SECURITY POLICY

1. Purpose & Scope

This document describes the guidelines, standards, and organizational principles used to safeguard Turnstone's Predictive Modeling Platform (the "Platform") and ensure the confidentiality, integrity, and availability of its data and services.

This policy applies to all components of the Platform, including backend infrastructure, data storage and processing systems, user interfaces, APIs, and integrations. It extends to every employee, contractor, and third-party vendor engaging with the Platform. All such individuals must adhere to this Security Policy across all environments, including, but not limited to, Development, Staging, and Production.

2. Security Objectives

Turnstone is committed to protecting sensitive data against unauthorized access and disclosure, ensuring the reliability and uptime of Platform services, complying with relevant data protection laws and industry standards, and fostering a culture of security awareness and continuous improvement. Confidentiality, integrity, and availability are addressed throughout the software development lifecycle, with practices that target critical risk areas such as the OWASP Top 10 and the CWE/SANS Top 25.

3. Security Controls

3.1 Access Control

Turnstone uses Role-Based Access Control (RBAC) for administrators and users. Strong passwords are enforced for all accounts, and accounts with elevated privileges must use multifactor authentication (MFA). Access rights are periodically reviewed and updated to reflect changes in role, employment, or contract status, and are revoked when they are no longer required.

3.2 Data Protection

Turnstone encrypts data at rest with at least AES-256, and data in transit with TLS 1.3. Daily automated backups of critical systems and databases are performed and retained for seven days, and all backups are encrypted in the same way. Failover and redundancy, managed by Turnstone's SOC 2 compliant platform and DNS providers, are designed to minimize downtime. All personal data is stored separately from other Platform data, in SOC 2 compliant infrastructure that is fully encrypted in transit and at rest. Turnstone collects only the minimum personal data required to provide its services, including user account management and authorization.

3.3 Network Security

Firewalls, Intrusion Detection/Prevention Systems (IDS/IPS), and network segmentation safeguard Turnstone's critical assets. Network traffic is continuously monitored for anomalies, and alerts are generated for suspicious activity that may signal threats or vulnerabilities.

3.4 Application Security

Application security is central to Turnstone's Software Development Lifecycle (SDLC). Following the NIST Cybersecurity Framework (CSF) 2.0, secure coding practices and code reviews are mandatory, and security best practices are followed to prevent common vulnerability classes such as those in the OWASP Top 10. Dependencies are regularly reviewed and updated, and vulnerability scans are performed prior to any release. All code is deployed through a secured CI/CD pipeline.

3.5 Operational Security

Turnstone logs all significant events, including access attempts and system changes, storing these logs securely for at least one year. Regular security awareness training is provided to employees and contractors, focusing on secure coding, data handling, and defenses against social engineering attacks. Internal and external audits are performed annually to confirm alignment with this policy and with relevant regulatory requirements and industry benchmarks.

3.6 Physical Security

All employees must maintain a clean desk and clear screen policy to protect sensitive information. Physical documents containing confidential data should be securely stored when not in use, and workstations must be locked when unattended. Digital screens should not display sensitive information when unauthorized individuals are present, and employees must log out or shut down devices at the end of the workday.

4. Vulnerability Management

4.1 Identification

Turnstone continuously scans the Platform using automated tools and monitors third-party advisories, vulnerability databases, and threat intelligence feeds.

4.2 Remediation

Critical vulnerabilities are addressed within 24 hours, high vulnerabilities within seven days, medium vulnerabilities within 30 days, and low vulnerabilities as resources allow. Issues are resolved through software updates, patches, or configuration changes, and retesting confirms that the mitigation has been effective before the issue is closed.

4.3 Communication

Turnstone promptly notifies affected stakeholders whenever a vulnerability poses a risk to their operations or data and provides periodic updates on the progress of any ongoing remediation.

4.4 Documentation

Vulnerability assessments, mitigation efforts, and resolutions are documented in detail, and Turnstone uses this information to continuously refine its security processes.

5. Incident Response

5.1 Preparation

Turnstone maintains an Incident Response Plan (IRP) that defines roles, responsibilities, and procedures. Regular tabletop exercises and drills ensure that teams remain prepared to respond effectively to potential incidents.

5.2 Detection and Analysis

Automated tools detect suspicious activities indicative of possible security incidents. Each incident is then analyzed to determine its scope, impact, and root cause, thereby informing the appropriate response steps.

5.3 Containment, Eradication, and Recovery

When a threat is detected, Turnstone immediately contains the incident to prevent further damage. Malicious elements are eradicated, and any compromised systems are restored using secure backups and validated configurations.

5.4 Post-Incident Review

After resolving an incident, Turnstone conducts a post-mortem analysis to identify lessons learned and to implement any necessary policy or procedure updates that can prevent a similar event in the future.

6. Disaster Recovery Process

6.1 Disaster Recovery Plan

Turnstone has a documented Disaster Recovery Plan ("DRP"), designed to rapidly restore the Platform's services and data after incidents or disruptions, ensuring minimal impact on end users and the business. Turnstone's DRP defines the recovery strategy; scenario assessments covering detection, mitigation, recovery time objective (RTO) and recovery point objective (RPO) for each scenario; the testing process; and roles and responsibilities.

6.2 Disaster Preparedness

Turnstone performs daily automated backups of critical systems and databases, retains those backups for seven days, and secures them with AES-256 encryption. Backups are stored in geographically separate SOC 2 compliant locations. Because backups are taken once per day, data restored from backup may be up to 24 hours old, which bounds the achievable recovery point objective for backup-based recovery.

6.3 Disaster Recovery Plan Execution

When a disaster is declared, Turnstone activates the DRP and immediately establishes a communication plan. Traffic is redirected to secondary systems or cloud-based failover solutions, and data is recovered from the latest valid backups. The integrity and functionality of restored systems are verified before returning to normal operations. Turnstone deliberately delays recovery where restoring too early could cause further damage, for example where the root cause of an incident has not yet been contained.

7. Penalties

Failure to comply with this security policy may result in disciplinary action, up to and including termination of employment or contractual agreements. The severity of disciplinary measures will be determined based on the nature of the violation, its impact on the organization, and whether the breach was due to negligence or intentional misconduct. Repeated violations or deliberate breaches may lead to immediate termination and potential legal action as applicable.

8. Regulatory Compliance

Turnstone adheres to all applicable legal, regulatory, and contractual obligations, including the General Data Protection Regulation (GDPR) and state privacy laws such as the California Consumer Privacy Act (CCPA), and implements processes aligned with industry standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework. All physical infrastructure is managed by third-party providers that are SOC 2 compliant.

9. Review and Updates

Turnstone conducts an annual review of this Security Policy at the beginning of each fiscal year or whenever there are substantial updates to the Platform or changes in the threat environment. Any updates are promptly communicated to all relevant stakeholders and personnel to maintain understanding and compliance.

10. Contact Information

For questions regarding this policy or to report a security issue, contact Turnstone at security@turnstonedata.com. By enforcing these measures and practices, Turnstone aims to provide municipalities with a secure, reliable, and trustworthy predictive modeling platform that prioritizes proactive defense, continuous improvement and recognized security standards.