bitStudio Security Policy
1. Introduction
bitStudio is committed to implementing thorough safeguards for the confidentiality, integrity, and availability of our information assets, services, and supporting infrastructure. This policy applies to all systems we operate, the data we process on behalf of our customers, and the team members and service providers who support those systems.
2. Governance and Responsibilities
We maintain an information security program led by our executive team. Designated owners are accountable for the security controls within their areas. All personnel are required to follow this policy and to acknowledge updates when material changes are published.
3. Risk Management
We evaluate security and privacy risks on an ongoing basis, focusing on the impact to our customers and business. Risks are documented, prioritized, and tracked to closure, with results informing control updates and investment decisions.
4. Asset Management
We keep inventories of production infrastructure, source code, and data stores. Assets are classified based on sensitivity, and handling requirements are defined for customer data, internal data, and public content.
5. Access Control
Access to systems and data follows the principle of least privilege. Account provisioning, periodic access reviews, and revocation follow documented procedures so that access reflects each person's current role. Shared credentials are prohibited, and strong authentication is required wherever the platform supports it.
6. Secure Development and Change Management
We build and deploy software using version control, code reviews, and automated checks. Changes to production systems follow documented procedures that include testing, approval, and rollback planning. Sensitive secrets are managed through environment configuration, not stored in source code.
7. Data Protection
We require encryption in transit (TLS) for customer data moving through our services. We rely on trusted cloud providers for storage encryption at rest and the physical security of underlying facilities, and we review the controls they make available. We limit the data we collect to what is described in our Privacy Policy and process it only for the purposes disclosed there.
8. Operational Security and Monitoring
We maintain logging for production services, monitor for anomalous activity, and apply security updates to our infrastructure and dependencies in a timely manner. Backups are scheduled and periodically tested for restoration.
9. Incident Response
We operate incident response procedures that define detection, escalation, containment, eradication, and post-incident review activities. Customers are notified without undue delay when an incident materially affects their data or service availability.
10. Business Continuity and Disaster Recovery
We maintain continuity plans that cover critical services and supporting vendors. These plans are reviewed at least annually and exercised to verify recovery objectives, ensuring we can restore essential operations following disruptive events.
11. Supplier and Third-Party Management
Third-party services are evaluated for security posture before use and reviewed on a regular cadence. Contracts require appropriate confidentiality, availability, and privacy commitments, and access granted to suppliers is limited to the minimum necessary scope.
12. Personnel Security and Training
Team members agree to confidentiality obligations and complete security and privacy awareness training during onboarding. Responsibilities for handling customer data are documented, and violations of this policy may result in disciplinary action.
13. Compliance and Policy Maintenance
This policy is reviewed at least annually, and additionally after significant changes to our services or to the threat landscape. Our privacy practices are described in the companion Privacy Policy.
14. Contact
Questions about this policy or reports of security concerns can be sent to [email protected].
Last Updated: 23 September, 2025