FixZone Internal Security & Access Policy

1. Purpose of This Policy

This Policy is intended to:

• Protect user data
• Restrict and monitor internal access
• Define incident response procedures
• Maintain system accountability
• Mitigate risks of unauthorized access
• Ensure compliance with U.S. security laws

2. Data Classification

2.1 Public Data

• Marketing content
• Public-facing resources

2.2 Internal Data

• Operational procedures
• Non-sensitive analytics

2.3 Sensitive Data

• User contact information
• Job details
• Provider documents

2.4 Highly Sensitive Data

• Identity verification
• GPS / address data
• Licenses & insurance
• Fraud logs
• Stripe tokens
• Internal IP logs

Access to this category is extremely restricted.

3. Internal Access Controls

3.1 Role-Based Access (RBAC)

Access is granted strictly on a least-privilege basis. Roles include Support, Developer, Fraud & Safety, and Administrator.

3.2 Authentication Requirements

• Strong passwords
• MFA
• Secure devices
• Encrypted connections
• Periodic credential renewal

3.3 Logging & Monitoring

• All access is logged and timestamped
• Fully auditable records
• Real-time monitoring
• Unauthorized access triggers alerts

3.4 Developer Access Restrictions

• No production access unless authorized
• Sandbox/anonymized data by default
• Temporary access only when required
• All sessions must be documented

3.5 Third-Party Contractors

• Confidentiality agreement required
• Limited, time-bound access
• Must undergo approval
• Violation results in immediate revocation

4. Security Incident Definition

A security incident includes unauthorized access, suspicious internal behavior, credential loss, malware detection, attempted account takeover, or policy violations.

5. Incident Response Procedure

5.1 Identification

Incidents are detected via alerts, reports, or internal monitoring.

5.2 Containment

• Disable accounts
• Block IPs
• Isolate systems
• Revoke access tokens

5.3 Investigation

The security team determines the nature of the incident, systems affected, data accessed, and root cause. Third-party forensic support may be involved.

5.4 Internal Notification

Leadership is notified immediately for high-risk incidents.

5.5 Remediation

• Code fixes
• Policy updates
• Security patches
• Access revisions
• Password resets

5.6 User Notification (If Required)

FixZone will notify users as required by the NY SHIELD Act, FTC rules, and state laws.

6. Internal Audit & Review

• Quarterly access audits
• Semi-annual security reviews
• Annual penetration tests
• Post-mortem reports for incidents

7. Data Handling Rules

• Access only needed data
• No saving data to personal devices
• Use approved tools only
• No credential sharing
• Report suspicious activity immediately

8. Violations & Disciplinary Action

• Immediate access removal
• Termination
• Legal action
• Civil liability
• Referral to law enforcement

9. Protection of Address & GPS Data

This category has the highest restriction. Only Fraud & Safety, senior engineers, and system administrators may access it, and only for:

• Fraud investigation
• Safety cases
• Dispute resolution
• Technical debugging (rare, documented)

Unauthorized access results in immediate dismissal.

10. Data Export Restrictions

Internal personnel may NOT export or store user data outside FixZone systems.

• No downloading datasets
• No unencrypted email transfers
• No saving to personal devices

Exports require encryption, documentation, and leadership approval.

11. Data Retention & Deletion Rules

Internal personnel must follow the main FixZone Data Security & Retention Policy. Unauthorized deletion or retention of data is strictly prohibited.

12. Changes to This Policy

FixZone may update this Policy at any time. Continued engagement implies acceptance.

13. Contact

📩 info@fixzone.app