EXHIBIT A: Security Exhibit

Technical & Organizational Measures

This Exhibit describes the minimum security controls and practices maintained by Spin Software, Inc. ("Offerdox") to protect Client Data and Candidate Data. WE NEED TO CONFIRM SOME OF THIS WITH Google Startups. 

1. Data Encryption

  • Encryption in Transit: All data transmitted over public networks is encrypted using TLS 1.2 or higher. We enforce HTTPS for all web-based access.

  • Encryption at Rest: All data stored in our databases, including backups and resume files, is encrypted using AES-256 or an equivalent industry-standard encryption algorithm.

2. Infrastructure & Network Security

  • Cloud Hosting: The Service is hosted on Google Cloud in secure, SOC 2 Type II certified data centers located within the United States.

  • Network Isolation: We utilize Virtual Private Clouds (VPCs), firewalls, and security groups to isolate our production environment from the public internet and from our internal corporate network.

  • Vulnerability Management: We conduct regular automated vulnerability scanning and perform annual third-party penetration testing to identify and remediate security risks.

3. Access Control

  • Principle of Least Privilege: Access to production systems is restricted to a limited number of authorized personnel who require such access to perform their job functions (e.g., DevOps, Security).

  • Multi-Factor Authentication (MFA): MFA is strictly required for all administrative access to our cloud infrastructure and internal systems.

  • Client Access: We provide Clients with the ability to manage their own user permissions and recommend the use of strong password policies for all authorized users.

4. Data Resilience & Backups

  • Redundancy: Our infrastructure is designed for high availability, utilizing multiple availability zones to ensure service continuity in the event of a localized hardware failure.

  • Backups: We perform automated daily backups of all Client and Candidate Data. Backups are encrypted and stored in a separate, secure location from the production environment.

  • Disaster Recovery: We maintain a formal Disaster Recovery plan designed to restore service within [e.g., 4 to 12] hours in the event of a major regional outage.

5. Personnel & Compliance

  • Background Checks: All Offerdox employees undergo background checks (to the extent permitted by law) prior to employment.

  • Confidentiality: All employees and contractors are required to sign non-disclosure and confidentiality agreements.

  • Security Awareness: All staff undergo mandatory annual security and privacy training, specifically covering CCPA/CPRA and GDPR best practices.

6. Incident Response

  • Detection: We maintain 24/7 logging and monitoring to detect unauthorized access attempts or system anomalies.

  • Notification: In the event of a confirmed Data Breach, Offerdox will notify affected Clients without undue delay, and no later than 72 hours after discovery, in accordance with applicable California and federal laws.