Security Policy

How Sentiva Solutions secures our systems, your data, and our operations.

Last updated: January 1, 2025. Effective: January 1, 2025.

01 Overview

Security is foundational to everything Sentiva Solutions does — not just as a service we provide, but as a commitment we uphold internally. This policy describes how we protect our systems, our team, and the client data entrusted to us.

Found a vulnerability? Report it responsibly to [email protected]. We respond within 48 hours.

02 Access Controls

We strictly control who has access to what, and when:

  • Role-based access control (RBAC) across all internal systems
  • Multi-factor authentication (MFA) required for all Sentiva staff accounts
  • Principle of least privilege — employees only access what they need
  • Client environments accessed only by assigned engineers with explicit authorization
  • Access credentials rotated regularly and revoked immediately upon role change or departure
  • All privileged access logged and reviewed periodically

03 Data Protection

Client data is treated with the highest level of care:

  • All data in transit encrypted using TLS 1.2 or higher
  • Data at rest encrypted using AES-256 or equivalent
  • Client data stored only in systems approved by our security team
  • Data minimization — we collect and retain only what is necessary
  • Client data never used for any purpose beyond delivering agreed services
  • Client data securely deleted within 60 days of contract termination

04 Network Security

Our internal network environment is hardened and continuously monitored:

  • Next-generation firewalls with IDS/IPS at all network perimeters
  • Network segmentation to isolate client environments and internal systems
  • VPN required for all remote access to internal infrastructure
  • DNS filtering and web content inspection to block malicious traffic
  • 24/7 SIEM monitoring with automated alerting for anomalous activity
  • Regular vulnerability scans and penetration testing

05 Endpoint Security

All Sentiva-managed devices are secured to enterprise standards:

  • Next-generation EDR deployed on all devices
  • Full-disk encryption enforced on all laptops and workstations
  • Automated OS and software patch management — critical patches within 72 hours
  • Mobile Device Management (MDM) for all mobile devices used for work
  • Remote wipe capability enabled on all managed devices
  • USB and removable media controls enforced

06 Personnel Security

Our team is a key part of our security posture:

  • Background checks performed on all employees prior to hire
  • Security awareness training required at onboarding and annually thereafter
  • Phishing simulation exercises conducted quarterly
  • All staff sign confidentiality and acceptable use agreements
  • Clear offboarding process ensures all access is revoked immediately upon departure
  • Dedicated security champion program within engineering teams

07 Incident Response

We have a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review:

  • 24/7 monitoring for security events across all managed and internal systems
  • Defined escalation procedures and on-call security staff
  • Clients notified within 24 hours of any confirmed incident affecting their environment
  • Post-incident reports provided to affected clients within 5 business days
  • Annual tabletop exercises to test and improve response procedures
  • Coordination with law enforcement when legally required

08 Vendor Security

We apply the same security standards to our technology vendors and partners:

  • All vendors reviewed for security posture before engagement
  • Vendors with access to client data required to sign data processing agreements
  • Vendor access logged and limited to what is necessary
  • Periodic review of vendor security certifications (SOC 2, ISO 27001)
  • Vendor relationships terminated if security requirements are not met

09 Audits & Compliance

We hold ourselves to rigorous internal and external standards:

  • Annual internal security audits conducted by our security team
  • Periodic third-party penetration tests of our infrastructure
  • Adherence to the NIST Cybersecurity Framework as our internal baseline
  • Experience supporting HIPAA, SOC 2, PCI-DSS, and CMMC compliance
  • This policy reviewed and updated at least annually or after any significant incident

10 Vulnerability Reporting

We welcome responsible disclosure of any security vulnerabilities discovered in our systems or website. Contact us at [email protected] with the subject line "Security Vulnerability Report." We commit to:

  • Acknowledging your report within 48 hours
  • Investigating all credible reports promptly
  • Keeping you informed as we work to resolve the issue
  • Not pursuing legal action against good-faith security researchers

Please do not publicly disclose a vulnerability until we've had the opportunity to address it.