Varigence Data Exchange Policy
1. Purpose and Scope
The purpose of this policy is to define the standards and procedures for secure data exchange at Varigence, including both internal and external data transfers. This policy ensures that all Varigence employees, contractors, and partners follow industry-standard encryption and access control measures to protect the confidentiality, integrity, and availability of data.
Key Points:
- Applies to all data exchanges (e.g., sending, receiving, transmitting, or storing data) within Varigence or with external parties (customers, partners, vendors).
- Covers customer metadata and any other internal data that Varigence may handle.
- Aligns with data protection legislation (e.g., GDPR, DPA2018) relevant to Varigence’s customer base.
2. Encryption Standards
- Encryption in Transit
  - TLS 1.3 with 2048-bit RSA keys (or equivalent or stronger) must be used whenever data is transferred via web-based protocols (HTTPS, SFTP, email).
  - Screen-sharing tools used for remote support and collaboration must use end-to-end encryption or meeting encryption standards equivalent to TLS 1.3.
- Encryption at Rest
  - BitLocker (or equivalent disk encryption) is enabled on all corporate-managed devices and servers that store data.
  - Cloud storage solutions utilized by Varigence must offer at-rest encryption aligned with or surpassing these standards.
3. Acceptable Transfer Mechanisms
Varigence allows the following methods for data exchange, provided they adhere to the encryption standards outlined above:
- SFTP (Secure File Transfer Protocol)
  - Used for larger files or structured file transfers.
  - Requires user authentication tied to MFA when feasible.
- Cloud-Based File Sharing
  - Services must require Multi-Factor Authentication (MFA), enforce Role-Based Access Control (RBAC), and enforce device compliance checks via Microsoft Intune Mobile Device Management (MDM).
  - Links or shared folders should be time-bound or revoked once the data exchange is complete.
- Email Attachments
  - Smaller files may be exchanged via secure email channels that use TLS 1.3.
  - Employees must exercise due diligence: verifying recipients, limiting sensitive attachments, and respecting data minimization principles.
- User-Level VPN
  - Employees connecting to Varigence’s internal network from untrusted networks (e.g., home Wi-Fi, public hotspots) must use an approved user-level VPN.
  - The VPN connection must enforce MFA and device compliance checks to ensure only corporate-managed and compliant devices are granted access.
4. Authentication and Access Controls
- Multi-Factor Authentication (MFA)
  - All Varigence employees and contractors must use MFA for accessing corporate resources, including VPN connections, cloud storage, and email systems.
- Role-Based Access Control (RBAC)
  - Access privileges to data and systems are granted based on job responsibilities and “least privilege” principles.
  - Privileges are reviewed and updated during onboarding, termination, role/project changes, and quarterly audits.
- Device Compliance (MDM)
  - All devices accessing or storing Varigence data must pass Microsoft Intune MDM checks (e.g., operating system patches, security software compliance).
  - Non-compliant devices are blocked from connecting to Varigence networks.
5. Handling More Sensitive Data
Although Varigence primarily handles customer metadata (non-personal, structural data), any sensitive data that is exceptionally shared with Varigence (including personal or proprietary information) must be handled with the highest security measures:
- Shared only through secure methods (SFTP, or cloud storage with MFA and RBAC).
- Encrypted at rest with BitLocker or an equivalent, approved encryption tool.
- Access restricted to essential personnel, with explicit approval logs.
6. No Exceptions Policy
- No exceptions to the security requirements in this policy are granted under any circumstances.
- “Urgent” requests are not grounds for bypassing security protocols, as this could introduce unmitigated vulnerabilities or social engineering risks.
7. Policy Enforcement and Incident Handling
- Security Register
  - Any violation of this policy is recorded in the Varigence security register.
  - Entries detail the nature of the incident, individuals involved, and resolution steps taken.
- Security Advisory Board Review
  - The Security Advisory Board reviews all documented violations and determines any corrective or disciplinary action.
  - Repeat violations or severe lapses may result in escalated penalties, up to termination of employment or contract.
- Incident Response
  - If a breach or security incident is suspected or confirmed, Varigence follows internal incident response procedures, which include immediate containment, forensic investigation, and notification of relevant stakeholders and authorities (if personal data is involved).
8. Policy Review
- This policy is reviewed and updated at least annually or whenever significant changes in technology, business processes, or legal requirements occur.
- Updates are communicated to all Varigence employees and contractors, who are required to acknowledge and abide by the revised policy.
Last Updated: 15 Jan 2025