Security Policy

Last updated: December 11, 2025

Our Commitment to Security

At Globalesm, security is at the core of everything we do. We understand the critical importance of protecting your data, especially in healthcare and enterprise environments. This Security Policy outlines our comprehensive approach to safeguarding your information and maintaining the highest security standards.

Security Framework

Compliance & Certifications

We maintain compliance with industry-leading security standards and regulations:

  • HIPAA Compliance: Full compliance with Health Insurance Portability and Accountability Act requirements for handling protected health information (PHI)
  • SOC 2 Type II: Independent attestation report covering the security, availability, processing integrity, confidentiality, and privacy trust services criteria
  • GDPR: Compliant with General Data Protection Regulation for EU data protection
  • ISO 27001: Information security management system (ISMS) aligned with the ISO/IEC 27001 standard

Data Encryption

We employ multiple layers of encryption to protect your data:

  • Data in Transit: All data transmitted between your systems and ours is encrypted using TLS 1.3 with 256-bit AEAD cipher suites
  • Data at Rest: All stored data is encrypted with AES-256
  • Database Encryption: Database-level encryption for all sensitive information
  • Backup Encryption: All backups are encrypted and stored in secure, geographically distributed locations

Infrastructure Security

Cloud Security

Our infrastructure is built on enterprise-grade cloud platforms with multiple security layers:

  • AWS infrastructure with dedicated VPCs and security groups
  • Multi-region redundancy for high availability
  • DDoS protection and web application firewalls
  • Automated security patching and updates
  • Intrusion detection and prevention systems

Network Security

  • Firewalls and network segmentation
  • Virtual Private Networks (VPNs) for secure remote access
  • Regular penetration testing and vulnerability assessments
  • 24/7 network monitoring and threat detection
  • IP allowlisting and access control lists (ACLs)

Access Control

Authentication & Authorization

We implement strict access controls to ensure only authorized personnel can access systems and data:

  • Multi-Factor Authentication (MFA): Required for all system access
  • Role-Based Access Control (RBAC): Permissions granted on the principle of least privilege for all users
  • Single Sign-On (SSO): Integration with enterprise identity providers
  • Session Management: Automatic timeout and secure session handling
  • Access Logging: Comprehensive audit trails of all access attempts

Employee Access

  • Background checks for all employees with data access
  • Mandatory security training and awareness programs
  • Regular access reviews and recertification
  • Immediate access revocation upon termination
  • Confidentiality and non-disclosure agreements

Application Security

Secure Development Lifecycle

Security is integrated into every phase of our development process:

  • Security requirements analysis and threat modeling
  • Secure coding practices and code reviews
  • Static and dynamic application security testing (SAST/DAST)
  • Dependency scanning for vulnerable libraries
  • Security testing before production deployment

API Security

  • OAuth 2.0 and JWT token-based authentication
  • API rate limiting and throttling
  • Input validation and sanitization
  • API versioning and deprecation policies
  • Comprehensive API documentation and security guidelines
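The checks an API gateway has to make on a bearer JWT are easy to get wrong, so here is an added illustration of the validation the "OAuth 2.0 and JWT token-based authentication" item implies. This is example code written for this page, not Globalesm's own gateway; the shared secret, issuer URL and audience are hypothetical, and HS256 is used only because it needs no key-management setup to run offline. It pins the algorithm before touching any cryptography (so `alg: none` and algorithm-confusion tokens are rejected outright), compares signatures in constant time, and then enforces `exp`, `nbf`, `iss` and `aud`.

```python
"""Minimal HS256 JWT issue/verify pair showing the checks a resource server must make.

Example code for illustration; the secret, issuer and audience below are
constructed values, not real configuration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical configuration for the example only.
SECRET = b"example-shared-secret-do-not-use"
EXPECTED_ISS = "https://auth.example.test"
EXPECTED_AUD = "api.example.test"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: sign the header and claims with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Resource-server side: return the claims of a valid token or raise ValueError.

    Order matters: the algorithm is pinned before any signature work, so a
    header claiming "none" (or a different algorithm) never reaches the
    comparison, and the signature is checked before any claim is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(
        secret, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud_list:
        raise ValueError("wrong audience")
    return claims


def is_accepted(token: str, now: float) -> bool:
    """Convenience wrapper: True only when every check in verify_token passes."""
    try:
        verify_token(token, now=now)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    issued = int(time.time())
    tok = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-1", "exp": issued + 300})
    print("valid:", is_accepted(tok, issued))
    h, p, s = tok.split(".")
    print("alg=none rejected:", not is_accepted(_b64url_encode(b'{"alg":"none"}') + "." + p + ".", issued))
```

In production the same ordering applies with an asymmetric algorithm (RS256/ES256) and a key looked up by `kid` from the identity provider's JWKS endpoint; the point the example makes is that the accepted algorithm and key set come from the server's configuration, never from the token header.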

Data Protection

Data Classification

We classify data based on sensitivity and apply appropriate security controls:

  • Public: Information intended for public consumption
  • Internal: Business information for internal use only
  • Confidential: Sensitive business or customer information
  • Restricted: Highly sensitive data (PHI, PII) with strict access controls

Data Handling

  • Data minimization: collect only the information needed for the service
  • Secure data disposal and sanitization procedures
  • Data loss prevention (DLP) systems
  • Regular data backup and disaster recovery testing
  • Secure file transfer protocols

Incident Response

Security Incident Management

We maintain a comprehensive incident response plan:

  • 24/7 security operations center (SOC) monitoring
  • Defined incident response procedures and escalation paths
  • Rapid incident detection and containment
  • Forensic analysis and root cause investigation
  • Timely notification to affected parties as required by law
  • Post-incident review and remediation

Breach Notification

In the unlikely event of a security breach affecting your data, we will:

  • Notify affected parties within 72 hours of discovery
  • Provide detailed information about the incident
  • Outline steps taken to mitigate the breach
  • Offer guidance on protective measures
  • Comply with all applicable breach notification laws

Business Continuity

Disaster Recovery

  • Comprehensive business continuity and disaster recovery plans
  • Regular backup of all critical systems and data
  • Geographically distributed backup locations
  • Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Annual disaster recovery testing and drills

High Availability

  • 99.9% uptime SLA
  • Load balancing and auto-scaling
  • Multi-region failover capabilities
  • Real-time system monitoring and alerting
  • Redundant infrastructure components

Third-Party Security

Vendor Management

We carefully vet all third-party vendors and service providers:

  • Security assessments before vendor engagement
  • Contractual security requirements and SLAs
  • Regular vendor security audits and reviews
  • Data processing agreements (DPAs) for data processors
  • Vendor access monitoring and logging

Security Monitoring & Testing

Continuous Monitoring

  • Real-time security information and event management (SIEM)
  • Automated vulnerability scanning
  • Log aggregation and analysis
  • Anomaly detection and behavioral analysis
  • Security metrics and KPI tracking

Security Testing

  • Annual third-party penetration testing
  • Quarterly vulnerability assessments
  • Regular security audits and compliance reviews
  • Bug bounty program for responsible disclosure
  • Red team exercises

Your Responsibilities

Security is a shared responsibility. We ask that you:

  • Keep your login credentials confidential
  • Use strong, unique passwords
  • Enable multi-factor authentication when available
  • Report any suspicious activity immediately
  • Keep your systems and software up to date
  • Follow security best practices in your organization

Security Updates

We continuously improve our security posture and update this policy as needed. We will notify you of any material changes to our security practices.

Contact Us

If you have questions about our security practices or wish to report a security concern:

  • Security Team: security@globalesm.com
  • Phone: +1 (305) 204-9635
  • Address: 1110 Brickell Avenue, Suite 431, Miami, FL 33131

For responsible disclosure of security vulnerabilities, please email security@globalesm.com with details. We appreciate the security research community's efforts in helping us maintain a secure environment.