Our Security Policy

This policy establishes the information security requirements for We Summit Mountains LLC ("WSM"). It protects the confidentiality, integrity, and availability of information assets used to deliver Salesforce development and related consulting services. WSM does not operate as an application-hosting provider or offer a platform for running third-party software.

Applies to all WSM personnel (employees, contractors, interns), company-issued devices, cloud services, and data processed in the course of business. Client environments and tools remain under client control; WSM applies and recommends appropriate security configurations within those environments as part of our professional services.

1. Security Lead (Policy Steward): Owns this policy, conducts annual reviews, coordinates risk assessments, and leads incident response.
2. Systems Administrator: Manages Google Workspace Enterprise, MDM, device security baselines, and the company password manager.
3. Project Leads: Ensure adherence to data‑handling rules on projects; approve temporary client data storage where strictly required.
4. All Personnel: Follow this policy, complete training, promptly report incidents or suspected risks.

1. Least Privilege: Access is limited to what is necessary to perform a role.
2. Secure by Default: Strong authentication, encryption in transit and at rest, and hardened device baselines.
3. Minimize Data: WSM does not retain client data beyond what is required to perform migrations/transformations or other authorized services.
4. Transparency & Auditability: Changes and access are logged where feasible; clients may request activity summaries for work performed in their environments.

WSM operates entirely within Google Workspace Enterprise for email, files, and collaboration.

1. SSO & MFA: Multi‑factor authentication is required for all Google accounts and integrated services.
2. Context‑Aware Access: Admin enables device‑based and risk‑based access rules where available.
3. DLP & Drive Controls: Sharing is restricted to specific domains or users; external sharing requires a business need. Sensitive files must be stored in company‑owned shared drives with appropriate permissions.
4. Email Security: SPF, DKIM, and DMARC are enforced; automated detection/quarantine for phishing is enabled.

WSM uses a company‑controlled password manager for all credentials, API keys, and secrets.

1. Vault Ownership: Admin owns master recovery; user vaults are provisioned via role‑based groups.
2. MFA Required: Password manager logins require MFA.
3. Prohibited Storage: Secrets must not be stored in code repositories, plaintext docs, chat, or tickets.
4. Key Rotation: Project‑specific credentials are rotated at project close or every 90 days, whichever comes first, unless client policy dictates stricter intervals.

WSM supplies company‑managed computers for all work. Personally‑owned devices are not permitted for client work.

1. Baseline Controls: Full‑disk encryption, automatic screen lock ≤ 10 minutes, OS auto‑updates, and centrally managed EDR/antivirus.
2. MDM: Devices are enrolled in MDM for configuration, patching, and remote wipe on loss/termination.
3. Removable Media: Use is restricted; client data must not be copied to removable media unless explicitly approved and encrypted.
4. Local Admin: Local admin rights are limited to IT/Admin staff and granted temporarily when needed.

1. Corporate access requires MFA‑protected identity.
2. Public Wi-Fi use requires a company‑approved VPN.
3. Administrative access to client systems uses client‑approved secure channels (e.g., SSO, VPN, bastion hosts) with least privilege and time‑bound access.

WSM develops exclusively on Salesforce; we do not host applications or platforms.

1. Secure SDLC: Code follows secure coding guidelines (e.g., input validation, avoiding SOQL injection, principle of least privilege in Apex/Flows).
2. Change Control: Changes are tracked in version control; peer review is required prior to deployment.
3. Secrets: No hard‑coded secrets; use secure named credentials, externalized secrets, or client‑provided secret stores.
4. Logs & Monitoring: Use Salesforce logging and change‑audit features as enabled in client orgs; recommend additional controls (Shield/Field Audit Trail) where appropriate.

1. Collection: WSM does not intentionally collect or retain client data artifacts beyond what is necessary to perform authorized migrations, transformations, testing, or other client‑approved services.
2. Minimization: Only the minimum required data fields and sample sizes are used; prefer synthetic or masked datasets when feasible.
3. Encryption: Client data in transit uses TLS; at‑rest encryption is enforced via Google Workspace and managed drives.
4. Access: Restricted to assigned project personnel; access is removed at project close or role change.
5. Temporary Storage: If temporary files or staging databases are required for a migration/transformation, they must reside in company‑controlled, encrypted storage with restricted permissions and project‑specific folders.
6. Data Deletion: All temporary client data stores, staging files, and transformation outputs are deleted upon project completion or within 30 days of final acceptance (whichever comes first), unless the client requests or contractually requires a different retention period.
7. Certificates of Destruction: Upon request, WSM provides written confirmation of deletion for client data handled by WSM tools/storage.
8. Prohibited: Client data must not be used for training AI models or shared to third‑party services without explicit written client permission.

1. WSM uses a minimal, approved list of vendors/tools necessary for operations (e.g., Google Workspace, password manager, code repository, deployment tools).
2. New vendors require Security Lead review for data handling, security posture, and contract terms.
3. Integrations with client systems follow client vendor/risk procedures when applicable.

1. Google Workspace: Admin audit logs are enabled and retained per plan capabilities.
2. Password Manager: Access and sharing events are logged.
3. Projects: Where feasible, maintain change logs, deployment notes, and activity records to support traceability.
4. WSM will share relevant audit evidence with clients under NDA upon request.

1. Reporting: All personnel must immediately report suspected security incidents to the Security Lead.
2. Triage & Containment: Begin within 24 hours of discovery; isolate affected accounts/devices, reset credentials, and notify impacted stakeholders.
3. Eradication & Recovery: Remove root cause, restore services, and validate systems.
4. Client Notification: If client data or systems may be affected, notify the client contact promptly and coordinate communication per contract requirements.
5. Post‑Incident Review: Conduct lessons‑learned and track remediation actions.

1. WSM’s operational data (documents, project plans, code) is stored in Google Workspace, Lucid Software, and Salesforce with platform‑native resilience.
2. WSM does not retain backups of client data unless expressly requested and approved by the client; any approved backups must be encrypted, access‑controlled, and deleted at project close per Section 10.

1. All personnel complete security awareness training at onboarding and annually thereafter, including phishing, data handling, and device security.

1. WSM will adhere to applicable laws, contracts, and client policies that govern work performed.
2. If regulated data is in scope (e.g., HIPAA, PCI, GDPR/CCPA), WSM will follow client‑mandated controls.
3. NDAs and MSAs must reflect data‑handling and deletion obligations consistent with this policy.

Exceptions to this policy require written approval by the Security Lead and a defined expiration/review date. Compensating controls must be documented.

Violations may result in disciplinary action up to and including termination of employment/contract.

This policy is reviewed annually or upon material change to business operations, threats, technology, or legal requirements. Version history is maintained below.

v1.1 (2025‑9‑5): Update used software listed.

v1.0 (2025‑10‑30): Initial release reflecting Salesforce‑centric delivery model, company‑managed devices, Google Workspace Enterprise identity, password‑manager‑based secrets, and strict client‑data minimization and deletion practices.