Privacy Policy

EndeavorCX – Integrated Security, Privacy & Resilience Program

Information Security Policy

Version 1.1 – January 5, 2025



1. Executive Summary

EndeavorCX delivers AI infrastructure that ingests, enriches, and analyzes high‑volume customer‑interaction data. The Information Security Policy codifies EndeavorCX’s commitment to confidentiality, integrity, and availability through a zero‑trust, cloud‑native program. Continuous improvement, measured by key security KPIs and external attestations, drives the program.

2. Scope

The policy applies to all information assets owned, processed, or controlled by EndeavorCX, including:

  • SaaS platform infrastructure in AWS, Azure, and GCP.


  • Corporate and production endpoints.


  • SaaS productivity and DevOps tooling.


  • Data—structured and unstructured—belonging to EndeavorCX or clients.


  • All personnel (employees, contractors, interns) and third parties with logical or physical access to EndeavorCX assets.


3. Authority & Governance

The Board delegates security oversight to the CEO, who appoints the Chief Information Security Officer (CISO) with authority to enforce this policy. 



4. Policy Management Lifecycle

  1. Drafting – The CISO owns authorship.


  2. Review – Legal and Engineering.


  3. Approval – CEO signs off.


  4. Publication – Policy lives in the Confluence Security hub; employees acknowledge within 14 days.


  5. Revision – Minimum annual review or upon significant business or regulatory change.


5. Roles & Responsibilities

Role – Responsibility

  • Board of Managers – Oversight, budget approval, risk tolerance.

  • CEO – Final authority, breach notification.

  • CISO – Program leadership, compliance, risk owner.

  • Security Team – Engineering, monitoring, IR, GRC.

  • Engineering – Secure SDLC, remediation, architecture compliance.

  • All Employees – Adhere to policy, complete training, report incidents.

  • Vendors – Contractual adherence to EndeavorCX security requirements.

6. Control Framework Overview

EndeavorCX maps each control family to NIST CSF Functions and SOC 2 Trust Service Criteria (TSC).

CSF Function – Control Families

  • Identify – Asset Mgmt, Risk Management, Vendor Risk, Data Classification

  • Protect – IAM, Data Protection, Secure SDLC, Endpoint Security, Physical Security, Security Training

  • Detect – Logging & Monitoring, Vulnerability Management

  • Respond – Incident Response

  • Recover – Business Continuity & Disaster Recovery

7. Control Families

7.1 Asset Management

Objective – Maintain an accurate inventory of assets and their classification.

  • Data owners assign sensitivity (Public, Internal, Confidential, Restricted).


  • Monthly reconciliation

7.2 Identity & Access Management (IAM)

  • Role‑based least privilege


  • Automated join / move / leave workflow.


  • Service accounts rotated every 90 days via AWS Secrets Manager.


7.3 Data Protection & Encryption

  • AES‑256 at rest (EBS, S3, RDS); TLS 1.3 in transit.


  • AWS KMS customer‑managed keys with annual rotation.


7.4 Secure Software Development Lifecycle (SSDLC)

  • Static, dependency, and secret scanning on every PR.


  • Mandatory security PR approval from AppSec engineer or above.


  • Quarterly penetration tests by CREST‑certified vendor; critical findings remediated < 15 days.


7.5 Vulnerability & Patch Management

  • Patch SLA: Critical < 7 days, High < 14 days, Medium < 30 days.


  • Exceptions documented in tickets and approved by CISO.


7.6 Logging, Monitoring & Detection

  • Centralized ingestion to AWS OpenSearch via Firehose.


  • Immutable retention 365 days hot, 2 years cold minimum.



7.7 Incident Response

  • Zoom #war‑room channel templates.


  • Annual tabletop + semi‑annual functional exercises.


  • Breach notification to clients within 24 hours of confirmation.


7.8 Business Continuity & Disaster Recovery

  • Multi‑AZ design; RPO ≤ 5 minutes, RTO ≤ 60 minutes.


  • Quarterly DR failover tests.


7.9 Vendor Risk Management

  • Security questionnaire + SOC 2 / ISO 27001 attestation required before onboarding.



