1. Introduction and Scope
1.1. This Security Policy describes the administrative, technical, and organizational measures implemented by Pandoblox to protect the confidentiality, integrity, and availability of information processed in connection with Pandoblox’s services (the “Services”). It applies to the systems, infrastructure, and processes used by Pandoblox to provide the Services, including the handling of client, subscriber, and user data. The controls described herein are designed to reduce security risks and support the secure operation of the Services.
1.2. This Security Policy forms part of, and is incorporated by reference into, the applicable subscription agreement and related terms governing the Services. In the event of any conflict between this Security Policy and the subscription agreement, the subscription agreement shall govern, unless applicable law requires otherwise.
1.3. This Security Policy does not apply to third-party websites, products, or services that may be linked to or integrated with the Services and are governed by their own security policies.
2. Definitions
2.1. For purposes of this Security Policy, the following terms have the meanings set forth below. Capitalized terms not defined in this Security Policy shall have the meanings given in the applicable Subscription Agreement or its referenced documents:
2.1.1. “Service(s)” means Pandoblox’s services, including the systems, infrastructure, and processes used to provide them and handle client, subscriber, and user data.
2.1.2. “Subscriber” means the entity or individual that has entered into a Subscription Agreement with Pandoblox.
2.1.3. “Subscriber Data” means the data provided by or collected on behalf of the Subscriber that Pandoblox hosts, processes, or stores in connection with providing the Services.
2.1.4. “Subscription Agreement” means the primary written agreement between Pandoblox and the Subscriber under which Pandoblox provides the Services, and to which this Security Policy is incorporated.
3. Information Security Governance
3.1. Security Program Oversight
3.1.1. Pandoblox maintains an information security program designed to protect information processed in connection with the Services. The program is overseen by designated personnel responsible for implementing, maintaining, and monitoring security controls appropriate to Pandoblox’s operations and risk profile.
3.2. Roles and Responsibilities
3.2.1. Pandoblox assigns security-related responsibilities to personnel based on job function and access requirements. Personnel with access to systems or data are required to comply with applicable security policies and procedures.
3.3. Risk Management
3.3.1. Pandoblox periodically assesses security risks associated with the Services and implements reasonable measures to mitigate identified risks, taking into account the nature of the data, the Services provided, and applicable legal and regulatory requirements.
4. Access Controls
4.1. Authentication and Authorization
4.1.1. Pandoblox implements access controls designed to ensure that only authorized personnel and users are permitted to access systems and data associated with the Services. Authentication mechanisms are used to verify user identities, and access rights are granted based on authorized roles.
4.2. Least-Privilege Principle and User Access Management
4.2.1. Access to systems and data is limited to the minimum level necessary to perform assigned functions (the principle of least privilege). User access rights are provisioned, modified, and revoked in accordance with Pandoblox’s documented procedures.
4.3. Account Monitoring and Review
4.3.1. Pandoblox monitors access to systems supporting the Services and periodically reviews access permissions to help identify and prevent unauthorized access or misuse.
5. Data Protection Measures
5.1. Information processed in connection with the Services is handled in accordance with its sensitivity and intended use. Appropriate encryption or comparable safeguards are applied to protect data during transmission and, where appropriate, at rest.
5.2. Logical and administrative safeguards, including documented procedures and personnel training, help prevent unauthorized access, disclosure, alteration, or destruction of information. These measures are designed to protect information throughout its lifecycle while supporting the secure operation of the Services.
6. Network and Infrastructure Security
6.1. Pandoblox protects its systems and infrastructure through technical and administrative measures such as the following:
6.1.1. Network Controls:
6.1.1.1. Firewalls, segmentation, and continuous monitoring reduce the risk of unauthorized access.
6.1.1.2. System activity is logged and monitored for potential security events.
6.1.2. Vulnerability Management:
6.1.2.1. Periodic assessments identify vulnerabilities.
6.1.2.2. Remediation actions, such as updates and patches, are applied based on risk and impact.
6.2. These combined measures maintain the security and reliability of the Services.
7. Incident Response
7.1. Incident Identification and Reporting. Security incidents affecting the confidentiality, integrity, or availability of information are promptly identified and reported.
7.2. Response Procedures
7.2.1. Incident response procedures guide investigation, mitigation, and remediation.
7.2.2. Notification and corrective actions shall comply with applicable laws and contractual obligations.
7.2.3. In responding to a security incident, Pandoblox will take actions appropriate to the nature and severity of the incident, which may include identification and assessment of affected systems or data, implementation of containment measures to limit impact, investigation to determine scope and root cause, and remediation and recovery actions to restore affected systems and reduce the likelihood of recurrence.
