Security Policy
Build Then Bless (BTB)
1. Purpose
The purpose of this Security Policy is to establish a comprehensive framework for securing Build Then Bless’s (BTB) data, systems, and assets. This policy aims to protect customer information, maintain data integrity, and ensure compliance with industry best practices and regulatory requirements.
2. Scope
This policy applies to all BTB employees, contractors, and third-party service providers who have access to BTB’s data, systems, and applications. It covers all data, including customer information, transactional data, and any other sensitive information stored, processed, or transmitted by BTB.
3. Security Principles
BTB follows industry-standard security principles to protect the confidentiality, integrity, and availability of data:
- Confidentiality: Only authorized individuals have access to sensitive data.
- Integrity: Data is protected from unauthorized modification to ensure accuracy and reliability.
- Availability: Systems and data are accessible to authorized users when needed.
4. Access Control
- User Access Management: Access to BTB’s systems is restricted to authorized personnel through role-based access control (RBAC). Users are granted access strictly on the principle of least privilege.
- Multi-Factor Authentication (MFA): MFA is required for accessing critical systems and data repositories, including databases and cloud storage.
- Periodic Review: Access rights are reviewed periodically to ensure compliance with RBAC policies and to remove access from users who no longer require it.
5. Data Security
- Encryption:
  - Data in Transit: All data transmitted between clients, servers, and third-party services is encrypted using TLS (Transport Layer Security).
  - Data at Rest: Sensitive data stored in the database and AWS is encrypted using AES-256 encryption.
- Data Masking: Sensitive data, such as cardholder IDs and card IDs, is not collected or stored by BTB.
6. Network Security
- Firewalls: BTB employs firewalls to protect its network from unauthorized access and potential threats. These firewalls are configured to allow only essential traffic.
- Intrusion Detection and Prevention: Regular monitoring of network traffic is conducted to detect and prevent potential security threats.
- Secure Communication: All internal and external communications utilize secure protocols (e.g., HTTPS) to ensure data integrity and confidentiality.
7. Application Security
- Secure Coding Practices: All developers are trained in secure coding practices to minimize vulnerabilities within BTB applications.
- Vulnerability Scanning: Regular vulnerability scans and code reviews are conducted to identify and address security flaws.
- Penetration Testing: Periodic penetration tests are conducted to simulate potential attacks and assess the application’s security posture.
8. Data Backup and Recovery
- Data Backups: Regular backups of the databases are created and stored securely on AWS. Backups are encrypted and accessible only to authorized personnel.
- Disaster Recovery: A disaster recovery plan is in place to ensure that BTB can recover and restore access to data in case of an incident. Regular testing of the disaster recovery plan is conducted to ensure its effectiveness.
9. Incident Response
- Incident Detection: BTB utilizes monitoring tools to detect security incidents promptly.
- Incident Handling: In the event of a security incident, BTB’s incident response team will follow a predefined incident response plan to mitigate the impact and restore normal operations.
- Reporting: Any security breaches or incidents will be reported to affected customers and regulatory bodies as required by law.
10. Compliance
- Regulatory Compliance: BTB adheres to applicable data protection regulations (e.g., GDPR, CCPA) and industry standards to ensure the lawful processing and storage of customer data.
- Policy Review: This Security Policy is reviewed annually or whenever there are significant changes to BTB’s operations or applicable regulations.
11. Employee Training
All employees undergo mandatory security training upon onboarding and annual refresher training to stay updated on best practices for data protection and security.
12. Contact Information
For questions or concerns regarding this Security Policy, please contact: support@buildthenbless.com