Information Security Policy

Last updated: 11 December 2024

Introduction

Aspose Pty Ltd (Aspose) is a market-leading software development company that offers award-winning APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, ZIP, CAD, XPS, EPS, and PSD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, Xamarin, and Android, along with reporting solutions for Microsoft SharePoint and rendering extensions for SQL Server Reporting Services and JasperReports.

Aspose is committed to maintaining the highest standards of information security to protect our intellectual property, customer data, and the integrity of our software products. As a leading provider of APIs for file format manipulation, we recognize the critical importance of safeguarding sensitive information, ensuring the reliability and security of our solutions, and complying with industry regulations.

1. Purpose

The purpose of this Information Security Policy is to establish a comprehensive framework for protecting Aspose’s information assets, proprietary software, customer data, and intellectual property. By implementing consistent and robust security measures, Aspose seeks to maintain the confidentiality, integrity, and availability of its digital resources, ensure compliance with applicable laws and regulations, and uphold customer trust in its products.

2. Scope

This policy applies to all employees and partners who access, use, or manage Aspose’s information systems, software, or data. It covers all aspects of information security related to the company’s operations, including but not limited to secure software development, remote work protocols, data protection, and incident management. The policy applies to all devices, networks, systems, and platforms, including personal and corporate-issued devices, regardless of their physical location.

3. Roles and Responsibilities

Aspose assigns specific roles and responsibilities to ensure the effective implementation and enforcement of its Information Security Policy. These roles are critical in maintaining the confidentiality, integrity, and availability of Aspose’s information assets.

3.1. Executive Management

  • Approve and oversee the implementation of the Information Security Policy.
  • Allocate resources to support security initiatives, training, and technology upgrades.
  • Promote a culture of security awareness and accountability across the organization.

3.2. IT Infrastructure and Security Team

  • Develop, implement, and monitor security measures to protect the company’s systems and data.
  • Manage network security, endpoint protection, and multi-factor authentication (MFA).
  • Perform regular security audits, vulnerability scans, and penetration testing.
  • Maintain and test backup systems and disaster recovery plans.
  • Respond to and manage security incidents, ensuring swift resolution and reporting to stakeholders.

3.3. Product Development Team

  • Integrate secure coding practices into all stages of the Secure Software Development Lifecycle (SDLC).
  • Conduct regular code reviews and adhere to OWASP standards.
  • Address vulnerabilities identified during development and testing cycles.
  • Maintain compliance with security protocols when using third-party libraries and tools.

3.4. Sales Team and Technical Support Team

  • Address security-related customer inquiries and escalate issues when necessary.
  • Maintain awareness of customer security requirements and uphold contractual obligations.
  • Ensure secure communication channels when interacting with customers.

3.5. Human Resources (HR) Team

  • Conduct background checks and onboarding processes to ensure employee trustworthiness.
  • Provide employees with initial and ongoing security training.
  • Enforce security policies through employment agreements and disciplinary measures.

3.6. Employees

  • Comply with security policies and report any suspicious activities.
  • Use company systems and information assets responsibly and securely.
  • Report security incidents, suspicious activities, or policy violations promptly.
  • Participate in mandatory security training and awareness programs.

4. Access Control and Authentication

Aspose enforces strict access control and authentication measures to safeguard its information assets and systems. These controls are designed to ensure that only authorized individuals have access to sensitive data and resources, in alignment with the principle of least privilege.

4.1. Access Control

  • Access to systems, data, and applications is granted based on role-specific requirements and business needs.
  • Privileged access is restricted to authorized personnel and reviewed regularly to prevent unauthorized use.
  • Internal systems and resources are segmented to limit exposure in case of a security breach.

4.2. Authentication

  • Multi-Factor Authentication (MFA) is mandatory for accessing all critical systems and sensitive data.
  • Password policies require strong, unique passwords with regular updates and expiration periods.
  • Secure Single Sign-On (SSO) mechanisms are used to enhance user convenience and system security.

