Security Policy

This security policy outlines how RevBlack, LLC ("RevBlack") protects client data, systems, and
confidential information while providing CRM and Revenue Operations (RevOps) consulting
services. Our goal is to ensure the confidentiality, integrity, and availability of client data,
particularly when accessing platforms like Salesforce and HubSpot, while meeting contractual
obligations and industry best practices.

Scope

This policy applies to all RevBlack employees, contractors, and subcontractors who handle
client data or access client systems. It covers all data provided by clients, generated during
service delivery, or stored on RevBlack systems, including Company Data as defined in client
agreements.

1. Data Protection

1.1 Client Data Ownership

  • Clients retain full ownership of their data, including all information in Salesforce,
    HubSpot, or other platforms, as outlined in Section 4.2 of the RevBlack Services
    Agreement.
  • RevBlack uses client data only to perform contracted services and does not transfer or
    claim ownership of client accounts or data.

1.2 Data Access and Usage

  • Access to client systems (e.g., Salesforce, HubSpot) is limited to personnel directly
    involved in delivering Professional Services.
  • RevBlack personnel use client-provided credentials or secure, role-based access
    controls to perform tasks.
  • Client data is used solely for the purposes outlined in the Statement of Work (SOW) and
    is not shared with third parties unless explicitly authorized by the client or required by
    law.
  • De-identified client data may be used for benchmarking, service improvement, or
    marketing, as permitted in Section 5 of the Services Agreement. Clients can request
    deletion of their data, which RevBlack will honor promptly, subject to contractual terms.

1.3 Data Storage and Transmission

  • Client data is stored only on secure, encrypted systems (e.g., cloud platforms with
    AES-256 encryption) and is not retained on personal devices.
  • Data transmission occurs over secure protocols (e.g., HTTPS, SFTP) to prevent
    interception.
  • RevBlack maintains a data inventory to track where client data is stored and ensures it is
    deleted or archived securely when no longer needed, per client requests or at the end of
    the engagement.

2. Access Control

2.1 User Authentication

  • All RevBlack personnel use unique, strong passwords (minimum 12 characters,
    including letters, numbers, and symbols) for accessing internal and client systems.
  • Multi-factor authentication (MFA) is enforced for all accounts accessing client platforms
    or RevBlack’s internal tools.
  • Passwords are stored in a secure password manager and never shared via email or
    unencrypted channels.

2.2 Role-Based Access

  • Access to client systems is granted on a least-privilege basis, ensuring personnel only
    have permissions necessary for their tasks.
  • Temporary access is revoked immediately after task completion or personnel departure.
  • RevBlack reviews access permissions quarterly to ensure compliance with client
    agreements.

2.3 Subcontractor Access

  • Subcontractors are bound by the same security and confidentiality obligations as
    RevBlack employees, as per Section 2 of the Services Agreement.
  • Subcontractors are granted access only with client approval and are monitored to ensure
    compliance with this policy.

3. Confidentiality

  • All client information, including Company Data and Confidential Information (as defined
    in Exhibit A of the Services Agreement), is treated as strictly confidential.
  • RevBlack personnel sign non-disclosure agreements (NDAs) prohibiting unauthorized
    disclosure or use of client information.
  • Confidential Information is shared only with personnel who need it to perform services
    and is not disclosed to third parties without client consent, except as required by law (per
    Section 5 of the Services Agreement).
  • RevBlack notifies clients promptly of any legally compelled disclosures, where permitted
    by law, to allow clients to seek protective measures.

4. System Security

4.1 Endpoint Protection

  • All devices used by RevBlack personnel are equipped with up-to-date antivirus software
    and firewalls.
  • Devices are encrypted (e.g., BitLocker for Windows, FileVault for macOS) to protect data
    in case of loss or theft.
  • Remote wipe capabilities are enabled for lost or stolen devices.

4.2 Network Security

  • RevBlack uses secure, private networks (e.g., VPNs) when accessing client systems
    remotely.
  • Public Wi-Fi is avoided unless secured with a VPN.
  • Network traffic is monitored for suspicious activity using intrusion detection tools.

4.3 Software and Patch Management

  • All software used by RevBlack, including tools for accessing Salesforce and HubSpot, is
    kept up to date with the latest security patches.
  • Only licensed, reputable software is used to minimize vulnerabilities.

5. Incident Response

  • RevBlack maintains an incident response plan to address potential security breaches or
    data exposures.
  • In the event of a suspected breach, RevBlack will:

    • Immediately investigate and contain the issue.
    • Notify affected clients within 72 hours of confirming a breach, unless prohibited
      by law.
    • Provide a detailed report of the incident, including root cause, impact, and
      remediation steps.
  • RevBlack carries cyber liability insurance to cover potential losses from security
    incidents.

6. Employee Training

  • All RevBlack personnel undergo annual security awareness training covering data
    protection, phishing prevention, and secure system access.
  • New hires complete security onboarding before accessing client data or systems.
  • Training includes specific guidance on handling Salesforce and HubSpot data securely.

7. Compliance and Audits

  • RevBlack complies with applicable data protection laws (e.g., GDPR, CCPA) when
    handling client data, as required by the client’s jurisdiction.
  • Internal security audits are conducted annually to assess compliance with this policy and
    client agreements.
  • Upon client request, RevBlack will provide a summary of security practices or participate
    in reasonable audits, subject to confidentiality protections.

8. Third-Party Platforms

  • RevBlack relies on the security measures of third-party platforms like Salesforce and
    HubSpot, which are responsible for their own infrastructure security.
  • RevBlack ensures all interactions with these platforms follow vendor-recommended
    security practices (e.g., secure API integrations, encrypted sessions).
  • Clients are responsible for maintaining the security of their own accounts (e.g., strong
    passwords, MFA) and promptly notifying RevBlack of any account changes.

9. Termination and Data Handling

  • Upon termination of a client engagement, RevBlack will:

    • Return or destroy client Confidential Information, as requested, per Section 8 of
      the Services Agreement.
    • Securely delete client data from RevBlack systems, unless retained for archival
      purposes or as permitted by the agreement.
  • Clients may request data deletion at any time, though this may impact service delivery
    during the engagement (per Section 5 of the Services Agreement).

10. Force Majeure

  • RevBlack is not liable for security incidents caused by events beyond its reasonable
    control (e.g., natural disasters, third-party platform outages), as outlined in Section 9.5 of
    the Services Agreement.
  • RevBlack will take commercially reasonable steps to mitigate such incidents and notify
    clients promptly.

11. Policy Updates

  • This policy is reviewed and updated annually or as needed to reflect changes in
    technology, regulations, or client requirements.
  • Clients will be notified of material changes to this policy that affect their data or services.

Contact

For questions or concerns about this security policy, contact: