Data Security Policy

At Infos B4B, data security is foundational to everything we do. As a provider of B2B contact data, email appending, data cleansing, and data hygiene services, we understand that our clients trust us with sensitive business information. This Data Security Policy outlines the technical, administrative, and physical safeguards we maintain to protect that trust.

This policy applies to all employees, contractors, partners, and systems that access, process, store, or transmit data on behalf of Infos B4B and our clients.

We employ robust encryption protocols to protect data both in transit and at rest:

• Data in Transit: All data transmitted between our systems and external parties is encrypted using TLS 1.2 or higher. Our website and all API endpoints enforce HTTPS exclusively.
• Data at Rest: Stored data is encrypted using AES-256 encryption. Database backups, file storage, and archive systems all employ encryption at the storage layer.
• Key Management: Encryption keys are managed through a centralized key management system with automatic rotation schedules. Access to encryption keys is restricted to authorized security personnel only.

We implement strict access controls based on the principle of least privilege:

• Role-based access control (RBAC) ensures employees only access data necessary for their specific job functions
• Multi-factor authentication (MFA) is required for all employee accounts and administrative systems
• Access permissions are reviewed quarterly and revoked immediately upon role change or employment termination
• Privileged access to production systems requires additional approval and is logged and audited
• Unique user credentials are assigned to every individual; shared accounts are prohibited

Our infrastructure is designed for security, reliability, and redundancy:

• Data is hosted in SOC 2 Type II certified data centers located within the United States
• Redundant storage with automated failover ensures business continuity and data availability
• Regular backups are performed with encrypted copies stored in geographically separate locations
• Database environments are segmented to isolate client data from internal operational systems
• Development and testing environments use anonymized data sets and are isolated from production

We maintain a comprehensive incident response plan to address security events promptly and effectively:

• A dedicated incident response team is on call to investigate and respond to security events
• All suspected security incidents are triaged within 1 hour of detection and escalated according to severity
• Affected clients are notified within 72 hours of confirming a data breach, consistent with applicable regulations
• Post-incident reviews are conducted to identify root causes and implement preventive measures
• Incident response procedures are tested through tabletop exercises at least twice per year

Security is a shared responsibility across our entire organization:

• All employees complete mandatory security awareness training during onboarding and annually thereafter
• Phishing simulation exercises are conducted quarterly to test and reinforce awareness
• Specialized training is provided to employees handling sensitive data or administering security systems
• Employees are required to sign confidentiality and data protection agreements as a condition of employment
• Security policies and best practices are documented and accessible to all staff through our internal knowledge base

Our network infrastructure is protected by multiple layers of security:

• Enterprise-grade firewalls with intrusion detection and prevention systems (IDS/IPS) monitor all network traffic
• Network segmentation separates public-facing systems from internal databases and administrative networks
• Continuous vulnerability scanning and penetration testing are performed by both internal teams and independent third parties
• Web application firewalls (WAF) protect our public-facing applications against common attack vectors
• All remote access to internal systems requires VPN connections with MFA

Physical access to our facilities and data center infrastructure is tightly controlled:

• Data centers feature 24/7 security personnel, biometric access controls, and video surveillance
• Office facilities require badge access with visitor logs maintained at all entry points
• Server rooms and network closets have additional access restrictions limited to authorized IT personnel
• Hardware disposal follows NIST 800-88 guidelines for media sanitization to prevent data recovery

We hold our vendors and partners to the same security standards we maintain internally:

• All third-party vendors undergo security assessments before engagement and are re-evaluated annually
• Data processing agreements (DPAs) are executed with all vendors who access or process data on our behalf
• Vendors are required to maintain appropriate security certifications and provide evidence of compliance
• Third-party access is limited to the minimum data and systems required to fulfill their contractual obligations

Our security program is aligned with recognized industry standards and regulatory frameworks:

• Our controls are designed in alignment with SOC 2 Type II criteria covering security, availability, and confidentiality
• We follow ISO 27001 best practices for information security management
• Our data handling practices comply with GDPR, CCPA, CAN-SPAM, and TCPA requirements
• Regular internal and external audits are conducted to verify compliance and identify areas for improvement

If you have questions about our data security practices or wish to report a security concern, please contact us:

• Email: info@infosb4b.com
• Phone: +1 833-209-5599
• Address: 228 Park Ave S 60111, New York, NY 10003