Security Policy

Our comprehensive approach to protecting your data, systems, and business operations with enterprise-grade security measures.

Effective Date: January 23, 2025

Last Updated: January 23, 2025

Our Security Commitment

Convergent Studios LLC is committed to maintaining the highest standards of information security.

As a Tennessee-based software development company serving healthcare, AI, and enterprise clients, we understand that security is not optional—it's fundamental to everything we do.

SOC 2 Compliant

HIPAA Ready

Enterprise Grade

Information Security Framework

Security Governance

Leadership & Accountability

• Designated Security Officer responsible for oversight
• Regular security training for all team members
• Executive leadership commitment to security
• Board-level security reporting and review

Policy & Procedures

• Comprehensive security policy documentation
• Regular policy reviews and updates
• Employee security handbooks and guidelines
• Incident response and escalation procedures

Risk Management

We conduct regular risk assessments to identify and mitigate security threats.

• Annual comprehensive risk assessments
• Quarterly threat landscape reviews
• Continuous vulnerability monitoring
• Third-party security audits

• Risk treatment and mitigation plans
• Business impact assessments
• Security metrics and KPI tracking
• Regular penetration testing

Data Protection Measures

Encryption Standards

Data at Rest

• AES-256 encryption for stored data
• Encrypted database storage
• Secure key management systems
• Hardware security modules (HSMs)
• Regular key rotation procedures

Data in Transit

• TLS 1.3 for all web communications
• VPN connections for remote access
• Encrypted API communications
• Secure file transfer protocols (SFTP)
• Certificate pinning for mobile apps

Data Classification & Handling

Classification	Examples	Protection Level
Public	Marketing materials, website content	Standard web security
Internal	Business documents, project files	Access controls, encryption
Confidential	Client data, source code, contracts	Strong encryption, MFA, audit logs
Restricted	PHI, PII, financial data	Highest security, compliance controls

Access Controls & Authentication

Identity & Access Management

User Authentication

• Multi-factor authentication (MFA) required
• Single sign-on (SSO) integration
• Strong password policies
• Biometric authentication support
• Regular password rotation requirements

Authorization Controls

• Role-based access control (RBAC)
• Principle of least privilege
• Regular access reviews and audits
• Automated access provisioning/deprovisioning
• Privileged access management (PAM)

Network Security

Perimeter Defense

• Next-generation firewalls
• Intrusion detection systems
• DDoS protection
• Web application firewalls

Network Monitoring

• 24/7 security monitoring
• Network traffic analysis
• Anomaly detection
• Real-time threat intelligence

Secure Communications

• VPN for remote access
• Zero-trust network architecture
• Network segmentation
• Encrypted internal communications

Application Security

Secure Development Lifecycle

Development Practices

• Security by design principles
• Secure coding standards and training
• Code review requirements
• Static application security testing (SAST)
• Dynamic application security testing (DAST)

Testing & Validation

• Automated security testing in CI/CD
• Dependency vulnerability scanning
• Container security scanning
• Penetration testing
• Security regression testing

Runtime Protection

• Web application firewalls (WAF)
• Runtime application self-protection (RASP)
• API security gateways
• Bot protection and rate limiting

• Input validation and sanitization
• Output encoding
• Session management security
• Error handling and logging

Infrastructure Security

Cloud Security

AWS Security

• AWS Well-Architected Framework
• IAM roles and policies
• VPC security groups and NACLs
• AWS CloudTrail audit logging
• AWS Config compliance monitoring

Azure Security

• Azure Security Center
• Azure Active Directory
• Network Security Groups
• Azure Monitor and Log Analytics
• Azure Policy compliance

Container & Orchestration Security

Container Security

• Minimal base images
• Image vulnerability scanning
• Runtime security monitoring
• Non-root container execution

Kubernetes Security

• RBAC policies
• Pod security standards
• Network policies
• Admission controllers

Secrets Management

• HashiCorp Vault
• Kubernetes secrets
• External secret operators
• Secret rotation

Compliance & Standards

Healthcare Security (HIPAA)

For healthcare clients, we maintain HIPAA-compliant security measures:

• Business Associate Agreements (BAAs)
• PHI encryption and access controls
• Audit logging and monitoring
• Risk assessments and documentation

• Employee training and certification
• Breach notification procedures
• Secure PHI disposal
• Regular compliance audits

SOC 2 Type II Compliance

Security

Availability

Confidentiality

Privacy

Processing Integrity

Additional Standards

ISO 27001

Information security management system framework

NIST Framework

Cybersecurity framework implementation

OWASP Top 10

Web application security best practices

Security Monitoring & Incident Response

24/7 Security Operations

Monitoring Capabilities

• Security Information and Event Management (SIEM)
• Real-time threat detection and analysis
• Automated alerting and escalation
• Log aggregation and correlation
• Behavioral analytics and anomaly detection

Response Capabilities

• Dedicated incident response team
• Automated threat containment
• Forensic analysis capabilities
• Client communication protocols
• Recovery and remediation procedures

Incident Response Process

Detection

Identify and validate security incidents

Response

Contain threat and assess impact

Recovery

Restore systems and services

Learning

Post-incident review and improvement

Security Reporting & Transparency

Vulnerability Disclosure

We welcome security researchers and clients to report potential vulnerabilities responsibly.

• Email: security@convergent-software.com
• Response Time: 24 hours acknowledgment
• Investigation: 5 business days assessment
• Resolution: Timeline based on severity

• Coordinated disclosure process
• Credit to responsible researchers
• Transparent communication
• Regular security bulletins

Security Metrics & Reporting

Monthly Reports

Security posture, incidents, and metrics for enterprise clients

Annual Audits

Third-party security assessments and compliance certifications

Transparency Reports

Annual security and privacy transparency reporting

Employee Security Program

Background Checks & Vetting

• Comprehensive background verification
• Professional reference checks
• Security clearance requirements for sensitive projects
• Ongoing monitoring for security-critical roles

Security Training & Awareness

• Mandatory security awareness training
• Role-specific security training
• Regular phishing simulation exercises
• Incident response training and drills

Security Culture

We foster a security-first culture where every team member is empowered and responsible for maintaining security:

• Regular security team meetings and updates
• Security champion program
• Incentives for security improvements
• Open communication about security concerns
• Continuous learning and certification support
• Security-focused code reviews

Security Contact Information

Security Team

Security Officer: Convergent Studios LLC

Location: Maury County, Tennessee

Security Email: security@convergent-software.com

General Contact: contact@convergent-software.com

Phone: (615) 492-0053

Emergency Response

Security Incidents: 24/7 response available

Vulnerability Reports: 24 hours acknowledgment

Business Hours: 8:00 AM - 6:00 PM CT

After Hours: Emergency escalation procedures

Note: This Security Policy is reviewed and updated regularly to address evolving threats and comply with new regulations. For the most current version, please visit our website or contact our security team directly.

Convergent Software