SmartReply Information Security Program
Effective Date: May 26, 2025
1. Purpose & Scope
This Information Security Program (“Program”) defines the minimum security requirements that apply to all SmartReply (Incharge Marketing LLC) personnel, contractors, systems, and data. It covers the full data‑lifecycle—from creation and storage to transmission, use, and deletion—for production, staging, and corporate environments.
2. Governance & Responsibilities
The Chief Executive Officer holds overarching accountability for SmartReply’s security and risk posture. Day‑to‑day ownership of the Information Security Program rests with the Data Protection Officer / CISO, Jonah Belanger, who maintains the policy, coordinates internal and external audits, and approves any exceptions. The Engineering Team translates policy into practice by implementing technical controls, performing peer code reviews, and promptly patching vulnerabilities. All personnel are required to complete annual security‑awareness training and to adhere to the controls outlined in this Program. The Program itself is reviewed once a year—or sooner if significant changes in technology, regulation, or risk warrant an interim update.
3. Data Classification & Handling
SmartReply categorizes information into three tiers. Public data consists of marketing materials that can be shared without restriction. Internal data covers non‑public business information; it is accessible only to employees and must always traverse secure (TLS‑protected) channels. Confidential data—including any personally identifiable information (PII) and all TikTok USDS records—demands the highest safeguards: it is encrypted at rest with AES‑256 via AWS KMS, transmitted exclusively over TLS 1.2 or higher, logged for access events, and governed by strict least‑privilege permissions.
4. Access Control
- SSO via Okta with FIDO2 MFA required for all cloud resources.
- IAM roles follow least‑privilege; quarterly access reviews.
- Production credentials stored only in AWS Secrets Manager.
5. Endpoint & Network Security
- Company laptops run real‑time endpoint protection (Microsoft Defender for Business) with auto‑updates and weekly full scans.
- Production workloads live in isolated AWS VPCs; inbound traffic passes through Cloudflare Zero Trust + WAF/Bot Management.
- AWS GuardDuty, Security Hub, and CloudWatch provide continuous threat detection and alerting.
6. Vulnerability & Patch Management
- Dependencies scanned weekly with Snyk; EC2/EKS images scanned via Amazon Inspector.
- Patch SLAs: Critical ≤ 72 h, High ≤ 7 d, Medium ≤ 30 d.
- Penetration tests conducted annually by an independent third party.
7. Cryptography
- Data at rest: AES‑256 (RDS, S3) under customer‑managed KMS keys.
- Data in transit: TLS 1.2+; HSTS enforced on all public endpoints.
8. Incident Response
- 24 × 7 on‑call engineer rotation.
- Incidents logged in Jira/Statuspage; severity triage within 1 h.
- Notification: affected merchants and TikTok Shop informed within 24 h of breach confirmation.
9. Business Continuity & Backups
- Automated daily snapshots; point‑in‑time recovery (PITR) enabled.
- Cross‑region replicas for RDS and S3; quarterly restore tests.
10. Security Awareness & Training
- Mandatory onboarding security training + annual refresher.
- Quarterly phishing simulations; targeted coaching for failures ≥ 2 times.
11. Third‑Party & Sub‑Processor Management
- All vendors undergo risk assessment; DPAs executed where required.
- No subcontractors process TikTok USDS data without prior written approval.