Security Policy

Last Updated: January 2025

1. Security Commitment

SpinSci is committed to maintaining the highest standards of information security to protect our clients' data, intellectual property, and business operations. This Security Policy outlines our comprehensive approach to safeguarding information assets and ensuring compliance with industry standards and regulations.

2. Information Security Framework

Our security program is built on industry best practices and on the following compliance frameworks and regulations:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • SOC 2 Type II compliance
  • ISO 27001 standards
  • NIST Cybersecurity Framework
  • PCI DSS (where applicable)
  • GDPR and other data protection regulations

3. Data Protection

Data Classification

We classify data into the following categories:

  • Public: Information that can be freely shared
  • Internal: Information for internal use only
  • Confidential: Sensitive business information
  • Restricted: Highly sensitive data including PHI and PII

Data Encryption

  • Data encrypted in transit using TLS 1.3
  • Data encrypted at rest using AES-256
  • Database encryption for all sensitive data
  • End-to-end encryption for communications

4. Access Control

Authentication and Authorization

  • Multi-factor authentication (MFA) for all systems
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and recertification
  • Single sign-on (SSO) integration
  • Strong password policies and requirements

Identity Management

  • Centralized identity and access management
  • Automated provisioning and deprovisioning
  • Session management and timeout controls
  • Privileged access management (PAM)

5. Network Security

  • Firewall protection and network segmentation
  • Intrusion detection and prevention systems (IDS/IPS)
  • DDoS protection and mitigation
  • Secure VPN access for remote workers
  • Network monitoring and traffic analysis
  • Regular security assessments and penetration testing

6. Application Security

  • Secure software development lifecycle (SDLC)
  • Code reviews and static analysis
  • Dynamic application security testing (DAST)
  • Dependency scanning and vulnerability management
  • API security and rate limiting
  • Input validation and output encoding

7. Infrastructure Security

Cloud Security

  • Secure cloud architecture and configuration
  • Container security and orchestration
  • Infrastructure as Code (IaC) security
  • Cloud security monitoring and logging
  • Backup and disaster recovery procedures

Endpoint Security

  • Endpoint detection and response (EDR)
  • Antivirus and anti-malware protection
  • Device encryption and management
  • Patch management and vulnerability remediation
  • Mobile device management (MDM)

8. Monitoring and Incident Response

Security Monitoring

  • 24/7 security operations center (SOC)
  • Security information and event management (SIEM)
  • Log aggregation and analysis
  • Threat intelligence and hunting
  • Automated alerting and response

Incident Response

  • Documented incident response procedures
  • Incident response team and roles
  • Communication and notification protocols
  • Forensic analysis and evidence preservation
  • Post-incident review and improvement

9. Business Continuity and Disaster Recovery

  • Comprehensive business continuity planning
  • Regular backup and recovery testing
  • Redundant systems and failover procedures
  • Defined recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems
  • Emergency communication procedures

10. Vendor and Third-Party Security

  • Vendor security assessments and due diligence
  • Third-party risk management program
  • Contractual security requirements
  • Regular vendor security reviews
  • Incident notification and response coordination

11. Employee Security Awareness

  • Regular security awareness training
  • Phishing simulation and testing
  • Security policies and procedures training
  • Incident reporting procedures
  • Security best practices and guidelines

12. Compliance and Auditing

  • Regular compliance assessments and audits
  • Internal and external security audits
  • Penetration testing and vulnerability assessments
  • Regulatory compliance monitoring
  • Continuous improvement and remediation

13. Security Contact Information

For security-related questions, concerns, or to report security incidents:

SpinSci Security Team
Email: security@spinsci.com
Phone: 972-891-8656

Incident Response
Email: incident@spinsci.com

Physical Address
14850 Quorum Dr., Ste 325
Dallas, TX 75254

14. Policy Updates

This Security Policy is reviewed and updated regularly to reflect changes in technology, threats, and regulatory requirements. All employees will be notified of significant changes to this policy.