Last updated: July 13, 2025
This Information Security Policy (Policy) promotes an effective balance between information security practices and business needs. The Policy helps TreasureHub meet our legal obligations and our users' expectations. From time to time, TreasureHub may implement different levels of security controls for different information assets based on risk and other considerations.
You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or other designated TreasureHub resource before taking any actions that create information security risks or otherwise deviate from this Policy's requirements. TreasureHub may treat any failure to seek and follow such guidance as a violation of this Policy.
This Policy is Confidential Information. Do not share this Policy outside TreasureHub unless authorized by the Information Security Coordinator. You may share this Policy with an approved contractor that has access to TreasureHub's information or systems under a non-disclosure agreement or other agreement that addresses confidentiality (see Section 7, Service Providers: Risks and Governance).
TreasureHub follows these guiding principles when developing and implementing information security controls:
This Policy applies across the entire TreasureHub enterprise. This Policy provides detailed information security guidance that you must follow.
This Policy states TreasureHub's information security policy. In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states. In some situations, the Information Security Coordinator or another TreasureHub resource takes or avoids the stated actions.
From time to time, TreasureHub may approve and make available more detailed, location-specific, or business unit-specific policies, procedures, standards, and processes to address specific information security issues. Those additional policies, procedures, standards, and processes are extensions to this Policy. You must comply with them, where applicable, unless you obtain an approved exception.
No single document can cover all the possible information security issues you may face. Balancing our need to protect TreasureHub's information assets with getting work done can also be challenging. Many effective administrative, physical, and technical safeguards are available. Do not make assumptions about the cost or time required to implement them. Ask for help.
You must seek guidance before taking any actions that create information security risks.
Except where applicable law provides otherwise, you should have no expectation of privacy when using TreasureHub's network, services or systems, including, but not limited to, transmitting and storing files, data, and messages.
To enforce compliance with TreasureHub's policies and protect TreasureHub's interests, TreasureHub reserves the right to monitor any use of its network, services and systems to the extent permitted by applicable law. By using TreasureHub's systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, devices, or other printed or online media.
Various information security laws, regulations, and industry standards apply to TreasureHub and the data we handle. TreasureHub is committed to complying with applicable laws, regulations, and standards.
TreasureHub and its leadership recognize the need for a strong information security program.
TreasureHub has designated Alex MacDonald to be its Information Security Coordinator and accountable for all aspects of its information security program. References to the Information Security Coordinator throughout this Policy include the Information Security Coordinator and their designates.
TreasureHub has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as they may deem necessary and appropriate.
On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging stakeholders such as individual business units, Human Resources, Legal, and other TreasureHub organizations, as appropriate.
TreasureHub recognizes that specific business needs and local situations may occasionally call for an exception to this Policy. Exception requests must be made in writing. The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.
To request an exception, contact Alex MacDonald.
Employees and contractors are obligated to comply with all aspects of this Policy that apply to them. This Policy is not intended to restrict communications or actions protected or required by applicable law.
TreasureHub may treat any attempt to bypass or circumvent security controls as a violation of this Policy. For example, sharing access credentials, including passwords or multifactor authentication means, deactivating anti-malware software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4, Exceptions.
Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law. If TreasureHub suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator. Material changes to this Policy may require additional acknowledgment. TreasureHub will retain acknowledgment records.
TreasureHub has established a three-tier classification scheme to protect information according to risk levels. The information classification scheme allows TreasureHub to select appropriate security controls and balance protection needs with costs and business efficiencies.
All TreasureHub information is classified as (from least to most sensitive): (1) Public Information, (2) Confidential Information, or (3) Highly Confidential Information.
Unless it is marked otherwise or clearly intended to be Public Information, treat all TreasureHub and user information as if it is at least Confidential Information, regardless of its source or form, including online, paper, verbal, or other information.
You must apply security controls appropriate for the assigned information classification level to all information you store, transmit, or otherwise handle. Use classification level markings, where feasible.
Public Information is information that TreasureHub has made available to the general public. Information received from another party (including a user) that is covered under a current, signed non-disclosure agreement must not be classified or treated as Public Information.
Public Information Examples. Some Public Information examples include, but are not limited to: press releases; TreasureHub marketing materials; job announcements; and any information that TreasureHub makes available on its publicly accessible website(s).
Confidential Information is information that may cause harm to TreasureHub, its users, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual's privacy, TreasureHub's marketplace position or that of its users, or legal or regulatory liabilities.
Confidential Information Examples. Some Confidential Information examples include, but are not limited to: TreasureHub financial data, user lists, revenue forecasts, program or project plans, and intellectual property; user-provided data, information, and intellectual property (see also, Section 3.3, Highly Confidential Information, regarding personal information); user contracts and contracts with other external parties, including vendors, and other like materials.
Safeguards. You must protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks, and treat it with the utmost care.
Highly Confidential Information is information that may cause serious and potentially irreparable harm to TreasureHub, its users, employees, or other entities or individuals if disclosed or used in an unauthorized manner. Highly Confidential Information is a subset of Confidential Information that requires additional protection.
Highly Confidential Information Examples. Some Highly Confidential Information examples include, but are not limited to: personal information for employees, users, business partners, or others; and sensitive TreasureHub business information, such as budgets, financial results, or strategic plans.
Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, and handle and treat it with the utmost care.
This section describes key safeguards that TreasureHub uses to protect and manage its information technology (IT) environment. You must support their use to the extent that they apply to you.
Install and configure TreasureHub-owned computers and other hardware according to current technical standards and procedures, including anti-malware software, other standard security controls, and approved operating system version and software patches. TreasureHub supports preventive controls to avoid unauthorized activities or access to data, based on risk levels. TreasureHub supports detective controls to discover unauthorized activities or access to data in a timely manner, including continuous system monitoring and event management.
Perimeter controls secure TreasureHub's network against external attacks. Use firewalls, configured according to current technical standards and procedures, to separate TreasureHub's trusted network from the internet or internet-facing environments.
TreasureHub may implement additional perimeter controls including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or various forms of network monitoring according to risks. Do not create internet connections outside perimeter controls.
TreasureHub may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks. Segment Highly Confidential Information from the rest of TreasureHub's network to the extent technically feasible and reasonable (see Section 3.3, Highly Confidential Information). Do not alter network segmentation plans without approval from the Information Security Coordinator.
TreasureHub uses encryption to protect Confidential and Highly Confidential Information according to risks. TreasureHub may apply encryption to stored data (data-at-rest) and transmitted data (data-in-transit). Encrypting personal information may lower TreasureHub's liability if a data breach occurs.
Only use generally accepted encryption algorithms and products approved by the Information Security Coordinator. Periodically review encryption products and algorithms for any known risks.
Laws may limit exporting some encryption technologies. Seek guidance from Legal prior to exporting or making any encryption technologies available to individuals outside the U.S.
Encryption algorithms use keys to transform and secure data. Because keys allow decryption of the protected data, proper key management is crucial. Select encryption keys to maximize protection levels, to the extent feasible and reasonable. Treat them as Highly Confidential Information.
Ensure that keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups. Track access to keys. Keys should never be known or available to only a single individual. Change encryption keys on a periodic basis according to risks.
When TreasureHub retires or otherwise removes computing, network, or office equipment (such as printers, copiers, or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.
Simply deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards. For example, see the National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization.
Alex MacDonald manages IT operations and related activities at TreasureHub, including development of software and other applications.
Only TreasureHub-supplied or approved software, hardware, and information systems, whether procured or developed, may be installed in TreasureHub's IT environment or connected to TreasureHub's network.
Incident Reporting and Response. The Information Security Coordinator maintains a cyber incident reporting and response process that ensures management notifications are made based on the seriousness of the incident. The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken.
Immediately notify Alex MacDonald if you discover a cyber incident or suspect a breach in TreasureHub's information security controls. TreasureHub maintains various forms of monitoring and surveillance to detect cyber incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to TreasureHub.
Treat any information regarding cyber incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.
Cyber incidents vary widely and include physical and technical issues. Some examples of cyber incidents that you should report include, but are not limited to:
If you become aware of a compromised computer or other device, immediately notify Alex MacDonald.
The Information Security Coordinator defines and maintains a cyber incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
Applicable law may require TreasureHub to report cyber incidents that result in the exposure or loss of certain kinds of information or that affect certain services or infrastructure to various authorities or affected individuals or organizations, or both. Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Regulatory Compliance). The Information Security Coordinator's incident response plan includes a step to review all incidents for any required notifications. Coordinate all external notifications with Legal and the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
The Information Security Coordinator maintains a service provider risk governance program to oversee service providers that interact with TreasureHub's systems or Confidential or Highly Confidential Information. The service provider risk governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy.
Obtain approval from the Information Security Coordinator before engaging a service provider to perform functions that involve access to TreasureHub's systems or Confidential or Highly Confidential Information.
Service providers that access TreasureHub's systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures. TreasureHub may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
TreasureHub frequently creates, receives, and manages data on behalf of our users. With guidance from the Information Security Coordinator, TreasureHub develops, implements, and maintains an appropriate process and procedures to manage user data intake and protection.
TreasureHub user data intake and protection processes may vary but must include, at minimum, means for (1) identifying user data and any pertinent requirements prior to data intake or creation; (2) maintaining an inventory of user data created or received; and (3) ensuring TreasureHub implements and maintains appropriate information security measures, including proper data and media disposal when TreasureHub no longer has a business need to retain the user data (or is no longer permitted to do so by user agreement).
Identify any pertinent user data requirements before data intake or creation according to TreasureHub's user data intake and protection process. Requirements may be contractual or the result of applicable law or regulations, or both (see Section 1.5, Regulatory Compliance).
TreasureHub data intake processes and procedures must provide for secure data transfer. Maintain an inventory of user data that includes, at a minimum:
Treat any user-provided personal information as Highly Confidential Information (see Section 3.3, Highly Confidential Information). To minimize risks for the user and TreasureHub, engage the user in an ongoing dialogue to determine whether business objectives can be met without transferring personal information to TreasureHub.
Protect all user data TreasureHub creates or receives in accordance with this Policy and the data's information classification level, whether Confidential or Highly Confidential Information, in addition to any specific client-identified requirements.
Ensure that any user data or media containing user data is securely disposed of when it is no longer required for TreasureHub business purposes, or as required by user agreement (see Data and Media Disposal). Update the applicable business unit user data inventory accordingly.
TreasureHub supports an ongoing risk governance and risk management action cycle to (1) enforce this Policy; (2) identify and appropriately communicate information security risks; (3) develop risk-based procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly. The Information Security Coordinator oversees, maintains and is responsible for all aspects of these processes.
This Information Security Policy is effective as of July 13th, 2025.
Original publication.
For questions about this Information Security Policy, please contact:
Alex MacDonald
Information Security Coordinator
Email: support@treasurehub.club
Phone: (713) 899-3656