
Agency Information Security Policy

Last updated on: January 3, 2022

This policy defines the measures put in place to protect corporate information and the information systems, services, and equipment owned or utilised by Overwrite Agency, hereby known as “Us” or “We”.

The objectives of the Information Security Policy are:

  • To secure Overwrite Agency’s and its clients’ assets against theft, fraud, malicious or accidental damage, breach of privacy or confidentiality;
  • To protect Overwrite Agency and its clients from damage or liability arising from the use of its facilities or services for purposes contrary to their intended use.

Note. This document contains definitions already outlined in the Agency Terms of Service document and also acts as an extension of that document. Read the latest TOS here: overwrite.agency/terms.

Scope

This policy applies to all Overwrite Agency staff, its clients, and any other persons affiliated with but not employed by Overwrite Agency who may utilise its infrastructure and/or access its applications, with respect to the security and privacy of information.

Data Protection

We take appropriate technical and organisational measures to help protect confidential information against unauthorised access, loss or destruction. These measures include:

  • Ensuring physical security of all devices used by Overwrite Agency employees;  
  • Using firewalls, anti-virus software, malware detection systems and other security measures on all devices;  
  • Storing passwords for all services in our preferred Zero-Knowledge Architecture Password Manager, with 2FA required for access;
  • Storing client confidential information and access credentials in our preferred Zero-Knowledge Architecture Password Manager, with 2FA required for access;
  • Implementing 2FA on all services used by Overwrite Agency;
  • Ensuring strictly need-to-know-only access to client data;
  • Encrypting sensitive information both in transit between locations as well as at rest when stored on servers;
  • Storing customer data in secure cloud-based servers with a reliable hosting provider;
  • Protecting against unauthorised changes by ensuring backups are regularly taken and stored securely offsite.

Staff, Client, and Associate Access Control

Overwrite Agency provides its staff, clients, and associates with access to computing and communications services in support of their business and administrative activities. These facilities include access to solutions like email and/or internet services.

We have strict internal controls in place to limit access to confidential information as needed on a need-to-know basis only. All personnel at Overwrite Agency must sign a confidentiality agreement which outlines their responsibility to keep data safe and private at all times while employed here or when they leave the company.

Where a staff member, client, or associate is assigned login credentials or system passwords, they are responsible for maintaining the use and security of any User IDs and all activity associated with that ID. Knowingly disclosing passwords to others will be deemed a breach of policy and could result in the termination of accounts.

To minimise this risk, each team member is enrolled on our preferred Zero-Knowledge Architecture Password Manager and must set up 2FA to complete setup. All Password Manager activity is logged, allowing us to maintain an audit trail for any activity related to client information should an audit be required in future. Again, all login credentials and other confidential information are provided on a strictly need-to-know basis.

Overwrite Agency also enforces regular password changes for all users and across all its systems every 90 days and immediately after any staff turnover where the employee’s access was at admin or ‘root’ level. 

We have preconfigured the recommended password strength requirements in the Password Manager: a minimum of 12 characters, with at least one uppercase letter, one lowercase letter, one number and one special character.

Contract / Temporary Access

Where temporary access is required for a specific purpose such as, but not restricted to, contract workers and ‘test’ accounts, a user expiry date based on the completion date of the required tasks must be used to ensure the temporary account is not accessible after that date.

In the case of ongoing maintenance and support from 3rd party companies, access is only granted to the relevant facilities within the system and is restricted to only the systems for which they provide support.

Furthermore, Overwrite Agency’s password policies are enforced for contract workers and 3rd party companies. Password strength must meet the requirements set out in the previous section, and passwords must be changed at least every 90 days.

Once contracts have ended with Contract workers or 3rd parties, all passwords are changed immediately and associated user accounts are deleted. 

Network Usage

Overwrite Agency provides staff, clients, and associates with access to computing and communications services in support of business solutions and administrative activities.

By working with Overwrite Agency, and signing the Employment of Contract of Work documents, all users agree to abide by all policies that relate specifically to the use of the equipment, services & facilities provided. Any breach of these policies will be deemed an infringement and dealt with accordingly which could result in the suspension of access privileges, or in severe cases, account/service removal.

Interfering in any way with the Overwrite Agency systems or associated equipment, whether intentionally or accidentally, is not permitted. Any such interference will be acted upon and investigated, and may result in dismissal from the company.

Electronic Communications

Overwrite Agency encourages staff, clients, and associates to appropriately use electronic communication to achieve the mission and goals of their business and/or administrative duties. 

Overwrite Agency promotes the use of online communication to enhance collaboration and share knowledge. We realise that implementing open dialogue where individuals can express their thoughts, whether they be novel or contested, is essential in today’s connected society as it serves to advance democratic principles within the laws of our society.

Data Breaches

Overwrite Agency understands that data breaches can happen, even with the best security measures in place. If an incident occurs that results in a breach of client data stored with us, either due to errors or breaches caused by a third-party hosting provider, we will immediately take action and contact the affected parties as soon as possible. 

We will also provide guidance on how they can secure their systems if they could be affected by the breach. All notifications regarding any incidents resulting in compromised data will be sent out within 24 hours following the discovery of the incident.

Third-Party Partners

Overwrite Agency works with various third-party partners to provide hosting, storage, and other services to our clients. While we take care to select partners that have strong security and privacy practices, we cannot be held liable for errors or breaches that may occur at these partners. 

However, we will take immediate action if we are alerted to any issues and work with our partners to resolve them as quickly as possible.

Training & Education 

We ensure our employees are equipped with the skills necessary to protect client data. We provide custom training courses and review best practices related to information security. Every employee undergoes an annual refresher on general awareness topics as well as specific instructions before accessing protected customer datasets or applications containing sensitive personal details – ensuring that only authorised personnel access confidential information securely.

Liability Disclaimer

In case of a breach caused either directly by us or due to errors or breaches caused by another third-party provider, we may not be held liable for any damages incurred solely as a result of such breaches unless determined otherwise under applicable law(s).

Reporting Concerns

Employees are encouraged to report potential violations related to customer confidentiality directly via email to [email protected]. All concerns raised over potential violations shall be investigated promptly given the sensitivity of such matters.

Policy Updates 

This document may be updated from time to time without notice to reflect changes taking place within our organisation, new laws, regulations and relevant industry initiatives.