Information Security Policy

1. Purpose

• To protect the confidentiality, integrity, and availability of organizational information and systems.

• To ensure compliance with applicable laws, regulations, and contractual obligations.

• To establish clear responsibilities for safeguarding information assets.

2. Scope

• Applies to all employees, contractors, volunteers, and third parties who access organizational data or systems.

• Covers all information assets: electronic files, paper records, email, cloud services, and physical devices.

• Applies to both on-site and remote work environments.

3. Roles and Responsibilities

• Employees: Follow security practices, report incidents, protect passwords, and handle data responsibly.

• Managers: Enforce policy, ensure staff training, and approve access requests.

• IT/Security Team: Maintain systems, monitor threats, respond to incidents, and review compliance.

• Third Parties: Must comply with contractual security requirements and this policy.

4. Access Control

• Access is granted based on least privilege (only what’s necessary for job duties).

• Strong authentication (complex passwords, MFA where possible) is required.

• Accounts are reviewed regularly and terminated promptly upon role changes or separation.

5. Data Collection

• PII and sensitive data: i2i Workforce provides outsourced HR and recruiting services. Our software vendor is Quiz Maker. This involves collecting employee identifiers (name, email, company name).

Quiz Maker (Training Platform Partner) Statement on Data Collection

Quiz Maker operates on the premise of highly accurate data; as such, security forms a core part of their business. To that end we employ several strategies and policies which aim to ensure our code and back-end application does no harm to your website and provides highly accurate and secure data.

Trusted by Thousands Every Day: Our backend infrastructure and code snippets are deployed on literally thousands of sites every day. For this reason, security sits as our top priority during every update release and monthly review.

Security Basics: Each embedded code snippet is unique to your account and survey/quiz. The snippet is only updated when your project is saved. We use JavaScript and CSS to create embedded surveys/quizzes. The code snippet is fetched over HTTP or HTTPS depending upon your site's settings. At no point does our code snippet collect information regarding your website visitors or modify your existing code.

Authentication: We require authentication for all management and data access features. Pages intended to be public are served over an SSL encrypted connection but do not require account authentication. All management and reporting features must be trusted by a validated account which is authenticated over an SSL encrypted connection. We do not enforce password complexity requirements but recommend the following: Passwords should be a minimum of 8 characters and include a mix of uppercase, lowercase and symbols and numbers. We also permit account access via Facebook and Google+ verification. Passwords are hashed and stored in a secure SQL database. No plain text passwords are stored. Multiple invalid login attempts are monitored and will result in account lockout. Account access may be restored with email verification. We encourage users to periodically update passwords and never use a password shared with another website.

Session Management and Tracking: Each time a user visits our site a unique session identifier is created which allows us to collect anonymous website tracking statistics. We utilize Google Analytics for tracking. Examples of information collected include:

• Date and Time of Visit

• IP Address

• Browser and Operating System

• Screen Resolution and Device Type

• Interactions with Content

• IP Geolocation

Encrypted Communication: All direct survey/quiz results are posted using 256-bit Rapid SSL encryption updated to use the strongest cipher suites available.

User Permissions: Each user is assigned access to only a single authenticated account. No users, including our staff, may access multiple user accounts under a single login. Standard and premium accounts provide only a single type of user account. This account provides full reporting and edit permissions to the authenticated account. Enterprise accounts are split into Administrator and Report roles. Administrators have full edit and reporting permissions and may access account and billing information. Report roles are limited to reporting features.

Audit Logging: We maintain extensive logs in order to review and improve security as well as performance. We record digital fingerprint, IP, browser tag and other related meta fields in our logs. At no time will these logs be made public.

Information Collection: The following describes the types of information collected during various interactions with our services.

Account Information: We collect personally identifying information such as IP address, first and last name, company name, and company email.

Respondent Information: We collect information such as IP, location, timing and website visitor metrics in order to provide both security and reporting features to quiz creators. We also use engagement metrics in order to deliver the most popular content to our website visitors.

Security Development Cycle: The Quiz Maker development cycle incorporates security as a primary and ongoing focus. The following provides a brief overview of the development cycle.

1. Initial security requirements defined

2. Function development

3. Threat model analysis, security risks and vulnerabilities analyzed

4. Peer code review

5. Security testing and vulnerability assessment

6. Feedback based review and refinement

Security Reviews

We utilize automated code vulnerability assessments to find common bugs. Each new feature and update undergoes rigorous testing and review on our dedicated testing platform prior to publishing. Manual code reviews are undertaken by peers. We periodically conduct third party security assessments utilizing various vendors.

Bug Feedback Policy: We encourage our users to conduct security assessments, but ask to be notified beforehand. We proactively pursue and monitor attacks daily. We consider user feedback integral to the development of our platform and will work with site visitors and customers to ensure the security of our platform and your data.

Information Access: Access to customer information is restricted within our business to the bare minimum of staff required. Access is granted only when it is required in order to support or perform core duties. We rely upon this information in order to evaluate usage trends and form plans for the development of new features. Sensitive information is never shared with anyone outside our business including third party contractors. We will never share or sell or otherwise disclose any data collected for any purpose. Employees are subject to disciplinary action, including but not limited to termination, if found to have breached allocated access.

Back End Infrastructure: We utilize the services of Liquid Web to maintain co-location dedicated servers in Michigan and Arizona. Our data center facilities include:

1. 24/7/365 hardware support

2. Military grade redundant power grid

3. 24/7/365 dedicated onsite security officer

4. Motion-detecting cameras

5. 22 ton up flow cooling

6. Tier-1 6 way redundant 1Gbps bandwidth

We operate a cloud-based infrastructure based on Cloudflare and AWS. Daily backups of code and data are stored offsite. Servers are patched automatically and reviewed regularly.

Incident Response and Uptime Record: Our security staff receive SMS notifications of outages and security related issues. Third party checks for service availability are performed every 15s. Average response time to outages is less than 5 minutes. We have maintained 100% uptime for a period of 18 months.