4.3. Monitoring and Review

  • Access logs are monitored regularly to detect and respond to unauthorized access attempts.
  • User access rights are reviewed periodically to ensure alignment with current job responsibilities.
  • Accounts of departing employees are promptly deactivated across all systems and access points.

5. Data Security and Privacy

Aspose is committed to maintaining the highest standards of data security and privacy for all information it handles, ensuring compliance with applicable regulations and safeguarding customer trust.

5.1. Types of Data Managed

  • Sales Data: Includes product and license details, purchase dates, subscription links, and customer contact information (name, email address, business address, and phone number).
  • Intellectual Property and Financial Records: Includes proprietary business information and company financial data.
  • Customer Support Data: Technical information provided by customers via support forums, primarily related to troubleshooting and usage guidance.
    Aspose does not store code, documentation or other sensitive data on behalf of its customers.

5.2. Data Access and Protection

  • Sales and internal data are stored securely on company-managed systems with encrypted backups, including off-site backups, to ensure data integrity and availability.
  • Access to data is strictly limited to authorized personnel and protected using Multi-Factor Authentication (MFA) and a secure Virtual Private Network (VPN).
  • Customer support threads are accessible only by the respective customer and the Aspose Support Team unless explicitly made public by the customer.

5.3. Data Sharing and Usage

  • Internal data is shared securely via dedicated virtual machines, encrypted emails, or internal platforms.
  • Support customers are encouraged to upload anonymized data during troubleshooting and can request deletion of threads or uploaded data after a case is resolved.
  • Aspose does not share or sell customer data to third parties under any circumstances.

5.4. Data Retention and Disposal

  • Sales data is retained only as required for business purposes or legal obligations.
  • Support data is retained on forums until the customer requests deletion or manually removes the data if permitted by the platform.
  • When data is no longer required, it is securely deleted following Aspose’s data disposal policies.

5.5. Compliance with Privacy Regulations

Aspose complies with GDPR and CCPA regulations, ensuring the secure handling of all personally identifiable information (PII) and providing customers with control over their data. Privacy impact assessments are conducted for any new processes or changes involving personal data to maintain compliance.

6. Product Security and Secure Development Lifecycle (SDLC)

Aspose integrates robust security practices throughout its Secure Development Lifecycle (SDLC) to ensure its products meet the highest standards of security, performance, and reliability. These practices protect Aspose’s intellectual property and provide secure solutions for its customers.

6.1. Secure Development Practices

  • Aspose adheres to industry-standard security frameworks, including OWASP guidelines, to minimize vulnerabilities during the development process.
  • All code undergoes regular reviews by qualified developers to identify and address potential security issues.
  • Automated tools such as SonarQube are used during each release cycle to detect and mitigate vulnerabilities in new and existing code.

6.2. Development Phases and Security Integration

  • Requirements Phase: Security requirements are identified and integrated into the project plan.
  • Design Phase: Secure architecture principles are applied, and potential risks are assessed.
  • Implementation Phase: Secure coding practices are enforced, and dependencies are evaluated for vulnerabilities.
  • Testing Phase: Comprehensive testing, including penetration testing and vulnerability assessments, ensures the product’s security integrity.
  • Deployment Phase: Secure methods are used to deliver products, including trusted package managers like NuGet, PyPI, and NPM, or direct downloads from Aspose’s website.
  • Maintenance Phase: Post-deployment, Aspose actively monitors products for vulnerabilities through automated tools and user feedback.

6.3. Third-Party Components

  • Aspose products use select third-party libraries, primarily ports of native C++ libraries to C#, ensuring compatibility and performance.
  • Third-party components are regularly assessed for vulnerabilities, and identified issues are promptly fixed or mitigated.
  • Aspose’s Third Party Risk Management Policy (TPRM) details our approach to managing the risks associated with dealing with third parties.

6.4. Customer Support for Security

  • Aspose offers free and paid support plans to assist customers in resolving security-related issues.
  • Customers can access public forums, paid support helpdesk systems, and consulting services to ensure the secure integration of Aspose products into their environments.

