Effective Date: November 24, 2025
Owner: OutSouth Technologies Limited (“the Company”)

 

1. Purpose

The purpose of this Security Policy is to define the technical, administrative, and organizational security measures implemented to protect the confidentiality, integrity, and availability of all data processed, stored, transmitted, or accessed via the Smarter Form platform.

This policy reflects industry best practices, applicable legal and regulatory obligations, and internal governance standards. It must be read in conjunction with the Smarter Form Terms of Use, Privacy Policy, and Terms and Conditions.

2. Scope

This policy applies to:

• All users of the Smarter Form platform (administrators, end-users, reviewers, and submitters).
• All systems, infrastructure, APIs, workflows, and integrations related to Smarter Form.
• All Company personnel, contractors, and third-party service providers with access to Smarter Form data.

This policy governs security controls for both the Cloud (Web) Version and the Desktop Version of Smarter Form.

3. Data Protection

3.1 Encryption

All data handled by Smarter Form is encrypted using industry-standard protocols:

• Data in transit: TLS 1.2 or higher
• Data at rest: AES-256
• Desktop Version: All data remains locally encrypted within the user’s environment, with no cloud sync unless explicitly configured by the user.

3.2 Access Controls

• Principle of Least Privilege (PoLP) applies to all system and administrative access.
• Multi-Factor Authentication (MFA) is mandatory for all administrative and privileged accounts.
• SSO or identity federation may be used where supported.

3.3 Password Security

• Strong password policies are enforced (length, complexity, rotation rules as applicable).
• Passwords are hashed using modern, secure algorithms (e.g., bcrypt, Argon2).

4. Data Transit Policy

Smarter Form follows strict rules governing how data moves through the system:

4.1 Cloud (Web) Version

• User-submitted data travels via encrypted HTTPS/TLS connections to Azure cloud services.
• Data may be stored temporarily in Azure Blob Storage according to retention rules.
• Reviewer-to-submitter workflows (e.g., document sharing, comment exchange) use encrypted cloud routing.

4.2 Desktop Version

• All data transit occurs locally within the user’s network unless external sync or export is intentionally initiated.
• No form data, personal data, or attachments are ever transmitted to Smarter Form cloud servers.
• Desktop users may optionally export encrypted files or share documents manually.
• Desktop Version is required for high-risk, very high-risk, and critical-risk data (see Schedule 1).

4.3 External Transfers

Where a user exports or uploads data outside the platform, they are responsible for ensuring compliance with their regulatory obligations.

5. Data Storage & Usage Policy

5.1 Cloud (Web) Version

Cloud storage is used only for Low and Medium risk data categories (see Schedule 1).

• Stored in secure Azure Blob Storage.
• Encrypted at rest using AES-256.
• Used strictly for workflow processing, storage, and analytics as described in the Privacy Policy.
• Microsoft Azure provides SOC 2 Type II & ISO/IEC 27001 certified infrastructure.

5.2 Desktop Version

Required for handling High, Very High, and Critical Risk data:

• All data is stored solely on the user’s local system or local network.
• The Company does not access, process, or retain any desktop-based data.
• No cloud caching, no cloud routing, no storage replication.
• Data usage is contained fully within the user’s environment.

5.3 Data Residency

The platform supports full data residency compliance for regulated industries and jurisdictions (e.g., Cayman Islands, EU, UK).

6. Secure Development

6.1 Code Review & Testing

• Peer review required for all commits.
• Automated vulnerability scanning and dependency checks.

6.2 OWASP Compliance

All development practices align with:

• OWASP Top 10
• Secure coding standards
• Strict validation, sanitization, and authentication controls

7. Data Retention

7.1 Cloud Version

• Submitted form data retained no longer than 90 days unless otherwise required by the user’s compliance obligations.
• After 90 days, cloud-stored data is permanently and irreversibly deleted.

7.2 Desktop Version

• Retention is fully controlled by the user or their organization.

8. Incident Response

8.1 Monitoring

• Cloud infrastructure includes continuous monitoring, anomaly detection, and real-time alerting.

8.2 Response Procedures

The Company maintains a formal incident response program including:

1. Identification
2. Containment
3. Eradication
4. Recovery
5. Post-incident analysis

8.3 Breach Notification

Affected parties and regulators (where applicable) are notified in accordance with legal requirements.

9. Third-Party Providers

9.1 Vendor Due Diligence

The Company engages only providers who meet the following standards:

• SOC 2
• ISO/IEC 27001
• GDPR / CCPA alignment

9.2 Cloud Infrastructure

• Primary provider: Microsoft Azure
• Infrastructure management: Teqassist Ltd.

9.3 Sub-Processors

Defined in the Company’s Privacy Policy.

10. Backup & Recovery

10.1 Cloud Version

• Daily encrypted backups stored in isolated Azure environments.
• No removable media.
• Automatic fail-over and redundancy.

10.2 Desktop Version

Users are responsible for local backup and recovery operations.

11. Compliance

The platform aligns with:

• Cayman Islands Monetary Authority (CIMA) Cybersecurity SoG
• GDPR
• CCPA
• HIPAA (where applicable)
• Industry-specific data protection obligations

Routine audits ensure ongoing compliance.

12. Continuous Improvement

Includes:

• Regular penetration testing
• Continuous auditing
• User feedback cycles
• Threat intelligence updates

13. Roles & Responsibilities

13.1 Company

Maintains platform security, infrastructure, and compliance.

13.2 Employees & Contractors

Must follow this policy and report incidents immediately.

13.3 Users

Responsible for:

• Strong passwords
• Safe device practices
• Avoiding public Wi-Fi
• Recognizing phishing attempts

14. Enforcement

Non-compliance may result in:

• Suspension of access
• Disciplinary action
• Termination of contracts
• Legal action in cases of gross negligence

15. Review Cycle

Reviewed at least annually or sooner where triggered by:

• Regulatory changes
• Platform updates
• New risks

16. Escalation & Complaints

Unresolved concerns may be escalated to legal counsel.
Users may contact the Office of the Ombudsman (Cayman Islands) via info@ombudsman.ky or channels listed in their “Contact Us” section.

---

 

 

Data Classification Schedule

Classification Level	Description	Examples	Permitted Platform Usage
Low Risk	Public or non-sensitive data	Public info, general inquiries	Web (Cloud) Version or Desktop Version
Medium Risk	Confidential data with minimal impact if disclosed	Contact info, non-sensitive business data	Web (Cloud) Version or Desktop Version
High Risk	Sensitive data where unauthorized access may cause financial, regulatory, or reputational harm	Banking details, SOF/SOW, beneficial ownership	Desktop Version Only (Not allowed in cloud)
Very High Risk	Highly sensitive personal or client information	Passport/ID, tax docs, trust deeds, KYC files	Desktop Version Only (Not allowed in cloud)
Critical Risk	Data that can cause severe harm, identity theft, or major regulatory exposure	Authentication data, biometrics, private keys	Desktop Version Only (Not allowed in cloud)