<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[ZUAR Corporate Policies]]></title><description><![CDATA[ZUAR Corporate Policies]]></description><link>https://www.zuar.com/policies/</link><image><url>https://www.zuar.com/policies/favicon.png</url><title>ZUAR Corporate Policies</title><link>https://www.zuar.com/policies/</link></image><generator>Ghost 2.37</generator><lastBuildDate>Wed, 01 Jul 2026 14:48:59 GMT</lastBuildDate><atom:link href="https://www.zuar.com/policies/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Overview]]></title><description><![CDATA[ZUAR Corporate Policy Overview]]></description><link>https://www.zuar.com/policies/overview/</link><guid isPermaLink="false">5f7747f3cfb4a40001dd8044</guid><category><![CDATA[Getting Started]]></category><dc:creator><![CDATA[Matthew Laue]]></dc:creator><pubDate>Fri, 02 Oct 2020 15:32:08 GMT</pubDate><content:encoded><![CDATA[<p>Please contact Zuar, Inc. at security@zuar.com with any error or omissions found in these pages.</p>]]></content:encoded></item><item><title><![CDATA[Anti-Harassment and Complaint Procedure]]></title><description><![CDATA[<h2 id="objective">Objective</h2><p>Zuar strives to create and maintain a work environment in which people are treated with dignity, decency and respect. The environment of the company should be characterized by mutual trust and the absence of intimidation, oppression and exploitation. 
Zuar will not tolerate unlawful discrimination or harassment of any kind.</p>]]></description><link>https://www.zuar.com/policies/anti-harassment-policy-and-complaint-procedure/</link><guid isPermaLink="false">5f79151a1166d60001c161f6</guid><category><![CDATA[Company]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Sun, 04 Oct 2020 00:35:28 GMT</pubDate><content:encoded><![CDATA[<h2 id="objective">Objective</h2><p>Zuar strives to create and maintain a work environment in which people are treated with dignity, decency and respect. The environment of the company should be characterized by mutual trust and the absence of intimidation, oppression and exploitation. Zuar will not tolerate unlawful discrimination or harassment of any kind. Through enforcement of this policy and by education of employees, Zuar will seek to prevent, correct and discipline behavior that violates this policy.</p><p>All employees, regardless of their positions, are covered by and are expected to comply with this policy and to take appropriate measures to ensure that prohibited conduct does not occur. Appropriate disciplinary action will be taken against any employee who violates this policy. 
Based on the seriousness of the offense, disciplinary action may include verbal or written reprimand, suspension, or termination of employment.</p><p>Managers and supervisors who knowingly allow or tolerate discrimination, harassment or retaliation, including the failure to immediately report such misconduct to senior leadership or a corporate officer, are in violation of this policy and subject to discipline.</p><h2 id="prohibited-conduct-under-this-policy">Prohibited Conduct Under This Policy</h2><p>Zuar, in compliance with all applicable federal, state and local anti-discrimination and harassment laws and regulations, enforces this policy in accordance with the following definitions and guidelines:</p><h3 id="discrimination">Discrimination</h3><p>It is a violation of Zuar's policy to discriminate in the provision of employment opportunities, benefits or privileges; to create discriminatory work conditions; or to use discriminatory evaluative standards in employment if the basis of that discriminatory treatment is, in whole or in part, the person's race, color, national origin, age, religion, disability status, sex, sexual orientation, gender identity or expression, genetic information or marital status.</p><p>Discrimination of this kind may also be strictly prohibited by a variety of federal, state and local laws, including Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act of 1967 and the Americans with Disabilities Act of 1990. This policy is intended to comply with the prohibitions stated in these anti-discrimination laws.</p><p>Discrimination in violation of this policy will be subject to disciplinary measures up to and including termination.</p><h3 id="harassment">Harassment</h3><p>Zuar prohibits harassment of any kind, including sexual harassment, and will take appropriate and immediate action in response to complaints or knowledge of violations of this policy. 
For purposes of this policy, harassment is any verbal or physical conduct designed to threaten, intimidate or coerce an employee, co-worker, or any person working for or on behalf of Zuar.</p><p>The following examples of harassment are intended to be guidelines and are not exclusive when determining whether there has been a violation of this policy:</p><ul><li>Verbal harassment includes comments that are offensive or unwelcome regarding a person's national origin, race, color, religion, age, sex, sexual orientation, pregnancy, appearance, disability, gender identity or expression, marital status or other protected status, including epithets, slurs and negative stereotyping.</li><li>Nonverbal harassment includes distribution, display or discussion of any written or graphic material that ridicules, denigrates, insults, belittles or shows hostility, aversion or disrespect toward an individual or group because of national origin, race, color, religion, age, gender, sexual orientation, pregnancy, appearance, disability, sexual identity, marital status or other protected status.</li></ul><h3 id="sexual-harassment">Sexual harassment</h3><p>Sexual harassment is a form of unlawful employment discrimination under Title VII of the Civil Rights Act of 1964 and is prohibited under Zuar's anti-harassment policy. According to the Equal Employment Opportunity Commission (EEOC), sexual harassment is defined as "unwelcome sexual advances, requests for sexual favors, and other verbal or physical conduct of a sexual nature ... when ... submission to or rejection of such conduct is used as the basis for employment decisions ... or such conduct has the purpose or effect of ... 
creating an intimidating, hostile or offensive working environment."</p><p>Sexual harassment occurs when unsolicited and unwelcome sexual advances, requests for sexual favors, or other verbal or physical conduct of a sexual nature: </p><ul><li>Is made explicitly or implicitly a term or condition of employment.</li><li>Is used as a basis for an employment decision.</li><li>Unreasonably interferes with an employee's work performance or creates an intimidating, hostile or otherwise offensive environment.</li></ul><p>Sexual harassment may take different forms. The following examples of sexual harassment are intended to be guidelines and are not exclusive when determining whether there has been a violation of this policy:</p><ul><li>Verbal sexual harassment includes innuendoes, suggestive comments, jokes of a sexual nature, sexual propositions, lewd remarks and threats; requests for any type of sexual favor (this includes repeated, unwelcome requests for dates); and verbal abuse or "kidding" that is oriented toward a prohibitive form of harassment, including that which is sexual in nature and unwelcome.</li><li>Nonverbal sexual harassment includes the distribution, display or discussion of any written or graphic material, including calendars, posters and cartoons that are sexually suggestive or show hostility toward an individual or group because of sex; suggestive or insulting sounds; leering; staring; whistling; obscene gestures; content in letters, notes, facsimiles, e-mails, photos, text messages, tweets and Internet postings; or other forms of communication that are sexual in nature and offensive.</li><li>Physical sexual harassment includes unwelcome, unwanted physical contact, including touching, tickling, pinching, patting, brushing up against, hugging, cornering, kissing, fondling, and forced sexual intercourse or assault.</li></ul><p>Courteous, mutually respectful, pleasant, noncoercive interactions between employees that are appropriate in the workplace and 
acceptable to and welcomed by both parties are not considered to be harassment, including sexual harassment.</p><p><em>Consensual Romantic or Sexual Relationships</em></p><p>Zuar strongly discourages romantic or sexual relationships between a manager or other supervisory employee and an employee who reports directly or indirectly to that person, because such relationships tend to create compromising conflicts of interest or the appearance of such conflicts. In addition, such a relationship may give rise to the perception by others that there is favoritism or bias in employment decisions affecting the staff employee. Moreover, given the uneven balance of power within such relationships, consent by the staff member is suspect and may be viewed by others, or at a later date by the staff member, as having been given as the result of coercion or intimidation. The atmosphere created by such appearances of bias, favoritism, intimidation, coercion or exploitation undermines the spirit of trust and mutual respect that is essential to a healthy work environment. If there is such a relationship, the parties need to be aware that one or both may be moved to a different department or other actions may be taken.</p><p>If any employee of Zuar enters into a consensual relationship that is romantic or sexual in nature with an employee who reports directly or indirectly to that employee, or if one of the parties is in a supervisory capacity in the same department in which the other party works, the parties must notify a corporate officer. Because of potential issues regarding quid pro quo harassment, Zuar has made reporting mandatory. 
This requirement does not apply to employees who do not work in the same department or to parties where neither one supervises or otherwise manages responsibilities over the other.</p><p>Once the relationship is made known to Zuar, the company will review the situation in light of all the facts (reporting relationship between the parties, effect on co-workers, job titles of the parties, etc.) and will determine whether one or both parties need to be moved to another job or department. If it is determined that one party must be moved, and there are jobs in other departments available for both, the parties may decide who will be the one to apply for a new position. If the parties cannot amicably come to a decision, or the party is not chosen for the position to which he or she applied, senior management will decide which party will be moved. That decision will be based on which move will be least disruptive to the organization as a whole. If no other jobs are available for either party, the parties will be given the option of terminating their relationship or resigning.</p><h3 id="retaliation">Retaliation</h3><p>No hardship, loss, benefit or penalty may be imposed on an employee in response to:</p><ul><li>Filing or responding to a bona fide complaint of discrimination or harassment.</li><li>Appearing as a witness in the investigation of a complaint.</li><li>Serving as an investigator of a complaint.</li></ul><p>Lodging a bona fide complaint will in no way be used against the employee or have an adverse impact on the individual's employment status. 
