Information Security Policy
Effective Date: January 21, 2026
Entity: Alexander Delegard Consulting LLC (“Company,” “we,” “our,” or “us”)
1. Purpose and Benefits
This policy defines the mandatory minimum information security requirements for Alexander Delegard Consulting LLC. This policy acts as an umbrella document that defines our responsibility to:
- Protect and maintain the confidentiality, integrity, and availability of information
- Manage the risk of security exposure or compromise
- Assure a secure and stable information technology environment
- Identify and respond to events involving information asset misuse, loss, or unauthorized disclosure
- Monitor systems for anomalies that might indicate compromise
- Promote awareness of information security
This policy benefits our organization by defining a framework that ensures appropriate measures are in place to protect the confidentiality, integrity, and availability of data, and ensures understanding of security responsibilities and practices.
2. Scope
This policy encompasses all systems, automated and manual, for which we have administrative responsibility, including systems managed or hosted by third parties on behalf of the entity. It addresses all information, regardless of form or format, which is created or used in support of business activities related to Last Chance.
3. Information Security Statement
3.1 Organizational Security
Information security requires both an information risk management function and an information technology security function. Because we are a small organization, these functions are performed by the owner/operator, with consultation from service providers as needed. Security risk decisions are made through evaluation of business needs, technical requirements, and applicable legal and regulatory requirements.
Although technical information security functions may be supported by third-party service providers, we retain overall responsibility for the security of the information that we own.
3.2 Data Integrity, Availability, and Security
We implement measures to ensure the integrity, availability, and security of Personal Data:
- Regular Vulnerability Scanning: Regular dependency and security scans are performed to identify and address potential vulnerabilities in our applications and infrastructure. Systems are scanned before production deployment and periodically thereafter.
- Endpoint Protection: Development and administrative devices use up-to-date operating systems with built-in security features, automatic updates enabled, and host-based firewalls configured.
- Encryption: All data is encrypted in transit using TLS 1.2 or higher. Sensitive data such as email addresses is encrypted at rest in the database using industry-standard encryption.
- Secure Development Practices: Code reviews, dependency vulnerability scanning, and secure coding practices are part of our development workflow. All software incorporates secure coding practices to avoid common vulnerabilities.
3.3 Administrative, Technical, and Physical Safeguards
We maintain safeguards appropriate to protect against potential Security Incidents and remediate actual or reasonably suspected Security Incidents, meeting industry best practices and security requirements under Data Protection Laws.
Administrative Safeguards
- Access Control: Access to production systems and data is restricted and follows the principle of least privilege. All accounts have unique identifiers and require authentication.
- Security Policies: Documented policies govern access control, incident response, and data handling procedures. This policy is part of our written information security program.
- Vendor Due Diligence: Third-party vendors and service providers are evaluated for security practices before engagement. We use reputable, established service providers that maintain their own security programs and compliance certifications.
- Information Classification: Information is classified based on its confidentiality, integrity, and availability characteristics. Personal identifying information (PII) is subject to high confidentiality controls.
Technical Safeguards
- Multi-Factor Authentication (MFA): MFA is enabled on all critical accounts and services, including administrative access to production systems.
- Encryption: Data is encrypted in transit (TLS) and sensitive data is encrypted at rest using industry-standard encryption methods.
- Patch Management: Dependencies and systems are kept up to date with security patches. Security patches are reviewed, evaluated, and applied in a timely manner. This process is automated where technically possible.
- Secure Configuration: Systems are configured according to security best practices. Host-based firewalls are installed and enabled on all workstations and servers.
- Malware Protection: Controls are implemented to prevent and detect the introduction of malicious code, including dependency scanning and automated security checks.
- Logging and Monitoring: Application and access logs are maintained for security monitoring, troubleshooting, and audit purposes. Logs record security-relevant events and are protected consistent with retention requirements.
Physical Safeguards
- Cloud Hosting: Our application is hosted on a reputable, secure cloud platform with managed infrastructure, automatic SSL, isolated environments, and physical security controls provided by the hosting provider.
