careCycle Information Security Policy
Last Updated: April 5, 2025
1. Introduction
1.1 Purpose
This Information Security Policy outlines the measures and practices careCycle (Nodable Labs, Inc.) implements to protect all information assets, including our own and those of our clients. It aims to ensure the confidentiality, integrity, and availability of information across all our operations and services.
1.2 Scope
This policy applies to all employees, contractors, systems, networks, and data involved in Nodable's operations and service delivery.
2. Information Classification
All information assets shall be classified according to their sensitivity and criticality:
- Public
- Internal Use Only
- Confidential
- Highly Confidential (including client PII and sensitive data)
3. Access Control
3.1 Least Privilege Principle: Access rights will be granted based on the principle of least privilege.
3.2 Authentication: Multi-factor authentication is required for all system access.
3.3 Access Review: Regular reviews of access rights will be conducted to ensure appropriate access levels.
4. Data Protection
4.1 Encryption: All sensitive data must be encrypted both in transit and at rest.
4.2 Data Handling: Procedures for secure handling, storage, and transmission of data will be established and followed.
4.3 Data Retention: Data will be retained only as long as necessary for business purposes or as required by law.
5. Network Security
5.1 Firewalls: Next-generation firewalls will be implemented and regularly updated.
5.2 Segmentation: Network segmentation will be used to isolate sensitive systems and data.
5.3 Monitoring: Continuous monitoring of network traffic for suspicious activities will be conducted.
6. System Security
6.1 Patching: All systems will be kept up to date with the latest security patches.
6.2 Hardening: Systems will be hardened according to industry best practices.
6.3 Antivirus: All systems will have up-to-date antivirus and anti-malware protection.
7. Application Security
7.1 Secure Development: Secure coding practices will be followed in all software development.
7.2 Testing: Regular security testing, including penetration testing, will be conducted on all applications.
7.3 Third-party Applications: All third-party applications will undergo security assessment before implementation.
8. Physical Security
8.1 Access Controls: Physical access to data centers and offices will be restricted and monitored.
8.2 Environmental Controls: Appropriate environmental controls will be implemented to protect against physical threats.
9. Human Resources Security
9.1 Background Checks: All employees and contractors will undergo background checks.
9.2 Training: Regular security awareness training will be provided to all staff.
9.3 Acceptable Use: An Acceptable Use Policy will be maintained and enforced.
10. Incident Management
10.1 Response Plan: An Incident Response Plan will be maintained and regularly tested.
10.2 Reporting: All security incidents must be reported immediately to the Information Security team.
11. Business Continuity and Disaster Recovery
11.1 BC/DR Plan: A comprehensive Business Continuity and Disaster Recovery plan will be maintained and tested regularly.
12. Compliance
12.1 Regulatory Compliance: Nodable will comply with all relevant data protection and privacy regulations (HIPAA, GDPR, CCPA, etc.).
12.2 Audits: Regular internal and external audits will be conducted to ensure compliance with this policy and relevant standards.
13. Third-party Risk Management
13.1 Assessment: All third-party vendors will undergo security assessment before engagement.
13.2 Contracts: Security requirements will be included in all vendor contracts.
14. Policy Review and Update
This policy will be reviewed annually and updated as necessary to reflect changes in technology, business practices, and regulatory requirements.
15. Enforcement
Violations of this policy may result in disciplinary action, up to and including termination of employment or contract.
16. Contact
For questions or concerns about this policy, please contact the Information Security team at privacy@careCycle.ai.