Information Security Policy
Last Updated: 2026-02-12 Standard: ISO 27001:2022 Review Cycle: Annually
1. Purpose#
This policy establishes the framework for managing information security at cloak.business. It ensures the confidentiality, integrity, and availability of all information assets, including customer data, platform systems, and supporting infrastructure.
2. Scope#
This policy applies to:
- All cloak.business systems, services, and infrastructure
- All personnel with access to information assets
- All data processed, stored, or transmitted by the platform
- All third-party services and sub-processors involved in service delivery
3. Principles#
cloak.business information security is guided by the following principles:
Risk-Based Approach#
Security controls are selected and implemented based on assessed risk levels. Resources are directed toward the areas of highest risk, ensuring proportionate and effective protection.
Defense in Depth#
Multiple layers of security controls protect information assets. No single point of failure is relied upon; instead, overlapping controls ensure that a failure in one layer does not compromise overall security.
Least Privilege#
Access to information and systems is restricted to the minimum necessary for each individual or service to perform their function. Permissions are granted on a need-to-know basis and regularly reviewed.
Separation of Duties#
Critical functions are divided among different individuals or systems to reduce the risk of error or misuse. No single person has unchecked control over sensitive operations.
Secure by Default#
Systems and services are configured securely from the outset. Optional features that involve data storage or sharing are disabled by default and require explicit user action to enable.
4. Key Commitments#
cloak.business commits to:
| Commitment | Description |
|---|---|
| Protect customer data | Implement technical and organizational measures to safeguard all data entrusted to us |
| Comply with regulations | Maintain compliance with GDPR, ISO 27001:2022, and applicable data protection laws |
| Continuous improvement | Regularly assess and enhance our security posture through audits, reviews, and incident learning |
| Transparency | Communicate security practices, incidents, and changes openly to affected parties |
| Incident readiness | Maintain tested incident response procedures to detect, contain, and resolve security events |
| Employee awareness | Ensure all personnel understand their security responsibilities through training and policy communication |
5. Information Security Objectives#
The following objectives guide our security program:
- Maintain confidentiality of all customer data and business information
- Ensure integrity of data processing operations, producing accurate and reliable results
- Guarantee availability of platform services in accordance with defined service levels
- Minimize data exposure through in-memory processing and minimal data retention
- Detect and respond to security incidents within defined timeframes
- Comply with all applicable legal, regulatory, and contractual requirements
6. Management Responsibility#
Leadership Commitment#
Senior management is responsible for:
- Approving and endorsing the information security policy
- Allocating resources for information security activities
- Reviewing ISMS performance and effectiveness
- Ensuring integration of security requirements into business processes
- Promoting a culture of security awareness
Roles and Responsibilities#
| Role | Responsibility |
|---|---|
| Management | Overall accountability for information security; policy approval and resource allocation |
| Security Lead | Day-to-day management of the ISMS; risk assessment coordination; incident management |
| Development Team | Secure development practices; vulnerability remediation; code review |
| Operations | System hardening; monitoring; patch management; backup management |
| All Personnel | Adherence to security policies; reporting of incidents and vulnerabilities |
7. Policy Framework#
This Information Security Policy is supported by subordinate policies and procedures:
- Access Control Policy -- Governs user access, authentication, and authorization
- Incident Response Plan -- Defines procedures for handling security incidents
- Risk Assessment Framework -- Methodology for identifying and treating security risks
- Data Retention Policy -- Retention periods and disposal procedures
- Cryptographic Controls -- Standards for encryption and key management
- Business Continuity Plan -- Procedures for maintaining service availability
- Supplier Security Policy -- Requirements for third-party service providers
8. Compliance#
Failure to comply with this policy and its supporting documents may result in disciplinary action. All personnel are required to acknowledge and adhere to this policy.
External compliance requirements include:
- ISO 27001:2022 -- Information Security Management System
- GDPR (EU) 2016/679 -- General Data Protection Regulation
- BDSG -- German Federal Data Protection Act
9. Review#
This policy is reviewed:
- Annually as part of the ISMS management review cycle
- After significant security incidents to incorporate lessons learned
- When business or regulatory changes require policy updates
All revisions are documented and communicated to relevant personnel.
Revision History#
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-02-09 | Initial policy publication |
Document maintained by cloak.business Contact: support@cloak.business