Pandoblox

1. Introduction and Scope
 
1.1. This Security Policy describes the administrative, technical, and organizational measures implemented by Pandoblox to protect the confidentiality, integrity, and availability of information processed in connection with Pandoblox’s services (the “Services”). It applies to the systems, infrastructures, and processes used by Pandoblox to provide the Services, including the handling of client, subscriber, and user data. The controls described herein are designed to reduce security risks and support the secure operation of the Services.

1.2. This Security Policy forms part of, and is incorporated by reference into, the applicable subscription agreement and related terms governing the Services. In the event of any conflict between this Security Policy and the subscription agreement, the subscription agreement shall control, unless applicable law requires otherwise.

1.3. This Security Policy does not apply to third-party websites, products, or services that may be linked to or integrated with the Services and are governed by their own security policies. 
 
2. Information Security Governance

2.1. Security Program Oversight
       2.1.1. Pandoblox maintains an information security program designed to protect information processed in connection with the Services. The program is overseen by designated personnel responsible for implementing, maintaining, and monitoring security controls appropriate to Pandoblox’s operations and risk profile.

2.2. Roles and Responsibilities
       2.2.1. Pandoblox assigns security-related responsibilities to personnel based on job function and access requirements. Personnel with access to systems or data are required to comply with applicable security policies and procedures.

2.3. Risk Management
       2.3.1. Pandoblox periodically assesses security risks associated with the Services and implements reasonable measures to mitigate identified risks, taking into account the nature of the data, the Services provided, and applicable legal and regulatory requirements.
 
3. Access Controls
 
3.1. Authentication and Authorization
       3.1.1. Pandoblox implements access controls designed to ensure that only authorized personnel and users are permitted to access systems and data associated with the Services. Authentication mechanisms are used to verify user identities, and access rights are granted based on authorized roles.

3.2. Least-Privilege Principle and User Access Management
       3.2.1. Access to systems and data is limited to the minimum level necessary to perform assigned functions. User access rights are provisioned, modified, and revoked in accordance with documented procedures.

3.3. Account Monitoring and Review
       3.3.1. Pandoblox monitors access to systems supporting the Services and periodically reviews access permissions to help identify unauthorized access or misuse.
 
4. Data Protection Measures

4.1. Information processed in connection with the Services is handled in accordance with its sensitivity and intended use. Encryption or comparable safeguards are applied to protect data during transmission and, where appropriate, at rest.

4.2. Logical and administrative safeguards, including documented procedures and personnel training, help prevent unauthorized access, disclosure, alteration, or destruction of information. These measures are designed to protect information throughout its lifecycle while supporting the secure operation of the Services.
 
5. Network and Infrastructure Security

5.1. Pandoblox protects its systems and infrastructure through technical and administrative measures such as the following:
       5.1.1. Network Controls:
                  5.1.1.1. Firewalls, segmentation, and continuous monitoring reduce the risk of unauthorized access.
                  5.1.1.2. System activity is logged and monitored for potential security events.

        5.1.2. Vulnerability Management:
                   5.1.2.1. Periodic assessments identify vulnerabilities.
                   5.1.2.2. Remediation actions, such as updates and patches, are applied based on risk and impact.

5.2. These combined measures maintain the security and reliability of the Services.
 
6. Incident Response
 
6.1. Incident Identification and Reporting. Security Incidents affecting the confidentiality, integrity, or availability of information are promptly identified and reported.

6.2. Response Procedures
       6.2.1. Incident response procedures guide investigation, mitigation, and remediation.
       6.2.2. Notification and corrective actions comply with applicable laws and contractual obligations.
       6.2.3. Add actual procedure?

