This Information Security Policy ("Policy") governs the security practices of ExhibitPower LLC with respect to all systems, data, applications, and personnel. This Policy applies to all employees, contractors, vendors, and any other individual or entity with access to ExhibitPower resources.
Access to ExhibitPower systems, applications, or data is contingent upon strict adherence to this Security Policy. Failure to comply may result in immediate termination of access and pursuit of all available legal and equitable remedies.
1. General Security Principles
This Information Security Policy is in service of the three core goals of information security:
| Principle | Description |
|---|---|
| Confidentiality | Ensuring that data and information are accessible only to those authorized to access it. |
| Integrity | Safeguarding the accuracy and completeness of data and processing methods. |
| Availability | Ensuring that authorized users have access to information and systems when required. |
This policy relates to all ExhibitPower web servers, application servers, database servers, development environments (including local and cloud-based environments), and any machine, resource, or account related to the development, deployment, maintenance, support, reporting or analysis of the ExhibitPower web and mobile applications and related data.
All individuals and entities with access to ExhibitPower resources must comply with the following standards:
- Data and information must be properly classified at an appropriate level of confidentiality by all persons responsible for their creation, administration, maintenance, support, or storage;
- Information will be protected against unauthorized access in accordance with its classification level;
- Information will be protected against loss or corruption in accordance with, at a minimum, accepted industry best practices;
- Access to information shall be made solely in furtherance of assigned responsibilities or the intended functionality of an authorized application or resource;
- Unauthorized access, or access in excess of authorization, to any system or data shall be immediately reported to ExhibitPower management;
- Any event that does or reasonably may compromise the confidentiality, integrity, or availability of any system or data shall be immediately reported to ExhibitPower management.
Enforcement: Failure to adhere to this policy shall provide ExhibitPower the right to terminate, cancel, or modify the employment, contractual, or other relevant relationship between ExhibitPower and the non-conforming party, and the right to pursue all available legal and equitable remedies.
2. Password, Access, and Authorization Policy
Access rights to ExhibitPower electronic resources will be accorded following the principles of least privilege and need-to-know. Elevated access rights (e.g., local administrator, domain administrator, super-user, root access) shall be restricted and controlled.
Authorization shall be provided only by the system administrator, who shall notify ExhibitPower management or the project manager upon the addition of each new user, including the scope of access and level of authorization granted. All users granted access must be made aware of the confidentiality provisions of all relevant agreements.
2.1 Password Requirements
All users, including contractors and vendors, are responsible for selecting and maintaining secure passwords in accordance with the following:
- Access shall be provided through a unique user account and a complex password meeting current industry standards (minimum 12 characters, including uppercase, lowercase, numbers, and special characters);
- Passwords must never be shared. No authorized system user may disclose their username or password to another person under any circumstances;
- Passwords may never be communicated by telephone. Passwords may only be communicated electronically if the password is temporary and must be changed upon initial login;
- No password may reside in the main, executing body of a program's source code in clear text, or in a location accessible through a web server;
- Multi-factor authentication (MFA) is required for all accounts with administrative access or access to Confidential or Restricted data;
- Passwords must be changed immediately upon any suspected or actual compromise.
2.2 Access Provisioning and Deprovisioning
- Access to Confidential, Restricted, and Protected information will be limited to authorized persons whose job responsibilities require it, as determined by the data owner or their designated representative;
- Requests for access or authorization to be granted, changed, or revoked must be made in writing and approved by ExhibitPower management;
- Technical teams shall not issue single-level authorization rights to entire teams unless a compelling reason is presented to and approved by ExhibitPower management;
- All user-level accounts must be deactivated immediately upon the completion of that person's need for access and no later than the time of termination of their engagement with ExhibitPower.
3. Database Security Policy
Access to ExhibitPower's internal databases by software programs must be granted only after proper authentication with credentials. The following standards apply:
- Database credentials must not reside in the main, executing body of a program's source code in clear text, or in any location accessible through a web server;
- Database administrator passwords must be issued on a single-user basis — multiple users must not share database login credentials;
- Passwords used by applications or source code for database connections must be unique between applications and may not be identical to the credentials of a human system user account;
- Pass-through authentication must not allow database access based solely upon a remote user's authentication on a remote host;
- Passwords must be immediately changed upon the departure of any employee or contractor with knowledge of the password.
Developer Responsibility: Developer groups must maintain a documented process for controlling and rotating database passwords, including a method for restricting knowledge of database passwords to a need-to-know basis.
4. Data Access and Integrity Policy
No person shall directly access system data, including but not limited to user information, except as necessary to achieve their legitimate and assigned business purpose and within the properly granted scope of their authorization.
