Information Security Policy
VIDLOFT, LLC
Effective Date: July 9, 2025
1. Purpose
This policy outlines VidLoft’s approach to protecting customer and company data from unauthorized access, disclosure, alteration, or destruction. While we are a lean startup, we take data security seriously and implement reasonable safeguards aligned with our operational scale.
2. Scope
This policy applies to all VidLoft employees, contractors, and systems that handle customer data or are part of the company’s core infrastructure.
3. Data Classification
- Basic PII: Customer names, email addresses, and billing contact info.
- Customer Content: Video files that may contain incidental biometric data (faces, voices).
- Financial Info: Invoicing data stored in Xero; all credit card data managed exclusively by Stripe.
4. System Access
- All VidLoft staff may access customer content and user account data via internal tools.
- Only the Founder and Head of Development have access to backend systems (e.g., AWS S3, platform databases) and infrastructure logs.
- Access to sensitive systems is granted on a need-to-know basis, with administrative privileges restricted.
5. Security Practices
- Two-Factor Authentication (2FA) is required for all services where available.
- All team members use a password manager (currently LastPass) to ensure strong and unique credentials.
- Full device encryption is enforced for all company devices (Mac and Windows).
- Separation of personal and work accounts is mandatory.
- All staff and contractors with access to systems or data are required to sign NDAs.
6. Vendor & Platform Security
We rely on several trusted third-party platforms that are contractually and technically responsible for securing data processed within their systems:
- AWS – infrastructure and video storage
- Stripe – payment processing (PCI DSS compliant)
- Frame.io – video collaboration and review
- Xero – billing and invoicing
- Adobe Creative Suite – internal video editing
7. Incident Response
All team members are instructed to immediately notify the Founder upon discovery of any potential security breach or data exposure. The Founder will assess the situation and coordinate response efforts, including customer notification within 48 hours when appropriate.
8. Contractor Policy
Security requirements for contractors vary by role. Those who access customer data, internal systems, or proprietary processes must follow the same security requirements as employees. Short-term or peripheral contractors (e.g., makeup artists) are excluded unless granted system access.
9. Physical Security
VidLoft operates from a secured office within a controlled-access building.
- Access to the building and our office is restricted via electronic access control systems.
- Only authorized staff are granted physical access credentials.
- Guests must be accompanied at all times and are not permitted to access workstations or be left unattended.
- Team members must lock or put their computers to sleep whenever stepping away from their desks.
10. Policy Review
This policy will be reviewed annually or upon any material change in company operations or applicable regulations.