6.3. Notification Timelines?

6.4. Procedures are continuously updated to reflect emerging threats and changes in the Services.
 
7. Vulnerability Management

7.1. Pandoblox maintains processes designed to identify, assess, and address security vulnerabilities affecting systems and infrastructure used to support its services. These processes are intended to reduce the risk of unauthorized access, data compromise, or service disruption.
        7.1.1. Monitoring and Detection. Systems are monitored for potential security weaknesses, misconfigurations, and emerging threats. Monitoring activities may include automated tools, alerts, and review of system activity to identify indicators of vulnerability or exposure. 
        7.1.2. Patching and Remediation. Identified vulnerabilities are evaluated and prioritized based on risk severity and potential impact. Remediation measures, including patches, configuration changes, or other corrective actions, are applied within time frames deemed appropriate based on the nature of the risk.
        7.1.3. Penetration Testing and Assessments. Pandoblox may conduct periodic penetration testing, vulnerability scans, or similar security assessments to evaluate the effectiveness of security controls. Findings from such assessments are reviewed and used to inform remediation efforts and ongoing improvements to the security program.

7.2. These vulnerability management activities are continuously reviewed and updated to address evolving threats and changes to the Services. While these measures are designed to reduce risk, they do not eliminate all security vulnerabilities.

8. Employee Security Practices
 
8.1. Security responsibilities are incorporated into personnel management and operational practices supporting the Services. Individuals with access to systems or information are required to comply with applicable security policies and procedures.
       8.1.1. Security Awareness and Training. Personnel receive security awareness training appropriate to their roles and responsibilities. The training is intended to promote awareness of security risks, data protection obligations, and acceptable use of systems and information.
       8.1.2. Access Management and Revocation. Access to systems and information is granted based on role requirements and the principle of least privilege. Access rights are reviewed periodically and are promptly modified or revoked upon termination of employment, engagement, or changes in role.
       8.1.3. Confidentiality Obligations. Personnel with access to information are subject to confidentiality obligations designed to protect client, subscriber, and user data. These obligations apply during and after employment or engagement and are enforced in accordance with the applicable policies and agreements.

8.2. Employee security practices are reviewed and updated as necessary to address changes in operations, risk, or regulatory requirements.

9. Vendor and Third-Party Security

9.1. Third-party vendors, service providers, and subprocessors engaged to support the Services are required to maintain security measures appropriate to the nature of the services they provide and the risks associated with their access to the systems or information.
        9.1.1. Security Requirements. Vendors are expected to implement administrative, technical, and organizational safeguards designed to protect information and systems relevant to the Services. Security requirements may be documented through contractual obligations, policies, and other appropriate mechanisms.
        9.1.2. Vendor Assessments and Oversight. Pandoblox conducts reasonable due diligence and ongoing assessments of third-party security practices based on the risk, scope of access, and criticality of services provided. Oversight activities may include review of security documentation, assessments, or other risk-based evaluations.

9.2. Third-party access is limited to what is necessary to perform contracted services, and vendors are expected to promptly notify Pandoblox of security incidents affecting the Services where required by contract or applicable law.

10. Business Continuity and Backup
 
10.1. Backups. Data associated with the Services is subject to backup processes intended to protect against data loss, corruption, or unavailability. Backups are performed on a regular basis using methods designed to protect data from accidental loss or unauthorized access. Backup frequency, retention, and storage practices may vary based on system architecture, data sensitivity, and operational requirements.

10.2. Business Continuity and Disaster Recovery.
         10.2.1. Business Continuity. Pandoblox maintains business continuity and disaster recovery measures designed to support the critical systems and services during and following a disruptive event.
         10.2.2. Disaster Recovery. Pandoblox maintains backup and recovery procedures designed to restore access to systems and data following a disruption. Backups are performed on a periodic basis using industry-accepted methods.
         10.2.3. Testing and Review. Business continuity and disaster recovery measures are periodically reviewed, tested, and updated as appropriate. 
         10.2.4. Recovery objectives, where referenced, are internal targets only and do not constitute service level commitments or guarantees.
 
11. Policy Updates
 

11.1. This Security Policy is reviewed periodically to ensure it remains appropriate to the Services, security risks, and applicable regulatory requirements. Updates may be made to reflect changes in technology, business operations, legal obligations, or security practices.


11.2. Revisions to this Security Policy are approved by designated personnel responsible for security oversight. The most current version of the Security Policy will be made available as appropriate, and continued use of the Services constitutes acknowledgment of the updated policy.


11.3. Client Notification of updates?


Pandoblox Signal Security Policy


Pandoblox is Unifying Data, IT & Security to Make Mid-Market Companies AI-Ready

© 2026 Pandoblox. All rights reserved.
