Spectrum Future Tech

Information Security Policy

How Spectrum Future Tech protects information assets — client data, intellectual property, employee records, and systems — through an ISO 27001-aligned Information Security Management System (ISMS).

Effective June 5, 2026 · Last updated June 5, 2026

This Policy is a summary for transparency. Specific client engagements may be governed by additional security schedules, NDAs, data processing agreements, or client security standards that take precedence where stricter.

This Information Security Policy ("Policy") establishes the principles, responsibilities, and minimum controls Spectrum Future Tech ("Spectrum," "we," "us," or "our") applies to safeguard information throughout its lifecycle.

It applies to all personnel — employees, contractors, and authorized third parties — who access Spectrum systems, networks, or client environments in connection with software development, AI automation, cloud, DevOps, and related professional services.

This Policy supports our contractual commitments, regulatory obligations, and internationally recognized frameworks including ISO/IEC 27001:2022 and the SOC 2 trust principles (security, availability, processing integrity, confidentiality, and privacy).

  • Corporate IT, collaboration platforms, and approved development tooling
  • Client projects delivered in Spectrum-managed or client-controlled environments
  • Personal data processed on our website, sales, and support channels
  • Third-party suppliers with access to Spectrum or client information

See also our Privacy Policy for personal data processing practices.

Standards alignment

International frameworks we align with

Our ISMS is designed around globally recognized security and privacy standards.

  • ISO/IEC 27001:2022

    Systematic ISMS covering risk assessment, Annex A controls, management review, and continual improvement.

  • SOC 2 Trust Principles

    Security, availability, processing integrity, confidentiality, and privacy for service organization controls.

  • GDPR & Global Privacy

    Alignment with EU/UK GDPR and with privacy laws in the regions where we operate or serve clients.

  • NIST CSF & Secure SDLC

    Identify, protect, detect, respond, recover — applied to engineering, cloud, and AI delivery.

Control map

Control domains at a glance

Mapped to ISO 27001:2022 themes and SOC 2 expectations — each section below expands on these areas.

  • Governance & risk

    Objective: define accountability and manage security risks systematically. Key controls: ISMS scope, risk register, policy approval, management review.

  • Asset & data classification

    Objective: know what we protect and apply handling rules by sensitivity. Key controls: data classification, retention schedules, secure disposal.

  • Access control

    Objective: grant only necessary access and revoke it when no longer needed. Key controls: RBAC, MFA, privileged access management, access recertification.

  • Cryptography

    Objective: protect data in transit and at rest with approved algorithms. Key controls: TLS 1.2+, encrypted storage, key management procedures.

  • Secure engineering

    Objective: build and deploy software without introducing undue risk. Key controls: secure SDLC, code review, dependency scanning, CI/CD gates.

  • Operations & monitoring

    Objective: maintain resilient systems and detect anomalies early. Key controls: logging, patching, backup verification, vulnerability management.

  • Physical security

    Objective: protect facilities and equipment from unauthorized access. Key controls: office access controls, clean desk, secure device handling.

  • Incident response

    Objective: respond quickly to limit impact and meet notification duties. Key controls: IR playbooks, severity matrix, forensics, post-incident review.

  • Business continuity

    Objective: restore critical services after disruption. Key controls: BCP/DR plans, tested backups, alternate communication channels.

  • Supplier security

    Objective: extend controls to vendors and subprocessors. Key controls: due diligence, DPAs, security clauses, ongoing monitoring.

Section 1

Purpose and scope

In short

This Policy sets Spectrum's security baseline for all personnel and systems involved in delivering our services worldwide.

The purpose of this Policy is to protect information assets against unauthorized access, disclosure, alteration, and destruction — whether accidental or deliberate.

Scope includes Spectrum Future Tech and Spectrum Future Technology LLC operations, personnel, information systems, and project delivery activities across India, the United States, Canada, Australia, Saudi Arabia, and other regions where we engage clients or subprocessors.

  • Applies to full-time employees, contractors, interns, and third parties with authorized access
  • Covers cloud, on-premises, and hybrid environments used for delivery
  • Complements project-specific security requirements agreed with clients
  • Reviewed at least annually or when significant changes occur to risk, regulation, or services

Section 2

Governance and management commitment

In short

Leadership approves this Policy, allocates resources for security, and reviews ISMS performance on a planned cadence.

Spectrum management is accountable for establishing, maintaining, and continually improving the Information Security Management System (ISMS).

Security objectives are aligned with business goals, client commitments, and applicable legal requirements. Topic-specific policies — such as access control, acceptable use, and incident response — support this master Policy.

