Security and Privacy Policy
Purpose: This Security and Privacy Policy defines the framework implemented by MomentIQ Inc. to protect the confidentiality, integrity, and availability of data. It is designed to meet the data protection and compliance requirements of key partners, including TikTok, and aligns with industry best practices and applicable regulatory standards such as GDPR, CCPA, and ISO/IEC 27001.
Data Protection and Privacy
- MomentIQ Inc. complies with all applicable data protection laws and frameworks, including but not limited to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
- Personally Identifiable Information (PII), financial data, and sensitive business data are encrypted both at rest and in transit using strong, industry-standard encryption (AES-256 and TLS 1.2 or later).
- Access to sensitive data is granted based on role-specific responsibilities following the principle of least privilege and enforced via role-based access control (RBAC).
- Data handling procedures are documented, monitored, and regularly reviewed.
- Data localization measures are enforced to comply with regional requirements by storing data in geographically appropriate data centers.
- Encryption keys are securely managed through a dedicated Key Management System (KMS) and are not stored with encrypted data.
Network Security
- Network architecture enforces logical segmentation via VLANs to isolate development, testing, production, and administrative environments.
- Firewalls, access control lists (ACLs), and virtual private networks (VPNs) protect perimeter and internal traffic.
- Intrusion Detection and Prevention Systems (IDS/IPS) are in place to identify and mitigate anomalous and malicious activity.
- A centralized SIEM platform continuously monitors all network traffic for real-time alerting and historical analysis.
- All company devices are protected with next-generation antivirus and EDR (Endpoint Detection and Response) tools, with updates deployed continuously.
- Vulnerability management includes automated scans, monthly patching cycles, and annual penetration testing.
- Network access logs are maintained and regularly reviewed.
Network Segregation and Threat Protection Policy
- Network environments are segregated based on business function and risk level, including isolated zones for production, staging, development, testing, and administrative systems.
- VLANs and subnetting are employed to create boundaries between internal systems and to minimize lateral movement in case of a breach.
- Firewall rules and ACLs are implemented on routers and edge devices to restrict traffic between segments based on least privilege.
- Critical assets are placed in protected zones and access to these is strictly limited and monitored.
- All external connections pass through a secure perimeter protected by stateful inspection firewalls and intrusion prevention systems (IPS).
- A Security Information and Event Management (SIEM) solution collects logs and monitors all network activity 24/7 to detect anomalous behavior and known threat patterns.
- Regular audits are performed to verify proper network segmentation and rule configurations.
- Penetration testing and vulnerability scanning tools assess potential paths between network segments and evaluate resilience against lateral movement tactics.
- Access to networking equipment and management consoles is protected with MFA and logging, and is restricted to authorized network administrators.
Endpoint Security
- All endpoints are being transitioned to a unified endpoint protection platform (e.g., CrowdStrike, SentinelOne) that provides real-time monitoring, behavioral analysis, and incident response capabilities.
- In the interim, existing endpoints are governed by strict configuration baselines, automated OS patching, endpoint firewalls, and centrally managed monitoring tools.
Security Baselines and Operational Controls
- Automatic screen lock activates after a maximum of 10 minutes of inactivity.
- Passwords must meet defined complexity requirements and are managed through 1Password, which enforces secure generation, rotation, and sharing policies.
- Multi-Factor Authentication (MFA) is enforced for all administrative accounts, system logins, and remote access portals.
- Employees must adhere to a Clear Desk Policy to prevent unauthorized physical access to confidential materials.
- System and application updates are automatically applied to ensure timely patching of vulnerabilities.
- Use of removable media is restricted, monitored, and encrypted where permitted.
- Compliance with these controls is verified through routine audits and staff compliance checks.
- Detailed audit logs are maintained and reviewed periodically.
Incident Response
- A documented and tested Incident Response Plan (IRP) is in place to manage and remediate security events.
- All incidents are tracked through an incident management system, with investigations leading to root cause analysis and documented lessons learned.
- Legal and contractual breach notification requirements are followed strictly, ensuring timely communication with affected parties and regulators.
- Regular tabletop exercises and simulated incidents are conducted to test and refine response capabilities.
Vendor and Third-Party Risk Management
- Third-party service providers undergo rigorous security assessments prior to engagement.
- Data sharing with vendors is governed by signed Data Processing Agreements (DPAs) and Non-Disclosure Agreements (NDAs).
- High-risk vendors are subject to ongoing security evaluations and annual compliance reviews.
- All third parties must demonstrate sufficient technical and organizational measures to safeguard shared data.
Compliance, Monitoring, and Auditing
- Internal audits are conducted quarterly to assess alignment with our security framework and regulatory obligations.
- Independent third-party audits and penetration tests are performed annually or as required by contractual obligations.
- The compliance team maintains awareness of emerging legal and industry standards and updates internal controls accordingly.
- Documentation of compliance activities, risk assessments, and control validations is maintained to support regulatory inquiries and partner audits.
Employee Security Awareness
- All employees undergo onboarding and annual security and privacy training, which includes modules on data protection, phishing, and incident reporting.
- Periodic phishing simulations and mandatory refreshers are conducted to maintain vigilance.
- Employees are required to complete refresher courses when significant policy changes occur.
Data Retention and Disposal
- Data is retained in accordance with contractual, legal, and operational requirements.
- When data is no longer required, it is destroyed using secure methods such as cryptographic erasure and physical media destruction.
- Data subject requests for deletion or correction are honored in accordance with applicable law and documented in our response system.
Policy Review
- This policy is reviewed bi-annually or upon significant changes to infrastructure, regulatory requirements, or business operations.
Updated 5/1/2025 DD
