Security at Hirelexa

1. Purpose, Scope, and Organization

This policy defines behavioral, process, technical, and governance controls pertaining to security at Hirelexa that all personnel are required to implement in order to ensure the confidentiality, integrity, and availability of the Hirelexa service and data ("Policy"). All personnel must review and be familiar with the rules and actions set forth below.

1.1 Governance and Evolution

This Policy was created in close collaboration with and approved by Hirelexa executives. At least annually, it is reviewed and modified as needed to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices.

1.2 Security Team

The Hirelexa security team oversees the implementation of this Policy, including: procurement, provisioning, maintenance, retirement, and reclamation of corporate computing resources; all aspects of service development and operation related to security, privacy, access, reliability, and survivability; ongoing risk assessment; vulnerability management; incident response; and security-related human resources controls and personnel training.

2. Personnel and Office Environment

Hirelexa is committed to protecting its customers, personnel, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly, in the context of its established employment culture of openness, trust, maturity, and integrity.

2.1 Work Behaviors

The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format.

3. Personnel Identity and Access Management

Each individual having access to any Hirelexa-controlled system does so via a unique user account. User accounts are required to have a unique username, a strong password, and two-factor authentication (2FA).

3.1 Access Management

Hirelexa adheres to the principle of least privilege, and every action attempted by a user account is subject to access control checks.

4. Data Classification and Processing

Hirelexa maintains the following Data Confidentiality Levels:

5. Vulnerability and Incident Management

The Hirelexa security team maintains an internal Incident Response Policy which contains steps for preparation, identification, containment, investigation, eradication, recovery, and follow-up/postmortem.

6. Business Continuity and Disaster Recovery

Hirelexa services are configured to withstand long-term outages to individual servers, availability zones, and geographic regions. Infrastructure and data are replicated in multiple geographic regions to ensure high availability.

6.1 Disaster Recovery

Hirelexa targets a Data Recovery Point Objective (RPO) of 5 minutes for at least 3 days, and no longer than is permissible by law. Hirelexa targets a Data Recovery Time Objective (RTO) of no longer than 24 hours.

Last updated: July 15, 2024