  • A designated security lead coordinates policy maintenance, risk treatment, and audit activities
  • Management review evaluates incidents, audit findings, metrics, and improvement opportunities
  • Exceptions require documented risk acceptance and time-bound approval from authorized management
  • All personnel must acknowledge applicable policies as part of onboarding and refresher training

Section 3

Information security objectives

Spectrum maintains measurable objectives to guide control selection and demonstrate continual improvement. Objectives may include:

  • Zero unmitigated critical vulnerabilities in production systems under Spectrum management
  • Timely patching of systems according to severity-based SLAs
  • 100% MFA enrollment for privileged and remote access accounts
  • Security awareness completion by all personnel annually
  • Incident response drills and tabletop exercises at planned intervals
  • Client security and privacy commitments honored in statements of work and DPAs

Section 4

Roles and responsibilities

Information security is a shared responsibility. The following roles illustrate typical accountability — specific names and escalation paths are maintained internally.

Executive management

  • Approve the Information Security Policy and ISMS scope
  • Ensure adequate budget and staffing for security controls
  • Review significant risks and accept residual risk where appropriate

Security lead / ISMS owner

  • Maintain policies, risk register, and control documentation
  • Coordinate internal audits, external assessments, and corrective actions
  • Serve as primary contact for serious security incidents and regulatory inquiries

Engineering and delivery teams

  • Follow secure development, deployment, and access procedures
  • Report vulnerabilities, anomalies, and policy violations promptly
  • Protect client credentials, keys, and intellectual property

All personnel

  • Complete mandatory security awareness training
  • Use strong authentication and protect devices issued or approved by Spectrum
  • Handle information according to classification and need-to-know principles

Section 5

Risk management

In short

We identify, assess, and treat information security risks using a documented methodology aligned with ISO 27001.

Spectrum maintains a risk management process that identifies threats and vulnerabilities to information assets, evaluates likelihood and impact, and selects treatment options: mitigate, transfer, avoid, or accept.

Risk assessments are performed at least annually, when launching new services or technologies (including AI/ML tooling), and when material changes occur to infrastructure or client obligations.

  • Asset inventory covers systems, applications, data stores, and third-party services
  • Risk owners are assigned for treatment actions with target dates
  • Residual risks are documented and approved by management
  • Client-specific risks may be addressed in project risk registers and shared reviews

Section 6

Asset management and classification

Information assets are inventoried and classified to ensure appropriate handling throughout their lifecycle — creation, storage, transmission, archival, and secure disposal.

  • Classification levels typically include Public, Internal, Confidential, and Restricted (client/regulated data)
  • Labeling and handling rules define storage locations, encryption, sharing, and retention
  • Media and equipment disposal uses secure wipe or destruction methods
  • Return of client assets and data at project end follows contractual offboarding procedures

Section 7

Access control

In short

Access is granted on least privilege and need-to-know, with MFA for sensitive systems and regular recertification.

Logical and physical access to Spectrum and client environments is controlled through documented provisioning workflows. Access rights are tied to job function and revoked upon role change or termination.

  • Unique user identities — shared accounts are prohibited except where technically required and approved
  • Multi-factor authentication (MFA) for VPN, cloud consoles, source control, and privileged admin access
  • Privileged access management with enhanced logging and just-in-time elevation where feasible
  • Quarterly or event-driven access reviews for critical systems
  • Automatic session timeout and lockout after failed authentication attempts

Remote and client environments

When delivering in client-controlled environments, Spectrum personnel use client-approved identity providers, jump hosts, and network paths. Client credentials are never stored in personal accounts or unapproved password managers.

Section 8

Cryptography and data protection

In short

Sensitive data is encrypted in transit and at rest using industry-standard algorithms; keys are managed securely.

Spectrum applies cryptographic controls proportionate to data classification and regulatory requirements.

  • TLS 1.2 or higher for data in transit over public networks; HSTS where applicable on web properties
  • Encryption at rest for laptops, mobile devices, and approved cloud storage containing confidential data
  • Secrets and API keys stored in approved vaults — not in source code repositories or chat messages
  • Pseudonymization and minimization applied when designing analytics and AI workflows
  • Secure file transfer mechanisms for exchanging sensitive deliverables with clients

Section 9

Operations security

Operational procedures protect systems against malware, unauthorized change, and capacity failures while preserving evidence for investigation.

  • Malware protection on endpoints; restrictions on unauthorized software installation
  • Change management for production systems with rollback plans and approval gates
  • Vulnerability scanning and penetration testing at planned intervals
  • Security logging and time-synchronized audit trails for critical systems
  • Backup and restore procedures tested periodically

Section 10

Secure development and AI delivery

In short

Security is embedded in the SDLC and in AI workflows — from design and code review to deployment and monitoring.

Spectrum integrates security into software and AI/automation delivery through secure coding standards, automated testing, and DevSecOps practices.

