Data Policy
Dependable IT Services, LLC. Data Policy
Version 1.0 – Last Updated: October 23, 2025
1. Purpose and Scope
This Data Policy summarizes the security, privacy, and compliance practices of Dependable IT Services, LLC. (“Dependable IT Services,” “we,” “our,” or “us”). It applies to all systems, applications, employees, contractors, and subprocessors handling data through our Managed IT Services, Help Desk, Security, Cloud, and related offerings.
2. Governance and Accountability
Our cybersecurity program aligns with leading industry standards:
- NIST Cybersecurity Framework (CSF) 2.0
- CIS Controls v8
- SOC 2 Trust Services Criteria
- HIPAA Security Rule (where applicable)
All staff must comply with Acceptable Use, Information Security, and Confidentiality policies.
3. Roles and Responsibilities
- Data Controller (Business Data): We determine how internal business and marketing data is processed.
- Data Processor / Service Provider (Client Data): We process client data only under written contracts or instructions.
- Business Associate (Healthcare Clients): Handle PHI under HIPAA agreements.
- Subprocessors: Third-party service providers meet our security and confidentiality standards.
4. Data Classification and Handling
| Classification | Description | Handling Requirements |
|---|---|---|
| Public | Approved for general disclosure | No restrictions beyond accuracy and integrity |
| Internal | Operational business data not intended for public use | Limited to authorized staff; basic access controls |
| Confidential | Client info, personal data, or credentials | Encryption at rest/in transit, MFA, and access logging |
| Restricted | Highly sensitive data such as PHI or financial records | Strict access controls, encryption, audit trails, minimal retention |
5. Security Program Overview
- Identify: Asset inventory, risk assessments, data classification
- Protect: Access controls, encryption, endpoint protection, patch management
- Detect: Continuous monitoring, SIEM alerts, intrusion detection
- Respond: Incident response planning, containment, notification
- Recover: Disaster recovery, backups, business continuity
6. Access Control and Identity Management
- Role-based access with least-privilege principles
- MFA required for remote and privileged accounts
- Quarterly access reviews; immediate deprovisioning upon termination
- Password management via encrypted vaults
- Secure VPN and MDM controls for mobile devices
7. Backup and Disaster Recovery
- Encrypted backups according to client agreements
- Off-site/cloud backups tested periodically
- BDR plans tested annually and after major changes
- Restoration verification tests conducted yearly
8. Incident Response and Breach Notification
- Incident Response Plan covers detection, escalation, containment, investigation, remediation
- Clients notified within 24–48 hours of confirmation
- Notifications follow state/federal laws (e.g., HIPAA, Arizona)
- Root cause analysis and remediation after every major incident
9. Subprocessors and Vendor Oversight
- Vetted third-party vendors for services like cloud hosting, monitoring, backup
- Reviewed for security certifications, data agreements, and risk posture
10. Data Retention and Disposal
| Data Type | Retention Period | Disposition Method |
|---|---|---|
| Client contracts & records | Service term + 7 years | Secure deletion |
| Backup data | Per client agreement (30 days–12 months) | Encrypted deletion |
| Support logs & tickets | Active + 3 years | Purge or anonymize |
| Financial data | 7 years | Secure archive |
| HR records | Employment term + 7 years | Shredding / wiping |
| Marketing leads | 2 years from last contact | Deletion upon request |
11. Employee Training and Awareness
- Initial and annual cybersecurity awareness training
- Phishing, password security, and incident reporting
- Specialized training for administrators and client-facing staff
- Quarterly phishing simulations and refresher modules
12. Individual Rights and Requests
- Respect privacy rights under applicable laws (e.g., CPRA)
- Individuals may request access, correction, deletion, or restriction
- We assist clients in fulfilling verified requests
- All requests logged and responded to within required timelines (typically 45 days)
13. Continuous Improvement and Audit
- Regular internal audits and third-party assessments
- Annual reviews and risk assessments
- Track metrics like patch compliance, training completion, incident response times
- Management reviews significant security changes
14. Contact Information
Dependable IT Services, LLC.
Attn: Christopher Boughton
Address: 1410 W. Guadalupe Road, Suite 102, Gilbert, Arizona 85233 USA
Phone: (480) 520-1414
Email: chris@dependableitservices.com