7.10 Physical & Environmental Security

  • AWS and Google Cloud facilities; adherence to ISO 27001, SOC 2 reports reviewed annually.


  • Chicago HQ: badge access, CCTV, visitor logs retained 12 months.


7.12 Security Awareness & Training

  • New‑hire training within 7 days; annual refresher (≥ 95 % completion target).


7.13 Compliance & Privacy

  • HIPAA BAA available.



  • CCPA opt‑out workflow via trust portal


8. Data Retention & Destruction

Data Type – Retention (minimum) – Disposal Method

  • Production backups – 35 days – AWS lifecycle purge

  • Platform logs – 13 months – S3 object lifecycle → Glacier → delete

  • Customer data – Contractual term + 30 days – Cryptographic wipe (KMS key deletion)

  • Endpoint drives – N/A – NIST 800‑88‑r1 purge via certified vendor

9. Exceptions & Deviations

Teams submit an Exception Request in Jira with business justification, compensating controls, and expiry (≤ 180 days). CISO approves and SSC reviews at each meeting.

10. Glossary

  • EDR – Endpoint Detection & Response


  • JML – Join‑Move‑Leave workflow


  • KPI – Key Performance Indicator







EndeavorCX - Incident Management and Response Policy

Effective Date: 1/1/2025

EndeavorCX is committed to promptly and effectively managing security incidents to protect its systems, data, and stakeholders. This policy establishes a structured approach to detecting, reporting, investigating, and resolving incidents while minimizing business impact and ensuring compliance with legal and regulatory requirements.



1. Purpose

The purpose of this policy is to:

  • Define the process for identifying and managing security incidents.

  • Minimize risks and damage associated with incidents.

  • Ensure timely communication and resolution of incidents.

  • Comply with legal, regulatory, and contractual obligations.



2. Scope

This policy applies to:

  • All EndeavorCX systems, applications, networks, and data.

  • Employees, contractors, and third parties with access to EndeavorCX’s infrastructure.

  • Any suspected or confirmed security incidents, including but not limited to:

    • Unauthorized access or use of systems or data.

    • Data breaches or leaks.

    • Malware infections, phishing attacks, or denial-of-service (DoS) attacks.

    • System or network disruptions.



3. Incident Management Process

A. Identification

  • Detection: Use automated monitoring tools (e.g., Datadog, AWS CloudWatch) and manual observations to detect potential security incidents.

  • Indicators: Monitor for signs such as unusual system activity, unauthorized access attempts, or data anomalies.

B. Reporting

  • Mandatory Reporting: All employees, contractors, or third parties must report suspected incidents immediately to the Security Team at [email protected] or via the incident hotline.

  • Documentation: Include key details such as:

    • Date and time of detection.

    • Systems or data affected.

    • Observed symptoms or evidence.

C. Triage and Classification

  • Initial Assessment: The Security Team will assess the scope, severity, and impact of the incident.

  • Classification Levels:

    • Critical: Severe impact on operations, data breaches, or regulatory implications.

    • High: Significant impact but contained within internal systems.

    • Medium: Moderate impact with low likelihood of escalation.

    • Low: Minimal impact, routine resolution.

D. Containment

  • Immediate Actions: Isolate affected systems to prevent further damage.

  • Short-Term Measures: Apply firewalls, disable accounts, or block malicious IP addresses as necessary.

E. Eradication

  • Identify and remove the root cause of the incident, such as malware or compromised credentials.

  • Apply security patches and update configurations to address vulnerabilities.

F. Recovery

  • Restore affected systems and data from backups, ensuring integrity and functionality.

  • Monitor restored systems closely to confirm normal operations.

G. Post-Incident Review

  • Conduct a detailed post-mortem analysis to identify root causes and lessons learned.

  • Update policies, procedures, and security controls to prevent recurrence.



4. Communication and Escalation

  • Internal Notifications: The Security Team will notify senior management and affected departments of incident status and actions.

  • External Notifications: Notify regulatory authorities, customers, or third parties as required by law (e.g., GDPR requires notification within 72 hours).

  • Media Inquiries: Only authorized personnel may communicate with the media to maintain consistency and protect the company’s reputation.



