Security Policy
Mello employs strict security standards and measures throughout the entire organization. Every team member is trained and kept up to date on the latest security protocols. We regularly undergo testing, training, and auditing of our practices and policies.
1. Purpose, Scope, and Organization
This policy defines the behavioral, process, technical, and governance controls pertaining to security at Mello that all personnel are required to implement to ensure the confidentiality, integrity, and availability of the Mello service and data ("Policy"). All personnel must review and be familiar with the rules and actions set forth below.
This Policy defines security requirements for:
- All Mello employees, contractors, consultants, and any other third parties providing services to Mello ("personnel")
- Management of systems, both hardware and software and regardless of location, used to create, maintain, store, access, process, or transmit information on behalf of Mello. This includes all systems owned by Mello, connected to any network controlled by Mello, or used in service of Mello's business, including systems owned by third-party service providers
- Circumstances in which Mello has a legal, contractual, or fiduciary duty to protect data or resources in its custody
In the event of a conflict, the more restrictive measures apply.
1.1 Governance and Evolution
This Policy was created in close collaboration with and approved by Mello executives. At least annually, it is reviewed and modified as needed to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices.
1.2 Security Team
The Mello security team oversees the implementation of this Policy, including:
- Procurement, provisioning, maintenance, retirement, and reclamation of corporate computing resources
- All aspects of service development and operation related to security, privacy, access, reliability, and survivability
- Ongoing risk assessment, vulnerability management, and incident response
- Security-related human resources controls and personnel training
1.3 Risk Management Framework
The security team maintains a Risk Management Framework derived from NIST SP 800-39 - "Managing Information Security Risk: Organization, Mission, and System View" and NIST SP 800-30 - "Guide for Conducting Risk Assessments". Risk assessment exercises inform prioritization for ongoing improvements to Mello's security posture, which may include changes to this Policy itself.
Our Risk Management Framework incorporates the following:
- Identification of relevant, potential threats
- A scheme for assessing the strength of implemented controls
- A scheme for assessing current risks and evaluating their severity
- A scheme for responding to risks
2. Personnel and Office Environment
Mello is committed to protecting its customers, personnel, partners, and the company from illegal or damaging actions taken by individuals, whether knowingly or unknowingly, in the context of its established employment culture of openness, trust, maturity, and integrity.
This section outlines expected personnel behaviors affecting security and the acceptable use of computer systems at Mello. These rules are in place to protect our personnel and Mello itself, as inappropriate use may expose customers and partners to risks including malware, viruses, compromise of networked systems and services, and legal issues.
2.1 Work Behaviors
The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format. Such behaviors include those listed in this section as well as any additional requirements specified in the employee handbook, specific security processes, and other applicable codes of conduct.
Training
All employees and contractors must complete the Mello security awareness and data handling training programs at least annually.
Unrecognized Persons and Visitors
It is the responsibility of all personnel to take positive action to maintain physical security. Challenge any unrecognized person present in a restricted office location. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff and the security team. All visitors to Mello offices must be registered as such or accompanied by a Mello employee.
Clean Desk
Personnel should maintain workspaces clear of sensitive or confidential material and take care to clear workspaces of such material at the end of each workday.
Unattended Devices
Unattended devices must be locked. All devices will have an automatic screen lock configured to activate after no more than fifteen minutes of inactivity.
Use of Corporate Assets
Systems are to be used for business purposes in serving the interests of the company, and of our clients and partners, in the course of normal business operations. Personnel are responsible for exercising good judgment regarding the reasonableness of personal use of systems. Only Mello-managed hardware and software may be connected to or installed on corporate equipment or networks, and only such hardware and software may be used to access Mello data.
3. Data Security and Protection
3.1 Data Classification
Mello classifies data into the following categories:
- Public: Information intended for public disclosure
- Internal: Information for use within Mello
- Confidential: Sensitive business information requiring protection
- Restricted: Highly sensitive information with strict access controls
3.2 Data Encryption
All sensitive data must be encrypted both at rest and in transit using industry-standard encryption protocols. We use:
- TLS 1.2 or higher for data in transit
- AES-256 encryption for data at rest
3.3 Data Retention and Destruction
Mello maintains a data retention schedule that defines how long different types of data should be kept before secure deletion. When data reaches the end of its retention period, it is securely destroyed using methods that prevent recovery.
4. Access Management and Control
4.1 User Access Controls
Access to Mello systems and data is granted following the principle of least privilege. Users receive only the access permissions necessary to perform their job functions.
4.2 Authentication Requirements
All system access requires:
- Strong password policies (minimum 12 characters, complexity requirements)
- Multi-factor authentication (MFA) for all administrative access
- Regular credential rotation
4.3 Access Reviews
Access privileges are reviewed quarterly to ensure they remain appropriate.
5. Network Security
5.1 Network Defenses
Mello implements multiple layers of network security including:
- Enterprise-grade firewalls
- Intrusion detection and prevention systems
- Regular security scanning and monitoring
5.2 Secure Network Architecture
Our network is segmented to isolate critical systems and limit the potential impact of security breaches.
6. Incident Response
6.1 Security Incident Procedures
Mello maintains detailed incident response procedures for identifying, containing, eradicating, and recovering from security incidents.
6.2 Breach Notification
In the event of a data breach, Mello will notify affected customers in accordance with applicable laws and regulations.
7. Business Continuity and Disaster Recovery
7.1 Backup Procedures
Critical data is automatically backed up according to defined schedules with backups stored in geographically diverse locations.
7.2 Recovery Testing
Disaster recovery procedures are tested at least annually to ensure they remain effective.
8. Vendor Management
8.1 Third-Party Risk Assessment
All third-party vendors with access to Mello systems or data undergo a security assessment before engagement and periodically thereafter.
8.2 Contractual Requirements
Vendors must agree to security provisions in their contracts that protect Mello data and systems.
9. Compliance and Auditing
9.1 Regulatory Compliance
Mello maintains compliance with applicable laws, regulations, and industry standards relevant to our business.
9.2 Security Audits
Regular internal and external security audits are conducted to validate the effectiveness of our security controls.
10. Policy Enforcement
10.1 Violations and Consequences
Violations of this Security Policy may result in disciplinary action, up to and including termination of employment or service contracts.
10.2 Policy Exceptions
Exceptions to this Policy may be granted only after a formal risk assessment and must be approved by the security team and the relevant executives.
11. Contact Information
For questions about this Security Policy, or to report security concerns, please contact the Mello security team at security@mello.life.