
CloudCadre Information Security Policy

1. Purpose

At CloudCadre, information is a critical asset. This Information Security Policy establishes the foundation for maintaining the confidentiality, integrity, and availability (CIA) of all information systems, data, platforms, and services managed or operated by CloudCadre Technologies Pvt Ltd (India) and CloudCadre Inc. (USA).

Our goal is to safeguard client trust, meet regulatory obligations, and support secure cloud and FinOps operations worldwide.

2. Scope

  • All CloudCadre systems, software, services, and infrastructure (on-premises and cloud)
  • All employees, consultants, interns, partners, and third-party service providers
  • All data processed, stored, or transmitted by CloudCadre
  • All environments including dev, staging, and production, across Azure, AWS, GCP, and hybrid models

3. Information Security Objectives

  • Prevent unauthorized access, disclosure, alteration, or destruction of data
  • Ensure business continuity and disaster recovery preparedness
  • Promote secure development and cloud-native DevSecOps practices
  • Continuously monitor, assess, and improve our security posture
  • Comply with contractual, legal, and regulatory security obligations

4. Roles & Responsibilities

| Role | Responsibilities |
| --- | --- |
| CISO / Security Head | Oversee ISMS, perform audits, incident response, compliance enforcement |
| IT & Cloud Engineers | Implement security controls, monitor infrastructure, enforce patching |
| All Employees | Follow security guidelines, report incidents, complete training |
| Third-Party Vendors | Ensure data handling aligns with CloudCadre’s security agreements |

5. Core Security Principles

a. Access Control

  • Least privilege (PoLP) principle
  • Role-based access control (RBAC)
  • Mandatory MFA for admin and user access
  • Auto-revocation upon exit or role change

b. Data Protection

  • Encryption at rest and in transit (AES-256, TLS 1.2+)
  • Token-based API authentication
  • Client data geo-segregated where required

c. Network Security

  • WAF, IDS/IPS, VPN
  • Zero Trust principles
  • Hardened, isolated production environments

d. Endpoint Security

  • EDR/AV on all endpoints
  • Managed by MDM tools
  • Dedicated BYOD policy

6. Secure Development & DevSecOps

  • Security embedded in CI/CD pipelines
  • Branch protections in GitHub, Azure DevOps
  • Regular SAST/DAST and dependency scanning
  • Integrated vulnerability tracking via Jira

7. Incident Response & Reporting

Our internal Incident Response Plan (IRP) includes:

  1. Identification
  2. Containment
  3. Eradication
  4. Recovery
  5. Post-Incident Review

📧 Report incidents to: security@cloudcadre.ai

8. Business Continuity & Disaster Recovery

  • Daily encrypted backups
  • Multi-region DR sites (India & USA)
  • Quarterly recovery testing

9. Training & Awareness

  • Annual employee security training
  • Phishing simulations
  • Role-based awareness for engineers and leaders

10. Compliance & Audits

  • Aligned with ISO/IEC 27001:2022, NIST
  • Compliant with GDPR, CCPA, Indian IT Act
  • Bi-annual audits and pen-testing

11. Vendor Risk Management

  • Due diligence on all partners and vendors
  • DPAs signed where data is shared
  • Ongoing vendor scoring and reviews

12. Data Classification & Handling

Data is classified into:

  • Public
  • Internal
  • Confidential
  • Restricted

These classifications are enforced through DLP, CASB, and IRM tools.

13. Policy Violations

Violations may lead to:

  • Disciplinary action or termination
  • Suspension of system access
  • Legal or regulatory reporting

14. Review and Updates

  • Reviewed annually or upon major business/security changes
  • Updates based on laws, risks, and incidents

By accessing or working with CloudCadre’s platforms or services, users agree to follow this Information Security Policy in full.
