Security Policy

Effective Date: 11/4/2026
Last Updated: 11/4/2026

Applies To: https://www.s9trace-weaver.com and all associated systems, infrastructure, and services (collectively, the “Platform”)

1. Purpose

This Security Policy establishes the administrative, technical, and physical safeguards implemented by s9trace-weaver.com (“we”, “us”, “our”) to protect the confidentiality, integrity, and availability of our Platform and associated data.

This policy is designed to align with recognized industry frameworks, including the SOC 2 Trust Services Criteria (Security, Availability, and Confidentiality).

2. Security Program Overview

We maintain a risk-based information security program that includes, but is not limited to:

  • Continuous identification, assessment, and management of security risks

  • Implementation of layered security controls (“defense-in-depth”)

  • Ongoing monitoring, logging, and alerting of system activity

  • Periodic review and enhancement of security controls and procedures

Security controls are reviewed and updated based on evolving threats, business requirements, and regulatory expectations.

3. Access Control

Access to systems and data is restricted based on business need and governed by the principle of least privilege.

Controls include:

  • Role-based access control (RBAC)

  • Strong authentication mechanisms (including multi-factor authentication where applicable)

  • Centralized identity and access management

  • Periodic access reviews and revocation of unnecessary privileges

  • Secure credential storage and handling practices

4. Data Protection

We implement appropriate safeguards to protect data throughout its lifecycle:

  • Data in Transit: Encrypted using industry-standard protocols (e.g., TLS 1.2 or higher)

  • Data at Rest: Protected using secure storage mechanisms and encryption where appropriate

  • Data Minimization: Collection limited to what is necessary for service delivery

  • Data Retention: Retained only as long as required for legitimate business or legal purposes

5. Infrastructure and Application Security

We employ secure development and infrastructure practices, including:

  • Secure software development lifecycle (SDLC) practices

  • Code review and change management processes

  • Vulnerability scanning and remediation

  • Timely application of security patches and updates

  • Network segmentation and perimeter protections where applicable

6. Monitoring and Incident Detection

We maintain logging and monitoring systems designed to detect anomalous or unauthorized activity and to support a timely response under the incident response process described in Section 7.

This includes:

  • Centralized logging of security-relevant events

  • Automated alerting for suspicious activities

  • Regular review of logs and alerts

  • Retention of logs in accordance with internal policies

7. Incident Response

We maintain an incident response process to address security events in a timely and effective manner.

This includes:

  • Identification and classification of security incidents

  • Containment, eradication, and recovery procedures

  • Post-incident analysis and remediation

  • Communication protocols where required by law or contractual obligations

8. Vulnerability Management and Responsible Disclosure

We maintain a vulnerability management program to identify, assess, and remediate security weaknesses.

We support responsible disclosure and request that security researchers report vulnerabilities in accordance with the following:

Contact: security@s9trace-weaver.com

Reports should include:

  • Description of the vulnerability

  • Steps to reproduce

  • Potential impact assessment

  • Supporting materials (e.g., screenshots, proof-of-concept)

We will:

  • Acknowledge receipt within a reasonable time frame

  • Investigate and validate reported issues

  • Remediate confirmed vulnerabilities, prioritized by severity

9. Acceptable Testing and Safe Harbor

We support good-faith security research conducted in compliance with this policy.

Under this Safe Harbor provision, we will not initiate legal action against individuals who:

  • Engage in testing that is limited in scope to the Platform defined above and is non-destructive

  • Avoid accessing or modifying data belonging to others

  • Do not disrupt service availability or degrade system performance

  • Comply with all applicable laws and regulations

Activities explicitly prohibited include, but are not limited to:

  • Denial-of-service (DoS/DDoS) attacks

  • Social engineering or phishing of employees or users

  • Unauthorized access to user data

  • Physical security testing

10. Third-Party Risk Management

We may rely on third-party service providers to support our operations. Where applicable:

  • Vendors are evaluated based on security and compliance posture

  • Access is limited to necessary functions

  • Data sharing is governed by contractual and confidentiality obligations

We are not responsible for the security practices of third-party services not under our control.

11. Business Continuity and Availability

We implement measures designed to support system availability and resilience, including:

  • Backup and recovery procedures

  • Redundancy and fault tolerance where applicable

  • Monitoring of system performance and uptime

12. Policy Governance

This policy is reviewed periodically and updated as necessary to reflect changes in:

  • Regulatory requirements

  • Industry standards

  • Business operations

  • Threat landscape

13. Limitation of Liability

While we employ commercially reasonable security measures, no system can be guaranteed to be completely secure. To the fullest extent permitted by law, s9trace-weaver.com disclaims liability for unauthorized access, data breaches, or other security incidents except where required by applicable law.

14. Contact Information

For security-related inquiries or to report vulnerabilities:

Email: security@s9trace-weaver.com