5. Roles and Responsibilities

  • Employees: Report suspected incidents immediately and comply with investigation procedures.

  • Security Team: Detect, classify, investigate, and resolve incidents. Maintain incident logs and coordinate response efforts.

  • Management: Ensure resources and support for effective incident management.

  • Third-Party Vendors: Comply with reporting requirements and assist in resolving incidents involving their systems or services.



6. Monitoring and Continuous Improvement

  • Incident metrics (e.g., detection time, response time, resolution time) must be tracked and reviewed monthly.

  • Conduct regular incident response drills to ensure readiness.

  • Update the Incident Response Plan annually or after significant incidents.



7. Compliance

Non-compliance with this policy may result in disciplinary action, up to and including termination of access or employment. Legal consequences may apply for negligence or willful violations.



8. Policy Review

This policy will be reviewed annually or whenever significant changes occur in the threat landscape, organizational structure, or legal requirements.



9. Contact

For questions or incident reporting, contact:
Email: [email protected]




EndeavorCX - Data Retention and Protection Policy

Effective Date: 1/1/2025

EndeavorCX (“we,” “our,” or “us”) is committed to maintaining the integrity, confidentiality, and availability of all data it collects, processes, and stores. This policy outlines the principles and practices for retaining and protecting data in compliance with applicable laws, regulations, and organizational standards.



1. Purpose

This policy is designed to:

  • Ensure the secure handling, storage, and disposal of data.

  • Minimize risks associated with over-retention or premature deletion of data.

  • Comply with legal, regulatory, and business requirements.



2. Scope

This policy applies to all data handled by EndeavorCX, including:

  • Data Types: Customer data, employee records, financial data, operational data, and system logs.

  • Data Formats: Electronic, paper-based, or any other formats.

  • Data Systems: Applications, databases, file systems, and cloud services.

  • Employees and Third Parties: All staff, contractors, and vendors with access to EndeavorCX’s data.



3. Data Retention Policy

  1. Retention Periods:


    • Customer Data: Retained for the duration of the customer relationship and up to 30 days after service termination, unless otherwise required by law.

    • Employee Data: Retained for 7 years after termination of employment in compliance with labor laws.

    • Financial Records: Retained for 7 years, as mandated by tax and financial regulations.

    • System Logs: Retained for 12 months for security and operational auditing purposes.

    • Archived Data: Moved to secure archival systems once operational use is complete, retained for up to 7 years unless a longer period is required by specific regulations.

  2. Review and Disposal:


    • Data must be reviewed annually to ensure continued relevance.

    • Data no longer required will be securely deleted or anonymized using industry-standard practices such as DoD 5220.22-M wiping or cryptographic erasure.



4. Data Protection Policy

  1. Access Control:


    • Data access is restricted based on the principle of least privilege.

    • Multi-factor authentication (MFA) is required for accessing sensitive systems.

    • Regular user access reviews are conducted quarterly to ensure proper permissions.

  2. Encryption:


    • Data at rest and in transit must be encrypted using AES-256 and TLS 1.3, respectively.

  3. Backup and Recovery:


    • Regular backups of critical data are performed daily, with weekly full backups and incremental backups every 24 hours.

    • Backups are stored in secure, geographically distributed locations with at least one off-site copy.

    • Backup data is tested quarterly to ensure recoverability.

  4. Monitoring and Auditing:


    • Continuous monitoring of systems is performed using tools like Datadog and AWS CloudTrail for unauthorized access and suspicious activity.

    • Quarterly audits are conducted to verify compliance with this policy and identify potential gaps.

  5. Third-Party Protection:


    • Vendors and contractors with access to data must adhere to EndeavorCX security standards and sign data protection agreements.

    • Regular security evaluations of third-party systems are conducted annually.



5. Breach Response and Incident Handling

  1. Incident Response Plan:


    • Suspected or confirmed data breaches must be reported to the Security Team within 24 hours.

    • The Security Team will investigate, contain, and mitigate the incident within 72 hours.

  2. Notifications:


    • Regulatory authorities will be notified within the legally required timeframe (e.g., 72 hours under GDPR).

    • Affected parties will be notified promptly, within 30 days, in compliance with applicable data protection laws.