However, filing groundless or malicious complaints is an abuse of this policy and will be treated as a violation.</p><p>Any person who is found to have violated this aspect of the policy will be subject to discipline up to and including termination of employment.</p><h2 id="confidentiality">Confidentiality</h2><p>All complaints and investigations are treated confidentially to the extent possible, and information is disclosed strictly on a need-to-know basis. The identity of the complainant is usually revealed to the parties involved during the investigation, and senior leadership will take adequate steps to ensure that the complainant is protected from retaliation during and after the investigation. All information pertaining to a complaint or investigation under this policy will be maintained in secure files in accordance with Zuar data retention policy.</p><h2 id="complaint-procedure">Complaint procedure</h2><p>Zuar has established the following procedure for lodging a complaint of harassment, discrimination or retaliation. The company will treat all aspects of the procedure confidentially to the extent reasonably possible.</p><ol><li>Complaints should be submitted as soon as possible after an incident has occurred, preferably in writing. 
A corporate officer may assist the complainant in completing a written statement or, in the event an employee refuses to provide information in writing, the appropriate corporate officer will dictate the verbal complaint.</li><li>Upon receiving a complaint or being advised by a supervisor or manager that violation of this policy may be occurring, the corporate officer will notify senior management and review the complaint with the company's legal counsel.</li><li>Senior leadership will initiate an investigation to determine whether there is a reasonable basis for believing that the alleged violation of this policy occurred.</li><li>If necessary, the complainant and the respondent will be separated during the course of the investigation, either through internal transfer or administrative leave.</li><li>During the investigation, senior leadership, together with legal counsel or other management employees, will interview the complainant, the respondent and any witnesses to determine whether the alleged conduct occurred.</li><li>Upon conclusion of an investigation, the appropriate senior leader or other person conducting the investigation will submit a written report of his or her findings to the company. If it is determined that a violation of this policy has occurred, senior leadership will recommend appropriate disciplinary action. The appropriate action will depend on the following factors:</li></ol><ul><li>the severity, frequency and pervasiveness of the conduct;</li><li>prior complaints made by the complainant;</li><li>prior complaints made against the respondent; and</li><li>the quality of the evidence (e.g., firsthand knowledge, credible corroboration). 
</li></ul><p>If the investigation is inconclusive or if it is determined that there has been no violation of policy but potentially problematic conduct may have occurred, senior leadership may recommend appropriate preventive action.</p><p>Senior management will review the investigative report and any statements submitted by the complainant or respondent, discuss results of the investigation with other management staff as appropriate, and decide what action, if any, will be taken.</p><p>Once a final decision is made by senior management, the appropriate corporate officer will meet with the complainant and the respondent separately and notify them of the findings of the investigation. If disciplinary action is to be taken, the respondent will be informed of the nature of the discipline and how it will be executed.</p><h3 id="alternative-legal-remedies">Alternative legal remedies</h3><p>Nothing in this policy may prevent the complainant or the respondent from pursuing formal legal remedies or resolution through local, state or federal agencies or the courts.</p>]]></content:encoded></item><item><title><![CDATA[Confidentiality and Inventions]]></title><description><![CDATA[<h2 id="objective">Objective</h2><p>This policy summarizes Zuar employees’ responsibilities as they relate to confidentiality and inventions. 
The objective of the policy is to further the interests of Zuar and to permit Zuar to comply with its obligations, including obligations to its licensors and actual and prospective customers and others with whom Zuar</p>]]></description><link>https://www.zuar.com/policies/confidentiality-and-inventions/</link><guid isPermaLink="false">5f79235b1166d60001c16323</guid><category><![CDATA[Company]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Sun, 04 Oct 2020 01:21:52 GMT</pubDate><content:encoded><![CDATA[<h2 id="objective">Objective</h2><p>This policy summarizes Zuar employees’ responsibilities as they relate to confidentiality and inventions. The objective of the policy is to further the interests of Zuar and to permit Zuar to comply with its obligations, including obligations to its licensors and actual and prospective customers and others with whom Zuar may have similar obligations regarding confidentiality and inventions.</p><h3 id="ownership-of-employee-inventions">Ownership of Employee Inventions</h3><p>By accepting employment, an employee agrees that Zuar will own any and all inventions that, in its opinion, are made on company time or with company assets, that relate to Zuar’s business, or that are required to meet its obligations, and that the employee will assist Zuar in perfecting and protecting its title to these inventions.</p><h3 id="protection-of-confidential-company-information">Protection of Confidential Company Information</h3><p>During the course of their employment at Zuar, employees may have access to Zuar’s confidential, secret and proprietary information. Employees should maintain such information in confidence and use such information only in the interest of Zuar.</p><p>The employee may use or disclose information learned or acquired through his or her association with Zuar only for the performance of his or her job or as otherwise permitted by law. 
Particular care must be taken to keep confidential any information that is:</p><ul><li>Of possible value to competitors.</li><li>Potentially damaging to customers and their competitors.</li><li>Information received under an express or implied secrecy obligation.</li><li>Information received from third parties outside Zuar.</li></ul><p>Confidential company information is just for Zuar’s use and is not intended for distribution outside the company. Distribution of such information requires both a need to know and a right to know the information requested.</p><p>Information acquired by an employee in the course of his or her employment with Zuar must not be used for the employee’s individual benefit. Access to Zuar’s confidential information does not carry with it personal benefit or advantage to Zuar employees but imposes an obligation on every employee to keep such information confidential and to use it solely in the interest of Zuar.</p><p>When in doubt, the employee should treat information acquired in the course of employment at Zuar in the strictest confidence and consult the legal group or the CEO for clarification.</p>]]></content:encoded></item><item><title><![CDATA[Acceptable Use Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to outline the acceptable use of computer equipment and systems at Zuar. Acceptable use requirements are designed to safeguard sensitive Zuar customer data, and to protect the company and its employees. 
Inappropriate use may expose Zuar to legal issues, cyber attacks and breaches,</p>]]></description><link>https://www.zuar.com/policies/acceptable-use-policy/</link><guid isPermaLink="false">683e20bee15c820001be39bd</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:08:58 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to outline the acceptable use of computer equipment and systems at Zuar. Acceptable use requirements are designed to safeguard sensitive Zuar customer data, and to protect the company and its employees. Inappropriate use may expose Zuar to legal issues, cyber attacks and breaches, and other risks.</p><h2 id="scope">Scope</h2><p>This policy applies to the use of all company-provided IT resources, regardless of their geographic location, and to all Zuar employees and contractors.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>Zuar assets are primarily intended for business purposes. 
Users are responsible for exercising good judgment regarding appropriate personal use of company resources, such that this use does not negatively impact Zuar in any way.</p><h2 id="acceptable-use">Acceptable Use</h2><p>The Acceptable Use Policy outlines the acceptable use of computer equipment and systems at the company.</p><h2 id="general-use">General Use</h2><h3 id="general-use-and-ownership">General Use and Ownership</h3><ul><li>Zuar proprietary and confidential information stored on electronic and computing devices remains the sole property of Zuar, whether the devices themselves are owned by Zuar, an employee, or a third party.</li><li>Theft, loss, or unauthorized disclosure of Zuar proprietary and confidential information must be promptly reported.</li><li>Access, use, or sharing of Zuar proprietary information is allowed only to the extent it is both authorized and necessary to fulfill the employee's assigned job duties.</li><li>Good judgment must be exercised regarding the reasonableness of personal use of company-provided equipment.</li><li>Software must be properly licensed, free of malicious code, and authorized, before it is installed on company-owned or managed assets.</li></ul><h3 id="security-and-proprietary-information">Security and Proprietary Information</h3><ul><li>System and individual user passwords must comply with the Authentication and Password Policy.</li><li>Providing one's personal access credentials to another individual, either deliberately or through failure to secure them, is prohibited. 
Passwords for individual accounts may not be shared.</li><li>Employees are required to secure equipment and log out of or lock systems when leaving them unattended for any period of time.</li><li>All computing devices must be configured such that their use requires entering a password after at most 15 minutes of inactivity.</li><li>Employees must use extreme caution when opening email attachments, particularly those received from unknown senders, as any attachment may contain malware.</li><li>Employees must encrypt their devices if asked, and must not interfere with or reduce the level of encryption on their devices.</li><li>Employees should install operating system security updates onto their devices if asked to do so, or if prompted by the system's automatic updates feature. Employees should also be proactive about applying system security updates to their devices.</li><li>Employees must be mindful of sensitive information, whether on paper or in electronic form.</li><li>Sensitive information must be secured when left unattended, and kept out of sight when visitors are present.</li><li>Electronic media and papers that contain sensitive data must be sanitized or destroyed as soon as that data is no longer needed.</li></ul><h3 id="prohibited-use">Prohibited use</h3><p>The following activities and actions are prohibited.</p><ul><li>Using Zuar information assets in any way that violates international, federal, state, or local law or regulations or violates any Zuar policy or procedure.</li><li>Accessing data by logging into a server or account that one is not explicitly authorized to access, or accessing data in excess of one's authority.</li><li>Copying, moving, or storing sensitive customer information without a strong business need.</li><li>Sharing individual user credentials (passwords, private keys, etc.).</li><li>Sharing team or group credentials outside the authorized scope of the team or group.</li><li>Unauthorized disclosure, release, or transmission 
of any company data.</li><li>Downloading, storing, duplicating, distributing, printing, or otherwise using copyrighted, patented, or trademarked material from any source (including both published works as well as the internet) without the owner's permission.</li><li>Taking actions that are intended to breach, or may result in a breach of, Zuar's or any other company's or individual's security, confidentiality or privacy. These actions include (but are not limited to):<ul><li>Taking actions intended to capture information to which the user is not authorized.</li><li>Circumventing, misusing, or exceeding any authentication, privilege, or security mechanism.</li></ul></li><li>Impersonating any person or entity or falsely stating or otherwise misrepresenting affiliation with a person or entity.</li><li>Interfering with or denying service to any authorized user or process.</li><li>Taking actions meant to disrupt, trick, circumvent, or hide disallowed actions, including (but not limited to) flooding, spoofing, forging data, or causing a denial of service.</li><li>Writing, modifying or distributing computer viruses, Trojan horses, worms, or any other form of malicious software.</li><li>Taking any action for malicious purposes, or in any manner negatively impacting the interests of the company.</li><li>Assisting others in activities which violate this or other Zuar policies and standards, or authorizing others to perform such activities.</li><li>Introducing honeypots, honeynets, or similar technology to company resources, unless explicitly authorized as part of Zuar's security program.</li></ul>]]></content:encoded></item><item><title><![CDATA[Access Control Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish the principles and guidelines for controlling access to systems owned by Zuar.</p><h2 id="scope">Scope</h2><p>The policy applies to all employees and contractors, and the accounts they use in connection with 
fulfilling their responsibilities to Zuar.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing</p>]]></description><link>https://www.zuar.com/policies/access-control-policy-2/</link><guid isPermaLink="false">683e21abe15c820001be39d0</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:12:56 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish the principles and guidelines for controlling access to systems owned by Zuar.</p><h2 id="scope">Scope</h2><p>The policy applies to all employees and contractors, and the accounts they use in connection with fulfilling their responsibilities to Zuar.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>Access to systems at Zuar must be controlled to ensure only authorized users and applications can access customer and corporate data. Access and access controls must abide by the following principles:</p><ul><li>Deny-by-default: Access must be denied by default. Gaining access requires an explicit configuration step.</li><li>Least-privilege: Users and processes must be granted the lowest permission level necessary to perform their role.</li><li>Auditability: Access grants are explicitly requested and approved, and an audit trail is persisted.</li></ul><h2 id="least-privilege-access">Least-privilege access</h2><p>Access to sensitive systems and resources is granted based on the principle of least privilege.</p><p>The Principle of Least Privilege states that a subject should be given only the privileges needed to complete their task or responsibility. If a subject does not need an access right, the subject should not have that right. 