- Database: Production databases are managed services with encryption at rest, automated backups, and physical security provided by the service provider.
- Device Security: Administrative devices are physically secured and use device encryption and secure storage practices.
3.4 Data Availability and Resilience
We maintain Personal Data availability and resilience as part of our written information security program:
- Secured and Monitored Operational Sites: Our application runs on a secure cloud platform with health checks, monitoring for service issues, and alerting for service degradation or security events.
- Event and Auditable Logs: Application and access logs are maintained for security monitoring, troubleshooting, and audit purposes. Logs are protected and retained consistent with legal and regulatory requirements.
- Tolerant Infrastructure with Redundancies: Our hosting platform provides automatic failover, scaling capabilities, and redundant infrastructure to maintain service availability and prevent single points of failure.
- Backup Procedures: Database backups are performed automatically with point-in-time recovery capabilities. Backup integrity is verified through periodic restoration testing.
- Business Continuity Plans: Our use of managed cloud services provides built-in redundancy and recovery capabilities to minimize service disruption. Critical systems have defined recovery time objectives (RTO) and recovery point objectives (RPO).
- Disaster Recovery Plans: Automated backups and infrastructure-as-code enable rapid restoration of services in the event of a major incident. Disaster recovery procedures are documented and tested.
- Incident Response: Procedures are in place to identify, respond to, and communicate about security incidents promptly. All observed or suspected security incidents are reported and addressed according to documented procedures.
- Vendor Due Diligence: We select reputable service providers that maintain their own security programs and compliance certifications. Vendor agreements include security requirements and compliance expectations.
3.5 Vulnerability Management
- All systems are scanned for vulnerabilities before being installed in production and periodically thereafter.
- Regular dependency scanning and security assessments are performed to identify potential vulnerabilities.
- Appropriate action, such as patching or updating systems, is taken to address discovered vulnerabilities in a timely manner.
- For any discovered vulnerability, a plan of action is created to document and track remedial actions.
3.6 Operations Security
- Systems have documented operating procedures and formal incident management procedures related to information security matters.
- System configurations follow approved configuration standards and security best practices.
- System capacity is monitored on an ongoing basis to ensure adequate resources are available.
- All systems are maintained at vendor-supported levels to ensure accuracy and integrity.
- Systems and applications are monitored and analyzed to detect deviations from access control requirements and security policies.
- Contingency plans, including business continuity and disaster recovery plans, are established and tested regularly.
- Backup copies of information, software, and system configurations are taken regularly in accordance with defined requirements.
- Backup restoration procedures are tested regularly to ensure data can be recovered when needed.
3.7 Account Management and Access Control
- Access to systems is provided through individually assigned unique identifiers (user IDs).
- Each user ID requires authentication using secure authentication tokens (passwords, MFA).
- Access privileges are granted in accordance with job responsibilities and limited only to those necessary to accomplish assigned tasks (principle of least privilege).
- Authentication tokens are treated as confidential and protected appropriately. Tokens are stored only using approved secure storage methods.
- Remote access connections are made through managed points-of-entry with appropriate security controls.
4. Compliance
This policy shall take effect upon publication. Compliance is expected with all policies and standards outlined herein. Our security practices are designed to meet industry best practices and comply with applicable Data Protection Laws, including:
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR) where applicable
- Other applicable data protection and privacy laws
Policies may be amended at any time; compliance with amended policies is expected. We regularly review and update our security practices to maintain compliance with evolving legal and regulatory requirements.
5. Related Policies
This Information Security Policy should be read in conjunction with our:
- Privacy Policy — How we collect, use, and protect personal information
- Terms of Service — Terms governing use of our services
Detailed operational procedures, including incident response plans, backup and disaster recovery procedures, and security operations documentation, are maintained internally and are available upon request for compliance and audit purposes.
6. Contact Information
For questions about this Information Security Policy or to report a security concern, please contact:
Alexander Delegard Consulting LLC
Minneapolis, MN, USA
Email: support@yourlastchance.app
7. Policy Updates
This policy is subject to periodic review to ensure relevancy. We may update this policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on our website with the effective date indicated at the top.