7.2.4. Notification Timelines. Where required by applicable law or contractual obligation, Pandoblox will provide notification of a confirmed security incident without undue delay. The timing and content of such notification will depend on the nature and scope of the incident, the information available at the time, and applicable legal or regulatory requirements. Initial notifications may be limited to available information, with updates provided as additional details become known. Notification may be delayed where necessary to comply with legal obligations, support law enforcement, or prevent further harm.
7.3. Procedures are continuously updated to reflect emerging threats and changes in the Services.
8. Vulnerability Management
8.1. Pandoblox maintains processes designed to identify, assess, and address security vulnerabilities affecting systems and infrastructure used to support the Services. These processes are intended to reduce the risk of unauthorized access, data compromise, or service disruption.
8.1.1. Monitoring and Detection. Systems are monitored for potential security weaknesses, misconfigurations, and emerging threats. Monitoring activities may include automated tools, alerts, and review of system activity to identify indicators of vulnerability or exposure.
8.1.2. Patching and Remediation. Identified vulnerabilities are evaluated and prioritized based on risk severity and potential impact. Remediation measures, including patches, configuration changes, or other corrective actions, are applied within time frames deemed appropriate based on the nature of the risk.
8.1.3. Penetration Testing and Assessments. Pandoblox may conduct periodic penetration testing, vulnerability scans, or similar security assessments to evaluate the effectiveness of security controls. Findings from such assessments are reviewed and used to inform remediation efforts and ongoing improvements to the security program.
8.2. These vulnerability management activities are continuously reviewed and updated to address evolving threats and changes to the Service. Notwithstanding the foregoing, while these measures are designed to reduce risk, Pandoblox does not represent or warrant that they eliminate all security vulnerabilities.
9. Employee Security Practices
9.1. Security responsibilities are incorporated into personnel management and operational practices supporting the Services. Individuals with access to systems or information are required to comply with applicable security policies and procedures.
9.1.1. Security Awareness and Training. Personnel receive security awareness training appropriate to their roles and responsibilities. The training is intended to promote awareness of security risks, data protection obligations, and acceptable use of systems and information.
9.1.2. Access Rights Review and Revocation. Access to systems and information is granted based on role requirements and the principle of least privilege. Access rights are reviewed periodically and are promptly modified or revoked upon termination of employment, engagement, or changes in role.
9.1.3. Confidentiality Obligations. Personnel with access to information are subject to confidentiality obligations designed to protect client, subscriber, and user data. These obligations apply during and after employment or engagement and are enforced in accordance with the applicable policies and agreements.
9.2. Employee security practices are reviewed and updated as necessary to address changes in operations, risk, or regulatory requirements.
10. Vendor and Third-Party Security
10.1. Third-party vendors, service providers, and subprocessors engaged to support the Services shall maintain security measures appropriate to the nature of the services they provide and the risks associated with their access to the systems or information.
10.1.1. Security Requirements. Vendors are expected to implement administrative, technical, and organizational safeguards designed to protect information and systems relevant to the Services. Security requirements may be documented through contractual obligations, policies, and other appropriate mechanisms.
10.1.2. Vendor Assessments and Oversight. Pandoblox conducts reasonable due diligence and ongoing assessments of third-party security practices based on the risk, scope of access, and criticality of services provided. Oversight activities may include review of security documentation, assessments, or other risk-based evaluations.
10.2. Third-party access is limited to what is necessary to perform contracted services, and vendors are expected to promptly notify Pandoblox of security incidents affecting the services as required by contract or applicable law.
11. Business Continuity and Backup
11.1. Data associated with the Services is subject to backup processes intended to protect against data loss, corruption, or unavailability. Backups are performed on a regular basis using methods designed to protect data from accidental loss or unauthorized access. Backup frequency, retention, and storage practices may vary based on system architecture, data sensitivity, and operational requirements.
11.2. Business Continuity and Disaster Recovery.
11.2.1. Business Continuity. Pandoblox maintains business continuity and disaster recovery measures designed to support the critical systems and services during and following a disruptive event.
11.2.2. Disaster Recovery. Pandoblox maintains backup and recovery procedures designed to restore access to systems and data following a disruption.