In addition, the assignment of rights to a subject should be based on that subject's function and role, rather than the subject's identity or rank.</p><p>Each Zuar employee and contractor has limited access to Zuar systems, data and applications. Access is always provisioned to the minimum necessary for the individual to perform their duties and serve the business purpose of their role.</p><p>The Principle of Least Privilege is applied not only to user accounts, but also to application-to-application service accounts, machine roles, operating system permissions, private interfaces, as well as the entire publicly-accessible surface of Zuar's systems. Each permission context is reviewed to ensure that only the minimum required rights are granted.</p><p>In order to refine access grants over time, and bolster the initial role-based approach, automated tools may be used to continuously monitor access privileges and flag unused ones to be reviewed for revocation.</p><h3 id="role-based-access-control">Role-based access control</h3><p>Defined permission roles are utilized to assign and segregate access privileges to data and systems.</p><p>In a role-based access control approach, access to resources is determined based on roles that reflect a user's set of responsibilities, rather than granted individually for each user. 
A role-based approach reduces permission customization, improves scalability as teams grow, reduces the likelihood of misconfigured permission settings, and simplifies the access review process.</p><p>A default least-privilege role allows for easy onboarding of new users, and reduces the likelihood that users are granted more access than they need.</p><p>Zuar employees are granted access to systems according to their role and their team.</p><p>If a Zuar employee requires access outside of that provided by their role or team, the employee initiates an access request following the policy outlined in the "requesting and approving access" section.</p><h3 id="requesting-and-approving-access">Requesting and approving access</h3><p>Access to systems is requested by filing an internal access request ticket specifying the need for the access. Access is approved by the respective manager and granted by administrators based on a least-privilege principle.</p><p>Initial access to systems is granted as part of the employee onboarding process, which is documented in full in Zuar's internal knowledge base. Access requests for new employees are typically filed by the employee's manager. The ticket trail must contain an explicit approval by the owner of the respective system.</p><h3 id="temporary-access">Temporary access</h3><p>Additional access with privileges exceeding those necessitated by regular duties may be granted on a temporary basis. Each temporary access grant must be accompanied by a valid business purpose, such as an ongoing incident or an operational alert that may lead to an incident if not resolved.</p><p>In all cases, access must be revoked immediately once the original business need for the grant no longer exists.</p><p>Temporary access grants must be treated as an exception and kept to a minimum. 
Recurring exceptions must be investigated, and the necessary tooling must be created to alleviate the need for repeated privilege escalation.</p><h3 id="termination-process">Termination process</h3><p>Termination checklists are executed upon separation from an employee or contractor to ensure asset return, and prompt and complete access revocation.</p><p>To ensure access is revoked immediately, Operations or the manager of the departing employee or contractor must file an offboarding ticket as soon as access is no longer needed.</p><h3 id="role-changes">Role changes</h3><p>An equivalent access revocation checklist is executed when employees change roles within Zuar. New roles may require substantially different access profiles, so it is important that such an event is handled consistently.</p><h2 id="related-controls">Related Controls</h2><ul><li>Administrative access</li><li>Role-based access control</li><li>Least-privilege access</li><li>Requesting and approving access</li><li>Termination process</li></ul>]]></content:encoded></item><item><title><![CDATA[Asset Management Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to outline guidelines and practices to protect IT assets used to access sensitive customer or company data, and ensure any such access maintains the security and confidentiality of the data.</p><h2 id="scope">Scope</h2><p>This policy applies to Zuar's physical IT assets, such as laptops, tablets,</p>]]></description><link>https://www.zuar.com/policies/asset-management-policy/</link><guid isPermaLink="false">683e21f6e15c820001be39de</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:13:34 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to outline guidelines and practices to protect IT assets used to access sensitive customer or company data, and ensure any such 
access maintains the security and confidentiality of the data.</p><h2 id="scope">Scope</h2><p>This policy applies to Zuar's physical IT assets, such as laptops, tablets, and smartphones, and all employees and contractors that use them. It also applies to employee-owned devices used to access company information.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><h3 id="inventory">Inventory</h3><p>The company maintains an inventory of IT infrastructure devices.</p><p>Maintaining a complete asset inventory is necessary for keeping IT assets and the data they access and process secure. While Zuar considers its employees' workstations its most critical physical assets to inventory, it may additionally track other asset types, such as company-provided mobile devices or networking office equipment. The policy owner is responsible for maintaining an inventory of these assets using automated or manual means.</p><p>Each asset in the inventory is assigned an owner, typically representing its primary user. The asset owner is responsible for complying with relevant sections of the Acceptable Use and Asset Management policies. 
If an asset is reassigned to another employee, the asset's ownership record should be updated to reflect this change.</p><p>Company-owned IT assets which do not process or access customer data, such as printers or scanners, have no impact on data security and as such may be excluded from the inventory.</p><h2 id="related-controls">Related Controls</h2><ul><li>Inventory</li></ul>]]></content:encoded></item><item><title><![CDATA[Authentication & Password Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>This policy describes Zuar's requirements with regards to account authentication, including how passwords should be generated, used, and protected.</p><h2 id="scope">Scope</h2><p>The policy applies to all employees and contractors, and the accounts they use in connection with fulfilling their responsibilities to Zuar.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and</p>]]></description><link>https://www.zuar.com/policies/audit-logging-policy/</link><guid isPermaLink="false">683e223ee15c820001be39e6</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:20:29 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>This policy describes Zuar's requirements with regards to account authentication, including how passwords should be generated, used, and protected.</p><h2 id="scope">Scope</h2><p>The policy applies to all employees and contractors, and the accounts they use in connection with fulfilling their responsibilities to Zuar.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>The overall intent of the policy is to ensure that employees use strong credentials, leverage Single Sign-on (SSO) to reduce the need to maintain one set of credentials for each system, store them securely, and use Multi-factor 
authentication (MFA) at least for the most sensitive systems.</p><h3 id="single-sign-on-sso-">Single sign-on (SSO)</h3><p>The company leverages SSO authentication for sensitive systems, wherever available.</p><p>Zuar's main Identity Provider is used as its SSO provider.</p><p>SSO usage reduces risk by centralizing authentication requirements and enforcement points. It improves employee productivity by reducing the number of credentials they must manage.</p><h3 id="multi-factor-authentication-mfa-">Multi-factor authentication (MFA)</h3><p>Access to sensitive systems requires multi-factor authentication.</p><p>Multi-factor (or two-factor) authentication (MFA) has been designated as the preferred method of authentication by NIST (800-63 Digital Identity Guidelines, https://pages.nist.gov/800-63-3/) since 2017. MFA strengthens security by requiring at least one additional factor, in addition to a password, to verify identity. The additional factor is something the user has (such as their phone) or something they are (such as their fingerprint). Since a password is no longer the only means of authentication, and since these other factors are inherently different in nature from memorized secrets, MFA significantly increases the difficulty bar for executing a successful attack. 
In addition, by not relying solely on password verification for authentication, MFA eliminates the need for periodic password rotation and reduces password fatigue.</p><p>Multi-factor authentication is, at a minimum, required for all systems classified to contain sensitive data as per the Data Classification Policy, and strongly recommended for all other systems.</p><p>MFA support is a requirement for the adoption of new systems expected to store sensitive data.</p><p>For systems storing customer PII and other regulated data, MFA must be enforced: users should not be able to disable the second factor and retain access to these systems, and access to these systems without a second factor should not be possible.</p><h3 id="password-management-tool">Password management tool</h3><p>All users with privileged access to sensitive systems are required to use a password management solution.</p><p>Password management software improves both convenience and security. A master password is more likely to be long and unique, since only that password needs to be remembered in order for the user to gain easy access to all their other accounts and passwords.</p><p>In addition, password managers facilitate generating and using passwords that are unique for each account and significantly stronger than those the typical human can remember.</p><p>A user's master password should be memorized and never recorded or shared. Since a password management system is only as secure as the master password used to unlock it, this password should be as long as possible, and should never be reused.</p><p>Some password managers also allow secure sharing of credentials, for cases where unique credentials are not required or available. 
