Information Security Policy

This Information Security Policy describes the administrative, technical, and physical safeguards that Softserve Software LLC (“we,” “our,” or “us”) uses to protect the confidentiality, integrity, and availability of customer data processed by the car storage facility management software and related services (the “Service”).

This policy applies to all Softserve Software LLC personnel, contractors, systems, and third-party providers involved in building, operating, or supporting the Service.

It should be read together with our Access Controls Policy, Privacy Policy, and Terms of Service.

• Confidentiality: prevent unauthorized access to, or disclosure of, customer data.
• Integrity: protect customer data from unauthorized or accidental modification and maintain the accuracy of operational records.
• Availability: provide reliable access to the Service and its data for authorized users.
• Accountability: produce logs and records sufficient to investigate security events.
• Compliance: meet obligations under applicable laws and customer contractual commitments.

• Management owns this policy, approves material changes, and ensures resources are available to implement it.
• Engineering implements and maintains the technical controls described in this policy, including secure coding, deployment, monitoring, and incident response.
• All personnel and contractors are required to comply with this policy and to report suspected security incidents promptly.
• Customers are responsible for managing their own user accounts, protecting their sign-in credentials, and configuring the Service appropriately for their operations.

• In transit: all traffic between end users and the Service is secured with TLS. The application connects to its managed Postgres database over TLS with full certificate verification.
• At rest: customer data stored in our managed database, object storage, and cache layer is encrypted at rest by the underlying providers using industry-standard algorithms.
• Secrets: API keys, database connection strings, and other secrets are stored in the hosting provider's encrypted environment variable store and are scoped per environment.

Access to the Service and to the systems that operate it is managed under our Access Controls Policy. Key principles include least privilege, need-to-know, multi-factor authentication on administrative accounts, named user accounts, and periodic access reviews.

• Source code is maintained in a private repository with access limited to authorized contributors.
• Code changes are reviewed prior to merging into the main branch used for production deployments.
• Deployments to production are performed through an automated CI/CD pipeline; manual ad-hoc changes to production are avoided.
• Dependencies are tracked and updated; known security vulnerabilities reported by automated tooling are triaged and remediated based on severity.
• Sensitive data and secrets are never committed to source control.
• Separate environments (development, preview, production) are maintained, each with its own isolated configuration and credentials.

• The managed Postgres provider performs regular automated backups of the production database, with point-in-time recovery available within the provider's retention window.
• Uploaded files are stored in a managed object storage service that provides durability guarantees consistent with industry norms for cloud object storage.
• Configuration and code necessary to rebuild the Service are stored in source control and in the hosting provider's configuration.
• In the event of a major service disruption, our objective is to restore access to the Service as promptly as the underlying providers' recovery capabilities allow.

• Application logs, request logs, and database logs are retained by the respective providers in accordance with their standard policies.
• Application errors are captured through an error monitoring service and reviewed.
• Authentication events are logged and available for investigation of suspicious activity.

A security incident is any event that compromises, or is reasonably believed to compromise, the confidentiality, integrity, or availability of customer data or the Service.

• Detection: incidents may be identified through monitoring, automated alerts, customer reports, or reports from third-party providers.
• Containment: on confirmation of an incident, we take reasonable steps to contain it, including rotating credentials, revoking access, and isolating affected components.
• Investigation: we determine the scope, root cause, and data affected, using available logs and provider audit trails.
• Notification: where an incident materially affects a customer's data, we will notify the affected customer without undue delay, consistent with applicable law and contractual obligations.
• Remediation: we apply corrective actions and update controls to reduce the likelihood of recurrence.

Suspected security incidents can be reported to us at the email address below.

• We select third-party providers with established security programs and publicly documented compliance credentials where available.
• Data shared with third-party providers is limited to what is necessary to deliver the Service.
• Access credentials to third-party providers are scoped to the minimum capabilities required and are rotated when personnel with access depart.
• A list of key subprocessors is described in our Privacy Policy and is available on request.

• Personnel and contractors with access to customer data or production systems are bound by confidentiality obligations.
• Personnel are expected to use company-managed or otherwise appropriately protected devices when accessing production systems, with disk encryption, screen-lock, and up-to-date operating system patches.
• Personnel are expected to stay current on common security risks including phishing, social engineering, and credential theft.

Any exception to this policy must be approved in writing by Softserve Software LLC management and documented with a justification. Violations of this policy may result in revocation of access, termination of the relationship, and legal action where appropriate.

Questions about this Information Security Policy, or reports of suspected security incidents, can be directed to: