top of page

Information Security Policy

Version: 1.0
Date: 9/1/2025
 

1. Overview

Exel Solutions (“Exel”) provides professional services and a ServiceNow-certified application. Exel does not host or store Customer Confidential Information. All customer data resides in the Customer's ServiceNow instance, which is secured under ServiceNow’s SOC 2 / ISO certifications.

This policy defines the minimum safeguards Exel maintains to protect its own systems, code, and personnel used to deliver services.

2. Objectives

  • Protect Exel’s intellectual property (software code, documentation).

  • Safeguard devices and accounts used by Exel personnel.

  • Prevent unauthorized access, disclosure, or alteration of sensitive information.

  • Ensure secure and professional handling of Customer’s data when accessed in their environment.

3. Scope

Applies to all Exel employees, contractors, and moonlighters with access to Exel’s systems or customer environments.

4. Security Practices

4.1 Access Controls

  • Multi-Factor Authentication (MFA) required for all accounts (email, source control, ServiceNow).

  • Role-based access: only personnel assigned to a project are granted access.

  • Access reviewed quarterly and removed immediately upon termination.

4.2 Workstations & Devices

  • Company-issued or approved laptops only.

  • Full-disk encryption enabled.

  • Automatic screen lock after 5 minutes of inactivity.

  • Antivirus and automatic patching enabled.

4.3 Data Handling

  • No Customer Confidential Information stored on Exel devices or systems.

  • All work with Customer data is performed within Customer's ServiceNow instance.

  • Confidential information may not be copied, emailed externally, or entered into AI/third-party tools.

4.4 Development & Code

  • All source code stored in private, access-controlled GitHub repositories.

  • Changes reviewed before deployment.

  • Backups performed daily by GitHub.

4.5 Vendor & Subcontractor Management

  • Subcontractors/contractors subject to the same controls.

  • Background checks performed before granting access to Customer environments.

5. Incident Response

  • Any suspected security incident reported immediately to Managing Partner.

  • Customer notified within 24 hours if incident involves Customer’s environment.

  • Post-incident review conducted; corrective actions tracked.

6. Training & Awareness

  • All personnel trained annually on confidentiality, phishing awareness, and secure handling of customer data.

  • Training includes explicit prohibition against using external AI tools with customer data.

7. Audit & Review

  • This policy reviewed annually by Exel leadership.

  • Updates communicated to all personnel.

8. Contact Information

  • Primary Contact: Jacob Andersen (Managing Partner)

bottom of page