- No ExhibitPower system shall permit a system user to access unencrypted user passwords;
- Redundant backups shall be created on a daily basis and maintained across multiple geographic storage locations, selected in accordance with the Physical Security Policy;
- All data access events must be logged and logs must be retained for a minimum of 90 days for security review and audit purposes;
- Any unauthorized access or data anomaly detected must be reported to ExhibitPower management immediately and no later than 24 hours after discovery.
5. Physical Security Policy
ExhibitPower data from all applications and systems shall reside only in approved locations:
- On ExhibitPower servers, where it shall be appropriately replicated for the purposes of data restoration or recovery;
- On backup servers contracted by ExhibitPower;
- On approved cloud storage (currently: Microsoft Azure and Google Drive).
No ExhibitPower data — including user information — shall be copied to or stored on any other physical medium, except in the course of and to the extent necessary to successfully complete development, deployment, or end-user support activities, in accordance with all other policies herein.
Prohibited Storage: ExhibitPower data may never be transferred or copied to a portable hard drive, USB drive, CD, DVD, or similar removable medium.
In the event that any data is transferred or copied to a computing device as described above, that device must be capable of remote disabling in the event of physical loss or theft.
ExhibitPower source code shall reside solely on computing devices and servers necessary for development, deployment, maintenance, and support of ExhibitPower applications. Access to any such server or device, including version control platforms such as Azure DevOps, shall be administered in accordance with all policies contained in this Information Security Policy.
6. Data Transmission Policy
All user and customer data transmitted between the ExhibitPower web and mobile applications and any server — including web servers, database servers, and notification or email servers — shall use TLS 1.2 or higher, negotiated with cipher suites that provide a minimum of 256-bit symmetric encryption.
Note on SSL vs. TLS: References to "SSL" in previous versions of this policy referred generally to encrypted transmission. ExhibitPower now requires TLS 1.2 or higher. SSL and TLS 1.0/1.1 are deprecated and must not be used.
- Transfers of customer data to or from any third-party resource (such as Google Drive or Microsoft Azure) shall also be made using TLS 1.2 or higher;
- The ExhibitPower system will at all times maintain multiple firewalls controlling access at the point of initiation of communication between a client application and ExhibitPower servers, and between web servers and databases or database servers;
- All APIs exposing ExhibitPower data must require authenticated, encrypted connections and must not expose data over unencrypted channels.
7. Incident Response Policy
ExhibitPower maintains an incident response process to address potential or actual security breaches in a timely and structured manner.
7.1 Reporting Requirements
- All suspected or confirmed security incidents must be reported to ExhibitPower management immediately and no later than 24 hours after discovery;
- Incidents include but are not limited to: unauthorized access, data exfiltration, ransomware, credential compromise, or any event that may affect the confidentiality, integrity, or availability of ExhibitPower systems or data.
7.2 Response Steps
- Contain: Immediately isolate affected systems to prevent further damage;
- Assess: Determine the scope, nature, and impact of the incident;
- Notify: Inform ExhibitPower management and, where required by law, affected parties and regulators;
- Remediate: Address the root cause and restore secure operations;
- Document: Record the incident, response actions taken, and outcomes for future reference and compliance.
7.3 Breach Notification
In the event of a data breach affecting personal information, ExhibitPower will comply with applicable state and federal breach notification laws, including the Texas Identity Theft Enforcement and Protection Act and other applicable regulations, notifying affected individuals and authorities within legally required timeframes.
8. AI and Third-Party Tool Usage Policy
As ExhibitPower increasingly uses AI-assisted development tools and third-party integrations, the following security standards apply:
- No confidential customer data, production credentials, or personally identifiable information (PII) may be submitted to external AI tools, chatbots, or cloud-based development assistants without explicit written approval from ExhibitPower management;
- All third-party integrations must be reviewed and approved before connecting to ExhibitPower systems or data;
- API keys and access tokens for third-party services must be stored in approved secrets management systems, never in source code repositories;
- Developers must use only approved repositories (currently: Azure DevOps) for source code management. No ExhibitPower source code may be committed to personal or public repositories.
9. Policy Compliance and Enforcement
ExhibitPower management is responsible for ensuring compliance with this policy. All personnel are required to:
- Acknowledge receipt and understanding of this policy upon engagement and upon each material update;
- Complete any security awareness training required by ExhibitPower management;
- Report any known or suspected violations of this policy immediately.
This policy will be reviewed at least annually and updated as necessary to reflect changes in technology, law, and best practices.
10. Contacting Us
Questions regarding this Information Security Policy, and reports of any security concern, should be directed to ExhibitPower management:
ExhibitPower LLC
7885 Northcourt Rd, Suite #100
Houston, TX 77040
Security Contact: support@exhibitpower.com
Phone: 713.939.9252