Information Security Policy

Version: 1.0
Date: 9/1/2025
1. Overview

Exel Solutions (“Exel”) provides professional services and a ServiceNow-certified application. Exel does not host or store Customer Confidential Information. All customer data resides in the Customer’s ServiceNow instance, which is secured under ServiceNow’s SOC 2 / ISO certifications.

This policy defines the minimum safeguards Exel maintains to protect its own systems, code, and personnel used to deliver services.

2. Objectives

  • Protect Exel’s intellectual property (software code, documentation).

  • Safeguard devices and accounts used by Exel personnel.

  • Prevent unauthorized access, disclosure, or alteration of sensitive information.

  • Ensure secure and professional handling of Customer’s data when accessed in their environment.

3. Scope

Applies to all Exel employees, contractors, and moonlighters with access to Exel’s systems or customer environments.

4. Security Practices

4.1 Access Controls

  • Multi-Factor Authentication (MFA) required for all accounts (email, source control, ServiceNow).

  • Role-based access: only personnel assigned to a project are granted access.

  • Access reviewed quarterly and removed immediately upon termination.

4.2 Workstations & Devices

  • Company-issued or approved laptops only.

  • Full-disk encryption enabled.

  • Automatic screen lock after 5 minutes of inactivity.

  • Antivirus and automatic patching enabled.

4.3 Data Handling

  • No Customer Confidential Information stored on Exel devices or systems.

  • All work with Customer data is performed within Customer’s ServiceNow instance.

  • Confidential information may not be copied, emailed externally, or entered into AI/third-party tools.

4.4 Development & Code

  • All source code stored in private, access-controlled GitHub repositories.

  • Changes reviewed before deployment.

  • Backups performed daily by GitHub.

4.5 Vendor & Subcontractor Management

  • Subcontractors/contractors subject to the same controls.

  • Background checks performed before granting access to Customer environments.

5. Incident Response

  • Any suspected security incident reported immediately to Managing Partner.

  • Customer notified within 24 hours if incident involves Customer’s environment.

  • Post-incident review conducted; corrective actions tracked.

6. Training & Awareness

  • All personnel trained annually on confidentiality, phishing awareness, and secure handling of customer data.

  • Training includes explicit prohibition against using external AI tools with customer data.

7. Audit & Review

  • This policy reviewed annually by Exel leadership.

  • Updates communicated to all personnel.

8. Contact Information

  • Primary Contact: Jacob Andersen (Managing Partner)
