Last Updated: February 12, 2025
Company Information
Operating as Remodelmatch.com
Castlewood Media AB
Business Registration Number: 559419-8458
VAT Number: SE559419845801
Address: Box 160 c/o Conlega, 101 23 Stockholm, Sweden
Email: [email protected]
Website: https://castlewood.io
Operating Brand: https://remodelmatch.com | https://form.remodelmatch.com
Purpose
This document establishes the comprehensive data security procedures of Castlewood Media AB (“the Company”) to safeguard personal and business data collected, processed, and stored in the course of its operations, including lead generation activities under the Remodelmatch.com brand. These procedures ensure compliance with applicable regulations, such as the General Data Protection Regulation (GDPR), and reflect the Company’s commitment to maintaining the confidentiality, integrity, and availability of data.
Scope
These procedures apply to all data handled by the Company, including personal data (e.g., names, email addresses, phone numbers, IP addresses) collected via https://remodelmatch.com and https://form.remodelmatch.com, as well as internal business data. They encompass digital and physical data across all systems, devices, and third-party relationships.
1. Data Collection
- Methods: Data is collected through secure online forms, API integrations, and user-initiated submissions on Company websites.
- Security Protocols: All collection points utilize HTTPS with Transport Layer Security (TLS) 1.3 encryption. Form submissions are protected by CAPTCHA mechanisms to prevent automated abuse.
- Consent Management: Explicit user consent is obtained and logged via timestamped records, with opt-in mechanisms clearly presented and optional fields distinctly marked.
- Minimization: Only data necessary for the intended purpose (e.g., lead generation, service delivery) is collected.
2. Data Storage
- Infrastructure: Data is stored on cloud servers hosted by a GDPR-compliant provider (e.g., Amazon Web Services, located in the EU Frankfurt region), ensuring data residency within the European Economic Area (EEA).
- Encryption: Data at rest is encrypted using AES-256 standards, with keys managed via a secure key management system (e.g., AWS KMS).
- Redundancy: Daily encrypted backups are maintained on a separate, isolated server with a 30-day retention period.
- Retention Policy: Personal data is retained for a maximum of 12 months unless extended by user consent or legal obligation, after which it is securely deleted.
3. Access Control
- Role-Based Access: Access to data is granted based on job function, with predefined roles (e.g., Administrator, Marketing Specialist) documented in an access control matrix.
- Authentication: All systems require strong passwords (minimum 12 characters, including symbols) and multi-factor authentication (MFA) via authenticator apps (e.g., Google Authenticator).
- Session Management: Inactive sessions time out after 15 minutes, requiring re-authentication.
- Audit Trails: Access logs are generated and stored for 6 months, reviewed monthly by the IT team for anomalies.
4. Data Protection Measures
- Network Security: Firewalls (e.g., Cisco ASA) and intrusion detection/prevention systems (e.g., Snort) are deployed to monitor and block unauthorized access attempts.
- Endpoint Security: Company devices are equipped with antivirus software (e.g., CrowdStrike Falcon) and full-disk encryption (e.g., BitLocker).
- Patch Management: Operating systems, applications, and firmware are updated within 14 days of critical patch releases, with a documented patching schedule.
- Vulnerability Scanning: Quarterly scans are conducted using tools like Nessus, with findings remediated within 30 days.
- Penetration Testing: Annual third-party penetration tests are performed, with reports reviewed by management.
5. Third-Party Vendor Management
- Selection: Vendors are evaluated for security certifications (e.g., ISO 27001, SOC 2) before engagement.
- Contracts: Data Processing Agreements (DPAs) are executed with all third parties handling Company data, stipulating GDPR-compliant security obligations.
- Monitoring: Vendor performance and security practices are reviewed semi-annually, with termination clauses for non-compliance.
6. Physical Security
- Office Controls: Physical access to the Company’s mailing address (Box 160 c/o Conlega, Stockholm) is managed by a third-party provider with secure entry systems. Any on-site hardware (e.g., laptops) is stored in locked cabinets when not in use.
- Device Policy: Employees are prohibited from leaving devices unattended in public spaces, and lost devices are remotely wiped within 24 hours.
7. Incident Response
- Detection: Real-time monitoring tools (e.g., Splunk) alert the IT team to suspicious activity, such as multiple failed login attempts.
- Incident Classification: Incidents are categorized by severity (Low, Medium, High) within 12 hours of detection.
- Response Plan:
  - Containment: Immediate isolation of affected systems (e.g., disabling compromised accounts).
  - Notification: The Swedish Authority for Privacy Protection (IMY) is notified within 72 hours of a confirmed breach involving personal data, per GDPR. Affected individuals are informed if there’s a significant risk.
  - Resolution: Root cause analysis is completed within 7 days, with corrective actions implemented.
- Post-Incident: A lessons-learned report is produced, and procedures are updated as needed.
8. Data Disposal
- Digital Data: Expired data is overwritten using a secure deletion tool (e.g., DBAN) adhering to NIST 800-88 standards.
- Physical Records: Paper documents, if any, are shredded using a cross-cut shredder and disposed of via certified waste management services.
- Verification: Disposal actions are logged and verified by a designated employee.
9. Employee Training and Awareness
- Onboarding: New hires complete a 2-hour data security training session within their first week.
- Ongoing Training: Annual 1-hour refreshers cover GDPR, phishing prevention, and secure data handling.
- Simulations: Quarterly phishing simulations are conducted to test employee vigilance, with additional training for those who fail.
- Documentation: Training completion is recorded in an internal HR system.
10. Policy Review and Governance
- Frequency: This policy is reviewed annually in Q1, or sooner if triggered by significant operational changes, legal updates, or incidents.
- Responsibility: Max Fridell, Managing Director, oversees the review process and approves updates.
- Version Control: Changes are tracked with version numbers (e.g., v2.0) and archived for 5 years.
Contact
For inquiries or to report security concerns:
Max Fridell
Email: [email protected]
Address: Box 160 c/o Conlega, 101 23 Stockholm, Sweden