Feraston

LAST UPDATED · 2026-02-24

01 / STATEMENT

Information Security Policy

Feraston maintains a controlled information security posture governing the issuance, classification, distribution, and protection of its Records and the limited data it holds.

STATUS · FINALIZED

02 / CLAUSES

01

Scope

This Policy describes the information security posture under which Feraston issues, classifies, distributes, and protects its Records, together with the limited data it holds in the course of its operations.

It applies to issued Records, to recipient and inquiry information, and to the systems used to operate the firm. This Policy operates alongside the Feraston Privacy Policy and Terms of Service.

02

Security Governance

Information security is governed at the firm level under a controlled operating model. Access to Records, and to the systems that hold them, is granted on a need-to-know basis and only to authorized personnel.

Authorized personnel are bound by confidentiality obligations consistent with the protection of the Material they handle.

03

Classification-Based Handling

Records, and the data Feraston holds, are handled according to their assigned classification. Classification determines how information is accessed, stored, and distributed within the firm.

The Access Classifications applied to issued Records are defined under the Feraston Schema Reference and Data License Agreement.

04

Access Control

Access to Records is role-bound, non-transferable, and limited to authorized personnel and authorized recipients. Access is granted, maintained, and withdrawn under Feraston's control and only while authorization subsists.

05

Record Integrity and Authenticity

Feraston maintains controls intended to preserve the integrity and authenticity of issued Records.

  • each Record is assigned a record signature at issuance;
  • Records are maintained in an append-only state following finalization and are not altered thereafter; corrections are issued as new versions;
  • Records are chained to their preceding record, establishing a verifiable issuance sequence;
  • only finalized Records are eligible for distribution; superseded Records are retained and excluded from active reference sets.

06

Distribution Security

Records are distributed through controlled channels by direct, non-public distribution. Feraston does not expose Records through a public endpoint.

Feraston applies reasonable technical and organizational measures to protect Records and associated data, including encryption in transit where supported. No method of transmission or storage is entirely secure.

07

Data Minimization and Retention

Feraston collects only the limited information necessary to operate its records, evaluation, access, and correspondence functions.

Recipient and inquiry information is retained only as long as necessary for the purposes for which it was collected. Issued Records are retained permanently under append-only governance.

08

Incident Response and Reporting

In the event of a security incident affecting the Material, Feraston will take reasonable steps to assess, contain, and address the incident, and to notify affected parties where appropriate.

Suspected vulnerabilities or security concerns may be reported through official Feraston channels.

09

Limitations

Feraston applies reasonable measures to protect information but does not warrant that its measures are infallible. Matters of representation, warranty, and liability are governed by the Feraston Terms of Service.