Effective Date: December 26, 2025
Owner: OutSouth Technologies Limited (the “Company”)
1. Purpose
The purpose of this Security Policy is to define the technical, administrative, and organizational security measures implemented to protect the confidentiality, integrity, and availability of all data processed, stored, transmitted, or accessed through the use of the Company’s Smarter Form platform (the “Application”).
This policy reflects industry best practices, applicable legal and regulatory obligations, and internal governance standards. It must be read in conjunction with the Company’s Smarter Form Terms of Use, Privacy Policy, and Terms and Conditions.
2. Scope
This policy applies to:
- All users of the Smarter Form platform (administrators, end-users, reviewers, and submitters).
- All systems, infrastructure, APIs, workflows, and integrations related to Smarter Form.
- All Company personnel, contractors, and third-party service providers with access to Smarter Form data.
This policy governs security controls for both the Cloud (Web) Version and the Desktop Version of Smarter Form.
3. Data Protection
3.1 Encryption
All data handled by Smarter Form is encrypted using industry-standard protocols:
- Data in transit: TLS 1.2 or higher
- Data at rest: AES-256
- Desktop Version: All data remains locally encrypted within the user’s device and local network, with no cloud sync unless explicitly configured by the user.
3.2 Access Controls
- Principle of Least Privilege (PoLP) applies to all system and administrative access.
- Multi-Factor Authentication (MFA) is mandatory for all administrative and privileged accounts.
- SSO or identity federation may be used where supported.
3.3 Password Security
- Strong password policies are enforced (length, complexity, rotation rules as applicable).
- Passwords are hashed using modern, secure algorithms (e.g., bcrypt, Argon2).
4. Data Transit Policy
Smarter Form enforces strict controls governing how data is transmitted within the platform.
4.1 Cloud (Web) Version
- User-submitted data is transmitted via encrypted HTTPS/TLS connections to Microsoft Azure cloud services.
- Data may be stored temporarily in Microsoft Azure Blob Storage in accordance with defined data retention rules.
- Submitter-to-Reviewer workflows (including document sharing, messaging, and commentary) are conducted using encrypted cloud-based routing.
4.2 Desktop Version
- All data transmission occurs locally within the User’s environment, including local devices, systems, or private networks, unless an external transfer is intentionally initiated by the user.
- No form data, personal data, or file attachments are transmitted to, routed through, or stored on Smarter Form cloud servers.
- Desktop Users may optionally export encrypted files or manually share documents at their discretion.
- The Desktop Version is required for the handling of High Risk and Critical Risk data, as defined in the Company’s Data Classification Schedule.
4.3 External Transfers
Where users export, transmit, or upload data outside the Smarter Form platform, responsibility for regulatory compliance, data protection, and lawful transfer rests solely with the user.
5. Data Storage & Usage Policy
5.1 Cloud (Web) Version
The Cloud (Web) Version is used solely for Low and Medium risk data categories, as defined in the Company’s Data Classification Schedule.
- Data is stored within a secured, third-party cloud service provider utilizing Microsoft Azure Blob Storage.
- All data is encrypted at rest using AES-256 encryption.
- Data is used strictly for workflow processing, secure storage, and analytics, in accordance with the Company’s Privacy Policy.
- Microsoft Azure provides infrastructure certified under SOC 2 Type II and ISO/IEC 27001 standards.
5.2 Desktop Version
The Desktop Version is mandatory for the handling of High Risk and Critical Risk data.
- All data is stored solely on the User’s local device, local system, or private network.
- The Company does not access, process, store, or retain any data handled by the Desktop Version.
- No cloud caching, cloud routing, or data replication occurs.
- All data usage and processing remain fully contained within the user’s controlled environment.
The Cloud Version may act as a temporary encrypted transit relay solely for the purpose of delivering Submitter data to the User’s Desktop Version. Such data is automatically and irreversibly deleted immediately after transmission. The Company does not store, retain, index, access, or process such data beyond transient technical transmission necessary to provide the Service. Such temporary technical transmission does not constitute data processing under applicable data protection laws.
5.3 Limited Encrypted Transit (Desktop Submissions)
Where required, the Cloud Version may function solely as a temporary, encrypted transit relay for the purpose of delivering submitter data to the user’s Desktop Version.
- Data transmitted in this manner is encrypted in transit and automatically and irreversibly deleted immediately upon successful delivery.
- The Company does not store, retain, index, access, analyze, or otherwise process such data beyond transient technical transmission.
- This limited, ephemeral transmission is performed solely to facilitate service delivery and does not constitute data processing, storage, or retention by the Company under applicable data protection laws.
5.4 Data Residency
The platform supports full data residency compliance for regulated industries and jurisdictions (e.g., Cayman Islands, EU, UK).
6. Secure Development
Smarter Form follows secure-by-design and secure-by-default development principles throughout the software lifecycle.
6.1 Code Review & Testing
- Peer review is mandatory for all code commits prior to deployment.
- Automated vulnerability scanning and third-party dependency checks are performed as part of the development pipeline.
- Security testing is conducted to identify and remediate known vulnerabilities before release.
