
Security and Compliance Policy

Our Commitment

Protecting the confidentiality, integrity, and availability of all data and systems under our control.

Security and Compliance Policy for Loam Agency

Loam Agency is committed to protecting the confidentiality, integrity, and availability of all data and information systems under our control. This policy establishes the framework for our security and compliance practices to safeguard against risks, meet regulatory requirements, and build trust with clients and partners.

Scope

This policy applies to all employees, contractors, third-party vendors, and systems that access, process, store, or transmit data on behalf of Loam Agency or our clients. It covers all IT infrastructure, software applications, data assets, and business operations.

Information Security Principles

Confidentiality

We ensure that sensitive information is accessible only to authorized individuals. Access controls, encryption, and secure communication channels are employed to prevent unauthorized disclosure.

Integrity

We maintain the accuracy and completeness of data throughout its lifecycle. Validation, audit logs, version control, and secure development practices help prevent unauthorized modification.

Availability

We ensure that authorized users have reliable access to information and systems when needed. Redundancy, backups, disaster recovery planning, and monitoring support continuous availability.

Security Controls and Practices

  • Access Management: Role-based access control (RBAC), multi-factor authentication (MFA), and regular access reviews
  • Data Protection: Encryption in transit and at rest, data minimization, and secure disposal
  • Network Security: Firewalls, intrusion detection/prevention systems, VPNs, and network segmentation
  • Endpoint Security: Antivirus, anti-malware, device encryption, and mobile device management
  • Application Security: Secure coding standards, penetration testing, vulnerability assessments, and patch management
  • Incident Response: Documented procedures for detecting, reporting, and responding to security incidents
  • Backup and Recovery: Regular backups, testing of restoration processes, and business continuity planning

Compliance and Regulatory Adherence

Loam Agency adheres to applicable legal, regulatory, and contractual requirements, including but not limited to:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Health Insurance Portability and Accountability Act (HIPAA) where applicable
  • Payment Card Industry Data Security Standard (PCI DSS) where applicable
  • Industry-specific compliance frameworks relevant to client sectors

We conduct regular compliance audits and assessments to verify adherence and address gaps.

Employee Responsibilities

All personnel are required to:

  • Complete security awareness training upon onboarding and annually thereafter
  • Follow secure password practices and protect authentication credentials
  • Report suspected security incidents or policy violations immediately
  • Handle sensitive data in accordance with classification and handling guidelines
  • Comply with acceptable use policies for company resources and systems

Third-Party and Vendor Management

We assess the security posture of third-party vendors and service providers before engagement and periodically thereafter. Contracts include security and compliance requirements, data protection clauses, and audit rights.

Monitoring and Continuous Improvement

Security and compliance are ongoing commitments. We monitor systems for anomalies, conduct regular risk assessments, perform security testing, and update policies and controls to address emerging threats and changing regulations.

Policy Violations

Violations of this policy may result in disciplinary action up to and including termination of employment or contracts, and may be subject to civil or criminal penalties as applicable.

Contact

For security-related questions or to report a security concern, contact team@loamagency.com.

Review and Updates

This policy is reviewed annually or as needed to reflect changes in technology, business operations, and regulatory requirements. Last updated March 2, 2026.



© 2026 Loam Agency. All rights reserved.
