Security at Tasklexa

1. Purpose, Scope, and Organization

This policy defines behavioral, process, technical, and governance controls pertaining to security at Tasklexa that all personnel are required to implement in order to ensure the confidentiality, integrity, and availability of the Tasklexa service and data ("Policy"). All personnel must review and be familiar with the rules and actions set forth below.

1.1 Governance and Evolution

This Policy was created in close collaboration with and approved by Tasklexa executives. At least annually, it is reviewed and modified as needed to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices.

1.2 Security Team

The Tasklexa security team oversees the implementation of this Policy, including: procurement, provisioning, maintenance, retirement, and reclamation of corporate computing resources; all aspects of service development and operation related to security, privacy, access, reliability, and survivability; ongoing risk assessment, vulnerability management, and incident response; and security-related human resources controls and personnel training.

2. Personnel and Office Environment

Tasklexa is committed to protecting its customers, personnel, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly, in the context of its established employment culture of openness, trust, maturity, and integrity.

2.1 Work Behaviors

The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format.

3. Personnel Identity and Access Management

Each individual having access to any Tasklexa-controlled system does so via a unique user account. User accounts are required to have a unique username, a strong password, and two-factor authentication (2FA).

3.1 Access Management

Tasklexa adheres to the principle of least privilege, and every action attempted by a user account is subject to access control checks.

4. Data Classification and Processing

Tasklexa maintains the following Data Confidentiality Levels:

5. Vulnerability and Incident Management

The Tasklexa security team maintains an internal Incident Response Policy which contains steps for preparation, identification, containment, investigation, eradication, recovery, and follow-up/postmortem.

6. Business Continuity and Disaster Recovery

Tasklexa services are configured to withstand long-term outages to individual servers, availability zones, and geographic regions. Infrastructure and data are replicated in multiple geographic regions to ensure high availability.

6.1 Disaster Recovery

Tasklexa targets a Data Recovery Point Objective (RPO) of 5 minutes for at least 3 days, and no longer than is permissible by law. Tasklexa targets a Data Recovery Time Objective (RTO) of no longer than 24 hours.

Last updated: July 15, 2024