Circular Software IT Security Policy / 2025

1. Purpose

To ensure the confidentiality, integrity and availability of Circular Software’s systems, code and customer data by definingclear security responsibilities and controls.

Applies to all company personnel (the soledirector/employee and any contractors), all systems, code repositories and environments used to develop, deploy and support Circular Software’s AdobeInDesign app/plugin.

Director (Security Owner): Overall accountability for security, approves changes, conducts reviews.
Contractors: Must comply with this policy, complete security training, and follow secure development practices.
Third‐party Providers (e.g. AWS, GitHub, Webflow, Dropbox): Must maintain their own security certifications and controls as per their published policies.

Onboarding: All new contractors undergo reference and background checks (including DBS/security vetting).
Training: security awareness training via LinkedIn Learning (covering OWASP Top Ten, phishing, secure coding).
Offboarding: Documented process to disable all system accounts, revoke keys/badges, and collect company assets, secure disposal of data/assets if required.
Confidentiality: All personnel sign NDAs and confidentiality clauses in contracts.

Inventory: Maintain an inventory of coderepositories, cloud resources, API keys and development tools.
Classification: Code classified as“Confidential,” encrypted at rest and in transit.

Least Privilege: Access to production and development environments granted on a need-to-know basis.
Multi-factor authentication enforced on all systems (GitHub, Webflow, Airtable, Dropbox, email, VPN).
Strong password requirements (minimum 12characters, complexity).
Account Lockout: Automatic lockout after fiveunsuccessful login attempts; account unlock via director.

Data at Rest: Cloud provider encryption(AES-256) for all storage volumes and backups.

Secure Development:
Follow OWASP Secure Coding Practices.
Peer review of all code changes; use pullrequests on private GitHub.
Change Management:
All changes logged in our project tracker.
Stakeholders notified of any changes that could affect functionality or security.
Vulnerability Management:
Weekly automated vulnerability scans of all code and cloud infrastructure.
Critical findings remediated within 72 hours; tracked in issue tracker.

Firewalls: Software and hardware firewallsenforce network segmentation between development, test and production systems.
VPN: Mandatory for all remote access to internalcloud resources.
IDS/IPS: Not deployed (low-traffic, cloud-onlyenvironment); cloud provider’s managed threat detection is relied upon.

Due Diligence: Only engage cloud and service providers with published security certifications (e.g., ISO 27001, SOC 2).
Contracts: review provider policies annually.

Incident Response Plan: Documented steps fordetection, containment, eradication, recovery and lessons learned.
Notification: Customers notified within 24 hoursof any incident with potential customer impact.
Backups: Weekly full backups of databases and code repositories.
Stored in a separate cloud region; restore tested semi-annually.
Disaster Recovery: in event of major outage,systems can be rebuilt from code and backups within 24 hours.

Compliance: This policy aligns with industrybest practices; no formal certification due to company size.
Review Cycle: Policy reviewed and updatedannually or after any major change in environment or personnel.

‍