Controls

Continuously monitored

Security controls and measures implemented to protect data and systems.

Production data encrypted at rest
Datastores that hold sensitive customer data are encrypted at rest, and encryption keys are managed and accessible only to authorized personnel with a legitimate need.
Network segmentation and firewalls
The production network is segmented from public networks and protected by firewalls and hardened configurations that are reviewed periodically to prevent unauthorized access.
Vulnerability scanning and patch management
Host-based vulnerability scans run at least quarterly on external-facing systems, annual penetration testing is performed, and identified issues drive patching of infrastructure supporting the service.
Code of conduct and ethics
Employees acknowledge a code of conduct during onboarding, contractor agreements reference the same expectations, and violations are subject to disciplinary procedures.
Contractor confidentiality agreements
Contractors sign confidentiality commitments in their agreements at the start of engagement.
Employee confidentiality agreements
Employees sign confidentiality obligations as part of their employment agreements and human resources security documentation.
Secure software development lifecycle
A formal secure development lifecycle governs design, development, acquisition, testing, and maintenance of the platform, supported by secure development policies.
Change management for application and infrastructure
Changes to application code and infrastructure are tracked in tickets and version control and must be documented, tested, reviewed, and approved before deployment to production.
Production deployment controls
Only authorized personnel can promote changes to production, and deployment tooling enforces appropriate separation of duties.
Risk management program
A risk management program and risk register identify threats to service commitments, rate likelihood and impact (including fraud risk), and capture mitigation plans in an annual assessment cycle.
Control self-assessments
Internal control self-assessments are conducted at least annually, with identified issues driving corrective actions.
Vendor management
A vendor management program maintains an inventory of critical third parties, defines security and privacy requirements, and reviews key vendors and their assurance reports at least annually.
Data classification and handling
A data management policy defines classification levels for public, internal, and customer data and sets handling rules so confidential information is restricted to authorized personnel.
Data retention and disposal
Formal retention and disposal procedures govern how company and customer data is stored, archived, and securely destroyed when no longer needed.
Secure media destruction
Electronic media containing confidential information is wiped or destroyed following industry best practices, with destruction records maintained.
Customer contractual compliance
Customers are responsible for understanding and complying with their contractual obligations to Adaline.
Maintain current contact information
Customers must keep administrative and technical contact information up to date with Adaline.
Maintain customer system of record
Customers remain responsible for their own systems of record and authoritative data sources.