Exhibit C — Information Security Policy
SOC 2 Type II Compliance
Effective Date: April 30, 2026
This Information Security Policy describes how Maestra.io LLC ("Maestra") protects the security, confidentiality, and availability of customer data and the Maestra platform. It is incorporated by reference into the Maestra Software-as-a-Service Agreement (the "SSA") as Exhibit C and applies to all Maestra products and services, including the SaaS platform, supporting infrastructure, and personnel.
This policy reflects Maestra's information security program. Operational implementation details, internal procedures, and configuration specifics are maintained separately as confidential internal documentation, available to customers under non-disclosure agreement on reasonable request.
1. Compliance Certifications and Frameworks
Maestra maintains the following certifications and compliance commitments:
- SOC 2 Type II — Maestra undergoes annual independent third-party audit against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality.
- HIPAA — Maestra supports HIPAA-covered entities and will execute a Business Associate Agreement (BAA) where applicable.
- GDPR — Maestra acts as a data processor under the EU General Data Protection Regulation and supports Standard Contractual Clauses for cross-border data transfers where applicable.
- CCPA / CPRA — Maestra acts as a service provider under California privacy law.
SOC 2 Type II reports and supporting audit documentation are made available to customers under non-disclosure agreement upon reasonable request.
2. Security Governance
Security ownership. Maestra has a designated Chief Information Security Officer (CISO) responsible for the information security program, including policy ownership, risk oversight, and security operations leadership.
Risk Committee. A formally constituted Risk Committee with representation independent of the control function meets at least quarterly to oversee internal security controls, approve and monitor adherence to the security policy, ensure data handling responsibilities are documented and assigned, and review the annual risk assessment. Meeting minutes are maintained.
Policy review. The CISO reviews this policy and supporting procedures at least annually, and updates them as needed based on changes to the Maestra environment, regulatory requirements, or industry practices.
3. Risk Management
Maestra performs an enterprise-level risk assessment at least annually, and additionally upon significant changes to the environment. The risk assessment process includes identification of objectives, threats, and vulnerabilities; assessment of likelihood and magnitude of harm; documentation of results in a risk registry; communication to relevant stakeholders; and integration with management decision-making.
Identified risks are tracked, prioritized, and addressed in accordance with Maestra's risk tolerance, with remediation actions documented and reviewed.
4. People Security
Confidentiality agreements. All Maestra personnel sign a confidentiality agreement upon hire prohibiting disclosure of company and customer data. Acknowledgment of the agreement is verified before access to Maestra systems is granted.
Background checks. As a condition of hire, Maestra requires either a background screen (preferred) or a reference check, conducted through a reputable provider where lawful. Access to production systems, source code, and customer data is withheld until screening is complete. Any exception requires CISO approval with documented justification.
Security awareness training. All personnel complete security awareness training within 30 days of hire and at least annually thereafter. Training covers significant security threats, the security awareness framework, system-specific security requirements, and incident reporting procedures. Training completion is monitored and tracked.
5. Access Control
Least privilege and role-based access. Access to Maestra systems and customer data is granted on a least-privilege, role-based basis. Privileged access (e.g., system administration, IT engineering) is limited to authorized personnel whose role and responsibilities require it.
Multi-factor authentication (MFA). MFA is required for all employee access to in-scope systems, including production environments and any system processing customer data. Shared or non-authenticated user IDs are prohibited.
Provisioning and deprovisioning. Access is provisioned through a formal request and approval process documented in a ticketing system. Access is revoked within 24 hours of role change or employee termination.
Access reviews. All employee access to production systems is reviewed by management at least quarterly. Reviews and any modifications are documented and tracked.
Authentication controls. User authentication uses unique IDs combined with strong passwords or authorized cryptographic keys. Password complexity, length, and lockout policies are enforced through automated system controls.
Remote access. Remote access to production systems is restricted to authorized employees with a valid MFA token, using approved encrypted protocols (e.g., VPN, SSH).
6. Data Protection
Data classification
Maestra classifies data into three categories for purposes of internal handling: Sensitive (most sensitive — passwords, encryption keys, certain authentication and financial data), Confidential (less sensitive but restricted to Maestra and its customers — including most Customer Data and Personally Identifiable Information), and Public.
For purposes of customer Software-as-a-Service Agreements, Customer Data, End Customer Data, and PII (as those terms are defined in the SSA) are treated as Confidential or Sensitive depending on content. Resultant Data and Anonymized Data, as defined in the SSA, are not Customer Data and are not Confidential Information of the customer.