7. Network and Infrastructure Security

Aspose implements robust network and infrastructure security measures to protect its systems, data, and intellectual property. These controls ensure the confidentiality, integrity, and availability of company resources in a fully remote working environment.

7.1. Network Security

  • A Virtual Private Network (VPN) is required for all employee access to company systems, providing secure communication over public and private networks.
  • Firewalls and Intrusion Detection Systems (IDS) monitor and protect the network from unauthorized access and potential threats.
  • Network segmentation is enforced to limit access and reduce the impact of potential security breaches.

7.2. Access Management

  • Multi-Factor Authentication (MFA) is mandatory for accessing all internal systems, ensuring that only authorized users gain entry.
  • Access permissions are assigned based on role-specific requirements and are regularly reviewed to ensure compliance with the principle of least privilege.
  • Departing employees or contractors have their access promptly deactivated to prevent unauthorized use.

7.3. Remote Work Security

  • All employees work remotely and use company-approved tools and secure devices for accessing systems and data.
  • Security policies for remote work include mandatory updates to operating systems, endpoint protection software, and secure configuration standards.
  • Data access is restricted to dedicated virtual machines, minimizing the risk of unauthorized data storage or transfer.
  • Devices must undergo periodic compliance checks to ensure adherence to security policies. Non-compliant devices are blocked from accessing company systems until remediated.
  • Employees must report any device loss, theft, or suspected compromise immediately to ensure timely response and risk mitigation.

7.4. Infrastructure Security

  • Servers and critical infrastructure are monitored and maintained by a designated administrator with exclusive physical access.
  • Regular vulnerability assessments and system updates are conducted to mitigate potential security risks.
  • Backup systems are maintained with weekly and incremental backups to ensure business continuity in the event of an incident.

8. Incident Response and Crisis Management

Aspose has established comprehensive procedures to detect, respond to, and mitigate security incidents to minimize their impact on operations, protect company and customer data, and ensure business continuity. Aspose’s Business Continuity Policy (BCP) details our approach to ensuring the continued availability and reliable operation of Aspose’s self-hosted API solutions during any disruptions.

8.1. Incident Detection and Reporting

  • Monitoring: Aspose continuously monitors its systems using tools and processes designed to detect unauthorized access, data breaches, malware, and other threats.
  • Reporting Channels: Employees are required to report potential security incidents immediately through established channels, ensuring prompt evaluation and action.

8.2. Incident Response Procedures

  • Identification and classification: The security team assesses and classifies reported incidents to determine their nature, scope, and severity.
  • Containment: Immediate steps are taken to contain the incident and prevent further damage, such as isolating affected systems or disabling compromised accounts.
  • Eradication: The root cause of the incident is identified and eliminated, including the removal of malicious software or unauthorized access points.
  • Recovery: Systems are restored to normal operation, ensuring all vulnerabilities are addressed to prevent recurrence.

8.3. Communication Plan

  • Internal Communication: Relevant teams are informed about the incident, response actions, and any changes to procedures or systems.
  • Customer Notification: If an incident involves customer data, affected customers are promptly notified in accordance with GDPR, CCPA, and other applicable regulations.

8.4. Post-Incident Review

  • Analysis: All incidents are thoroughly analyzed to identify lessons learned and improve response strategies.
  • Documentation: Detailed incident reports are maintained, outlining the cause, response actions, and preventive measures.
  • Policy Updates: Findings from incident reviews are used to update security policies, training programs, and system configurations.

9. Business Continuity and Disaster Recovery (BCDR)

Aspose is committed to ensuring the continued availability of its services and protecting its data assets in the event of a disruption or disaster. The company maintains a comprehensive Business Continuity and Disaster Recovery (BCDR) plan that is designed to mitigate risks, enable quick recovery, and minimize the impact of disruptions on both internal operations and customer services.

9.1. Business Continuity Strategy

  • Risk Assessment and Planning: Aspose regularly conducts risk assessments to identify critical business functions and potential threats, such as cyberattacks, natural disasters, or hardware failures. Based on these assessments, the company develops and updates contingency plans to ensure continuity in the event of an incident.
  • Key Business Functions: Core business operations, including product development, customer support, and sales, are prioritized for continuity, with redundancy measures in place to support these functions in case of failure.
  • Employee Preparedness: All employees are trained on their roles and responsibilities in the event of a business continuity event. Remote work protocols are established to ensure that employees can work securely and effectively during disruptions.

