
Information Security Policy

Introduction

This Information Security Policy outlines the security measures and practices implemented by Stable Payments Inc. ("Autospend") to protect the confidentiality, integrity, and availability of information and systems.

Scope

This policy applies to:

  • All Autospend employees, contractors, and third-party service providers
  • All information systems, networks, and data owned or managed by Autospend
  • All customer and transaction data processed through our platform

Information Security Objectives

  • Confidentiality: Ensure that information is accessible only to authorized individuals
  • Integrity: Maintain the accuracy and completeness of information
  • Availability: Ensure that authorized users have access to information when needed
  • Compliance: Meet all applicable legal and regulatory requirements

Data Classification

Highly Confidential

  • Customer personal identification information (PII)
  • Financial account information
  • Cryptographic keys and wallet credentials
  • Authentication credentials

Confidential

  • Transaction records
  • Business contracts and agreements
  • Internal operational data

Internal Use

  • Internal communications
  • Non-sensitive business documents

Public

  • Marketing materials
  • Public website content

Access Control

User Access Management

  • Access is granted based on the principle of least privilege
  • User accounts are created only after proper authorization
  • Access rights are reviewed quarterly
  • Terminated employee access is revoked immediately

Authentication

  • Multi-factor authentication (MFA) is required for all system access
  • Strong password policies are enforced
  • Session timeouts are implemented
  • Failed login attempts are monitored and limited

Data Protection

Encryption

  • Data in Transit: All data transmitted over networks is encrypted using TLS 1.3 or higher
  • Data at Rest: Sensitive data stored in databases and file systems is encrypted using AES-256
  • Cryptographic Keys: Keys are stored in hardware security modules (HSMs) or secure key management systems

Data Backup and Recovery

  • Automated backups are performed daily
  • Backups are encrypted and stored in geographically distributed locations
  • Backup restoration procedures are tested quarterly
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

Network Security

  • Firewalls protect all network perimeters
  • Intrusion detection and prevention systems (IDS/IPS) are deployed
  • Network segmentation isolates sensitive systems
  • Vulnerability scanning and penetration testing are performed regularly
  • DDoS protection mechanisms are in place

Application Security

  • Secure software development lifecycle (SDLC) practices are followed
  • Code is reviewed and security tested before deployment
  • Security updates and patches are applied regularly
  • Web application firewalls (WAF) protect public-facing applications
  • API security controls including rate limiting and authentication

Incident Response

Incident Detection

  • 24/7 security monitoring and alerting
  • Security Information and Event Management (SIEM) system
  • Automated threat detection

Incident Response Process

  • Identification: Detect and confirm security incidents
  • Containment: Isolate affected systems to prevent spread
  • Eradication: Remove the threat from the environment
  • Recovery: Restore systems to normal operation
  • Lessons Learned: Document and improve security measures

Notification

In the event of a data breach affecting customer information:

  • Affected customers will be notified within 72 hours
  • Regulatory authorities will be notified as required by law
  • Incident details and remediation steps will be communicated

Third-Party Security

  • All third-party service providers undergo security assessments
  • Contracts include security and confidentiality requirements
  • Regular audits of third-party security controls
  • Data processing agreements are in place where required

Physical Security

  • Data centers have 24/7 physical security and access controls
  • Biometric authentication for data center access
  • Video surveillance and security personnel
  • Environmental controls (fire suppression, climate control)

Employee Security

Training and Awareness

  • Annual security awareness training for all employees
  • Specialized training for technical staff
  • Regular security updates and communications
  • Phishing simulation exercises

Background Checks

  • Background checks conducted for all employees with access to sensitive data
  • Confidentiality and non-disclosure agreements signed by all staff

Compliance and Auditing

  • Regular internal security audits
  • Annual third-party security assessments
  • PCI DSS compliance, SOC 2 attestation, and adherence to other relevant standards
  • Security logs retained for a minimum of 1 year

Policy Review and Updates

This Information Security Policy is reviewed and updated annually or when significant changes occur to:

  • Technology infrastructure
  • Regulatory requirements
  • Threat landscape
  • Business operations

Reporting Security Concerns

If you discover a security vulnerability or have concerns about our security practices, please report them immediately to: [email protected]

Contact Information

For questions about this policy, contact us at: [email protected]