Encryption
- In transit. Sensitive and Confidential data is transmitted using TLS 1.2 or higher (or equivalent industry-standard transport encryption).
- At rest. Sensitive and Confidential data at rest — including production and development databases containing such data, and Maestra-issued workstations — is encrypted using AES-256 (or equivalent industry-standard encryption).
- Key management. Encryption keys are managed in accordance with industry best practices, including periodic rotation and access restricted to authorized personnel.
Multi-tenant data segregation
Maestra operates a multi-tenant SaaS platform. Customer Data is logically segregated from data of other customers through application-level access controls, unique customer identifiers, and database-level partitioning. Cross-tenant data access is prevented by design.
Data retention and disposal
Sensitive and Confidential data is retained only as long as necessary to fulfill the purposes for which it was collected, unless longer retention is required by law or to meet legal or contractual obligations. Maestra's data retention practices are reviewed at least annually.
Data disposal is performed using industry-accepted secure deletion methods, including secure wipe, degaussing, and (for hard-copy media) cross-cut shredding. Customer data disposal events are tracked through a ticketing system to document the actions taken.
Customer Data return and destruction post-termination
Upon termination or expiration of a Software-as-a-Service Agreement, Maestra returns or destroys Customer Data in accordance with the contractual commitments set forth in the SSA. Specifically:
- Within 30 days of termination, Maestra returns to the customer (or, at the customer's written request, destroys) all documents and tangible materials containing Customer Data and the customer's Confidential Information.
- Customer Data is permanently erased from all systems Maestra directly or indirectly controls, except as set forth in the SSA.
- Maestra may, in its discretion, retain Customer Data as backup for up to six (6) months following termination for the benefit of the customer or for legitimate business need.
- These obligations do not apply to Resultant Data or Anonymized Data, which Maestra may continue to use as set forth in the SSA.
Production and non-production environments
Maestra sanitizes production data before use in non-production environments. Sensitive and Confidential customer data is not used in development or test environments.
7. Network and System Security
Network segmentation. Maestra segments its network to prevent direct or unauthorized connections between external networks and its information systems, particularly between external networks and Confidential data in cloud environments. Segmentation is established through demilitarized zones (DMZs), security tools that isolate subnetworks and security groups, and monitored interfaces.
Cloud infrastructure. Maestra hosts production systems with reputable cloud service providers that maintain SOC 2 Type II, ISO 27001, or equivalent independent attestations. Physical security of cloud infrastructure is the responsibility of the underlying cloud provider, in accordance with its certifications.
System hardening. Maestra adopts secure baseline configurations for production systems, drawing on the most restrictive applicable guidance from the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and cloud provider baseline configurations.
Endpoint protection. Maestra-issued workstations and laptops are protected with antivirus / anti-malware software configured for automatic updates and periodic scans, with logs forwarded for monitoring and alerting.
8. Vulnerability Management
Maestra maintains a risk-based vulnerability management program designed to protect the confidentiality, integrity, and availability of Maestra's information systems. The program includes continuous vulnerability identification, severity classification, prioritized remediation, and patch management.
Vulnerability identification
Maestra identifies vulnerabilities through automated scanning of internet-facing services and container workloads, monitoring of vendor security advisories and CVE feeds, third-party penetration testing, and reports from external researchers and internal personnel.
Severity classification
Vulnerabilities are classified as Critical, High, Medium, or Low based on factors including impact on confidentiality / integrity / availability, exploitability, exposure (internet-facing vs. internal), existence of compensating controls, and regulatory or customer expectations.
Remediation timelines
Maestra remediates identified vulnerabilities according to the following timelines, measured from identification and classification:
- Critical: no later than 7 days.
- High: within 14 days.
- Medium: within 30 days.
- Low: addressed during routine development and maintenance based on risk-prioritized review.
Where a fix cannot be applied within these timelines (e.g., due to vendor limitations or operational risk), the deviation and risk acceptance or mitigation plan are documented and reviewed in accordance with Maestra's risk management processes.
Patch management
Patches and security updates from vendors and trusted third parties are evaluated and applied on an ongoing basis according to the same severity-based timelines. Critical and high-severity patches affecting internet-facing services are prioritized.
Vulnerability scanning and penetration testing
Maestra performs internal and external vulnerability scans of in-scope systems at least quarterly. Independent third-party penetration tests are conducted at least annually on systems handling Confidential data or assigned a critical risk rating. Findings are reviewed by Maestra's security and engineering teams and addressed based on risk.
9. Monitoring and Logging
Maestra implements auditing and monitoring controls to capture security-relevant events, including:
- Authentication and authorization activities (successful and unsuccessful logins).
