Security Statement
Updated September 29, 2025

This Security Statement is designed to provide you with insights into the security framework and practices of Fortress Affinity Management LLC, doing business as 1225 United (hereinafter “1225 United”, “we,” or “us”). For additional details on our data handling practices, please refer to our privacy policy.
Information Security Policy
1225 United has established a documented Information Security policy that outlines the responsibilities of employees and the acceptable use of information system resources. Prior to granting authorized access to 1225 United information systems, we obtain signed confirmations from users indicating that they have read, understood, and agreed to adhere to the established conduct rules. This policy undergoes regular reviews and updates as necessary.
Our security policies encompass a broad spectrum of security-related topics, ranging from general standards that all employees must follow, such as account, data, and physical security, to more specialized security standards that pertain to internal applications and information systems.
Organizational Security
1225 United adheres to the NIST Cybersecurity Framework, employing layered security controls to identify, prevent, detect, and respond to security incidents. The information security manager is also tasked with tracking incidents, conducting vulnerability assessments, mitigating threats, and managing risks.
Asset Management
The data and information system assets of 1225 United comprise customer and end-user assets as well as corporate assets. These assets are managed in accordance with our security policies and procedures. Personnel authorized by 1225 United who manage these assets are required to comply with the procedures and guidelines set forth in 1225 United security policies.
Personnel Security
Employees of 1225 United are expected to act in alignment with the company’s guidelines, which include confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees must sign and acknowledge the 1225 United code of conduct policy. This code outlines the expectation that every employee will conduct business in a lawful, ethical manner, with integrity, and with respect towards one another, as well as the company’s users, partners, and competitors.
Established processes and procedures are in place to manage the onboarding and offboarding of employees. New employees receive security training as part of their orientation. Furthermore, every 1225 United employee is required to read, understand, and complete a training course on the company’s code of conduct.
Physical & Environmental Security
1225 United has implemented policies, procedures, and infrastructure to ensure both the physical security of its data centers and the operational environment of these facilities. Standard physical security measures at each data center include electronic card access control systems, fire alarm and suppression systems, interior and exterior surveillance cameras, and security personnel.
Operational Security
Change Management
1225 United has established a change management process to ensure that all modifications to the production environment are executed thoughtfully. Changes to information systems, network devices, and other system components, as well as physical and environmental changes, are monitored and governed through a formal change control process. Each change is reviewed, approved, tested, and monitored post-implementation to ensure that the anticipated changes are functioning as intended.
Auditing and Logging
We maintain audit logs on our systems, documenting which personnel have accessed which systems. Access to our auditing and logging tools is restricted to authorized individuals. Security events are logged, monitored, and managed by trained security team members. Network components, workstations, applications, and monitoring tools are configured to track user activity.
Organizational roles for responding to events are clearly defined. Security events that capture critical system configuration changes prompt alerts to administrators at the time of the change. Retention schedules for various logs are outlined in our security control guidelines.
Antivirus and Malware Protection
Antivirus and malicious code protection measures are centrally managed and configured to retrieve updated signatures and definitions. Policies for malicious code protection ensure that updates are automatically applied to these mechanisms. Antivirus tools are set to conduct scans, detect viruses, monitor real-time file write activity, and update signature files. Protection against viruses extends to laptop and remote users.
System Backups
1225 United has established standards and guidelines, along with associated procedures, for the timely and scheduled backup and restoration of data. Controls are in place to safeguard backed-up data, both onsite and offsite. We also ensure that customer data is securely transferred to and from backup locations. Regular tests are conducted to verify that data can be reliably restored from backup devices.
Network Security
Our infrastructure servers are protected by high-availability firewalls and are monitored for various network security threats. Firewalls are utilized to restrict access to systems from external networks and internally between systems. By default, all access is denied, allowing only explicitly permitted ports and protocols based on business needs.
1225 United maintains distinct development and production environments. Our next-generation firewalls (NGFWs) provide effective network segmentation through the establishment of security zones that regulate network traffic flow. These traffic flows are defined by strict firewall security policies.
Automated tools are implemented within the network to enable near-real-time analysis of events for the detection of system-level attacks. Next-generation firewalls deployed within the data center and remote office locations monitor outbound communications for unusual or unauthorized activities, which may indicate the presence of malware (e.g., malicious code, spyware, adware).
Data Protection
1225 United continually works to develop products that incorporate the latest recommended secure cipher suites and protocols to encrypt traffic during transit. We closely monitor the evolving cryptographic landscape and upgrade our products to address newly identified cryptographic weaknesses while implementing best practices as they develop. For encryption in transit, we also strive to maintain compatibility with older clients.
Vulnerability Management
Security assessments are conducted to identify vulnerabilities and evaluate the effectiveness of the patch management program. Each identified vulnerability is assessed for applicability, ranked by risk, and assigned to the appropriate team for remediation.
Patch Management
1225 United is committed to applying the latest security patches and updates to operating systems, applications, and network infrastructure to minimize exposure to vulnerabilities. Established patch management processes ensure that security updates are promptly implemented upon release by vendors. Patches are thoroughly tested before being deployed in the production environment.
Secure Network Connections
HTTPS encryption is configured for customer web application access, ensuring that user data in transit remains secure and accessible only to intended recipients. The level of encryption is negotiated based on TLS 1.2+ protocols, depending on the capabilities of the web browser.
Access Controls
Role-Based Access
Role-based access controls are implemented to govern access to information systems. Established processes and procedures address situations involving employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are established on a need-to-know/least privilege basis. Access control lists define the permissions of users within our information systems, and security policies limit them to authorized actions.
Authentication and Authorization
We require that authorized users be assigned unique account IDs. Our password policy applies to all relevant information systems, applications, and databases, enforcing the use of complex passwords to protect against unauthorized access.
Software Development Lifecycle
We adhere to a structured methodology for developing secure software, aimed at enhancing the resilience and trustworthiness of our products. Our products are deployed within an iterative, rapid release development lifecycle. Security and security testing are integrated throughout the software development process. Quality Assurance is involved at every phase of the lifecycle, and security best practices are a mandatory aspect of all development activities.
Our secure development lifecycle follows standard security practices, including vulnerability testing, regression testing, penetration testing, and product security assessments.
Incident Management
1225 United has a formal incident response plan (Incident Response Plan) and associated procedures to address information security incidents. The Incident Response Plan outlines the responsibilities of key personnel and specifies processes for notification. Incident response personnel undergo training, and the execution of the incident response plan is tested periodically.
An incident response team is charged with providing an incident handling capability for security incidents, encompassing preparation, detection and analysis, containment, eradication, and recovery.
Data Protection
We adhere to a set of personal data management principles concerning customer data that we may process, handle, and store. We implement appropriate physical, technical, and organizational security measures to safeguard personal data. Any non-public information processed, handled, or stored by 1225 United is encrypted at rest.
We exercise additional diligence regarding sensitive personal data and respect local laws and customs, where applicable.
1225 United processes personal information in a manner that is compatible with and relevant to the purpose for which it was collected or authorized, in accordance with our privacy policy. We take all reasonable measures to protect the information we receive from our users against loss, misuse, unauthorized access, disclosure, alteration, and/or destruction.