Security Practices (Information Security Policy)

Describes the technical and organizational measures we take to keep customer data secure.

Owner: Nick Tomic

Updated: May 2025


1. Purpose

This policy ensures the confidentiality, integrity, and availability of information processed by Face2Face (F2F) and shared with our customers, partners, or vendors. Security is applied at all information processing stages to support operational and strategic goals.


2. Scope

This policy applies to all information managed by F2F, whether handled by full-time employees, contractors, partners, or third-party services. Anyone accessing F2F devices, data, or services is bound by this policy.


3. Policies

This document forms the foundation of F2F’s security practices and governs all related documents, including but not limited to:

  • Access Control Policy
  • Acceptable Use Policy
  • Data Retention & Backup Policy
  • Encryption Policy
  • Secure Software Development Lifecycle
  • Vendor Management Policy
  • Incident Response Plan
  • Risk Assessment & Vulnerability Management Policies

3.1 Policy Review

All security policies are reviewed annually, or after a major change in F2F’s infrastructure or risk profile. Reviews are approved by the CEO or designated security officer.


3.2 Policy Accessibility

Policies are accessible to all team members in F2F’s Notion handbook. Role-relevant policies must be acknowledged annually.


4. Responsibilities

All Users:

  • Follow policy guidelines
  • Report risks or incidents
  • Maintain basic security hygiene (e.g., locked screens, secure devices)
  • Participate in security training

Admins & Engineers:

  • Implement required system controls
  • Monitor logs and vulnerabilities

Security Team (or assigned lead):

  • Develop policy and provide training
  • Lead risk assessments and vendor reviews
  • Respond to incidents and report status to leadership

Executive Management:

  • Approve policy and risk decisions
  • Provide resources for implementation

5. Information Handling

All non-public information requires need-to-know access and approval from the information owner. Sharing or handling of data must align with classification guidelines.

5.1 Classification

Classification | Description
Public         | Safe to share broadly
Internal       | F2F-only; minor impact if exposed
Confidential   | Sensitive; external sharing requires approval
Restricted     | High-risk if exposed; legal, financial, or brand impact possible

5.2 Labeling

Documents must include a classification label. If no label is present, the document is treated as Internal by default.

5.3 Destruction

Sensitive documents must be shredded or digitally wiped. Devices must be factory reset and data encrypted before disposal.

5.4 Acceptable Use

  • Enforce SSO (e.g., Google Login); MFA mandatory where SSO is unavailable
  • Install only trusted apps from approved sources
  • Keep software updated
  • Do not disable antivirus or encryption
  • Lock screens and avoid public exposure

5.5 Media Handling

Do not transfer data to unauthorized USB drives or cloud apps. Avoid printing sensitive information.

5.6 Return of Assets

Return all F2F devices upon contract termination.

5.7 Asset Retirement

Devices are leased or evaluated every 36 months. Secure erase is mandatory before reuse or disposal.


6. Operational Security

6.1 Malware Protection

  • Devices must use antivirus or EDR solutions
  • Monitor threats via centralized alerting
  • Follow incident response plan for recovery

6.2 Backups

Critical services (e.g., databases, internal systems) must follow a documented backup schedule.

6.3 Logging & Monitoring

System logs must be secured and reviewed periodically to detect misuse or intrusions.

6.4 Vulnerability Management

Patch critical vulnerabilities promptly. Report and track via ticketing or security platform.

6.5 Incident Management

All incidents are handled via our Incident Response Plan, with clearly assigned roles. When customer data is impacted, we commit to notifying the customer within 48 hours, consistent with our Data Processing Agreement (DPA) and GDPR obligations.

6.6 Password Policy

  • Passwords ≥15 characters
  • No reused credentials
  • No use of names, birthdays, etc.
  • Change defaults on any SaaS or hardware immediately

6.7 Access Management

Access is granted based on least privilege and revoked upon role changes or departure.

6.8 Mobile Device Policy

Company-owned phones must support remote wipe. Devices with sensitive access are enrolled in MDM when applicable.


7. Information Security Training

All F2F team members receive annual training through Notion, video calls, and Slack updates. Ad-hoc alerts are issued for emerging threats.


8. Communications Security

  • Internal networks use firewalls and secure Wi-Fi
  • TLS required for all web services
  • Public hotspots discouraged; use a VPN if unavoidable

9. Physical Security

9.1 Entry Controls

F2F operates remote-first. For any physical offices or WeWork spaces:

  • Access is keycard controlled
  • Guests must be escorted
  • Lost keys are deactivated immediately

9.2 Identification

Team members are known by name and video call presence. Unknown individuals in shared spaces must be reported.

9.3 Deliveries

New devices must be inspected for signs of tampering on arrival; anything suspicious must be reported.


10. System Development & Maintenance

Code is developed using secure practices:

  • GitHub with protected branches
  • PR review required
  • No hard-coded secrets; use environment variables
  • Vendor reviews performed before onboarding tools

11. Cryptography

  • All data at rest must be encrypted
  • TLS for all network communications
  • Encryption keys managed securely per the encryption policy

12. Business Continuity Management

F2F maintains a lean Business Continuity Plan. Key systems (like Stripe, Google Cloud, and Notion) are backed by SLA-covered providers. Backup and failover strategies are regularly tested.


13. Compliance

F2F ensures compliance with applicable laws (e.g., GDPR) and customer requirements. Records are maintained for all security audits and vendor assessments. We maintain and regularly review an authorized subprocessors list, available to customers as part of our Data Processing Agreement (DPA).


Revision History

Version | Date       | Editor     | Notes
1.0     | 2025-02-14 | Nick Tomic | Initial issue of the Security Policy

Contact

If you have any questions regarding our Information Security Policy, please contact:

Nick Tomic

Privacy Lead, Face2Face

📩 privacy@face2face.io

Last updated on August 16, 2021