- Access to, creation, modification, or deletion of Sensitive or Customer Data.
- Actions taken by privileged users.
- Detection of malicious activity.
Security-relevant logs are forwarded to centralized, tamper-protected storage and retained for a period consistent with regulatory and operational requirements (and in any event for a minimum period sufficient to support security investigations and audit obligations). Anomalies are escalated through Maestra's incident management process.
Performance monitoring. Maestra monitors production systems for process health, network interface status, CPU and memory utilization, and disk capacity, with alerting and notification when thresholds are exceeded.
10. Change Management
Maestra follows a documented system development life cycle and change management process designed to balance release velocity with appropriate oversight.
Environment segregation. Development, testing, and production environments are appropriately segregated. Sensitive and Confidential customer data is prohibited from use in development and testing environments.
Pre-production validation. Changes undergo automated unit and integration testing, security scanning (including for known vulnerabilities and embedded secrets), code review, and validation in a staging environment that mirrors production. Deployment to production is initiated only after successful staging validation.
Approval. Security-sensitive changes (such as identity and access management policy changes and network ingress configuration changes) require explicit approval by a second member of the engineering team who did not implement the change.
Rollback. Maestra maintains automated rollback capability for critical services, allowing rapid reversion to a previous version when post-deployment monitoring detects elevated error rates.
11. Incident Management
Maestra maintains a documented incident response program. A designated Incident Response Team has clear roles and responsibilities for preparing for, detecting, responding to, containing, and recovering from security events and incidents, and for post-incident review and improvement.
Severity classification
- Low (Security event): attempted suspicious activity that did not compromise the network.
- Medium (Security event, may be elevated): suspicious activity deviating from normal behavior, possibly indicative of a resource compromise.
- High (Security incident): confirmed compromise of a system resource being used for unauthorized purposes.
Customer notification
For confirmed security incidents affecting Customer Data, Maestra notifies affected customers without undue delay and in any event within seventy-two (72) hours after Maestra's confirmation of the incident, unless a shorter timeline is required by applicable law or contractual commitment. Notifications include the nature of the incident, the categories of Customer Data affected (to the extent then known), the measures taken or proposed in response, and a point of contact for further information. Maestra notifies regulatory authorities and law enforcement where required by applicable law.
Program testing
Maestra tests its incident response program through tabletop exercises at least annually.
12. Business Continuity and Disaster Recovery
Maestra maintains a Business Continuity and Disaster Recovery (BC/DR) program designed to support service availability and the recovery of customer data following a disruption. The program is tested at least annually through a tabletop exercise simulating an unexpected service disruption, with results documented in a post-simulation report covering response actions, identified issues, and performance against key indicators.
13. Backup
Maestra performs regular backups of production systems and data stores, including data necessary to support service-level commitments. Backups are encrypted and stored in a secure remote location at sufficient distance from the primary processing site to escape damage from a disaster at the primary site. Backups are tested at least annually to verify restoration capability and alignment with restoration time objectives.
As provided in the SSA, Maestra's backup practices supplement — and do not replace — the customer's responsibility to maintain its own data backups and redundant data archives where appropriate.
14. Vendor and Subprocessor Management
Vendor selection. Maestra performs security due diligence on vendors and subprocessors that may have access to Customer Data, including review of the vendor's security infrastructure, expertise, and reputation. Each vendor is assigned a criticality rating that determines the level of initial diligence and ongoing monitoring.
Vendor review. Maestra collects and reviews compliance documentation at least annually for vendors rated Critical or High, including (where available) the vendor's SOC 2 Type II report or equivalent independent attestation.
Flow-down of obligations. Vendors and subprocessors with access to Customer Data are contractually required to maintain confidentiality and security obligations no less protective than those Maestra commits to under its customer agreements.
Subprocessor transparency. Maestra maintains a current list of subprocessors with access to Customer Data and makes this list available to customers under non-disclosure agreement upon reasonable request. Material changes to the subprocessor list are communicated to customers in advance where required by applicable law or contractual commitments.
15. Customer Responsibilities
Information security is a shared responsibility. Customer obligations regarding access credentials, customer-side systems, and authorized use are set forth in Sections 7.3 and 7.4 of the SSA. Customers are responsible for, among other things: securely managing access credentials issued to their authorized users; controlling the content and use of data uploaded to the Services; promptly notifying Maestra of any actual or threatened unauthorized access; and complying with applicable law in their use of the Services.
— End of Exhibit C —
For related Maestra policies, see the SSA at https://maestra.io/msa/ and other Exhibits. Questions: support@maestra.io.