Information Security Policy
Owner: Fluent Terrain LLC Security and Engineering. Effective: May 11, 2026. Last updated: May 11, 2026.
GlacialBooks is operated as a financial data system. Security decisions are centered on tenant isolation, least privilege, traceable data changes, encrypted transport, protected provider credentials, and defined remediation deadlines.
Purpose and scope
This policy governs the people, systems, code, infrastructure, vendors, and operating processes used to build and run GlacialBooks. It applies to production, test, and development environments that can affect customer data, bookkeeping records, bank data, payroll data, receipts, invoices, or support workflows.
Risk management
Security risks are recorded with severity, owner, remediation plan, due date, and closure evidence. Critical risks that can expose customer financial data require containment within 24 hours and remediation or documented compensating controls within 7 calendar days. High risks require remediation within 30 calendar days. Medium risks require remediation within 90 calendar days. Low risks require remediation within 180 calendar days.
Data protection
Application traffic uses TLS 1.2 or better. Customer data stored in Azure managed databases, blob storage, and backups uses encryption at rest. Sensitive configuration is stored outside the codebase in Azure Key Vault. Production Key Vault soft delete retention is 90 days. Production database backup retention is 35 days. Production blob soft delete retention is 30 days.
Secure development
Code changes must pass automated CI checks before merge. The CI pipeline runs dependency audit, static security scan, lint, format check, typecheck, tests, and frontend build checks on pushed changes. Security-relevant behavior must include regression tests when the behavior can be exercised automatically.
Vulnerability management
Application dependency checks and static analysis run on every CI execution. Critical exploitable vulnerabilities affecting production are contained within 24 hours. High vulnerabilities are remediated within 7 calendar days. Medium vulnerabilities are remediated within 30 calendar days. Low vulnerabilities are reviewed and remediated within 90 calendar days or accepted with documented rationale.
Workforce device security
Employee and contractor devices with production access must use disk encryption, screen lock, supported operating system versions, endpoint protection, and vulnerability monitoring. Device compliance is checked at least every 14 days and before production access is granted.
Incident response
Security reports sent to [email protected] are acknowledged within 2 business days. Confirmed incidents are assigned an owner, severity, affected tenant list, containment plan, communication plan, and corrective action record. Incidents affecting regulated or sensitive customer data are assessed for notification duties within 24 hours of confirmation.
Review cadence
This policy is reviewed every 12 months by May 31 and within 30 days after a material platform, infrastructure, regulatory, or provider requirement change. Updates are approved by Fluent Terrain leadership and reflected in operational runbooks.
Related controls are described in the Access Controls Policy and Data Retention and Deletion Policy.