While unique credentials are always preferred, using these sharing mechanisms is encouraged over sharing credentials through other, less secure channels.</p><h3 id="unique-user-ids">Unique User IDs</h3><p>Individual accounts are required for access to systems storing or processing sensitive information. Unique IDs allow for granular, least-privilege access which minimizes the impact of any single compromised user account. They also improve accountability since every action in an audit trail can be directly associated with a unique individual.</p><p>User IDs and passwords are used to control access to Zuar systems and may not be disclosed to any other employee for any reason.</p><p>Sharing of credentials is only permitted for systems storing data with low sensitivity as per the Data Classification Policy, or upon the explicit approval of the CEO. Access must still be restricted to the smallest teams and there must be an established business need. Any shared credentials must be rotated upon the departure of any employee in the share group. Sharing is best done using a Password Management system or a secure password vault.</p><h3 id="password-configurations">Password Configurations</h3><p>Password configuration settings are managed in compliance with the company's Password Policy.</p><p>Strong passwords are defined as:</p><ul><li>Having a minimum length of 12 characters, with the maximum allowed length being no shorter than 64 characters.</li><li>Containing multiple character types, such as numbers, uppercase, lowercase, and special characters, though these are not required and should not be enforced, and longer passwords are preferred over more complex ones.</li><li>"Longer is stronger". While special characters increase the strength of a password, length is ultimately the biggest contributing factor to its quality. Longer passwords have a greater number of possible combinations, thus making them harder to brute-force.</li><li>Not appearing in a list of commonly-known weak passwords. 
One such list is maintained at https://cry.github.io/nbp/.</li><li>Not having been previously used in this or any other systems. Systems should keep a history of previous passwords and disallow reuse; please refer to the Encryption Policy for details on how these can be securely stored and accessed.</li><li>Not containing easily discoverable personal information such as birthdays, addresses, phone numbers, family names, pet names, friend names, company name, company slogans, co-worker names and favorite popular characters.</li><li>Not containing personal information specified above with common modifications such as substituting '1' for 'i', '0' for 'o', or '@' for 'a'.</li></ul><p>Strong passwords are required for all systems classified to contain sensitive data as per the Data Classification Policy, and strongly recommended for all other systems.</p><p>The ability to enforce or monitor for strong passwords is a requirement for the adoption of new systems expected to store sensitive data.</p><h3 id="password-handling">Password handling</h3><p>Password storage must be encrypted. Passwords should not be written down physically (in notebooks, sticky notes, etc.) or be stored unencrypted on any device.</p><p>Passwords must not be emailed or sent via other messaging and communication methods. Initial passwords for new accounts are exempt from this rule, but must be changed by the new account holder on first use, as detailed below.</p><p>Passwords submitted for authentication purposes must only be transmitted via encrypted channels.</p><p>Passwords may not be reused across multiple accounts, including between personal and work accounts. Any reused passwords increase the impact of a single compromised account.</p><p>Users who believe their account has been compromised are required to immediately reset their password and promptly report the incident to the CEO. 
Breached credentials must be changed and never used again.</p><p>In systems where a password is automatically generated upon account creation or password reset, the user is required to change their temporary password to a permanent one upon first login. To reduce the risk of a complete set of temporary credentials falling into the wrong hands, each part of the credential (password, email, username, etc.) must be communicated out-of-band and in a separate channel.</p><h2 id="related-controls">Related Controls</h2><ul><li>Password management tool</li><li>Single sign-on (SSO)</li><li>Multi-factor authentication (MFA)</li><li>Password Configurations</li></ul>]]></content:encoded></item><item><title><![CDATA[Backup Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to institute the necessary controls to mitigate the accidental loss of Zuar data. These controls assume that events such as accidental data corruption, deletion, or destruction will occur, and mitigate the impact of such events by maintaining reliable backup copies from which data</p>]]></description><link>https://www.zuar.com/policies/backup-policy/</link><guid isPermaLink="false">683e23d6e15c820001be39f9</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:21:46 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to institute the necessary controls to mitigate the accidental loss of Zuar data. 
These controls assume that events such as accidental data corruption, deletion, or destruction will occur, and mitigate the impact of such events by maintaining reliable backup copies from which data can be readily restored.</p><h2 id="scope">Scope</h2><p>This policy applies to all Zuar systems storing data classified as Customer Confidential, as defined in the Data Classification Policy.</p><h2 id="ownership">Ownership</h2><p>Engineering is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>Customer data stored on Zuar infrastructure is backed up in order to mitigate the impact of events such as:</p><ul><li>Accidental deletion by customer or employee</li><li>Corruption of data due to software or human error</li><li>General system failure</li><li>Physical or environmental disaster at a data center site</li><li>External attack resulting in stolen or ransomed data</li></ul><p>In order to ensure timely and reliable restoration of data, Zuar backup and restore procedures are tested on a periodic basis. Data backups are protected with security equal to or greater than that of the original system where said data was stored. Backup copies are retained for a sufficient period of time to ensure that data loss events can be mitigated even in the event of multiple, concurrent system failures or unforeseen incidents.</p><h3 id="backup-plan">Backup Plan</h3><p>Customer data is automatically backed up according to a backup configuration schedule described in the Backup Policy.</p><p>Full backups of Zuar production databases are performed weekly and up to four generational backups are maintained. Where available, database transaction logs are enabled and retained to support point-in-time recovery.</p><p>Customer data stored in cloud storage such as S3 or GCS may be backed up using those systems' built-in versioning capabilities. 
Versioned systems record version history for each stored object, and offer the ability to restore that object to any previously saved state. Versioning is typically simpler to operate and more cost-efficient than full backup snapshots, especially for file objects that change less frequently.</p><h3 id="restore-testing">Restore Testing</h3><p>Backup restore tests are performed at least quarterly and ensure that the restored system works end-to-end.</p><p>On their own, regularly performed backups are not a sufficient mitigator of data loss events. It is possible that, over time, backed-up data and the method used to perform backups drift relative to the rest of the system. As a result of such drift, available backup copies may become unusable, or require extended database recovery times in order to correct the differences.</p><p>To safeguard against this possibility, Zuar performs quarterly testing of its backup restoration process. Backup copies are restored into a sandbox environment, and end-to-end tests are used to verify correct system operation. Once tests are complete, the full sandbox environment is deleted.</p><p>This entire end-to-end process encompassing restoration, testing, and cleanup may be fully automated and executed as part of a test suite.</p><h3 id="backup-storage">Backup Storage</h3><p>Backups are encrypted, stored in geographically independent regions, and have equivalent access control to the original system.</p><p>Backup copies of Customer Confidential data contain all customer information that was present in the original system. Therefore, it is critical that these artifacts have the same or greater level of protection as that of data in the original system.</p><p>Access to backup artifacts is limited to individuals or systems involved in restore testing, as well as infrastructure administrators. 
Backups are encrypted in accordance with Zuar’s Encryption Policy.</p><p>To ensure the resilience of Zuar data, it is critical for backups to be resilient to local data center issues. As such, backup copies are only stored on fault-tolerant systems offering high availability, or are replicated across multiple geographically-disparate cloud regions.</p><h3 id="backup-retention">Backup Retention</h3><p>Backup retention is governed by customer agreements, and business, legal and regulatory requirements.</p><p>Full backup copies are retained for a minimum of 30 days, or longer as required by customer agreements or regulatory requirements. The same retention window applies to cloud filestore backups performed using versioning.</p><p>Backup copies older than the retention window are promptly deleted by Zuar using the cloud provider's default secure deletion method, other automated means, or, when they can be configured to do so, automatically expire and are securely deleted by the cloud provider.</p><p>Transaction logs used for point-in-time recovery may be retained for a shorter window than that of full backups, resulting in a potential Recovery Point Objective increase. 
For more information, see the Business Continuity and Disaster Recovery Policy.</p><h2 id="related-controls">Related Controls</h2><ul><li>Restore Testing</li><li>Backup Retention</li><li>Backup Storage</li><li>Backup Plan</li></ul>]]></content:encoded></item><item><title><![CDATA[Business Continuity Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish requirements and plans to recover Zuar operations following a disruption due to causes such as natural disaster, loss of access to premises, pandemic, or malicious activity from external or internal sources.</p><h2 id="scope">Scope</h2><p>This policy applies to all Zuar systems determined to</p>]]></description><link>https://www.zuar.com/policies/business-continuity-policy/</link><guid isPermaLink="false">683e2408e15c820001be3a05</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:22:56 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish requirements and plans to recover Zuar operations following a disruption due to causes such as natural disaster, loss of access to premises, pandemic, or malicious activity from external or internal sources.</p><h2 id="scope">Scope</h2><p>This policy applies to all Zuar systems determined to be of critical importance to the business, as described in the Impact Analysis.</p><h2 id="ownership">Ownership</h2><p>Jen Crane is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>Zuar employs continuity planning and disaster recovery to enable the continuous operation of its product(s) without unacceptable interruptions or data loss. 
