An information security policy is documented, reviewed, and approved by Company management on an annual basis to manage its information security and data privacy program effectively. The security policy is available to Company employees within the Carbide portal.
The organization has thoroughly examined and integrated all applicable legal and contractual requirements into its business practices. This ensures compliance, safeguards the organization’s reputation, reduces risks, and contributes to the sustainability and success of its operations.
The organization has created and shared with employees policies and procedures to provide direction, establish boundaries, and promote consistency in various areas, such as governance, security, privacy, operations, finance, human resources, and organizational issues.
Executive Management meets on a quarterly basis. The meeting agenda varies but includes, at a minimum: (1) financial details; (2) HR; (3) pipeline of clients; (4) review of support issues; (5) discussion of the product and new features.
In addition, a separate Security/Privacy Steering Committee is in place and meets at least quarterly. It is responsible for providing oversight, direction, and guidance for all matters related to Security and Privacy.
Processes exist to gather, analyze, and leverage security and privacy threat intelligence information to identify and mitigate potential threats to the organization. This includes ongoing monitoring and analysis of emerging threats and vulnerabilities and maintaining links with relevant industry organizations.
Security performance measurements are used to evaluate the effectiveness of the organization’s security controls and processes in protecting its assets, detecting security incidents, and responding to security events. This involves collecting, analyzing, and reporting security metrics to track the organization’s security posture, identify areas for improvement, and demonstrate compliance with regulatory requirements.