Security Compliance

Categories: Security, Infrastructure, Compliance

Security policies, procedures, and infrastructure compliance for Ethical Capital

Published: September 25, 2025

1 Security Compliance

1.1 Overview

Ethical Capital applies one security baseline across all systems and infrastructure, with particular emphasis on the books-and-records requirements of SEC Rule 204-2 (Investment Advisers Act) and on protecting client data.

1.2 Access Control & Authentication

1.2.1 Cloudflare Access Security

Cloudflare Access is configured default-deny: every internal resource requires an authenticated identity, while the public website remains reachable without one.

Key features:

  • Zero Trust architecture: requests to protected hostnames are authenticated at Cloudflare's edge before they reach the origin
  • Identity-based authentication restricted to the @ethicic.com email domain
  • Automatic protection for new resources: a new internal hostname is denied until an allow policy is written for it
  • Comprehensive audit logging of every access decision

Protected resources:

  • Matrix vector search system
  • Internal documentation
  • All development and internal subdomains

1.3 Infrastructure Security

1.3.1 Network Security

  • Cloudflare DDoS protection
  • TLS encryption (HTTPS) for all endpoints
  • Secure DNS configuration
  • Geographic access controls where appropriate

1.3.2 Application Security

  • Input validation and sanitization
  • Secure coding practices
  • Regular security updates
  • Vulnerability scanning

1.4 Data Protection

1.4.1 SEC Rule 204-2 Compliance

  • Access controls limiting records systems to properly authorized personnel
  • Audit trails for data access
  • Retention schedules meeting the rule's minimum period (five years from the end of the fiscal year of the last entry, the first two years readily accessible)
  • Secure disposal procedures once the retention period has ended

1.4.2 Encryption

  • Data at rest encryption
  • Data in transit encryption
  • Key management procedures
  • Certificate management

1.5 Monitoring & Incident Response

1.5.1 Security Monitoring

  • Real-time access logging
  • Anomaly detection
  • Failed authentication monitoring
  • Regular security audits

1.5.2 Incident Response

  • Defined response procedures
  • Containment strategies
  • Investigation protocols
  • Recovery processes

1.6 Compliance & Auditing

1.6.1 Regular Audits

  • Weekly: Access log reviews
  • Monthly: Access policy testing (confirm each protected resource still requires authentication)
  • Quarterly: User access reviews
  • Annually: Security architecture review
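The failed-authentication monitoring in 1.5.1 and the weekly access-log review in 1.6.1 both come down to the same questions: who was denied, from where, how often, and did any allowed login come from an identity outside @ethicic.com (which would mean an allow policy is wider than the default-deny design intends). The script below is an added example, not Ethical Capital's own tooling. It assumes newline-delimited JSON records with the fields Cloudflare's Access request logs expose (user_email, ip_address, app_domain, allowed, created_at, country); the field names are an assumption, and the sample records are constructed for illustration.

```python
"""Weekly review of Cloudflare Access authentication logs (added example).

Assumes NDJSON records with user_email, ip_address, app_domain, allowed,
created_at and country fields (assumed to match Cloudflare's Access request
log export). The sample log below is constructed, not real traffic.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

ALLOWED_DOMAIN = "ethicic.com"  # the only identity domain the policy should admit
DENIED_THRESHOLD = 3            # repeated denials from one IP worth a closer look

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
{"created_at":"2025-09-22T09:01:12Z","user_email":"alice@ethicic.com","ip_address":"203.0.113.10","app_domain":"docs.ethicic.com","allowed":true,"country":"US"}
{"created_at":"2025-09-22T09:05:40Z","user_email":"alice@ethicic.com","ip_address":"203.0.113.10","app_domain":"search.ethicic.com","allowed":true,"country":"US"}
{"created_at":"2025-09-23T02:14:03Z","user_email":"bob@gmail.com","ip_address":"198.51.100.7","app_domain":"docs.ethicic.com","allowed":false,"country":"RU"}
{"created_at":"2025-09-23T02:14:51Z","user_email":"bob@gmail.com","ip_address":"198.51.100.7","app_domain":"docs.ethicic.com","allowed":false,"country":"RU"}
{"created_at":"2025-09-23T02:15:30Z","user_email":"carol@gmail.com","ip_address":"198.51.100.7","app_domain":"dev.ethicic.com","allowed":false,"country":"RU"}
{"created_at":"2025-09-24T11:30:00Z","user_email":"contractor@partner.example","ip_address":"192.0.2.44","app_domain":"dev.ethicic.com","allowed":true,"country":"US"}
"""


def parse_access_log(text):
    """Parse NDJSON records; skip blank or malformed lines instead of aborting the review."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        # "Z" suffix is not accepted by fromisoformat before Python 3.11.
        rec["created_at"] = datetime.fromisoformat(rec["created_at"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def email_domain(email):
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def review(records, since=None, allowed_domain=ALLOWED_DOMAIN, denied_threshold=DENIED_THRESHOLD):
    """Return the findings a weekly review should surface.

    since: optional timezone-aware datetime; records before it are ignored.
    """
    if since is not None:
        records = [r for r in records if r["created_at"] >= since]

    denied_by_ip = Counter()
    denied_targets = defaultdict(set)
    policy_gaps = []
    for rec in records:
        if not rec.get("allowed", False):
            denied_by_ip[rec["ip_address"]] += 1
            denied_targets[rec["ip_address"]].add(rec["app_domain"])
        elif email_domain(rec.get("user_email", "")) != allowed_domain:
            # An allowed login from outside the corporate domain means some policy
            # admits identities the default-deny design is supposed to reject.
            policy_gaps.append({
                "user_email": rec["user_email"],
                "app_domain": rec["app_domain"],
                "ip": rec["ip_address"],
                "at": rec["created_at"].isoformat(),
            })

    repeated_denials = [
        {"ip": ip, "count": n, "apps": sorted(denied_targets[ip])}
        for ip, n in denied_by_ip.most_common()
        if n >= denied_threshold
    ]
    return {
        "total": len(records),
        "denied": sum(denied_by_ip.values()),
        "repeated_denials": repeated_denials,
        "policy_gaps": policy_gaps,
    }


if __name__ == "__main__":
    findings = review(parse_access_log(SAMPLE_LOG))
    print(json.dumps(findings, indent=2))
```

Run against a real export, the two lists that matter are `repeated_denials` (an IP probing several protected hostnames is the pattern to escalate) and `policy_gaps`, which should always be empty; a non-empty list is a policy defect to fix before the next review, not an event to merely note.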

1.6.2 Compliance Frameworks

  • SEC Rule 204-2
  • SOC 2 Type II considerations
  • Data privacy regulations
  • Industry best practices

1.7 Security Policies

1.7.1 Access Management

  • User provisioning and deprovisioning
  • Role-based access control
  • Session management
  • Multi-factor authentication policies

1.7.2 Data Handling

  • Data classification schemes
  • Handling procedures by classification
  • Secure transmission requirements
  • Backup and recovery procedures

1.8 Training & Awareness

1.8.1 Security Training

  • New employee security orientation
  • Regular security awareness updates
  • Incident response training
  • Compliance training

1.8.2 Documentation

  • Security procedures documentation
  • Emergency contact information
  • Escalation procedures
  • Vendor security requirements