Zuar establishes plans and technical measures that are commensurate with the complexity and risk of each component, taking into account its function and data.</p><h2 id="business-continuity">Business Continuity</h2><h3 id="impact-analysis">Impact Analysis</h3><p>As part of its continuity planning, Zuar performs analysis of its systems and assets classified according to the Data Classification Policy, and determines the criticality of each component to the business. This analysis is performed annually, or upon significant architectural changes or additions of new key vendors.</p><p>Critical systems are systems that store Customer Confidential data, as well as those that are deemed business-critical by the team. For each critical system, Zuar determines impact and risk, and plans contingencies accordingly.</p><h3 id="business-location">Business location</h3><p>Zuar's operations do not require access to a physical office. Company employees are fully equipped and empowered to work from home and perform all business critical functions, including developing and operating its products, and communicating with each other as well as with customers. Further information on home office security is available in the Physical Security Policy, and Authentication and Password Policy.</p><h3 id="data-backups">Data Backups</h3><p>Zuar data backups are stored, retained and tested as described in the Backup Policy and all related backup controls.</p><h3 id="data-centers">Data Centers</h3><p>Zuar uses established Infrastructure-as-a-Service cloud providers to procure the necessary infrastructure required to meet its business objectives. These cloud vendors provide and manage best-in-class data centers that offer asset management, redundant power and networks, and physical security. 
The company employs security controls to govern its obligations as part of the shared responsibility model required by each cloud provider.</p><h3 id="contingency-planning">Contingency Planning</h3><p>Zuar's operating infrastructure consists of 2 main parts:</p><ul><li>Cloud environment hosting Zuar's product</li><li>Critical third-party vendors</li></ul><h3 id="cloud-environment">Cloud environment</h3><p>As mentioned in the "Data Centers provided by Cloud Providers"</p><h3 id="business-continuity-disaster-recovery-program">Business Continuity / Disaster Recovery Program</h3><p>The company maintains a Business Continuity Policy and Plan which outlines the requirements and a process to recover from prolonged disruptions of business operations.</p><p>Jen Crane is responsible for managing any disaster recovery efforts by following the plan outlined herein.</p><p>The Disaster Recovery plan outlines the main stages that Zuar follows to bring its systems back online following a major disruption. The exact actions performed in each phase will differ depending on the type of the disruption, but following this plan will facilitate consistency, clear communication, and minimization of impact.</p><p>Phase 1: Declaration and notification</p><p>A disaster is declared when it becomes clear that an ongoing disruption or outage will significantly exceed the standard time required to resolve an incident. Since exact definitions are hard to formalize, the incident manager and their team of subject-matter experts (SMEs) must determine on a case-by-case basis whether to move into the Recovery phase of the plan, or whether to wait for the issue to be resolved following Zuar's standard resolution strategy.</p><p>Jen Crane is responsible for leading disaster recovery efforts, involving any necessary SMEs, and communicating to business stakeholders.</p><p>Phase 2: Recovery</p><p>The Recovery phase consists of the steps required to create a new production environment and divert traffic to it. 
If the original cloud region is experiencing degraded performance or is otherwise unavailable, the new environment may be created in a different region. In order to prepare for this phase, Zuar maintains:</p><ul><li>Infrastructure scripts and code for creating a new production environment, including the creation and configurations of networks, accounts, databases, and any computing clusters</li><li>Access to sufficient backup copies to satisfy the required Recovery Time Objective</li><li>An ability to update DNS records to point to a new environment</li></ul><p>Explicit procedures to recover and validate individual components belong with the component's internal documentation, and are not outlined in this policy.</p><p>After all components are restored, testing is performed to ensure that the new environment is fully functional, before making it accessible for customers. As a final step, the team communicates resolution to all affected customers using the appropriate channels.</p><p>Phase 3: Retrospective</p><p>The Retrospective phase establishes a blame-free environment that allows all parties to gain a clear understanding of the incident and its resolution. A retrospective meeting should occur within 1 week of a disaster recovery event.</p><p>Retrospective meetings must clearly outline the root cause and response timeline, along with any lessons, as well as action items for improving tooling, process, and software. Following the meeting, a retrospective report outlining key items should be created and shared with all participants and relevant stakeholders. 
Depending on customer impact, a customer-facing version of the report may be created and shared with customers as required by legal obligations and customer agreements.</p><p>Disaster Recovery Testing</p><p>Disaster recovery testing is essential for ensuring Zuar's readiness to stay within its RTO and RPO goals, and for confirming Zuar's ability to act and communicate quickly, both internally and externally.</p><p>The main DR capability of Zuar is the ability to create a new production environment from scratch, potentially in a separate cloud region, and seed it with a restore of previously backed up production data.</p><p>This capability has two requirements:</p><ul><li>Data backups are sufficiently isolated from the regular production infrastructure boundary. If backups are stored along with the data, then an attacker or an accident can affect both. Sufficient isolation requires that the backups are stored in a separate physical region, under a separate cloud account with a different set of account credentials.</li><li>Infrastructure setup is maintained as code or equivalent procedural documentation exists, to ensure a speedy recovery in an automated or scripted fashion.</li></ul><p>This capability addresses disaster scenarios such as:</p><ul><li>Ransomware and cyberattacks</li><li>Unintentionally erased databases, files or folders/buckets</li><li>Prolonged datacenter outage</li></ul><p>Due to its distributed workforce, Zuar's operations are well protected against pandemics, because all employees are equipped to securely work from home.</p><h2 id="related-controls">Related Controls</h2><ul><li>Business Continuity / Disaster Recovery Program</li><li>Disaster Recovery Testing</li></ul>]]></content:encoded></item><item><title><![CDATA[Change Management Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to provide guidance on the process of managing change across Zuar's critical systems and 
products.</p><p>Achieving Zuar's business goals requires continuous innovation and rapid improvements to its products and tools. Since any product development carries additional risk, it is imperative that Zuar follow</p>]]></description><link>https://www.zuar.com/policies/change-management-policy/</link><guid isPermaLink="false">683e244ee15c820001be3a10</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:23:45 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to provide guidance on the process of managing change across Zuar's critical systems and products.</p><p>Achieving Zuar's business goals requires continuous innovation and rapid improvements to its products and tools. Since any product development carries additional risk, it is imperative that Zuar follow a well-defined process to ensure that sufficient checks and balances are in place to mitigate this risk.</p><h2 id="scope">Scope</h2><p>The policy covers changes to Zuar's production systems, as well as to related tools classified as Customer Confidential as per the Data Classification Policy.</p><p>Outside of the scope of this policy are changes such as:</p><ul><li>Changes in development environments</li><li>Internal document updates</li><li>Routine IT changes such as fixing a computer or a printer</li><li>Management of user access to various systems, which is subject to the Access Control policy</li><li>Resolution of data or configuration issues for a particular customer as a result of a support ticket</li><li>Data changes resulting from the use of established, special-purpose tools or user interfaces</li></ul><h2 id="ownership">Ownership</h2><p>Engineering is responsible for implementing and maintaining this policy for critical systems housing Customer Confidential data. 
For all other systems, this policy is maintained by Whitney Myers.</p><h2 id="policy-statement">Policy Statement</h2><p>Zuar performs changes on its production systems by following the Change Management Policy outlined in this document and related procedures.</p><h3 id="infrastructure-as-code">Infrastructure-as-code</h3><p>All infrastructure is managed as code and follows the standard code review process including approvals and automated testing.</p><p>Infrastructure-as-code is the process of configuring infrastructure through the use of scripts or declarative configuration files, as opposed to manual configuration via interactive configuration tools. Infrastructure code is stored in source control, alongside application code, enabling the same tracking, review and approval processes that are followed by application code.</p><p>This approach greatly decreases the risk of human error by creating repeatable processes, and improves development velocity, capacity management responsiveness, and Disaster Recovery due to fewer manual steps required to configure and provision systems.</p><h3 id="change-management-workflow">Change Management Workflow</h3><p>The Change Management documentation outlines the internal workflow for propagating application and infrastructure code changes to the production environment, including tracking, testing, reviewing and approving.</p><p>Zuar maintains a detailed change management procedure. 
The procedure describes the processes followed as changes flow from development to production, including:</p><ul><li>How changes are developed within a development environment</li><li>How changes are tested, including unit, integration, end-to-end, manual, load, and acceptance testing</li><li>How changes are documented and communicated internally and externally</li><li>How changes are reviewed, including a feedback process leading to eventual approval</li><li>How changes are deployed</li><li>How changes are monitored post deployment and reverted if needed</li></ul><p>To support the business goal of high development velocity at low risk, Zuar's change management procedure is maintained as a living document, and is continuously updated.</p><p>The documented change management procedure is maintained in Zuar's internal knowledge base. Following best practices, many aspects of the procedure are automated, and as such, do not require additional documentation aside from that which is already a part of their implementation.</p><p>By default, performing any step outlined in the change management workflow results in the creation of a log entry for auditing and improvement purposes. Such steps include test runs, the approval flow, and the execution of deployment commands.</p><h3 id="change-management-approvals">Change Management Approvals</h3><p>All application and infrastructure changes are reviewed by a separate technical resource and approved by authorized personnel before being delivered to the production environment.</p><p>Before any new code change is merged into the code base, it must be submitted for review as a pull/merge request. 
