Phoenician, LLC

Security Policies

Phoenician, LLC is committed to protecting the confidentiality, integrity, and availability of our clients’ data and organizational resources. These security policies govern our approach to cyber, physical, and operational security across all services and solutions, including our Unified Data Layer (UDL), CMS, ERP, and integration platforms.

1. Data Protection & Privacy

  • Encryption: All sensitive data is encrypted using industry-standard AES-256 encryption both at rest and in transit. We require HTTPS (TLS 1.2+) for all web, API, and mobile communications.
  • Access Control: Access to client data and administrative systems is strictly limited by role-based access controls (RBAC), with multi-factor authentication (MFA) required for all privileged accounts.
  • Data Residency: We host all systems and client data in secure, US-based cloud data centers compliant with FERPA, GDPR, and relevant US state privacy laws.

2. User Authentication & Identity Management

  • Single Sign-On (SSO): SSO is supported via SAML, OAuth2, or integration with enterprise directories (e.g., LDAP, Active Directory, Entra ID).
  • Password Security: Strong password requirements and regular password rotation are enforced for all user accounts.
  • Session Management: Automatic timeout of inactive sessions and controls to prevent unauthorized account access.

3. Application Security

  • Secure Development: All code is developed following Secure Software Development Lifecycle (SSDLC) principles, including code reviews, peer testing, and vulnerability scanning before release.
  • Patch Management: Security updates and patches are applied promptly to all servers, application stacks, and third-party components.
  • Vulnerability Testing: Regular penetration testing and security assessments are performed on all customer-facing applications.

4. Physical & Network Security

  • Cloud Infrastructure: All production servers are hosted in leading cloud providers (AWS, Azure, GCP) with rigorous physical security—24/7 monitoring, access controls, and disaster mitigation.
  • Network Segmentation: Production environments are isolated behind firewalls with strict network segmentation and intrusion detection/prevention (IDS/IPS) systems.
  • DDoS Protection: Distributed Denial-of-Service mitigation measures are in place at network and application layers.

5. Monitoring, Auditing & Incident Response

  • Audit Logging: All critical activities—logins, data access, administrative changes, and API usage—are logged and retained for seven years.
  • Continuous Monitoring: Security events are monitored in real time with automated alerting for suspicious or anomalous activity.
  • Incident Response: A documented and regularly tested incident response plan ensures rapid detection, containment, investigation, and notification of any security event. Clients are notified promptly (typically within 24 hours) of any confirmed security incidents affecting their data.

6. Data Retention & Deletion

  • Retention: Client data is retained only as long as necessary for services or contractual requirements. Automated purging and secure deletion procedures are routinely executed.
  • Data Ownership: Clients retain full ownership of their data, with explicit support for secure export or destruction at contract termination.

7. Vendor and Third-Party Management

  • Due Diligence: All third-party services and subprocessors undergo rigorous security and privacy due diligence prior to integration.
  • Contracts: Data processing agreements and SLAs require compliance with our security standards for any third-party handling client data.

8. Compliance & Training

  • Regulatory Compliance: Our services adhere to NIST, ISO 27001, and PCI DSS standards, and all regulatory frameworks relevant to our clients.
  • Employee Training: All employees receive annual cybersecurity, data privacy, and compliance training. Security awareness is reinforced through ongoing internal initiatives.

9. Business Continuity & Disaster Recovery

  • Backups: Automated daily backups, multi-region disaster recovery, and routine failover testing ensure data resilience and rapid recovery (RTO <4 hours, RPO <1 hour).
  • Continuity Planning: Comprehensive business continuity plans are maintained and periodically tested for all mission-critical operations.

10. Reporting Security Concerns

If you become aware of a security vulnerability or incident relating to any Phoenician service, please contact our Security Team at [email protected].

Phoenician Technology reviews and updates these security policies regularly to address evolving cyber threats and industry best practices. For detailed information or compliance documentation, please contact us directly.