Information Security Policy

Note: Vidovo, Inc is referred to as "Vidovo" throughout this document.

Purpose and Scope

This Information Security Policy establishes the framework for protecting the confidentiality, integrity, and availability of information assets at Vidovo. This policy applies to all employees, contractors, account executives, and third parties who access our systems, data, or network resources.

Policy Statement

Vidovo is committed to protecting the information assets of our organization, clients, and partners. We recognize that information security is essential to maintaining trust, ensuring business continuity, and complying with legal and regulatory requirements.

Information Security Objectives

Our information security program aims to:

  • Protect confidential business and customer information from unauthorized access, disclosure, or theft
  • Ensure the integrity and accuracy of data and information systems
  • Maintain the availability of critical business systems and data
  • Comply with applicable laws, regulations, and contractual obligations
  • Foster a culture of security awareness throughout the organization

Roles and Responsibilities

Management

Company leadership is responsible for:

  • Establishing and maintaining this Information Security Policy
  • Allocating appropriate resources for information security
  • Reviewing and approving security-related decisions
  • Ensuring compliance with this policy

All Personnel

All employees, contractors, and account executives are responsible for:

  • Understanding and complying with this policy and related procedures
  • Protecting company and customer information entrusted to them
  • Reporting security incidents or suspected vulnerabilities immediately
  • Participating in security awareness training
  • Using strong passwords and protecting authentication credentials

Access Control

User Access Management

  • Access to information systems and data is granted based on the principle of least privilege
  • User accounts are created only for authorized individuals with legitimate business needs
  • Access rights are reviewed periodically and revoked promptly upon termination or role change
  • Shared accounts are prohibited; each user must have a unique account

Password Requirements

  • Passwords must be at least 12 characters long and include a mix of uppercase, lowercase, numbers, and special characters
  • Passwords must not be shared, written down, or stored in unencrypted format
  • Multi-factor authentication (MFA) must be enabled where available, particularly for email, cloud services, and administrative access
  • Default passwords must be changed immediately upon initial system access

Remote Access

  • Remote access to company systems requires secure methods such as VPN or encrypted connections
  • Company data accessed remotely must be protected with appropriate security measures
  • Personal devices used for work purposes must meet minimum security standards

Data Protection and Classification

Data Classification

Information is classified based on sensitivity:

Confidential: Customer data, financial information, trade secrets, proprietary business information. Requires the highest level of protection.

Internal: Business information intended for internal use only. Should be protected from unauthorized external access.

Public: Information approved for public disclosure. May be shared externally.

Data Handling

  • Confidential information must be encrypted when stored electronically and transmitted over networks
  • Sensitive data must not be sent via unencrypted email or stored on unauthorized devices
  • Physical documents containing confidential information must be secured when not in use and disposed of securely
  • Customer data must be handled in accordance with applicable privacy laws and contractual obligations

Data Retention and Disposal

  • Data is retained only as long as necessary for business or legal requirements
  • Data disposal must render information unrecoverable (e.g., secure deletion, shredding)

Device and Endpoint Security

Company Devices

  • All company-owned devices must have up-to-date operating systems and security patches
  • Antivirus/anti-malware software must be installed and kept current
  • Full disk encryption must be enabled on laptops and mobile devices
  • Devices must be configured to lock automatically after a period of inactivity
  • Lost or stolen devices must be reported immediately

Personal Devices (BYOD)

If personal devices are used for company business:

  • Devices must meet minimum security requirements (current OS, screen lock, encryption)
  • Personal devices must not be used to store confidential customer data unless explicitly authorized

Physical Security

  • Devices must not be left unattended in public places
  • Screens must be locked when leaving workstations
  • Visitors must not be given unsupervised access to company systems or information

Email and Internet Use

Acceptable Use

  • Company email and internet resources are provided for business purposes
  • Personal use should be minimal and not interfere with work responsibilities
  • Users must not access inappropriate, illegal, or offensive content
  • Company resources must not be used for personal financial gain or illegal activities

Email Security

  • Be cautious of phishing attempts and suspicious emails
  • Do not click on links or open attachments from unknown or untrusted sources
  • Verify requests for sensitive information or financial transactions through alternative communication channels
  • Report suspicious emails immediately

Software and Systems

Software Installation

  • Only authorized and licensed software may be installed on company systems
  • Software must be obtained from legitimate sources
  • Unlicensed or pirated software is strictly prohibited

System Updates

  • Operating systems, applications, and security software must be kept up to date with the latest patches
  • Critical security updates must be applied promptly

Cloud Services

  • Only approved cloud services may be used to store or process company data
  • Cloud services must provide adequate security controls and data protection
  • Login credentials for cloud services must be protected with strong passwords and MFA
  • All cloud services must be used in accordance with the laws and regulations of the United States. If a cloud service is not available in the United States, it must be used in accordance with the laws and regulations of the country of the service provider.

Vendor and Third-Party Management

  • Third-party vendors with access to company systems or data must demonstrate adequate security practices
  • Contracts with vendors must include appropriate security and confidentiality provisions
  • Vendor access is granted only as necessary and monitored appropriately

Incident Response

Security Incidents

A security incident includes but is not limited to:

  • Unauthorized access to systems or data
  • Malware infections or suspected compromise
  • Loss or theft of devices containing company data
  • Data breaches or exposure of confidential information
  • Suspected phishing or social engineering attacks

Incident Reporting

  • All security incidents or suspected incidents must be reported immediately to management
  • Do not attempt to investigate or remediate incidents without authorization
  • Preserve evidence and do not alter systems involved in an incident

Incident Response Process

Upon notification of a security incident, management will:

  • Assess the scope and severity of the incident
  • Contain the incident to prevent further damage
  • Investigate root causes and affected systems/data
  • Notify affected parties as required by law or contract
  • Implement corrective actions to prevent recurrence
  • Document the incident and lessons learned

Third-Party Liability Disclaimer

Important Notice: Vidovo does not guarantee or assume any liability for the security practices, data handling, or information security measures of third-party vendors, partners, or service providers. While we require third parties to maintain appropriate security standards, users and stakeholders acknowledge that Vidovo cannot be held responsible for security breaches, data incidents, or other security-related issues that may occur within third-party systems or services, even when such third parties are integrated with or connected to Vidovo systems.

Users are advised to review and understand the security policies and practices of any third-party services they choose to use in conjunction with Vidovo products or services.

Training and Awareness

  • All personnel are expected to be aware of this policy and to follow it.
  • All new hires are expected to be up to date on the latest security best practices.
  • Personnel are encouraged to ask questions and seek guidance on security matters when they are unsure about how to proceed.

Policy Enforcement

Violations

Violations of this policy may result in:

  • Disciplinary action up to and including termination of employment or contract
  • Legal action if violations involve illegal activities
  • Liability for damages resulting from the violation

Exceptions

Any exceptions to this policy must be:

  • Documented with business justification
  • Approved by management
  • Reviewed periodically

Policy Review and Updates

This policy is reviewed and updated at least annually, or more frequently if:

  • Significant changes occur in the threat landscape
  • New systems or business processes are implemented
  • Regulatory requirements change
  • Security incidents reveal policy gaps

Contact Information

For questions, concerns, or to report security incidents, contact:

Vidovo
Email: contact@vidovo.com

Acknowledgment

All personnel are required to review and acknowledge their understanding of this Information Security Policy.

By using Vidovo information systems and resources, you agree to comply with this policy and understand that violations may result in disciplinary action.