A detailed overview of the code review process is part of Zuar's internal development process documentation.</p><p>A code review is typically performed after any relevant automated tests have passed, to ensure that the reviewer's time is efficiently allocated.</p><p>Depending on the component being changed and the criticality of the change, a review may require approval from multiple individuals.</p><h3 id="emergency-changes">Emergency changes</h3><p>During an active incident involving downtime, performance degradation, or a security issue, some workflow checks and reviews may be expedited in order to fast track the change and patch the ongoing issue. Any such incidents must be evaluated on a case-by-case basis, and require the explicit approval of the incident manager.</p><p>Commonly, any workflow steps skipped as a result of an emergency change must be completed retroactively once the incident has been resolved.</p><h2 id="related-controls">Related Controls</h2><ul><li>Infrastructure-as-code</li><li>Change Management Approvals</li><li>Change Management Workflow</li><li>SDLC - Separation of environments</li><li>SDLC - Security Reviews</li><li>Change Management Tooling</li><li>Agile Process</li></ul>]]></content:encoded></item><item><title><![CDATA[Data Classification Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to define a data classification framework that can be used to determine the sensitivity of Zuar's data and systems, and to provide guidance surrounding the processes of assigning controls to protect the data's security, confidentiality and integrity.</p><h2 id="scope">Scope</h2><p>The policy applies to all</p>]]></description><link>https://www.zuar.com/policies/data-classification-policy/</link><guid isPermaLink="false">683e2481e15c820001be3a1c</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:24:54 
GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to define a data classification framework that can be used to determine the sensitivity of Zuar's data and systems, and to provide guidance surrounding the processes of assigning controls to protect the data's security, confidentiality and integrity.</p><h2 id="scope">Scope</h2><p>The policy applies to all data and systems owned or operated by Zuar.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>All Zuar data is valuable to the organization. However, not all information has an equal value, or requires the same level of protection. Identifying the value of information assets is key to understanding the level of security that is required to protect them. Once the appropriate level of security is identified, relevant controls can be implemented to maintain the security, confidentiality and integrity of the asset. Incorrect classification of assets may result in inadequate or incorrect controls, and inadvertent disclosure or compromise.</p><h2 id="data-classification">Data classification</h2><p>All company and customer data is classified as per the data classification policy.</p><p>Zuar classifies its data in four different categories: Customer Confidential, Zuar Restricted, Zuar Confidential, and Public.</p><p>Zuar's systems are then classified based on the classification of the data stored within them. If more than one class of data is stored on a system, the highest class determines the system's classification. The system classification is used to assign controls to each system.</p><h3 id="customer-confidential">Customer Confidential</h3><p>Customer Confidential is the highest level of data classification, and information classified as such is protected with the strictest safeguards against unauthorized disclosure or modification. 
The confidentiality of this data is typically required by law or customer/partner agreements, and access to it must be severely limited and based only on a clear business need.</p><p>By default, customer data belongs in this classification. Customer data is defined as data that Zuar's customers would consider themselves owners of, and would regard as their own confidential data. Typically, this data has either been sent to Zuar for storing or processing, or has been created as a result of using Zuar's products.</p><p>Examples include:</p><ul><li>Operational customer data</li><li>Personally Identifiable Information (PII) belonging to Zuar's customers</li><li>Data subject to a confidentiality agreement with a customer, such as intellectual property or confidential communication</li><li>Regulated data, such as electronic personal health information (ePHI)</li><li>Credentials that can be used to access Customer Confidential data</li></ul><p>Compromising data that falls within this classification could expose the company to legal action. In addition, any exposure of such data could adversely affect Zuar customers and partners, and as a result severely damage the company's reputation, competitive advantage, and industry confidence.</p><p>Control applicability varies by the specific type of the system, but Customer Confidential systems (sometimes referred to as "sensitive systems" in control language) require all available data protection controls.</p><h3 id="zuar-restricted">Zuar Restricted</h3><p>Zuar Restricted data is internal to the company, and it is used to operate its business. 
Very few people in Zuar have access to Zuar Restricted data.</p><p>Examples include:</p><ul><li>Sensitive internal communication not intended for all employees, such as emails and confidential documents</li><li>Legal documents and contractual agreements</li><li>Employee PII</li><li>Customer PII, further detailed below</li><li>Private employee records, such as compensation details and performance reviews</li><li>Customer support cases, as long as they don't contain Customer Confidential data, whether directly embedded or as attachments</li><li>Sensitive company intellectual property (IP)</li><li>Credentials that can be used to access Customer Confidential data</li></ul><p>As mentioned above, some limited customer PII can be classified as Zuar Restricted. Examples include:</p><ul><li>Business contact information</li><li>Sales leads and opportunities</li><li>Confidential communication around establishing and maintaining the relationship between Zuar and its customers</li></ul><p>Exposure of Zuar Restricted data can adversely affect Zuar, and can result in adverse effects such as erosion of employee trust and ceding critical information beneficial to competitors. Significant exposure of employee PII could pose a legal risk.</p><p>Access to Zuar Restricted data should be restricted to a limited set of employees based on their role (such as Operations or Legal), seniority (executives), or other similar business need.</p><h3 id="zuar-confidential">Zuar Confidential</h3><p>Zuar Confidential data is data internal to the company that is used to operate the business. 
Many people in the company have access to this data.</p><p>Examples include:</p><ul><li>Data in common messaging channels</li><li>All-hands quarterly presentations</li><li>Company policies</li><li>Documents shared with everyone on the company's domain</li><li>Intellectual Property, such as source code, which is not of significant competitive advantage</li></ul><p>Access to some Zuar data and documents may be restricted, but its internal disclosure will not have any adverse impact. Examples in this category are product and engineering design documents, and product analytics data.</p><p>Zuar Confidential data is intended to stay private and confidential to Zuar, and should not be made public. Exposure of information within this classification could result in ceding critical information beneficial to competitors, as well as erosion of employee trust.</p><h3 id="public">Public</h3><p>Public information may be disclosed to any entity or person within or outside of the company. The data may be available through a public website, and does not have confidentiality requirements.</p><p>Data owned by Zuar is private by default, as are the information systems storing that data. As such, most company data and systems are not classified as Public. Making data public requires an explicit authorization and publishing step by the owner of the data or the system storing it.</p><p>As is true for any data associated with or produced by Zuar, the integrity of public data is an important factor that can affect the company's reputation and brand. 
For example, a press release must be thoroughly vetted by Zuar leadership, and open source software must be properly licensed and vetted by qualified engineers to be of sufficient quality.</p><p>Examples of public data include:</p><ul><li>Press releases</li><li>Sales messaging and advertising</li><li>Reports and ebooks intended for public distribution</li><li>Software released under an open source license</li></ul><p>Due to Zuar's need to control and vet any publicly-available information in order to ensure its integrity, any systems hosting public data must themselves not be public. Such systems must be protected using adequate safeguards, such as strong authentication and limited access.</p><h3 id="data-system-ownership">Data/System Ownership</h3><p>All data and systems are required to have a designated owner. Owners are responsible for appropriately classifying their data and systems, as guided by this policy, and in coordination with the policy owner. Owners are stewards of the data within their purview, and do not legally own it. They are responsible for understanding the nature of the data within their system as well as the security requirements and safeguards associated with it. Owners make decisions about who will have access to the data, including administrative access.</p><h2 id="related-controls">Related Controls</h2><ul><li>Data classification</li></ul>]]></content:encoded></item><item><title><![CDATA[Encryption Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish practices for protecting Zuar data in the event of unauthorized access through the use of encryption. 
The policy describes the different components that can be configured to utilize encryption, the algorithm that must be used for each, and how encryption keys</p>]]></description><link>https://www.zuar.com/policies/encryption-policy/</link><guid isPermaLink="false">683e24e6e15c820001be3a2e</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:26:10 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish practices for protecting Zuar data in the event of unauthorized access through the use of encryption. The policy describes the different components that can be configured to utilize encryption, the algorithm that must be used for each, and how encryption keys should be managed.</p><h2 id="scope">Scope</h2><p>The policy applies to all systems that store or process Zuar data classified as Customer Confidential as per the Data Classification Policy.</p><h2 id="ownership">Ownership</h2><p>Engineering is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>All sensitive data classified according to Zuar's Data Classification policy is encrypted at rest and in transit using strong, industry-recommended algorithms. Encryption at rest is used across multiple systems and layers of the stack including file systems, file object stores, databases, third-party SaaS services, and directly in Zuar's own developed components. Encryption in motion is primarily achieved through the use of Transport Layer Security (TLS), but may include other secure protocols.</p><h3 id="cloud-storage-encryption">Cloud storage encryption</h3><p>Third-party cloud storage such as S3 and GCS are configured with a minimum server-side encryption using the vendor's key.</p><p>All Zuar files stored in S3 are encrypted using industry-standard AES-256 encryption with AWS-managed keys. 
S3 encrypts each object on the server, using a unique key, and then further encrypts the keys themselves with a master key stored in AWS KMS.</p><h3 id="data-store-encryption">Data store encryption</h3><p>Data stores are configured to enable encryption at rest. Zuar utilizes Digital Ocean &amp; AWS for hosting and storing Customer Confidential data. More information on these datacenter providers can be found at <a href="https://www.digitalocean.com/security" rel="noreferrer noopener">https://www.digitalocean.com/security</a> and <a href="https://aws.amazon.com/security/" rel="noreferrer noopener">https://aws.amazon.com/security/</a>, respectively.</p><h3 id="tls-certificates-and-endpoints">TLS certificates and endpoints</h3><p>TLS usage is evaluated on a quarterly basis using tools such as ssllabs and any grades lower than A are promptly corrected.</p><p>Strong encryption of data in transit based on TLS requires up-to-date cipher suites on any TLS-enabled endpoints. The list of suite components that must be kept updated includes the TLS version, configuration options, as well as available algorithms and key lengths. Critical vulnerabilities in older SSL and TLS versions, such as the Beast and Poodle attacks, as well as subsequent deprecations of TLS v1.0 and v1.1 over the past several years, have made securing TLS termination endpoints a necessary major focus of any strong security program.</p><p>Zuar maintains a secure and updated configuration of its TLS endpoint, and performs continuous external tests. A passing test requires TLS v1.2 or higher, and AES-128 or higher.</p><h3 id="data-in-transit-encryption">Data in transit encryption</h3><p>Data in transit over the public Internet is encrypted with industry-standard algorithms.</p><p>All public interfaces must only be accessible over secure ports and protocols, such as TLS and ssh. 
