Last Updated: February 1, 2025
At Longtime Friends, LLC we are committed to ensuring the security, confidentiality, and integrity of our customers' data. As part of our commitment to providing secure services, this Security Policy outlines the measures and practices we implement to protect data from unauthorized access, disclosure, alteration, and destruction.
1. Data Protection & Encryption
We take all reasonable precautions to ensure that all sensitive customer data is encrypted and protected. These measures include:
- Data Encryption in Transit: All data transmitted between users and our service is encrypted using HTTPS (TLS), so that communication channels are protected against eavesdropping and tampering.
- Data Encryption at Rest: All sensitive data stored in our systems is encrypted using industry-standard encryption algorithms, so that data remains protected even if the underlying storage is accessed without authorization.
2. Access Control
To safeguard against unauthorized access, we implement strict access control measures:
- Authentication: Access to our services requires authentication with a username and password, and multi-factor authentication (MFA) is available as an additional factor.
- Role-Based Access Control (RBAC): We restrict access to personal data and critical services based on the user's role within the system. Only authorized personnel with the appropriate permissions can access certain data or system functionalities.
- Least Privilege: Employees and contractors are given the minimum level of access necessary to perform their job duties, reducing the risk of unauthorized access to sensitive data.
3. Network Security
Our infrastructure is protected by a variety of network security measures:
- Firewalls and Intrusion Detection Systems (IDS): We use firewalls to filter and block malicious traffic before it reaches our network, and intrusion detection systems to monitor network traffic and alert on suspicious activity.
- DDoS Protection: We use distributed denial-of-service (DDoS) mitigation services to absorb and filter attack traffic that aims to disrupt the availability of our services.
- Regular Security Audits: Our systems undergo regular security assessments and vulnerability scans to detect and mitigate any potential weaknesses.
4. Incident Response & Monitoring
We monitor our systems and networks continuously to detect any potential security incidents and have a formal process in place to respond to and address these incidents:
- 24/7 Monitoring: Our infrastructure is monitored 24/7 for suspicious activity, and security alerts are triggered immediately upon detection of potential threats.
- Incident Response Plan: We maintain an incident response plan that details the procedures for detecting, responding to, and recovering from security incidents. In the event of a security breach, we notify affected users in a timely manner in accordance with applicable laws and regulations.
5. Data Backup & Disaster Recovery
To ensure data availability and business continuity in the event of a disaster or system failure, we maintain:
- Regular Backups: We perform regular backups of all critical data to prevent data loss. Backups are securely stored and encrypted.
- Disaster Recovery Plan: We have a comprehensive disaster recovery plan in place to ensure that we can quickly restore services in the event of data loss or system failure.
6. User Responsibilities
In addition to our own security measures, users are responsible for maintaining the security of their accounts. We recommend the following best practices for our users:
- Strong Passwords: Users should create strong, unique passwords for their accounts and avoid reusing passwords across different platforms.
- Multi-Factor Authentication (MFA): We strongly encourage users to enable multi-factor authentication (MFA) to add an additional layer of security.
- Account Monitoring: Users should regularly monitor their accounts for any suspicious activity and report any potential security concerns to us immediately.
7. Compliance with Industry Standards and Regulations
We strive to comply with relevant security standards and regulations, including but not limited to:
- General Data Protection Regulation (GDPR): We comply with the GDPR for customers located in the European Union and provide appropriate safeguards for data privacy.
- Payment Card Industry Data Security Standard (PCI DSS): We require our payment processing providers to implement PCI DSS-compliant processes for the secure handling of payment card information.
8. Employee Training
All employees are trained on data protection and security best practices. This training is mandatory and covers:
- Secure Software Development: Developers are trained to follow secure coding practices and to implement security features into our software applications.
- Phishing and Social Engineering: Employees are trained to recognize and avoid common tactics used by attackers, such as phishing emails and social engineering techniques.
- Incident Reporting: Employees are encouraged to report any suspicious activities, vulnerabilities, or breaches in a timely manner.
9. Third-Party Security
We also ensure that third-party vendors and service providers who have access to our data meet our security standards. All third-party partners must undergo security assessments and sign data protection agreements to ensure the confidentiality and integrity of our users' information.
10. Changes to This Security Policy
We may update or modify this Security Policy from time to time to reflect changes in security practices or regulatory requirements. Any changes will be posted on this page, and the “Last Updated” date will be revised accordingly. We encourage you to check this page periodically for updates.
11. Contact Us
If you have any questions about this Security Policy, please feel free to contact us at support@longtime.app.