Hashes Agency Security Policy

Last Updated: September 10, 2025.


Preamble

Hashes Agency LLC (“Agency,” “we,” “our,” “us”) is committed to safeguarding the confidentiality, integrity, and availability of all information systems and client data entrusted to us. This Security Policy (“Policy”) outlines the framework through which we manage information security in compliance with international standards and payment processor requirements including:

  • PCI-DSS (Payment Card Industry Data Security Standard)

  • ISO/IEC 27001 (Information Security Management)

  • GDPR (General Data Protection Regulation)

  • CCPA (California Consumer Privacy Act)

  • FTC Advertising Guidelines

  • Merchant requirements of Stripe, PayPal, Wise, Payoneer, and Square

This Policy applies to all employees, contractors, affiliates, vendors, clients, and third-party partners who access or interact with Hashes Agency systems.

Security concerns should be directed to:


Article I: Purpose and Scope

1.1 Purpose

The purpose of this Policy is to establish a security framework that:

  • Protects client data and agency assets.

  • Ensures regulatory compliance.

  • Provides a baseline for all employees and contractors.

  • Establishes clear lines of responsibility and accountability.

1.2 Scope

This Policy applies to:

  • All systems, networks, and databases controlled by Hashes Agency.

  • Cloud services and third-party vendors engaged by the Agency.

  • All employees and clients who use or manage Agency systems.


Article II: Definitions

2.1 Agency Data — Information created, collected, processed, or stored by Hashes Agency.
2.2 Client Data — Any personally identifiable, confidential, or proprietary information belonging to a client.
2.3 Information Asset — Systems, devices, files, or communications that contain Agency or Client Data.
2.4 Security Incident — Any event that compromises confidentiality, integrity, or availability of data.
2.5 Authorized User — Individuals with explicit permission to access Agency systems.
2.6 Third-Party Vendor — External entities providing services involving data handling.


Article III: Security Governance

3.1 Roles and Responsibilities

  • Chief Security Officer (CSO): Overall responsibility for security strategy.

  • Security Team: Implements day-to-day controls.

  • Employees: Follow security practices, report incidents.

  • Vendors: Comply with Agency’s vendor security requirements.

3.2 Policy Review

  • This Policy will be reviewed annually.

  • Updates will be communicated to all stakeholders.

3.3 Enforcement

  • Violations may result in disciplinary action, contract termination, or legal consequences.


Article IV: Access Control

4.1 Authentication

  • All accounts must use multi-factor authentication (MFA).

  • Passwords must follow complexity rules (minimum 12 characters, mix of cases, symbols, numbers).

4.2 Authorization

  • Access is based on the principle of least privilege.

  • Roles determine system access levels.

4.3 Account Management

  • Termination of employee/contractor → immediate revocation of system access.

  • Client accounts must be unique; sharing credentials is prohibited.


Article V: Data Protection

5.1 Encryption

  • Data in transit → TLS 1.2+.

  • Data at rest → AES-256.

5.2 Data Minimization

  • Only necessary data is collected and stored.

  • Payment details are never stored by the Agency.

5.3 Backups

  • Daily encrypted backups stored in geographically diverse locations.

  • Tested quarterly for restoration integrity.


Article VI: Security Incident Response

6.1 Reporting

6.2 Classification

  • Critical: Compromise of sensitive data.

  • High: Service disruption >4 hours.

  • Medium: Attempted breach detected.

  • Low: Policy violation with no impact.

6.3 Response Timeline

  • Critical → acknowledge within 1 hour.

  • High → within 4 hours.

  • Medium → within 24 hours.

  • Low → within 72 hours.

6.4 Client Notification

  • Affected clients notified within 72 hours in compliance with GDPR/CCPA.


Article VII: Physical Security

7.1 Office facilities secured with access badges, CCTV, and restricted areas.
7.2 Data centers must be Tier-3+ with biometric access.
7.3 Unauthorized entry is strictly prohibited.


Article VIII: Vendor Security

8.1 Vendors must sign Data Protection Agreements (DPAs).
8.2 Vendors handling sensitive data undergo annual security audits.
8.3 Non-compliant vendors may be terminated.


Article IX: Employee Obligations

9.1 Annual security awareness training is mandatory.
9.2 Employees must not use personal devices without encryption.
9.3 Social engineering & phishing simulations are conducted quarterly.


Article X: Monitoring and Auditing

10.1 All system access is logged and retained for 12 months.
10.2 Regular vulnerability scans and penetration tests are conducted.
10.3 Quarterly reports submitted to management@hashesagencyllc.com.


Article XI: Compliance Requirements

11.1 PCI-DSS: All payment data processed only by PCI-certified processors.
11.2 GDPR/CCPA: Clients may request data access or deletion.
11.3 FTC: Marketing practices must comply with advertising laws.


Article XII: FAQs

  • Q1: What happens if my account is compromised?
    A: Immediate investigation, suspension, and password reset.

  • Q2: How is payment data secured?
    A: Payment processors (Stripe, PayPal, Wise, Payoneer, Square) handle PCI-DSS storage. Hashes Agency does not store card data.

  • Q3: How do I report a phishing attempt?
    A: Forward details to security@hashesagencyllc.com.

(20+ FAQs to be included in the final expansion.)