Security & Data Handling Policy
1. Purpose and Scope
This Security & Data Handling Policy ("Policy") establishes the standards and procedures for protecting client data processed by Grable Auction Inc., operating as Zynous ("Zynous", "we", "us"). This Policy applies to all systems, personnel, and processes involved in accessing, storing, transmitting, or otherwise handling client data in connection with our SaaS services.
2. Roles and Responsibilities
- Zynous Management: Approves security policies, oversees implementation, ensures regulatory compliance.
- Developers: Authorized personnel responsible for maintaining secure systems, following encryption, authentication, and logging standards.
- All Personnel: Must adhere to security procedures and report incidents immediately.
3. Data Classification
Client data collected and processed by Zynous includes:
- Page IDs
- Social media post content
- Analytics and performance metrics
All such data is classified as Confidential and must be handled accordingly.
4. Infrastructure and Hosting
- Hosting Provider: Amazon Web Services (AWS) in the us-east-1 region (United States)
- Data storage is encrypted at rest using AES-256 standards.
- AWS security controls, monitoring, and logging are utilized as part of the hosting infrastructure.
- Regular security updates and patches are applied to all systems.
5. Data Transmission Security
- All communications between client systems and Zynous services occur over HTTPS/TLS encrypted channels.
- Internal API communications are secured via JWT-based authentication.
- No unencrypted sensitive data is transmitted over public networks.
6. Access Control
- Access is strictly limited to authorized internal developers on a need-to-know basis.
- There is no client-facing admin panel; all administrative operations occur on locally run secure environments.
- Authentication mechanisms include JWT tokens and controlled local execution; possession of tokens alone is insufficient to access systems.
7. Physical Security
- Internal systems storing sensitive credentials are maintained in secure facilities or office environments.
- Devices accessing administrative systems must adhere to company-approved endpoint security controls.
8. Data Retention and Deletion
- Client data is retained indefinitely unless a deletion request is submitted.
- Deletion requests are processed promptly and verified.
- Plans to automate periodic data purging (e.g., every 90 days) are under consideration.
9. Monitoring and Logging
- All administrative actions are logged internally.
- Logs are reviewed for anomalous activity or unauthorized access attempts.
- Logs are retained in accordance with operational and legal requirements.
10. Incident Response and Breach Management
- Security incidents, suspected breaches, or unauthorized access are documented and reported internally.
- Affected clients are notified without undue delay of confirmed data breaches.
- Remediation measures are implemented promptly to mitigate risk and prevent recurrence.
11. Third-Party Services
- Third-party providers include AWS and Google services (Gmail, Google Docs, Google Sheets).
- These providers are contractually obligated to implement industry-standard security controls for handling client data.
12. Training and Awareness
- Internal personnel receive periodic security and compliance training.
- Policies are reviewed regularly and updated to reflect best practices and evolving threats.
13. Policy Review and Updates
- This Policy is reviewed annually or upon significant changes to infrastructure, personnel, or regulatory requirements.
- Updates are documented, and relevant staff are notified of changes.
14. Governing Law
This Security & Data Handling Policy is governed by the laws of Canada and applicable federal and state laws of the United States where clients are located.