6.2 OWASP Alignment
All development practices align with recognized industry security standards, including:
- OWASP Top 10
- Secure coding best practices
- Strict input validation, sanitization, authentication, and authorization controls
7. Data Retention
Smarter Form enforces clear and controlled data retention policies based on deployment model and data risk classification.
7.1 Cloud Version
- Submitted form data is retained for no longer than 90 days, unless a longer retention period is required by the user’s regulatory or compliance obligations.
- Upon expiration of the retention period, cloud-stored data is permanently and irreversibly deleted in accordance with secure deletion standards.
7.2 Desktop Version
- Data retention is fully controlled by the User or their organization.
- The Company does not access, enforce, manage, or retain data stored within the Desktop Version environment.
8. Incident Response
8.1 Monitoring
- Cloud infrastructure includes continuous monitoring, anomaly detection, and real-time alerting.
8.2 Response Procedures
The Company maintains a formal incident response program including:
- Identification
- Containment
- Eradication
- Recovery
- Post-incident analysis
8.3 Breach Notification
Affected parties and regulators (where applicable) are notified in accordance with legal requirements.
9. Third-Party Providers
9.1 Vendor Due Diligence
The Company engages only providers who meet the following standards:
- SOC 2
- ISO/IEC 27001
- GDPR / CCPA alignment
9.2 Cloud Infrastructure
- Primary provider: Microsoft Azure
- Infrastructure management: Teqassist Ltd.
9.3 Sub-Processors
Defined in the Company’s Privacy Policy.
10. Backup & Recovery
10.1 Cloud Version
- Daily encrypted backups stored in isolated Azure environments.
- No removable media.
- Automatic fail-over and redundancy.
10.2 Desktop Version (Backup & Recovery)
- Users are solely responsible for configuring, managing, and maintaining local backup and recovery procedures for data stored within the Desktop Version environment.
- The Company does not perform, manage, or retain backups of Desktop Version data.
11. Compliance
The Smarter Form platform is designed to align with applicable legal, regulatory, and industry standards, including:
- Cayman Islands Monetary Authority (CIMA) Cybersecurity Statement of Guidance
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability and Accountability Act (HIPAA), where applicable
- Other industry-specific data protection and regulatory obligations, as required by the user’s jurisdiction and sector
Routine internal and third-party assessments are conducted to support ongoing compliance and continuous risk management.
12. Continuous Improvement
Smarter Form maintains a continuous improvement program to proactively address evolving security and compliance risks, including:
- Regular penetration testing
- Continuous security auditing and monitoring
- Structured user feedback and review cycles
- Ongoing threat intelligence monitoring and security updates
13. Roles & Responsibilities
Clear accountability is maintained across all stakeholders.
13.1 Company
- The Company is responsible for maintaining platform security, system integrity, infrastructure, and applicable compliance controls within the Smarter Form platform.
- The Company is not responsible for any data exported, downloaded, stored, processed, or maintained by the user outside of the platform, including data residing on the user’s local device, local systems, or private networks.
13.2 Employees & Contractors
- Must comply with this policy and all related security procedures.
- Required to immediately report any suspected or confirmed security incidents.
13.3 Users
Users are responsible for maintaining secure usage practices, including:
- Using strong, unique passwords and secure authentication methods
- Maintaining safe device and endpoint security practices
- Avoiding the use of unsecured public Wi-Fi when accessing the platform
- Remaining vigilant and recognizing phishing, social engineering, and other security threats
14. Enforcement
Non-compliance may result in:
- Suspension of access
- Disciplinary action
- Termination of contracts
- Legal action in cases of gross negligence
15. Review Cycle
Reviewed at least annually or sooner where triggered by:
- Regulatory changes
- Platform updates
- New risks
16. Escalation & Complaints
Unresolved concerns may be escalated to legal counsel.
Users may contact the Office of the Ombudsman (Cayman Islands) via info@ombudsman.ky or channels listed in their “Contact Us” section.
Data Classification Schedule
| Classification Level | Definition | Examples | Permitted Platform Usage |
| --- | --- | --- | --- |
| Low Risk | Public or non-sensitive data | Company or individual name; registered office address; country of incorporation; public registry extracts; published annual reports; general public information or documents | Web (Cloud) Version or Desktop Version |
| Medium Risk | Confidential data with minimal impact if disclosed | Contact information; unsigned (draft) agreements; general corporate documents (e.g. certificate of incorporation, articles of association, etc.); share class details (without ownership identity) | Web (Cloud) Version or Desktop Version |
| High Risk | Sensitive data where unauthorized access may cause financial, regulatory, or reputational harm | Signed contracts and agreements; registers of shareholders; trust deeds (excluding beneficiary details); Source of Funds summaries; internal risk assessments | Desktop Version Only (not allowed in cloud) |
| Critical Risk | Highly sensitive data whose exposure could lead to severe regulatory penalties or personal harm | Full KYC files (ID + verification + risk profile); beneficial ownership structures with control details; trust beneficiary identities and entitlements; financial account, tax, or social security numbers; regulatory filings containing personal data; biometrics | Desktop Version Only (not allowed in cloud) |