INTRODUCTION
OBJECTIVE
The main objective of this Policy is to define the basic principles and rules for managing information security. The ultimate goal is to ensure that suppliers and third parties working with CAPILLARY IO guarantee the security of information and minimize the risks arising from ineffective information management.
THIRD-PARTY MANAGEMENT
OBJECTIVE
The main objective is to mitigate the potential risks associated with access to CAPILLARY IO’s information, information systems, or resources by service providers, regardless of the type of service provided or the nature of their relationship with CAPILLARY IO (legal, contractual, or any other non-employment relationship). The aim is to protect the confidentiality, integrity, availability, traceability, and authenticity of CAPILLARY IO’s and its clients’ information.
CAPILLARY IO reserves the right to modify this document when necessary. Any changes will be communicated to all service providers to whom it applies using appropriate means. Each provider is responsible for ensuring that its personnel have read and are familiar with the most recent CAPILLARY IO security policies and for obtaining their commitment to comply with these regulations. In case of non-compliance with any of these obligations, CAPILLARY IO reserves the right to apply appropriate sanctions, which may include the termination of current contracts with the provider.
PRINCIPLES
Service providers shall provide CAPILLARY IO, when requested, with a list of the individuals, profiles, roles, and responsibilities associated with the service, and must notify CAPILLARY IO of any changes (onboarding, offboarding, role changes, etc.).
Providers must ensure that their personnel have the appropriate education and training, both in the specific area of service delivery and in information security.
At a minimum, providers must ensure that all personnel associated with the service are aware of and agree to comply with the provisions of this policy. CAPILLARY IO may request proof of this awareness at any time.
Providers must allow CAPILLARY IO to carry out security audits as requested, cooperating with the audit team and providing all required evidence and records.
The scope and depth of each audit will be defined by CAPILLARY IO in each case. Audits will follow the calendar agreed upon with the service provider.
CAPILLARY IO reserves the right to perform additional extraordinary audits if specific causes justify them.
INFORMATION CONFIDENTIALITY
All information, documents, software and/or applications, methods, organization, business strategies, and activities related to CAPILLARY IO or its business to which service providers have access for the purpose of providing services shall be considered confidential. Access to, sharing of, and handling of such information shall always comply with the purposes outlined in the contract and maintain confidentiality both during and after the service relationship with CAPILLARY IO.
All resources and information accessed, created, modified, or copied during service delivery must be returned upon completion. CAPILLARY IO may request the secure erasure of any device that had access to CAPILLARY IO’s information.
INFORMATION EXCHANGE
Any exchange of information between CAPILLARY IO and service providers is understood to be carried out within the framework of the corresponding contract. Therefore, such information may not be used outside this framework or for other purposes.
The distribution of information, whether in electronic or physical format, will be carried out using the means defined in the contract and solely for the purposes associated with the contract. Depending on the identified risk, CAPILLARY IO reserves the right to implement control, logging, and audit measures.
The following activities related to information exchange will be considered unauthorized:
Transmission or receipt of copyrighted material in violation of Intellectual Property Law.
Transmission or receipt of any pornographic, sexually explicit, racially discriminatory, or otherwise offensive or illegal content.
Transmission or receipt of sensitive information unless the communication is encrypted and authorized in writing.
Transfer of protected information to unauthorized third parties.
Transmission or receipt of non-business-related requests.
Participation in unrelated Internet activities, such as newsgroups, games, or other services not related to the contract.
Any activity that could harm CAPILLARY IO’s image or reputation is prohibited online and elsewhere.
USER RESPONSIBILITIES
Service providers must ensure that all personnel with access to CAPILLARY IO’s information, systems, or resources during their work with CAPILLARY IO comply with the following basic principles:
Each person is responsible for all activity performed under their user ID. Authentication credentials must be safeguarded, and passwords must remain confidential.
Users must not use another user’s identifier, even with permission.
Users must be aware of and apply existing policies and procedures regarding handled information.
All users must choose strong passwords (refer to password policy).
All users must change default or temporary passwords upon first login. The new password must be exclusive to CAPILLARY IO and not reused elsewhere. CAPILLARY IO implements a non-expiring password policy based on Microsoft’s latest recommendations.
CAPILLARY IO reserves the right to enforce annual password renewal for security reasons.
More info: Password Policy Recommendations (Microsoft 365 Admin, Microsoft Learn).
Users must ensure that unattended devices are properly secured.
Users must follow clean desk rules to protect documents, media, and portable storage devices against unauthorized access, loss, or damage during and outside working hours (e.g., locked storage, screen lock, secure destruction, etc.).
Users must not conduct unauthorized testing to detect or exploit security weaknesses.
No provider is allowed to attempt to breach CAPILLARY IO’s systems or to capture network traffic without prior written authorization. Sniffing, scanning, and password discovery tools are strictly prohibited unless used for authorized audits.
SECURITY REQUIREMENTS FOR THIRD-PARTY DEVICES
All devices accessing CAPILLARY IO information, regardless of ownership, must comply with CAPILLARY IO’s security policies, especially the following:
System access must always be authenticated using at least a personal identifier and associated password.
All installed software must be licensed, current, and compliant with usage terms.
Devices must be kept up to date with the latest security patches for all software and the operating system.
Only Windows 11 or later and macOS Sonoma or later are permitted on desktop devices.
Devices must have up-to-date and active anti-malware software, including the latest engine and signature files.
Devices must auto-lock after 5 minutes of inactivity, requiring secure credentials (e.g., passwords or unlock patterns) for access.
Devices must not include tools or files that violate CAPILLARY IO’s security policies or interfere with corporate software, including sniffers, network scanners, password discovery tools, etc.
SECURITY INCIDENT REPORTING BY THIRD PARTIES
Service providers must immediately report any incident, weakness, or threat (observed or suspected) involving CAPILLARY IO systems or data to the CISO or CEO. Reports must be sent via email to security@capillary.io, managed by the CISO.
THIRD-PARTY DEVELOPMENT SECURITY
All service providers performing development and/or application testing for CAPILLARY IO must comply with the following requirements:
Environments used for these tasks must be isolated from each other and from the production environment.
Access to information systems that host or process data must be protected by a firewall and by proper management of file and folder permissions.
All outsourced software development must be controlled and supervised by CAPILLARY IO.
Requirement specifications must include defined security needs.
Identification, authentication, access control, auditing, and data integrity mechanisms must be included across the entire application lifecycle.
Applications must validate input data to ensure correctness and to prevent code injection.
Internal processes must include validations to ensure data is not corrupted.
Where necessary, authentication and integrity controls must be included for communication between application components.
Output from applications must be limited to relevant and necessary data only.
Source code access must be restricted to authorized personnel.
Real data may only be used in testing environments with CISO approval or when equivalent security measures are applied.
Testing must ensure no uncontrolled data leakage channels exist, and only expected information is transmitted.
Only applications approved by the CISO may be deployed to production.
THIRD-PARTY CONTINUITY MANAGEMENT
Service providers must have a business continuity plan and an IT disaster recovery plan to ensure service continuity in the event of contingencies. These plans must be based on a risk assessment, performed at least annually, that identifies potential disruptions and establishes adequate controls.
Providers must test their continuity and recovery plans to ensure successful service restoration within agreed timelines. Tests must be conducted annually or after significant changes or improvements affecting the services.