Information Security Policy

Document ID: ISMS-POL-001
Version: 1.0
Effective Date: December 29, 2025
Review Date: December 29, 2026
Classification: Internal

1. Purpose

This Information Security Policy establishes the framework for protecting the confidentiality, integrity, and availability of information assets at anonym.legal. It defines the security requirements and responsibilities for all personnel, systems, and processes involved in the operation of the PII anonymization platform.

2. Scope

This policy applies to:

  • All employees, contractors, and third parties with access to anonym.legal systems
  • All information assets including customer data, system configurations, and intellectual property
  • All systems, networks, and applications that process, store, or transmit information
  • All physical and virtual environments hosting the platform

3. Policy Statement

anonym.legal is committed to:

  • Protecting customer data and ensuring privacy in PII processing
  • Maintaining the confidentiality, integrity, and availability of information assets
  • Complying with applicable laws, regulations, and contractual requirements
  • Continuously improving the Information Security Management System (ISMS)

4. Information Security Objectives

  1. Data Protection: Ensure all PII processed through the platform is protected using industry-standard encryption (AES-256-GCM)
  2. Access Control: Implement role-based access control (RBAC) and plan-based feature gating
  3. Availability: Maintain 99.9% uptime for production services
  4. Incident Response: Detect and respond to security incidents within 24 hours
  5. Compliance: Maintain compliance with GDPR and relevant data protection regulations

5. Roles and Responsibilities

5.1 Management

  • Approve and support the ISMS
  • Allocate resources for security initiatives
  • Review security performance quarterly

5.2 System Administrators

  • Implement and maintain security controls
  • Monitor systems for security events
  • Apply security patches within defined timeframes

5.3 Developers

  • Follow secure coding practices
  • Conduct code reviews for security vulnerabilities
  • Implement security requirements in applications

5.4 Users

  • Comply with security policies and procedures
  • Report security incidents promptly
  • Protect authentication credentials

6. Security Controls

6.1 Technical Controls

  • Encryption at rest and in transit (TLS 1.2+, AES-256-GCM)
  • Multi-factor authentication (2FA) support
  • Account lockout after failed login attempts
  • Password complexity requirements (12+ characters, mixed case, numbers, symbols)
  • JWT-based session management
  • Role-based access control (Admin, Editor, User)
  • Plan-based feature gating (Free, Basic, Pro, Business)

6.2 Administrative Controls

  • Security awareness training
  • Access provisioning and deprovisioning procedures
  • Change management process
  • Incident response procedures

6.3 Physical Controls

  • Data center security (Hetzner certified facilities)
  • Network segmentation
  • Firewall and intrusion detection

7. Acceptable Use

7.1 Permitted Use

  • Processing PII for legitimate anonymization purposes
  • Using system features according to subscription plan
  • Accessing data necessary for job functions

7.2 Prohibited Use

  • Attempting to bypass security controls
  • Sharing authentication credentials
  • Processing illegal content
  • Unauthorized data exfiltration

8. Data Classification

Classification | Description                      | Examples
---------------|----------------------------------|----------------------------------
Confidential   | Sensitive customer/business data | PII, encryption keys, API tokens
Internal       | Internal operational data        | Logs, configurations, code
Public         | Publicly available information   | Marketing materials, documentation

9. Compliance

This policy supports compliance with:

  • General Data Protection Regulation (GDPR)
  • ISO/IEC 27001:2022
  • SOC 2 Type II principles

10. Policy Review

This policy shall be reviewed:

  • Annually, or
  • Following significant security incidents, or
  • When there are major changes to the business or technology environment

11. Enforcement

Violations of this policy may result in:

  • Disciplinary action up to and including termination
  • Termination of contractor agreements
  • Legal action where appropriate

12. Document Control

Version | Date       | Author        | Changes
--------|------------|---------------|----------------
1.0     | 2025-12-29 | Security Team | Initial release