9.2. Disaster Recovery (DR) Procedures

  • Backup and Recovery: Aspose implements regular backup schedules for critical systems, including both on-site and off-site backups, to ensure that data can be restored in case of a disaster.
      • Backups are performed at least weekly, with some systems receiving more frequent incremental backups.
      • Off-site backups are stored in a secure location to safeguard against physical site damage.
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO): Aspose has defined recovery objectives for its critical systems to minimize downtime and data loss.
      • RTO (Recovery Time Objective): The targeted duration for recovery and resumption of operations after an incident.
      • RPO (Recovery Point Objective): The maximum allowable period in which data can be lost, determined based on backup frequency.
  • Disaster Recovery Testing: Periodic tests of the disaster recovery plan are conducted to ensure that recovery processes are effective and that teams are prepared to act swiftly during an actual event.

9.3. External Vendor and Partner Dependencies

Although Aspose operates without third-party critical suppliers, it ensures that any external services it uses, such as cloud providers or hosting infrastructure, also have their own BCDR plans in place to support the company’s recovery efforts. Aspose’s Third Party Risk Management Policy (TPRM) details our approach to managing the risks associated with dealing with third parties.

Aspose is committed to complying with all applicable legal, regulatory, and industry requirements related to this policy. Where specific regulations or standards apply, Aspose will ensure alignment to protect customer data, meet business obligations, and maintain operational integrity.

10.1. Compliance Principles

  • Adherence: Aspose follows all relevant legal and regulatory requirements applicable to its operations and systems.
  • Alignment with Standards: While Aspose may not hold formal certifications, it aligns its practices with recognized industry frameworks and best practices to ensure compliance.

10.2. Ongoing Compliance Monitoring

Aspose regularly reviews its internal processes, policies, and product offerings to ensure ongoing compliance with relevant laws and industry standards.

Compliance audits and reviews are conducted periodically to ensure the effectiveness of security and privacy controls.

11. Employee Training and Security Awareness

Aspose places a strong emphasis on ensuring that all employees are well-equipped to understand, recognize, and mitigate potential security threats. The company fosters a security-conscious culture through continuous training and awareness programs, empowering employees to actively contribute to the organization’s overall information security posture.

11.1. Security Training Programs

  • Onboarding Training: All new employees undergo comprehensive security training as part of the onboarding process. This training covers fundamental security concepts, including data protection, secure communication, and best practices for safeguarding company and customer information.
  • Ongoing Security Awareness: Regular security awareness sessions are conducted to keep employees informed about emerging threats, new security policies, and updates to existing security procedures.

11.2. Security Role-Specific Training

Certain employees, particularly those in IT, product development, and customer support, receive specialized training tailored to their roles. This includes:

  • Secure Coding Practices: Developers receive training on secure coding standards, such as OWASP guidelines, to mitigate vulnerabilities and ensure the security of the company’s products.
  • Incident Response: Employees involved in incident detection and response are trained in best practices for identifying, reporting, and mitigating security incidents. They are also familiar with the company’s incident response plans and procedures.
  • Data Privacy and Protection: Employees working with sensitive customer data or handling customer support inquiries are trained in the requirements of GDPR, CCPA, and other relevant privacy regulations.

11.3. Internal Security Culture

Aspose fosters a security-first mindset among all employees, ensuring that security is prioritized in everyday work processes. This is achieved through:

  • Regular security communications from senior management, reinforcing the importance of security across all levels of the organization.
  • A commitment from leadership to uphold security standards and lead by example in implementing best practices.
  • Encouraging employees to report potential security issues or incidents through clear, confidential reporting channels.
  • Regular security updates or briefings to keep employees updated on the latest threats, internal security initiatives, and regulatory requirements.

