Dependable IT Services

Dependable IT Services, LLC. Data Policy

Version 1.0 – Last Updated: October 23, 2025

1. Purpose and Scope

This Data Policy summarizes the security, privacy, and compliance practices of Dependable IT Services, LLC. (“Dependable IT Services,” “we,” “our,” or “us”). It applies to all systems, applications, employees, contractors, and subprocessors handling data through our Managed IT Services, Help Desk, Security, Cloud, and related offerings.

2. Governance and Accountability

Our cybersecurity program aligns with leading industry standards:
  • NIST Cybersecurity Framework (CSF) 2.0
  • CIS Controls v8
  • SOC 2 Trust Services Criteria
  • HIPAA Security Rule (where applicable)
All staff must comply with Acceptable Use, Information Security, and Confidentiality policies.

3. Roles and Responsibilities

  • Data Controller (Business Data): We determine how internal business and marketing data is processed.
  • Data Processor / Service Provider (Client Data): We process client data only under written contracts or instructions.
  • Business Associate (Healthcare Clients): We handle PHI under HIPAA agreements.
  • Subprocessors: Third-party service providers meet our security and confidentiality standards.

4. Data Classification and Handling

| Classification | Description | Handling Requirements |
|---|---|---|
| Public | Approved for general disclosure | No restrictions beyond accuracy and integrity |
| Internal | Operational business data not intended for public use | Limited to authorized staff; basic access controls |
| Confidential | Client info, personal data, or credentials | Encryption at rest/in transit, MFA, and access logging |
| Restricted | Highly sensitive data such as PHI or financial records | Strict access controls, encryption, audit trails, minimal retention |

5. Security Program Overview

  • Identify: Asset inventory, risk assessments, data classification
  • Protect: Access controls, encryption, endpoint protection, patch management
  • Detect: Continuous monitoring, SIEM alerts, intrusion detection
  • Respond: Incident response planning, containment, notification
  • Recover: Disaster recovery, backups, business continuity

6. Access Control and Identity Management

  • Role-based access with least-privilege principles
  • MFA required for remote and privileged accounts
  • Quarterly access reviews; immediate deprovisioning upon termination
  • Password management via encrypted vaults
  • Secure VPN and MDM controls for mobile devices

7. Backup and Disaster Recovery

  • Encrypted backups according to client agreements
  • Off-site/cloud backups tested periodically
  • BDR plans tested annually and after major changes
  • Restoration verification tests conducted yearly

8. Incident Response and Breach Notification

  • Incident Response Plan covers detection, escalation, containment, investigation, remediation
  • Clients notified within 24–48 hours of confirmation
  • Notifications follow state/federal laws (e.g., HIPAA, Arizona)
  • Root cause analysis and remediation after every major incident

9. Subprocessors and Vendor Oversight

  • Vetted third-party vendors for services like cloud hosting, monitoring, backup
  • Reviewed for security certifications, data agreements, and risk posture

10. Data Retention and Disposal

| Data Type | Retention Period | Disposition Method |
|---|---|---|
| Client contracts & records | Service term + 7 years | Secure deletion |
| Backup data | Per client agreement (30 days–12 months) | Encrypted deletion |
| Support logs & tickets | Active + 3 years | Purge or anonymize |
| Financial data | 7 years | Secure archive |
| HR records | Employment term + 7 years | Shredding / wiping |
| Marketing leads | 2 years from last contact | Deletion upon request |

11. Employee Training and Awareness

  • Initial and annual cybersecurity awareness training
  • Phishing, password security, and incident reporting
  • Specialized training for administrators and client-facing staff
  • Quarterly phishing simulations and refresher modules

12. Individual Rights and Requests

  • Respect privacy rights under applicable laws (e.g., CPRA)
  • Individuals may request access, correction, deletion, or restriction
  • We assist clients in fulfilling verified requests
  • All requests logged and responded to within required timelines (typically 45 days)

13. Continuous Improvement and Audit

  • Regular internal audits and third-party assessments
  • Annual reviews and risk assessments
  • Track metrics like patch compliance, training completion, incident response times
  • Management reviews significant security changes

14. Contact Information

Dependable IT Services, LLC.
Attn: Christopher Boughton
Address: 1410 W. Guadalupe Road, Suite 102, Gilbert, Arizona 85233, USA
Phone: 623-428-9770
Email: chris@dependableitservices.com
 