# Information Security Policy — Apache-3 Inc.

**Document version:** 1.0
**Effective date:** 2026-05-20
**Next review:** 2026-11-20
**Approved by:** Snake Blocker, President / CEO

## 1. Purpose

Apache-3 Inc. ("Apache-3") provides government and commercial services that depend on the trust of our customers. This Information Security Policy establishes the baseline controls Apache-3 maintains to protect Apache-3 data and customer data.

## 2. Scope

This policy applies to:

- All Apache-3 employees, contractors, and key personnel
- All systems, applications, and data managed by Apache-3
- All third-party services Apache-3 uses to deliver work

## 3. Policy statements

### 3.1 Acceptable use

Apache-3 systems, accounts, and data are for business use. Personal use is permitted incidentally where it does not impact security or capacity. Apache-3 prohibits:

- Sharing of authentication credentials
- Use of personal email or personal cloud storage for Apache-3 business data
- Storing customer data on personal devices
- Installing unauthorized software on Apache-3 workstations

### 3.2 Access management

- All systems require unique user accounts. No shared accounts.
- Multi-factor authentication is required for any system that supports it.
- Access is granted on the principle of least privilege.
- Access is reviewed at engagement start, quarterly during the engagement, and at engagement end.
- Account access is revoked within 1 business day of personnel departure or role change.

### 3.3 Workstation security

- Disk encryption (FileVault on macOS, BitLocker on Windows) is required on all workstations used for Apache-3 work.
- OS-level antimalware (XProtect on macOS, Defender on Windows) must remain enabled.
- OS security updates must be applied within 30 days of release (90 days for major version upgrades, sooner for critical CVEs).
- Workstation screens must lock after 10 minutes of inactivity.

### 3.4 Network security

- Apache-3 does not operate its own network infrastructure beyond home/office networks. WiFi must be WPA3 (or WPA2 minimum) with a strong unique password.
- Production systems are accessed only over HTTPS (TLS 1.2+).
- VPN use is required when accessing administrative consoles from public WiFi.

### 3.5 Data classification and handling

Apache-3 classifies data in three tiers:

**Public**: marketing materials, public-facing documents (e.g., capability statement, certifications, this policy)

**Internal**: business records, financial data, customer engagement records. Encrypted at rest and in transit. Stored on cloud platforms with audit logging.

**Confidential**: customer data, employee personally identifiable information, secrets/credentials. Encrypted at rest and in transit. Restricted access. Not stored on workstations except in transient working state.

### 3.6 Credentials and secrets

- Production credentials are stored in encrypted secrets storage (dotenv private repo, per-project).
- Production credentials are never committed to version control.
- Credentials are rotated quarterly or on suspected exposure.
- Personal API keys are not used for production work.

### 3.7 Vendor management

- New vendor onboarding requires a vendor-risk review (see vendor-management-policy.md).
- High-risk vendors (data processors, payment processors, identity providers) require explicit documentation and SOC 2 review.
- A vendor inventory and risk assessment are performed annually.

### 3.8 Incident response

- All security incidents must be reported to s@apache-3.com immediately upon discovery.
- The incident-response runbook (apache3.com/compliance/incident-response-runbook.md) governs the response process.
- Affected customers will be notified within 72 hours of confirmation of a data breach.

### 3.9 Backup and recovery

- Cloud platforms provide their own backup mechanisms (Supabase point-in-time, GitHub, Stripe).
- Critical business records are backed up to a secondary location.
- Backup recovery is tested annually.

### 3.10 Software development security

- Customer-facing applications use trunk-based development with branch protection on main.
- Pull requests are reviewed before merge for repos with paying customers.
- Dependency scanning runs on every push (CI-gated).
- Production deployments flow through CI; no direct console deploys to live environments.

### 3.11 Awareness and training

- All personnel complete annual security-awareness training.
- Phishing-simulation drills run quarterly.
- New hires complete onboarding security training within 30 days of start.

### 3.12 Physical security

- Workstations are kept at residences or in locked offices.
- Devices left unattended in public spaces must be locked or removed.
- Confidential documents are stored in cloud platforms, not on physical paper.

## 4. Enforcement

Violations of this policy may result in disciplinary action up to and including termination of employment or contractor engagement.

## 5. Exceptions

Policy exceptions require written approval from the CEO. Approved exceptions are documented and reviewed quarterly.

## 6. Review and updates

This policy is reviewed at least annually and updated when material changes occur in Apache-3's operations, the threat landscape, or applicable regulations.

---

**Approved:** Snake Blocker, President / CEO
**Date:** 2026-05-20

*Apache-3 Inc. — UEI JQMHLJNNJYN1 — CAGE 8DFR5*
