Information Security Policy

1. Policy Overview

CapEngage's Information Security Policy establishes the framework for protecting the confidentiality, integrity, and availability of information assets. This policy applies to all employees, contractors, and third parties with access to CapEngage systems.

Our security program is aligned with ISO 27001, NIST Cybersecurity Framework, and SOC 2 requirements.

2. Security Principles

Confidentiality: Protecting information from unauthorized access
Integrity: Maintaining accuracy and completeness of data
Availability: Ensuring reliable access to systems and data
Accountability: Clear ownership and responsibility for security
Continuous Improvement: Regular review and enhancement of security measures

3. Data Classification

Classification	Description	Controls
Public	Information intended for public disclosure	Standard controls
Internal	Internal company information	Employee access only
Confidential	Customer data, proprietary information	Restricted access, encryption
Restricted	Highly sensitive data (encryption keys, secrets)	Strict access controls, HSM storage

4. Access Control

4.1 Authentication

Multi-factor authentication (MFA) for all access
Strong password policies (minimum 12 characters, complexity requirements)
Single Sign-On (SSO) with SAML/OIDC for enterprise customers
Session timeout after 30 minutes of inactivity
Regular password rotation (90 days for privileged accounts)

4.2 Authorization

Role-based access control (RBAC) with principle of least privilege
Separation of duties for sensitive operations
Regular access reviews (quarterly for privileged access)
Just-in-time access for administrative functions
Access logging and monitoring

4.3 Third-Party Access

Third-party access requires data processing agreements, background checks, and is limited to necessary functions only.

5. Data Protection

5.1 Encryption

At Rest: AES-256 encryption for databases and storage
In Transit: TLS 1.3 for all network communications
Key Management: Hardware Security Modules (HSM) for key storage
Key Rotation: Annual encryption key rotation

5.2 Data Masking

PII masking in logs and non-production environments
Tokenization for sensitive data (credit cards, SSN)
Anonymization for analytics and reporting

5.3 Data Loss Prevention (DLP)

DLP systems monitor and prevent unauthorized data exfiltration through email, cloud storage, and external transfers.

6. Network Security

Web Application Firewall (WAF) with rule-based protection
DDoS protection and mitigation services
Network segmentation with VPC isolation
Intrusion detection and prevention systems (IDPS)
Regular vulnerability scanning and penetration testing
Secure configuration management

7. Application Security

7.1 Secure Development

Secure coding practices and guidelines
Code review and static analysis (SAST)
Dependency scanning and vulnerability management
Dynamic application security testing (DAST)
Security testing in CI/CD pipeline

7.2 Runtime Protection

Runtime application self-protection (RASP) and container security monitoring for production workloads.

8. Incident Response

24/7 security monitoring and incident response team
Documented incident response procedures
Incident severity classification and escalation
Breach notification within 72 hours (GDPR)
Post-incident analysis and remediation

9. Security Training

Annual security awareness training for all employees
Phishing simulations and security assessments
Role-specific training for developers and administrators
Regular security communications and updates

10. Compliance and Audits

Annual SOC 2 Type II audit
ISO 27001 certification maintenance
Regular penetration testing (quarterly)
Compliance monitoring for GDPR, CCPA, DPDP
Third-party security assessments

11. Contact Information

Security Team: security@capengage.com

Report Vulnerability: security@capengage.com

Address: Building No 4B, Flat No 304, Olympeo Riverside PH Karjat, Avasare, Raigad, Maharashtra, India - 410101