Where possible, communication between Zuar Customers and Zuar's network components and software is encrypted with AES-256 or equivalent to ensure any accidental or malicious exposure of a communication channel is unreadable to unauthorized parties.</p><p>Data in transit encryption at Zuar is applied universally to all data, without consideration of that data's classification or its status as Sensitive or Regulated.</p><h2 id="related-controls">Related Controls</h2><ul><li>TLS certificates and endpoints</li><li>File store encryption</li><li>Data store encryption</li><li>Data in transit encryption</li><li>Encryption Documentation</li><li>File systems encryption</li></ul>]]></content:encoded></item><item><title><![CDATA[Human Resources Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish the requirements for a comprehensive human resources process wherein Zuar attracts, develops, and retains competent and high-performing individuals capable of achieving the company's business and security objectives.</p><h2 id="scope">Scope</h2><p>This policy applies to all Zuar employees and contractors.</p><h2 id="ownership">Ownership</h2><p>Jen Crane is</p>]]></description><link>https://www.zuar.com/policies/human-resources-policy/</link><guid isPermaLink="false">683e2510e15c820001be3a36</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:26:55 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish the requirements for a comprehensive human resources process wherein Zuar attracts, develops, and retains competent and high-performing individuals capable of achieving the company's business and security objectives.</p><h2 id="scope">Scope</h2><p>This policy applies to all Zuar employees and contractors.</p><h2 id="ownership">Ownership</h2><p>Jen Crane is responsible for implementing and 
maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><h3 id="background-checks">Background checks</h3><p>Background checks are performed on newly hired employees as required by customers and where permitted by law.</p><p>Background verification checks carried out by Zuar are proportional to its business requirements and perceived risks. The primary risk component taken into account when determining appropriate background checks is the classification of the information that will be accessed by the employee while performing their role.</p><p>Background checks may include:</p><ul><li>Prior employment verification.</li><li>Personal and professional references.</li><li>Educational verification.</li><li>Criminal history.</li><li>Social Security verification (US-specific).</li></ul><p>Background check reports will be reviewed to determine employment eligibility.</p><h3 id="disciplinary-process">Disciplinary process</h3><p>Material violations of the company's Acceptable Use Policy, Code of Conduct, and Information Security policies and procedures applicable to each employee subjects the individual to disciplinary action that could include termination.</p><p>Workforce members who violate Zuar policies are subject to disciplinary steps. Disciplinary steps shall be proportionate to the severity of the violation, and will be enhanced in the event of repeated violations by the same person. 
The disciplinary process will be carried out in a timely manner in accordance with business needs.</p><p>Disciplinary steps may include:</p><ul><li>No Action - for minor violations not serious enough to warrant formal disciplinary action.</li><li>Retraining - If the individual violated a policy, procedure, or standard that was covered in training, the individual may be required to redo the training or complete additional remedial training.</li><li>Warning - for minor violations serious enough to warrant formal action, a warning may be given.</li><li>Improvement Plan - For serious or repeated violations, the individual may be placed on an improvement plan.</li><li>Dismissal - For serious or repeated violations, including failure to correct as a result of an improvement plan, the individual may be terminated from the company.</li></ul><h3 id="policy-acknowledgement">Policy acknowledgement</h3><p>Company employees are required to sign and attest their adherence to applicable company policies and procedures.</p><p>Zuar requires all employees to sign an agreement confirming their understanding of and commitment to their security roles and responsibilities. Each employee's attestation is saved for auditing purposes, and is a required condition of employment.</p><h3 id="confidentiality-agreement">Confidentiality agreement</h3><p>All employees and contractors must sign a confidentiality agreement with the company prior to gaining access to any sensitive information.</p><p>Zuar workforce members, contractors, and partners with access to information are required to execute a non-disclosure agreement reflecting Zuar's requirements to protect its data and operational information. The agreement is a legal document and is drafted and reviewed by legal counsel.</p><h3 id="job-descriptions">Job Descriptions</h3><p>Roles and responsibilities of company employees are communicated through documented job descriptions. 
Job descriptions are written by hiring managers and reviewed by their manager, peers and HR.</p><p>Job descriptions are available internally for all employees to read.</p><h3 id="employee-performance-reviews">Employee performance reviews</h3><p>The company has an informal review process that encourages annual employee self-reviews and immediate manager reviews. Reviews include performance assessments, goal setting, and an evaluation of resources required for the next review period.</p><p>Reviews are performed by the employee's direct manager, and include performance feedback and growth goal setting for the next review period. In addition to the periodic formal review process, frequent, continuous feedback is given to employees regarding their performance.</p><p>Ongoing feedback complements scheduled reviews, and ensures that employees can learn about their strengths and potential areas of improvement as early as possible, and that they are given ample opportunity to adapt and avoid any negative consequences to themselves or the company.</p><h2 id="related-controls">Related Controls</h2><ul><li>Confidentiality agreement</li><li>Disciplinary process</li><li>Job Descriptions</li><li>Employee performance reviews</li><li>Background checks</li><li>Policy acknowledgement</li></ul>]]></content:encoded></item><item><title><![CDATA[Information Security Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish an Information Security Program which protects the confidentiality, integrity, and availability of Zuar, Inc.'s data and assets.</p><p>The program defines and implements safeguards that help Zuar, Inc. prevent unauthorized access, disclosure, loss, or inappropriate use of data. 
It aims to</p>]]></description><link>https://www.zuar.com/policies/information-security-policy-2/</link><guid isPermaLink="false">683e253ce15c820001be3a42</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:28:10 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish an Information Security Program which protects the confidentiality, integrity, and availability of Zuar, Inc.'s data and assets.</p><p>The program defines and implements safeguards that help Zuar, Inc. prevent unauthorized access, disclosure, loss, or inappropriate use of data. It aims to ensure that data is protected, both during transmission and at rest, from internal, external, accidental, and deliberate threats.</p><h2 id="scope">Scope</h2><p>The policy applies to all employees of Zuar, Inc., and all systems and data owned by it.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>The Information Security Program institutes technical, physical, and administrative safeguards to protect data and assets from unauthorized access, disclosure, or inappropriate use. The program establishes requirements and standards, and organizes them into Policy documents. Policies encompass, but are not limited to the areas listed below.</p><h3 id="backup">Backup</h3><p>Zuar, Inc.'s backup procedures are documented in its Backup Policy. The purpose of this policy is to institute the necessary controls to mitigate the accidental loss of Zuar, Inc. data. 
These controls assume that events such as accidental data corruption, deletion, or destruction will occur, and mitigate the impact of such events by maintaining reliable backup copies from which data can be readily restored.</p><h3 id="encryption">Encryption</h3><p>Encryption practices are documented in Zuar, Inc.'s Encryption Policy. The purpose of this policy is to establish practices for protecting Zuar, Inc. data in the event of unauthorized access through the use of encryption. The policy describes the different components that can be configured to utilize encryption, the algorithm that must be used for each, and how encryption keys should be managed.</p><h3 id="change-management">Change Management</h3><p>Zuar, Inc.'s change management process is documented in its Change Management Policy. The purpose of this policy is to provide guidance on the process of managing change across Zuar, Inc.'s critical systems and products in order to ensure that sufficient checks and balances are in place to mitigate the risks inherent in continuous product development.</p><h3 id="vulnerability-management">Vulnerability Management</h3><p>Zuar, Inc.'s Vulnerability Management program is documented in the Vulnerability Management Policy. The purpose of this policy is to establish vulnerability management controls and provide guidelines for their implementation. Vulnerability management encompasses source code, operating systems, runtimes, and devices, and vulnerability scans are performed externally via penetration testing and web application scans.</p><h3 id="access-control">Access Control</h3><p>Zuar, Inc.'s access control practices are documented in its Access Control Policy. 
The purpose of this policy is to establish the principles and guidelines for controlling access to systems owned by Zuar, Inc.</p><h3 id="authentication-and-password">Authentication and Password</h3><p>Zuar, Inc.'s approach to authentication and password management is documented in Zuar, Inc.'s Authentication and Password Policy. This policy describes Zuar, Inc.'s requirements with regards to account authentication, including how passwords should be generated, used, and protected.</p><h3 id="security-incident-response">Security Incident Response</h3><p>Zuar, Inc.'s procedures for handling security incidents are documented in its Security Incident Management Policy. The purpose of this policy is to establish requirements and plans for reporting and responding to security incidents impacting Zuar, Inc.'s corporate or customer systems.</p><h3 id="business-continuity">Business Continuity</h3><p>Zuar, Inc.'s business continuity plan is documented in the Business Continuity Policy. The purpose of this policy is to establish requirements and plans to recover Zuar, Inc. operations following a disruption due to causes such as natural disaster, loss of access to premises, pandemic, or malicious activity from external or internal sources.</p><h3 id="risk-management">Risk Management</h3><p>Zuar, Inc. maintains a risk management program to identify, prioritize, and mitigate risk to acceptable levels. The program consists of regularly performed risk assessments, which identify and prioritize security and compliance gaps, and recommend additional security controls needed to mitigate the risk carried by the gaps.</p><h3 id="policy-management">Policy Management</h3><p>The company develops and maintains formal policies that govern information security within the company. 
