All new employees receive onboarding and systems training. This training is completed annually by employees and training compliance is monitored.

The main topics covered in security training are:

• Social engineering – primarily phishing and how to detect and report attacks.
• Passwords – background in how passwords are cracked, why strong passwords are important, and storage recommendations for passwords.
• Physical Security – guidelines for maintaining the physical security of offices and equipment.
• Data Handling – understanding data classification and how to properly handle such data.
• Compliance – its importance and how it affects operations.

Intrro has a comprehensive set of risk management principles, policies and procedures in place to identify new business and technical risks, and put plans in place to mitigate those risks.

Risk principles

Intrro believes that effective risk management involves:

• A commitment to the security, availability, and confidentiality of Intrro infrastructure and services from senior management.
• The involvement, cooperation and insight of all Intrro staff.
• A commitment to initiating risk assessments, starting with discovery and identification of risks.
• A commitment to the thorough analysis of identified risks.
• A commitment to a strategy for treatment of identified risks.
• A commitment to communicate all identified risks to the company.
• A commitment to encourage the reporting of risks and threat vectors from all Intrro staff.

Intrro maintains a comprehensive set of organizational security policies that must be agreed to by all employees annually.

All policies are reviewed and approved by management annually. Employees who violate any policies may face disciplinary consequences in proportion to their violation.

Policies are maintained on the following topics:

• Acceptable Use Policy
• Asset Management Policy
• Backup Policy
• Business Continuity Plan
• Change Management Policy
• Code of Conduct
• Cryptography Policy
• Data Classification Policy
• Data Deletion Policy
• Data Protection Policy
• Disaster Recovery Plan
• Incident Response Plan
• Information Security Policy
• Password Policy
• Physical Security Policy
• Responsible Disclosure Policy
• Risk Assessment Program
• System Access Control Policy
• Vendor Management Policy
• Vulnerability Management Policy

A copy of these policies can be made available to Intrro Enterprise customers on request.

Intrro relies on vendors to perform a variety of services, some of which are critical for operations. Intrro aims to manage its relationship with vendors and manage the risk associated with engaging third parties to perform services.

Risk assessments

Intrro conducts due diligence on an individual vendor's security, business practices, and legal commitments. Intrro's vendor management policy provides a framework for managing the lifecycle of vendor relationships.

Data subprocessors

Intrro utilizes some vendors as data subprocessors to provide the Intrro services. Intrro takes a risk-based approach to selecting data subprocessors based on the security and business practices of these vendors. To minimize our risk and the risk to our customers, we aim to utilize as few data subprocessors as possible to provide the Intrro services.

Intrro's data subprocessors are listed at Data subprocessors.

All employee and contractor agreements include a confidentiality agreement.

All employees agree during and after employment that they will:

• refrain from disclosing confidential information
• not use confidential information for purposes other than their employment
• keep confidential information secure and not disclose or publish information except when authorized or as required by law

On termination of employment, all employees must return all confidential information and must permanently erase all confidential stored on any device.

Intrro has an asset management policy in place to protect data that is stored and accessible via endpoints, such as company workstations and laptops.

Fleet management

All corporate endpoints are protected against internal threats and local vulnerabilities AWS Systems Manager and Vanta. All devices are continuously monitored for the following checks:

• Full-disk encryption
• Screen lock enabled
• Latest security updates
• Malware detection and anti-virus
• Personal firewall enabled
• Unencrypted SSH keys
• Password management software

All corporate devices are also enrolled in mobile device management (MDM) enabling Intrro to remotely manage assets to ensure compliance with configuration standards and enabling remote lock and erase in the event of a lost or stolen device.

Network security

All corporate wireless networks, including both corporate and guest networks, encrypt data in transit using WPA2-AES encryption. Guest network traffic and access is separated from corporate network traffic and access.

Corporate networks are protected with Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) to block malicious traffic and actors attempting to access Dovetail's corporate network.

Removable media and offline backups

Intrro prohibits use of removable media and offline backups to mitigate both the risk of data loss as well as the risk of malware being introduced.