  • Threat modeling for new features handling sensitive or regulated data
  • Peer code review and static analysis for security defects
  • Dependency and container image scanning in CI/CD pipelines
  • Separation of development, staging, and production environments
  • AI-specific controls: prompt injection awareness, output validation, human review for high-impact decisions, and governance of training data sources
  • No use of client production data in model training without explicit written authorization

Section 11

Physical and environmental security

Physical access to Spectrum offices and facilities is restricted to authorized personnel. Visitors are escorted where required.

  • Secure areas for server/network equipment where applicable
  • Clean desk and clear screen practices for confidential materials
  • Lost or stolen devices reported immediately for remote wipe and credential rotation
  • Environmental controls for equipment rooms aligned with vendor specifications

Section 12

Human resources security and awareness

Personnel security measures apply before, during, and after employment to reduce insider risk and maintain a security-aware culture.

  • Background checks proportionate to role and client requirements where legally permitted
  • Confidentiality and IP assignment agreements for employees and contractors
  • Mandatory security awareness at onboarding and annual refreshers
  • Phishing simulation and secure coding training for technical roles
  • Offboarding checklist: revoke access, recover assets, and transfer knowledge securely

Section 13

Supplier and third-party security

In short

Vendors with access to Spectrum or client data undergo due diligence and contractual security obligations.

Third-party services — cloud providers, SaaS tools, AI APIs, and subcontractors — are assessed for security and privacy before adoption and monitored during use.

  • Security questionnaires and review of certifications (e.g., ISO 27001, SOC 2) where available
  • Data processing agreements and subprocessors disclosed to clients when required
  • Minimum security clauses in contracts covering confidentiality, breach notification, and audit rights
  • Annual re-assessment for critical suppliers

Section 14

Incident management and breach notification

In short

Security events are reported promptly, classified by severity, and handled through documented response phases.

All personnel must report suspected security incidents, lost devices, phishing attempts, or policy violations without delay. Spectrum maintains an incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review.

  • Severity levels (e.g., Critical, High, Medium, Low) with defined escalation paths
  • Incident lead coordinates technical response, communications, and evidence preservation
  • Forensic procedures applied when required to support investigation or legal obligations
  • Post-incident lessons learned documented and tracked to closure
  • Client and regulator notification performed per contract and applicable law (e.g., GDPR breach timelines)

Illustrative response targets

  • Critical incidents: immediate escalation and containment initiation
  • Confirmed personal data breach: client notification without undue delay per agreement and law
  • Post-incident report for significant events within agreed client or internal timelines

Section 15

Business continuity and disaster recovery

Spectrum maintains business continuity and disaster recovery plans to restore critical operations and client-facing services after disruptive events.

  • Business impact analysis identifies critical processes and recovery priorities
  • Backup strategies with off-site or geo-redundant storage where appropriate
  • Communication plans for internal teams and affected clients during outages
  • Plans tested through tabletop exercises and technical restore drills

Section 16

Compliance and legal requirements

Spectrum complies with applicable information security, privacy, and sector-specific regulations in jurisdictions where we operate and where our clients are located.

  • GDPR and UK GDPR for EU/UK personal data processing
  • CCPA/CPRA and US state privacy laws where applicable
  • India Digital Personal Data Protection Act and local requirements
  • Client industry frameworks (e.g., HIPAA BAA, PCI DSS scope) when contractually in scope
  • Export control and sanctions screening where relevant to project delivery

Section 17

Monitoring, audit, and continual improvement

The effectiveness of the ISMS is measured through metrics, internal audits, and management review. Nonconformities trigger corrective and preventive actions.

  • Key performance indicators: patch compliance, training completion, incident volumes, audit findings
  • Internal audits against ISO 27001 control themes at planned intervals
  • External assessments and client security audits accommodated under NDA
  • Policy review at least annually or upon significant organizational or regulatory change

Section 18

Acceptable use

Personnel must use Spectrum and client systems lawfully and only for authorized business purposes.

  • Prohibited: unauthorized copying of client IP, sharing credentials, bypassing security controls, or introducing unapproved high-risk software
  • Personal use of corporate resources must not introduce security or legal risk
  • AI tools and public cloud services require approval before processing confidential or client data
  • Violations may result in disciplinary action, contract termination, and legal remedies

Section 19

Contact and reporting security concerns

For security questions, vulnerability reports, or incident notification, contact Spectrum using the details below. We encourage responsible disclosure and will not retaliate against good-faith reports.

  • Email: [email protected] — subject line: "Security Report"
  • India (HQ): LALS Enclave, Mehdipatnam, Hyderabad - 500028, India · +91 707 505 4555
  • USA: Spectrum Future Technology LLC, 4747 W Pendleton, Peoria, IL 61615 · +1 312 219 3929
  • Include sufficient detail to reproduce or investigate the issue; PGP key available on request for sensitive disclosures

Report a security concern

Contact us to report vulnerabilities, incidents, or policy questions. We respond to good-faith security reports promptly and treat them confidentially where appropriate.
