for non-compliance with information security policy, and employees are informed of the consequences.

Employee Termination:

An employee termination process is in place.

Security Baselines:

We have documented information security baselines for infrastructure components.

Data Retention:

We have a Data Retention and Disposal Policy, ensuring compliance with legal, statutory, and regulatory requirements.

Policy Reviews:

Privacy and security policies are reviewed annually and approved by management.

Encryption Policies:

We have implemented a Data Encryption Policy.

SLAs:

Policies and procedures maintain accurate and relevant SLAs between providers and customers.

Media Handling:

We have implemented media handling procedures, including secure storage and destruction policies.

Information Security Policies:

Written information security policies are reviewed annually and approved by senior management.

Password Management:

A documented password management policy is in place.

Access Control:

Access to sensitive data systems is restricted based on need and approval, with a documented access control policy.

Software Development Lifecycle:

Our SDLC focuses on security, with code reviews for secure coding principles.

Third-Party Risk Management:

A documented third-party risk management program oversees subcontractors and service providers.

Incident Management:

An incident management response team is in place with defined roles and responsibilities.

Two-Factor Authentication:

Two-factor authentication is implemented for critical applications.

Team Segregation:

Development teams are segregated from the production environment.

SDLC Procedure:

We follow defined rules and guidelines for secure software development and systems.

Media Labeling:

Media protection procedures are implemented.

Business Continuity Plan (BCP):

BCP policies are in place, covering people, processes, and systems, and are tested annually.

Password Security:

Password security controls are deployed across application, OS, database, and network layers.

Change Management:

A documented change management process covers all changes to the production environment.

Asset Classification:

An asset classification policy is in place and maintains a mapping to the information classification policy.

Mobile Computing Security:

Policies address the risks of mobile computing, including physical protection, access controls, cryptographic techniques, backup, and virus protection.

Acceptable Use Policy:

A documented Acceptable Use Policy outlines the usage of information assets.

Information Security Responsibilities:

Roles and responsibilities for information security are defined and communicated to all employees.

Access to Customer Data:

Access is restricted to authorized employees only, managed via an access control policy.

Incident Response Plan:

An incident response plan ensures effective management of information security incidents.

Password Hashing:

Passwords are hashed using SHA-512 with unique salts.

Change Control Procedures:

Change control procedures are in place to maintain program source code and associated items.

Contingency Planning:

A documented contingency plan for information systems is in place, reviewed and tested annually.

External File Sharing:

Controls over external file sharing are enforced.

Security Incident Management:

A computer security incident response team (CSIRT) handles security incidents in line with customer requirements.

Information Classification:

A formal information classification policy categorizes sensitive data appropriately.

Risk Management:

A Risk Management Framework addresses identification, measurement, and mitigation of potential risks.

Facility Security:

Policies and procedures document repairs and modifications to physical components related to security.

Data Backup:

Data backups are performed daily in a secured manner on AWS.

Data Purging:

A Data Retention and Disposal Policy ensures secure data purging.

Business Continuity:

Policies ensure service availability during extreme situations like power outages or natural disasters.

Security Incident Reporting:

Our incident management framework includes identifying, managing, and communicating security incidents.

Cybersecurity Policy:

A cybersecurity policy and standards are defined, approved, and implemented.

For further details or specific policy documents, please contact us at support@filtroo.co.

Scope and Application of Policies

All actions, decisions, and procedures outlined in the company’s contracts and policies, as well as the enforcement of terms and conditions, will be the exclusive responsibility of Filtroo Estonia. Filtroo Estonia is the sole entity authorized to implement and oversee all measures detailed in these documents, ensuring adherence to relevant laws and regulations. The entity in the USA will not be involved in or held accountable for any of the activities or obligations set forth in these contracts and policies.

By engaging with our services, users acknowledge and agree that Filtroo Estonia will be solely responsible for managing all aspects of their interaction with the company's services, including data management, customer support, and the application of contractual terms.