Information Security Policy

Last Updated: 01/03/2025

1. Purpose

The purpose of this Information Security Policy is to protect the confidentiality, integrity, and availability of Valloop’s data and information systems. This policy provides a framework for managing and safeguarding company information assets from threats such as unauthorised access, data breaches, and service disruptions.

2. Scope

This policy applies to all employees, contractors, vendors, and third parties who access, store, transmit, or process Valloop’s information or systems, whether onsite or remotely.

3. Roles and Responsibilities

  • Executive Management: Provides oversight and ensures resource allocation for security initiatives.

  • IT Department: Implements and maintains security measures.

  • All Employees and Contractors: Adhere to this policy and report any security incidents or suspicious activities.

4. Information Classification

All data should be classified according to its sensitivity:

  • Public: Information approved for public disclosure.

  • Internal: Company information not intended for public distribution.

  • Confidential: Sensitive data that requires restricted access (e.g., financial, client, HR data).

  • Restricted: Highly sensitive data that could cause severe damage if disclosed (e.g., trade secrets).

5. Access Control

  • Access to systems and data is granted based on role and job function.

  • Strong passwords must be used and changed regularly.

  • Multi-Factor Authentication (MFA) is required for sensitive systems.

  • Access rights are reviewed quarterly and revoked immediately upon termination of employment.

6. Data Protection

  • Confidential and restricted data must be encrypted at rest and in transit.

  • Personal data must be handled in accordance with applicable data protection laws (e.g., GDPR, CCPA).

  • Data backups must be performed regularly and tested periodically.

7. Acceptable Use

  • Company IT resources must only be used for legitimate business purposes.

  • Installation of unauthorised software or hardware is prohibited.

  • Employees must not engage in activities that could compromise system security (e.g., phishing or the introduction of malware).

8. Incident Response

  • All security incidents must be reported immediately to the IT department.

  • An incident response team will investigate and mitigate any breach or threat.

  • Post-incident reviews will be conducted to improve security practices.

9. Physical Security

  • Access to physical offices and server rooms must be controlled and monitored.

  • Visitors must be logged and escorted.

  • Devices must be locked when unattended.

10. Security Training and Awareness

  • All staff must complete annual security awareness training.

  • Regular phishing simulations and policy refreshers will be conducted.

11. Policy Compliance

  • Violations of this policy may result in disciplinary action, up to and including termination.

  • Regular audits will be conducted to ensure compliance.

12. Review and Updates

This policy will be reviewed annually or when significant changes occur in technology, business operations, or regulatory requirements.