The policies are formally reviewed and approved at least once a year, and are communicated to all employees.</p><h3 id="policy-creation">Policy Creation</h3><p>Zuar, Inc.'s management team is responsible for creating policies and supporting any relevant requirements and activities through sufficient staffing and budget allocation. The management team is also responsible for ensuring that Zuar, Inc.'s staff is trained to understand and remain familiar with all relevant policies, and for keeping policies available for review both internally and externally by customers and partners.</p><h3 id="policy-reviews">Policy Reviews</h3><p>Whitney Myers is responsible for ensuring all Zuar, Inc. information security policies are reviewed at least annually by Zuar, Inc. management, and re-approved or updated as necessary.</p><p>Existing policies may be updated and new policies may be created for reasons including:</p><ul><li>Complying with applicable laws and regulations</li><li>Complying with new requirements for certification and governance by the company or its customers</li><li>Addressing new threats</li><li>Technological or business requirements</li></ul><h3 id="security-awareness-training">Security Awareness Training</h3><p>Security awareness training is provided to new employees, and to all employees on a recurring basis, to promote strong security practices for the whole company.</p><p>All workforce members are required to complete Security Awareness Training shortly after they join the company. On a periodic basis, typically annually, the company will provide additional trainings. 
In addition, they may be asked to complete further training as dictated by operational or environmental changes.</p><p>Changes that might lead to adjustment of the training program include:</p><ul><li>A security incident retrospective determining that additional training is required</li><li>Adoption of new technology by the company</li><li>Material changes in organizational policies</li></ul><p>Whitney Myers is responsible for creating the training program, and for selecting and updating training material over time. The program may be delivered internally, by qualified personnel, or by a third-party vendor.</p><h3 id="security-council">Security Council</h3><p>Management and the Board of Directors consider requirements relevant to security, availability, processing integrity, and confidentiality. These considerations are documented in the company's Information Security Policy, which specifically delegates the overall responsibility of security to the Security Council.</p><p>The Security Council consists of the CEO, President, CFO and VP, Engineering. As such, this Council is responsible for creating, approving, and enforcing security policies and procedures, leading the monitoring, vulnerability management, and incident detection and response initiatives, and tracking and reducing risk across the organization.</p><p>The Security Council and their supporting team are responsible for setting the direction of and taking the authoritative role in Zuar, Inc.'s Information Security Program and related activities, including:</p><ul><li>Coordinating internal and external assessments</li><li>Designing and implementing security controls</li><li>Leading security incident response activities</li><li>Monitoring systems and networks to detect vulnerabilities and misconfigurations, and to promptly resolve them</li><li>Regular testing of all security controls</li></ul><h2 id="related-controls">Related Controls</h2><ul><li>Security Awareness Training</li><li>Security Officer</li><li>Policy Management</li></ul>]]></content:encoded></item><item><title><![CDATA[Physical Security Policy]]></title><description><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish the requirements and process for controlling access to Zuar facilities and requirements for data centers hosting Zuar system components.</p><h2 id="scope">Scope</h2><p>This policy applies to the cloud providers used to host Zuar's system components, to Zuar's corporate facilities, and to home</p>]]></description><link>https://www.zuar.com/policies/physical-security-policy/</link><guid isPermaLink="false">683e258ae15c820001be3a50</guid><category><![CDATA[Security]]></category><dc:creator><![CDATA[Whitney Myers]]></dc:creator><pubDate>Mon, 02 Jun 2025 22:29:24 GMT</pubDate><content:encoded><![CDATA[<h2 id="purpose">Purpose</h2><p>The purpose of this policy is to establish the requirements and process for controlling access to Zuar facilities and requirements for data centers hosting Zuar system components.</p><h2 id="scope">Scope</h2><p>This policy applies to the cloud providers used to host Zuar's system components, to Zuar's corporate facilities, and to home and remote offices used by its employees.</p><h2 id="ownership">Ownership</h2><p>Whitney Myers is responsible for implementing and maintaining this policy.</p><h2 id="policy-statement">Policy Statement</h2><p>Most Zuar employees are either remote employees or work extensively from home. 
All employees are required to secure their physical laptops in the following manner:</p><ul><li>The confidentiality, security and privacy of company data must be preserved, by ensuring that no unauthorized individuals may view or gain access to customer data.</li><li>While in public areas, employees are required to avoid viewing customer support emails and data, and to avoid discussing confidential information in person or through teleconference.</li><li>End user devices containing access to internal company resources, such as laptops and cell phones, must be protected at all times and may not be left unattended. Reasonable precautions must be taken to protect company hardware, software, and information from theft and damage.</li><li>Lost, damaged, or compromised hardware must be promptly reported.</li></ul><p>The default, company-provided means for workforce members to connect to Zuar information systems leverage secure, encrypted protocols, such as SSL/TLS and SSH, as governed by Zuar's Encryption Policy, and multi-factor authentication, governed by the Authentication and Password Policy. Employees must follow those established practices, and are barred from tampering or subverting them.</p><p>Zuar provides workstations, such as laptops, for remote use.</p><h3 id="clear-desk-policy">Clear Desk Policy</h3><p>Workforce members and contractors must take measures to avoid inadvertently exposing confidential data by allowing it to be viewed by unauthorized individuals. Displays for all workstations used to access confidential data must not be viewable from outside the immediate work area. Unauthorized viewing from windows, hallways, or by employees without access rights to the same information should be avoided.</p><p>Information not in active use that is classified as confidential must not be displayed or left out in a work area. When information is not in active use, any applications displaying it on a computer should be closed. 
When leaving a workstation unattended, employees must ensure that its screen is locked, and that automatic screen lock settings are not relaxed. If usage of printed or removable media is allowed by company policy, confidential media must be secured in a locked cabinet once it is not in use, and whenever employees are away from their immediate desk area.</p><h3 id="datacenters">Datacenters</h3><p>The company uses established Infrastructure-as-a-Service cloud providers to procure the necessary infrastructure required to meet the business objectives. The cloud vendor(s) provide and manage best-in-class Data Centers, including Asset Management, Redundant Power and Networks, and Physical Security. The company has security controls to govern its obligations as part of the shared responsibility model required by the cloud provider.</p><p>The capabilities of Zuar's cloud infrastructure provider are summarized below.</p><h3 id="secure-design">Secure Design</h3><ul><li>Site Selection - the site is carefully selected to mitigate environmental risks, such as flooding, extreme weather, and seismic activity.</li><li>Redundancy - data centers are designed to anticipate and tolerate failure while maintaining service levels.</li><li>Availability - each Availability Zone is engineered to operate independently with high reliability, and zones are connected to enable easy fail-over without interruptions.</li><li>Capacity Planning - a capacity planning model assesses infrastructure usage and demands, and supports future demand planning.</li></ul><h3 id="business-continuity-and-disaster-recovery">Business Continuity and Disaster Recovery</h3><ul><li>Business Continuity Plan - a plan outlines measures to avoid and lessen environmental disruptions, including steps to be taken before, during, and after an event.</li><li>Pandemic Response - pandemic response policies and procedures are incorporated into disaster recovery planning.</li></ul><h3 id="physical-access">Physical 
Access</h3><ul><li>Employee Data Center Access - employees who require data center access must first provide a valid business justification. Requests are reviewed and approved by authorized personnel, and access is promptly revoked once access is no longer required.</li><li>Third-party Data Center Access - access requests are granted based on the principle of least privilege, are time-bound, and are approved by authorized personnel.</li></ul><h3 id="monitoring-and-logging">Monitoring and Logging</h3><ul><li>Data Center Access Review - access to data centers is regularly reviewed and is automatically revoked when an employee's record is terminated.</li><li>Data Center Access Logs - physical access to data centers is logged, monitored, retained, and correlated with physical monitoring systems.</li><li>Data Center Access Monitoring - data centers are monitored 24/7 by local teams ready to respond to security incidents by triaging, analyzing, and dispatching responses.</li><li>Surveillance and Detection CCTV - physical access points to server rooms are recorded by Closed Circuit Television (CCTV) cameras. 
Images are retained according to legal and compliance requirements.</li><li>Data Center Entry Points - physical access is controlled at building ingress points and requires multi-factor authentication.</li><li>Intrusion Detection - intrusion detection systems are installed to monitor, detect, and automatically alert appropriate personnel of security incidents.</li></ul><h3 id="device-management">Device Management</h3><ul><li>Asset Management - assets are centrally managed through an inventory management system that tracks owner, location, status, maintenance, and descriptive information.</li><li>Media Destruction - media storage devices used to store customer data are decommissioned using techniques detailed in NIST 800-88.</li></ul><h3 id="operational-support-systems">Operational Support Systems</h3><ul><li>Power - electrical power systems are designed to be fully redundant and maintainable without impact to operations.</li><li>Climate and Temperature - data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware.</li><li>Fire Detection and Suppression - data centers are equipped with automatic fire detection and suppression equipment.</li><li>Leakage Detection - data centers are equipped with functionality to detect the presence of water, and mechanisms are in place to remove water.</li></ul><h3 id="infrastructure-maintenance">Infrastructure Maintenance</h3><ul><li>Equipment Maintenance - equipment maintenance procedures are carried out by qualified persons and completed according to a documented maintenance schedule.</li><li>Environment Management - electrical and mechanical systems are employed to enable automatic identification of issues, and preventative maintenance is performed.</li></ul><h3 id="governance-and-risk">Governance and Risk</h3><ul><li>Ongoing Data Center Risk Management - ongoing assessment and mitigation of potential vulnerabilities is performed through data center risk assessment activities.</li><li>Third-party Security 
Attestation - data centers are tested by third parties to ensure appropriately implemented security measures.</li></ul><h2 id="related-controls">Related Controls</h2><ul><li>Datacenters</li></ul>]]></content:encoded></item></channel></rss>