Policies, Security and Compliance

Acceptable Use Policy

1. Purpose

This Acceptable Use Policy (AUP) is designed to protect Valstorm LLC, our employees, and our customers from harm caused by the improper use of our information systems and data. This policy outlines the acceptable and unacceptable use of Valstorm's technology resources.

2. Scope

This policy applies to all employees, contractors, and other authorized users of Valstorm's network, systems, and data.

3. Policy Statements

3.1 General Use and Ownership

  • Valstorm LLC's information systems are to be used for legitimate business purposes.

  • All data stored, processed, or transmitted on Valstorm's systems is the property of the company, with the exception of licensed first-party and third-party software. Customer data, which is stewarded by Valstorm on behalf of the customer, is owned by the customer.

  • Valstorm reserves the right to monitor and audit system usage to ensure compliance with US laws, regulations, and company policies.

3.2 Security and Proprietary Information

  • Users are responsible for the security of their assigned credentials (passwords, access tokens) and must not share them with others.

  • All users must adhere to Valstorm's policies on handling sensitive and confidential information, including customer data governed by HIPAA.

  • Company laptops and mobile devices must be secured against unauthorized access (e.g., with strong passwords or biometrics) and reported immediately if lost or stolen.

3.3 Unacceptable Use

The following activities are strictly prohibited:

  • Introducing malicious software (malware, viruses, spyware) onto the network.

  • Bypassing or attempting to bypass any system security controls.

  • Engaging in any activity that is illegal or violates local, state, or federal law.

  • Storing or transmitting unprotected sensitive data, including Protected Health Information (PHI), on unauthorized devices or services.

  • Using company assets for unauthorized commercial activities, personal financial gain, or any purpose that creates a conflict of interest.

4. Policy Enforcement

Any violation of this policy may result in disciplinary action, up to and including termination of employment or contract, and may also lead to civil or criminal penalties.

Business Continuity and Disaster Recovery (BCDR) Policy

1. Purpose

The purpose of this Business Continuity and Disaster Recovery (BCDR) Policy is to establish a framework that ensures Valstorm LLC can respond to, recover from, and restore critical business operations in the event of a significant disruption. Our primary objectives are to maintain a high level of service availability for our customers, protect company and customer data, and ensure the timely resumption of operations following an incident.

2. Scope

This policy applies to all Valstorm LLC personnel, critical business processes, and the information technology infrastructure and systems that support our SaaS platform.

3. Policy Statements

3.1 Business Impact Analysis (BIA) and Risk Assessment

Valstorm LLC performs a Business Impact Analysis (BIA) to identify critical business functions and the resources that support them. This analysis determines our Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems. We conduct regular risk assessments to identify a broad range of potential threats, including those related to natural disasters, pandemics, cyber-attacks, and critical vendor failures.

3.2 Continuity Strategy: A Cloud-Native Approach

Our continuity strategy is built upon the inherent resilience of our cloud infrastructure provider (e.g., AWS, Google Cloud, Azure). We do not rely on physical data centers. This approach provides robust protection against localized and regional disruptions.

  • Geographic Redundancy: Our production environment is architected across multiple, geographically isolated Availability Zones. In the event of a zone-level failure, traffic is automatically routed to a healthy zone. For critical data, we utilize cross-region replication to protect against a large-scale regional disaster.

  • High Availability and Fault Tolerance: Our platform is designed for high availability using load balancing, auto-scaling groups, and redundant infrastructure components. This ensures that the failure of a single server or component does not impact overall service availability.

  • Data Backup and Recovery: As defined in our Data Backup and Recovery Policy, we perform regular, automated backups of all customer data. These backups are encrypted and stored in a separate, secure location. Recovery procedures are tested regularly to ensure data can be restored effectively within our defined RTO and RPO targets.

3.3 Personnel and Operational Resilience

Valstorm LLC operates as a distributed, remote-first organization. This model ensures that disruptions to a specific building, city, or region do not impact our ability to conduct business, maintain our platform, or provide customer support. Our continuity plan explicitly accounts for events like pandemics or regional disruptions by leveraging secure, remote access for all employees.

3.4 Incident Management and Plan Activation

The BCDR plan is an integral part of our overall Incident Response Plan. A declared disaster or major disruption will trigger the activation of the Incident Response Team (IRT), which is responsible for executing the procedures outlined in this plan to recover and restore services.

3.5 Third-Party Dependency Management

We identify and maintain a list of critical third-party service providers, with our cloud infrastructure provider being the most critical. We actively monitor the status and service health of these vendors. Our BCDR plan includes communication protocols and procedures for managing service disruptions caused by a critical vendor failure.

4. Plan Testing and Maintenance

To ensure the effectiveness of our BCDR plan, we are committed to:

  • Regular Testing: Conducting BCDR tests at least annually. These tests may include tabletop exercises, simulations of failover procedures, and tests of data restoration from backups.

  • Continuous Improvement: Reviewing and updating the BCDR plan and associated documentation annually, or whenever there is a significant change to our infrastructure, business processes, or risk landscape. Lessons learned from tests and actual incidents are incorporated into the plan.

Incident Response Policy

Our incident response process is aligned with the best practices and frameworks established by the National Institute of Standards and Technology (NIST). It follows a continuous lifecycle of preparation, detection and analysis, containment and eradication, recovery, and post-incident review.

The Process

1. Preparation: Building a Strong Defense

Continuous preparation is the foundation of our security posture. This phase includes:

  • Proactive Security Measures: Implementing and regularly updating a suite of security tools and practices, including firewalls, intrusion detection systems, and encryption protocols.

  • Employee Training: Conducting ongoing security awareness training for all employees to recognize and report potential threats.

  • Vulnerability Management: Regularly scanning our systems and applications for vulnerabilities and applying patches in a timely manner.

  • Data Backups: Maintaining secure and regular backups of customer data to ensure a swift recovery process.

2. Detection & Analysis: Identifying and Understanding the Threat

Our security systems are monitored 24/7 for any anomalous activity. When a potential incident is detected, our security team will immediately:

  • Triage and Validate: Assess the nature and severity of the alert to determine if it constitutes a genuine security incident.

  • Analyze the Scope: Investigate the extent of the incident, including the systems, data, and users that may be affected.

  • Classify the Incident: Categorize the incident based on its severity and potential impact to prioritize our response efforts.

3. Containment, Eradication, & Recovery: Taking Decisive Action

Once an incident is confirmed, our primary goal is to contain the threat and minimize its impact. This involves:

  • Containment: Isolating the affected systems to prevent the threat from spreading across our network.

  • Eradication: Identifying and removing the root cause of the incident to eliminate the threat from our environment.

  • Recovery: Restoring affected systems and data from secure backups to normal operation as quickly and safely as possible.

4. Post-Incident Activity: Learning and Improving

Following the resolution of an incident, we conduct a thorough post-mortem analysis to:

  • Identify Lessons Learned: Understand the root cause of the incident and identify areas for improvement in our security posture and response plan.

  • Enhance Security Measures: Implement any necessary changes to our systems, policies, and procedures to prevent similar incidents in the future.

  • Transparent Communication: Provide a clear and transparent summary of the incident to affected customers, outlining the steps taken to resolve it and the measures implemented to enhance future security.

Roles and Responsibilities

We have a dedicated Incident Response Team (IRT) composed of cross-functional members from our security, engineering, legal, and communications departments. Each member has clearly defined roles and responsibilities to ensure a coordinated and efficient response.

Communication Plan

In the event of a security incident that impacts our customers, we are committed to providing timely, transparent, and accurate information. Our communication plan includes:

  • Initial Notification: Promptly informing affected customers of the incident and the immediate steps we are taking.

  • Regular Updates: Providing ongoing updates on the status of our investigation and remediation efforts.

  • Post-Incident Report: Sharing a detailed report after the incident is resolved, outlining the cause, impact, and our corrective actions.

This plan serves as a foundational commitment to our users. We are continuously working to enhance our security measures and ensure the safety and integrity of our platform.

Information Security Policy

Purpose and Scope

This policy outlines Valstorm LLC's commitment to protecting the confidentiality, integrity, and availability of our and our customers' information assets. The scope of this policy applies to all Valstorm employees, contractors, and systems involved in the processing, storing, and transmission of data. Our objective is to safeguard our information systems from security threats, whether internal or external, deliberate or accidental.

Guiding Principles

Our security program is built upon the following core principles:

  • Data Governance: We classify data based on its sensitivity to ensure that it receives the appropriate level of protection. All customer data is treated as confidential.

  • Principle of Least Privilege: Access to information and systems is granted on a "need-to-know" basis, limited to the minimum required for individuals to perform their job functions.

  • Defense in Depth: We implement multiple layers of security controls—technical, administrative, and physical—to protect our assets, ensuring that a failure in one control does not compromise the entire system.

  • Third-Party Security Management: We conduct due diligence on all third-party vendors and partners to ensure they meet our security standards before being granted access to our data or systems.

  • Secure Development Lifecycle: Security is integrated into every phase of our software development process, from design and coding to testing and deployment, to minimize vulnerabilities in our platform.

  • Continuous Improvement: We are committed to regularly reviewing and improving our security policies, controls, and procedures to adapt to the evolving threat landscape.

Policy Enforcement

All employees and contractors are required to acknowledge and adhere to this Information Security Policy and all supporting procedures. Violations of this policy may result in disciplinary action, up to and including termination of employment or contract.

Risk Management and Assessment

1. Purpose

At Valstorm LLC, we take a proactive approach to security through a formal risk management program. The purpose of our risk assessment process is to systematically identify, analyze, and evaluate potential threats to our platform and our customers' data. This allows us to prioritize and implement appropriate security controls to mitigate risks to an acceptable level.

2. Risk Assessment Process

Our risk management lifecycle is a continuous process designed to adapt to new technologies and the evolving threat landscape. It includes the following key stages:

  • Risk Identification: We regularly identify potential security risks from a variety of sources. This includes conducting threat modeling, performing vulnerability scans, reviewing internal security audits, and analyzing security incidents.

  • Risk Analysis: Once a risk is identified, we analyze it to determine its potential likelihood and impact. This helps us understand the severity of each risk and its potential consequences for data confidentiality, integrity, and service availability.

  • Risk Evaluation & Treatment: Based on the analysis, we evaluate each risk against our predefined risk tolerance criteria. We then determine the most appropriate treatment strategy, which may include:

    • Mitigate: Applying security controls to reduce the likelihood or impact of the risk.

    • Transfer: Shifting the risk to a third party, such as through insurance or outsourcing.

    • Accept: Formally accepting the risk if it falls within our defined tolerance levels.

    • Avoid: Discontinuing the activity or process that gives rise to the risk.

  • Monitoring and Review: Risk management is an ongoing activity. We continuously monitor our security controls and conduct periodic reviews of our risk assessments to ensure their continued effectiveness and relevance. Assessments are performed at least annually or whenever there is a significant change to our environment, such as the introduction of new technology or a change in data processing activities.

Vendor and Third-Party Risk Management

1. Purpose

Valstorm LLC recognizes that our vendors, suppliers, and third-party partners are an extension of our operations. Our Vendor and Third-Party Risk Management policy ensures that these partners meet our security and compliance standards before they are entrusted with any company or customer data. The goal is to minimize the risks associated with sharing information and relying on external services.

2. Vendor Management Lifecycle

We manage third-party risk through a structured lifecycle approach:

  • Due Diligence and Onboarding: Before entering into any new agreement, we conduct a thorough security review of the potential vendor. This process includes evaluating their security policies, controls, and compliance certifications to ensure they align with our requirements.

  • Contractual Security Requirements: All contracts with third parties who handle our data include specific security obligations. These legally binding agreements mandate that vendors adhere to strict confidentiality, data protection, and incident notification requirements.

  • Ongoing Monitoring: Our responsibility doesn't end after a contract is signed. We perform periodic reviews of our critical vendors to ensure their security posture remains effective over time. This helps us verify their ongoing compliance with our standards.

  • Secure Offboarding: When a relationship with a vendor ends, we follow a formal offboarding process to ensure all access to Valstorm systems and data is revoked in a timely manner and that any retained data is securely returned or destroyed according to our policies.

Security

Valstorm LLC is committed to ensuring the security of your data. We employ a variety of security measures to protect your information from unauthorized access, use, or disclosure. Our security practices include:

  • Data Encryption: All sensitive data is encrypted both in transit and at rest using industry-standard encryption protocols.

  • Access Controls: We implement strict access controls to ensure that only authorized personnel have access to your data.

  • Regular Audits: We conduct regular security audits and vulnerability assessments to identify and mitigate potential risks.

  • Compliance: We comply with relevant data protection regulations and standards, including GDPR, CCPA, and HIPAA where applicable.

  • Employee Training: Our employees undergo regular training on data security best practices and policies.

Access Controls

Valstorm has three levels of access control:

  1. RBAC (Role-Based Access Control) - This is the first layer, controlling Create, Read, Update, and Delete (CRUD) access to data on objects. This is done through Profiles and Permission Sets.

  2. Role Hierarchy - This is the second layer to control access to data. This is done through the Role Hierarchy. Users at higher roles can see data owned by users at lower roles. Teams can also specify whether or not they share data with their team.

  3. Sharing - This is the third layer to control access to data. Users can provide access to specific records to other users or groups of users. This is done through manual sharing or automated sharing.
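The three layers above compose in a fixed order, and the point a reviewer of such a model checks first is that the object-level CRUD permission acts as a ceiling: ownership, the role hierarchy and sharing only decide which records a user reaches, never which operations they may perform. The following Python model is an added illustration of that composition and is not Valstorm's code; the profiles, permission sets, roles, users, records, the per-object switch for hierarchy access and the "read"/"edit" share levels are all constructed assumptions.

```python
"""Three-layer record access check, in the order the page lists them:
object-level CRUD (profile plus permission sets), role hierarchy, explicit
sharing. Illustrative model added to this page, not Valstorm's own code; every
profile, role, user, record and share below is constructed for the example."""
from dataclasses import dataclass

# Layer 1: object-level CRUD. A profile gives the base set of operations per
# object type; permission sets are additive and can only widen it.
PROFILES = {
    "standard": {"Account": {"read", "create"}, "Case": {"read", "create", "update"}},
    "readonly": {"Account": {"read"}, "Case": {"read"}},
}
PERMISSION_SETS = {"account_editor": {"Account": {"update"}}}

# Layer 2: role hierarchy, child role -> parent role (None at the top).
ROLE_PARENT = {"ceo": None, "vp_sales": "ceo", "rep": "vp_sales", "support": "ceo"}
# Assumed per-object switch for whether the hierarchy grants access at all
# (the page's "teams can specify whether they share data with their team").
GRANT_VIA_HIERARCHY = {"Account": True, "Case": False}

# Layer 3: explicit sharing. record id -> {user or group name: "read" | "edit"}.
GROUPS = {"support_team": {"dana"}}
SHARES = {"acct-1": {"carol": "read"}, "case-2": {"support_team": "read"}}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    profile: str
    permission_sets: tuple = ()


@dataclass(frozen=True)
class Record:
    id: str
    object_type: str
    owner: str


# Constructed sample users and records.
USERS = {
    "alice": User("alice", "rep", "standard"),
    "bob": User("bob", "vp_sales", "standard", ("account_editor",)),
    "carol": User("carol", "rep", "readonly"),
    "dana": User("dana", "support", "standard"),
}
RECORDS = {
    "acct-1": Record("acct-1", "Account", "alice"),
    "case-2": Record("case-2", "Case", "alice"),
}


def object_permissions(user: User, object_type: str) -> set:
    """Layer 1: union of the profile's and the permission sets' CRUD for the object."""
    perms = set(PROFILES[user.profile].get(object_type, set()))
    for ps in user.permission_sets:
        perms |= PERMISSION_SETS.get(ps, {}).get(object_type, set())
    return perms


def role_is_above(role: str, other: str) -> bool:
    """Layer 2: True if `role` is a strict ancestor of `other` in the hierarchy."""
    seen = set()
    parent = ROLE_PARENT.get(other)
    while parent is not None and parent not in seen:  # `seen` guards a cyclic config
        if parent == role:
            return True
        seen.add(parent)
        parent = ROLE_PARENT.get(parent)
    return False


def sharing_allows(user: User, record: Record, op: str) -> bool:
    """Layer 3: access granted by a share to the user or to a group they belong to.
    A share's level caps what it grants; it never grants delete in this model."""
    levels = {
        level
        for grantee, level in SHARES.get(record.id, {}).items()
        if grantee == user.name or user.name in GROUPS.get(grantee, set())
    }
    if op == "read":
        return bool(levels)
    if op == "update":
        return "edit" in levels
    return False


def can_access(user: User, record: Record, op: str) -> bool:
    """Evaluate the layers in order. Layer 1 is a ceiling: without the object-level
    permission, neither ownership, hierarchy nor sharing can let the operation through."""
    if op not in object_permissions(user, record.object_type):
        return False
    if record.owner == user.name:
        return True
    owner = USERS[record.owner]
    if GRANT_VIA_HIERARCHY.get(record.object_type, False) and role_is_above(user.role, owner.role):
        return True
    return sharing_allows(user, record, op)


if __name__ == "__main__":
    for who, rec, op in [("bob", "acct-1", "update"), ("bob", "acct-1", "delete"),
                         ("carol", "acct-1", "read"), ("dana", "case-2", "update"),
                         ("bob", "case-2", "read"), ("alice", "acct-1", "delete")]:
        print(f"{who:6} {op:6} {rec}: {can_access(USERS[who], RECORDS[rec], op)}")
```

Two of the sample outcomes are the ones worth auditing in a real deployment: the record owner cannot delete her own Account because her profile never granted delete, and the support engineer who receives a group share on a Case can read it but not update it, because the share level, not his profile, is what caps the second layer's grant.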

Data Backup and Recovery

We perform regular backups of your data to ensure that it can be restored in the event of data loss or corruption. Our backup processes are designed to minimize downtime and ensure data integrity. Your data will be backed up weekly unless you have a packaged offering that includes daily backups. Contact sales for more information.

Our Commitment to Security

We prioritize the security of our customers' data and our platform. Our Incident Response Plan is designed to be a comprehensive and agile framework that allows us to effectively identify, contain, and remediate security incidents while maintaining clear and transparent communication with our users.

Sensitive Data Handling Policy

1. Purpose

Valstorm LLC is committed to protecting the confidentiality and integrity of all sensitive data entrusted to us. This policy outlines the required procedures and controls for handling sensitive data throughout its entire lifecycle, from collection to disposal, to prevent unauthorized access, use, or disclosure.

2. Definition of Sensitive Data

For the purposes of this policy, sensitive data includes, but is not limited to:

  • Personally Identifiable Information (PII): Names, email addresses, physical addresses, phone numbers, IP addresses, or any other data that can be used to identify an individual.

  • Protected Health Information (PHI): Any health-related information that is subject to HIPAA regulations.

  • Financial Information: Credit card numbers, bank account details, and payment history.

  • Authentication Credentials: Passwords, API keys, and access tokens.

  • Proprietary Customer Data: Any business-critical data that a customer uploads to our service.

All of these data types are marked at the Schema/Object level in our database to ensure they are treated with the appropriate level of security.

3. Data Handling Lifecycle

We apply strict security controls at every stage of the data lifecycle:

  • Collection: We practice data minimization, ensuring we only collect sensitive data that is strictly necessary to provide our services.

  • Transit: All sensitive data transmitted between our customers and our platform, or between our internal systems, is encrypted using strong, industry-standard protocols such as TLS (Transport Layer Security).

  • Storage (At Rest): Sensitive data stored on our servers, databases, and backups is encrypted using robust encryption standards like AES-256.

  • Processing (In Use): We enforce the Principle of Least Privilege. Access to sensitive data in our production environment is restricted to authorized personnel who have a legitimate business need. We maintain detailed audit logs of all access to sensitive data.

  • Destruction: When sensitive data is no longer required for legitimate business or legal purposes, it is securely and permanently destroyed in accordance with our Data Retention Policy.

4. Employee Training

All employees who handle sensitive data as part of their job responsibilities are required to complete regular data security and privacy training. This ensures they are aware of their responsibilities and are equipped to protect customer data effectively.