11.4. Continuous Improvement

Feedback from employees regarding security training and awareness programs is actively encouraged to ensure the programs remain relevant and effective.

Post-Incident Debriefing: After a security incident, relevant teams participate in a debriefing session to review what occurred, how the situation was handled, and how security awareness or training can be improved moving forward.

12. Policy Compliance and Enforcement

Aspose’s Information Security Policy outlines the company’s commitment to protecting its information assets and ensuring the confidentiality, integrity, and availability of its systems and data. To maintain the highest standards of security and privacy, compliance with this policy is mandatory for all employees and other stakeholders. This section outlines the procedures for ensuring adherence to the policy, monitoring compliance, and enforcing security requirements.

12.1. Information Security Policy Compliance

Mandatory Adherence: All employees, contractors, and third-party partners are required to understand and comply with Aspose’s Information Security Policy, including all related procedures and guidelines. This ensures that everyone within the organization plays a role in maintaining a secure environment.

Policy Acknowledgment: Employees must formally acknowledge their understanding and commitment to following the policy during onboarding and whenever significant updates to the policy are made.

Periodic Reviews and Updates: Aspose’s Information Security Policy will be reviewed regularly to ensure its relevance and alignment with evolving industry standards, legal requirements, and business needs. All stakeholders will be informed of any updates, and necessary re-training will be provided.

12.2. Monitoring and Auditing

Internal Audits: Periodic audits are conducted to assess compliance with the Information Security Policy. These audits may include reviews of access controls, system configurations, and employee adherence to security protocols.

Automated Monitoring: Continuous monitoring tools are employed to detect and respond to security incidents and non-compliance in real-time. These tools help identify vulnerabilities, unauthorized access, and other security risks that may arise.

Self-Assessments: Employees and teams are encouraged to perform self-assessments to verify their adherence to security policies and practices. This self-monitoring helps identify gaps in security controls and provides an opportunity for proactive remediation.

12.3. Non-Compliance Consequences

Violation of Policy: Any employee, contractor, or third-party partner who violates the Information Security Policy or fails to comply with established security procedures may be subject to disciplinary action, including but not limited to:

  • Corrective Actions: This may include retraining, a formal warning, or a review of the incident to understand its root cause.
  • Access Restrictions: In cases where violations involve unauthorized access or misuse of company systems or data, the individual’s access to systems or data may be revoked or limited.
  • Termination: Serious or repeated violations of the policy could lead to termination of employment or the discontinuation of business relationships with third parties.
  • Legal Action: In cases of gross negligence or intentional misconduct that results in data breaches or other severe consequences, Aspose reserves the right to pursue legal action, including reporting violations to relevant authorities.

12.4. Accountability and Enforcement

Security Incident Management: Any violations or security incidents related to the Information Security Policy will be handled according to the company’s incident response procedures. Employees involved in or witnessing violations must report the incident to the security team promptly. Unintentional violations due to lack of understanding will prioritize retraining over disciplinary action.

Disciplinary Process: The enforcement process is overseen by the Human Resources (HR) and IT Security teams, who will conduct investigations and determine appropriate disciplinary actions in accordance with company policies.

Escalation Procedures: Serious non-compliance or incidents may be escalated to senior management or external authorities, depending on the severity and impact of the breach.

12.5. Continuous Improvement

Feedback Loop: Aspose encourages feedback from employees and other stakeholders to continuously improve the Information Security Policy and its enforcement mechanisms. This includes regular reviews of security practices and the identification of potential policy gaps.

Training and Awareness: Non-compliance due to a lack of understanding or awareness will be addressed through enhanced training programs and updated communication channels to ensure all employees are fully aware of their responsibilities under the policy.

13. Periodic Review and Policy Updates

Periodic Review: This Information Security Policy will be reviewed periodically or as required to adapt to new security standards, emerging threats, and Aspose’s evolving business needs.

Policy Updates: Any updates to the policy will be communicated to all employees and relevant stakeholders to ensure continuous alignment with best practices in information security.

14. Approval

This Information Security Policy was approved by the Board of Directors of Aspose Pty Ltd on 2024.12.01.