11.2.3. Testing and Review. Business continuity and disaster recovery measures are periodically reviewed, tested, and updated as appropriate.
11.2.4. Recovery objectives, where referenced, are internal targets only and do not constitute service level commitments or guarantees.
12. Policy Updates
12.1. This Security Policy is reviewed periodically to ensure it remains appropriate to the Services, security risks, and applicable regulatory requirements. Updates may be made to reflect changes in technology, business operations, legal obligations, or security practices.
12.2. Revisions to this Security Policy are approved by designated personnel responsible for security oversight. The most current version of the Security Policy will be made available as appropriate, and continued use of the Services constitutes acceptance of the updated policy.
12.3. Pandoblox will make commercially reasonable efforts to notify subscribers of material updates to this Security Policy within thirty (30) days of such updates. Notification may be provided through appropriate channels, including but not limited to electronic communication, account notifications, or publication within the Service.
13. Audit Rights and Attestations
13.1. Pandoblox may make available, upon reasonable request, information regarding its security practices to demonstrate compliance with this Security Policy.
13.1.1. Security Reports and Attestations. Subject to confidentiality obligations, Pandoblox may provide access to relevant third-party security assessments or certifications, where available. Such materials may include:
13.1.1.1. Independent audit reports (e.g., SOC 2 or similar reports);
13.1.1.2. Security assessment summaries or certifications;
13.1.1.3. Other documentation reasonably demonstrating Pandoblox’s security controls.
13.1.2. Provision of such materials may be subject to execution of a non-disclosure agreement and may be limited to protect the security and confidentiality of Pandoblox’s systems and customers.
13.1.3. Audit Requests. Where required by law or expressly agreed in a separate written agreement, the Subscriber may request to conduct an audit or assessment of Pandoblox’s compliance with this Security Policy. Any such audit shall:
13.1.3.1. Be conducted upon reasonable prior written notice;
13.1.3.2. Be limited in scope, frequency, and duration;
13.1.3.3. Be performed in a manner that does not unreasonably interfere with Pandoblox’s operations; and
13.1.3.4. Be subject to Pandoblox’s reasonable security and confidentiality requirements.
13.1.4. Pandoblox may satisfy audit requests through the provision of existing audit reports or attestations in lieu of permitting audits.
14. Specific Security Commitments (Metrics)
14.1. Data Security Standards
14.1.1. Encryption at Rest and In Transit. Pandoblox shall implement industry-standard encryption protocols to protect Subscriber Data. Specifically, all data at rest shall be protected using a minimum of AES-256 encryption, and data in transit shall be protected using TLS 1.2 or higher protocols.
14.1.2. Data Retention and Disposal. Unless otherwise agreed in writing, Pandoblox shall retain Subscriber Data for a maximum period of ninety (90) days following the termination or expiration of the Subscription Agreement. Following this period, Pandoblox shall securely delete or render inaccessible all Subscriber Data in accordance with industry best practices.
14.2. Vulnerability Remediation
14.2.1. Patching Commitment. Pandoblox commits to the following guaranteed timelines for remediation measures, including patching, based on the severity of identified security vulnerabilities impacting the Services:
14.2.1.1. Critical/High Severity: Remediation will be completed within seven (7) days of confirmation.
14.2.1.2. Medium Severity: Remediation will be completed within thirty (30) days of confirmation.
14.2.1.3. Low Severity: Remediation will be completed within a timeframe deemed appropriate based on Pandoblox's internal risk assessment.
15. Data Location and Transfer
15.1. Data Hosting Location
15.1.1. Subscriber Data will be hosted primarily in Pandoblox’s secured data centers located in the United States.
15.1.2. Pandoblox reserves the right to use facilities in other geographic regions for operational efficiency, resilience, or load balancing, provided that such facilities adhere to the security standards and protections set forth in this Security Policy.
15.2. International Data Transfer
15.2.1. The Subscriber acknowledges and agrees that, as part of providing the Services, Pandoblox may transfer, store, and process Subscriber Data across international borders, including to countries outside of the Subscriber’s primary geographic region.
15.2.2. By utilizing the Services, the Subscriber consents to this cross-border transfer, storage, and processing of Subscriber Data. Pandoblox commits to ensuring that all such transfers are executed in compliance with applicable data protection laws, including implementing necessary legal transfer mechanisms and safeguards.
End of Pandoblox Signal Security Policy

Pandoblox Signal Security Policy