6. Roles and Responsibilities

  • Data Owners: Ensure data retention and protection requirements are implemented for their respective areas.

  • Security Team: Monitor compliance, enforce encryption and access controls, and respond to incidents.

  • All Employees: Comply with retention schedules, secure data handling practices, and report suspected breaches.



7. Compliance

Non-compliance with this policy may result in disciplinary action, up to and including termination of access or employment, and may subject the individual to legal consequences.



8. Policy Review

This policy will be reviewed annually or upon significant changes to regulatory requirements, organizational practices, or technology.



9. Contact

For questions about this policy, contact:
Email: [email protected]




Vulnerability Management Policy

Policy Statement

EndeavorCX is committed to protecting its systems, applications, and data by proactively identifying, assessing, and remediating vulnerabilities. This policy establishes a structured approach to vulnerability management, ensuring consistent processes and accountability across the organization.



Purpose

The purpose of this policy is to:

  • Minimize the risk of exploitation by addressing vulnerabilities in a timely and effective manner.

  • Establish clear guidelines for identifying, prioritizing, and remediating vulnerabilities.

  • Ensure compliance with industry standards, regulatory requirements, and organizational security objectives.



Scope

This policy applies to all EndeavorCX systems, applications, networks, and third-party integrations, including production, staging, and development environments. It covers:

  • Servers, endpoints, and databases.

  • Cloud services, APIs, and external dependencies.

  • Third-party software and libraries.



Policy Requirements

  1. Vulnerability Identification

    • Regular vulnerability scans must be conducted using automated tools (e.g., Tenable, Nessus).

    • Third-party application penetration tests must be performed annually and after major system updates.

    • Real-time monitoring systems (e.g., Datadog) must alert on suspicious activity or known vulnerabilities.

  2. Vulnerability Assessment

    • Vulnerabilities must be categorized and scored using the Common Vulnerability Scoring System (CVSS) to determine risk levels:

      • Critical (9.0–10.0): Immediate threat requiring urgent remediation.

      • High (7.0–8.9): Significant risk requiring remediation within 7 days.

      • Medium (4.0–6.9): Moderate risk requiring remediation within 30 days.

      • Low (0.1–3.9): Low risk; address during routine updates.

    • The assessment must consider exploitability, impact, and environmental factors.

  3. Remediation

    • Critical and high-risk vulnerabilities must be resolved within the designated timelines.

    • Affected systems may be temporarily isolated to prevent exploitation during remediation.

    • For third-party vulnerabilities, coordinate with vendors or apply available patches promptly.

  4. Exception Management

    • Vulnerabilities that cannot be remediated within policy timelines must be documented with a formal risk acceptance process approved by senior management.

    • Compensating controls (e.g., firewall rules, access restrictions) must be implemented where feasible.

  5. Verification and Validation

    • Post-remediation scans must confirm the effectiveness of applied fixes.

    • Conduct periodic audits to ensure compliance with this policy.



Roles and Responsibilities

  • Security Team:

    • Conduct scans, prioritize vulnerabilities, and track remediation progress.

    • Provide guidance and tools for vulnerability management.

  • System Owners:

    • Apply patches and fixes to assigned systems.

    • Report vulnerabilities and implement compensating controls if necessary.

  • Third-Party Vendors:

    • Ensure timely patching of vulnerabilities in their products and services.



Monitoring and Reporting

  • Vulnerability management activities must be tracked and reported monthly to leadership.

  • Critical vulnerabilities must be escalated immediately to the executive team.

  • Metrics such as “mean time to remediation (MTTR)” must be monitored to evaluate program effectiveness.



Policy Review

This policy will be reviewed and updated annually or following significant changes to the technology stack, threat landscape, or organizational requirements.



Compliance

Non-compliance with this policy may result in disciplinary action, up to and including suspension of system access.



Third-Party Application Penetration Testing Policy

Policy Statement

EndeavorCX is committed to ensuring the security and resilience of its applications against evolving threats. To uphold this standard, the application undergoes regular third-party penetration testing to identify, assess, and remediate vulnerabilities that could compromise data integrity, confidentiality, or availability.



Policy Requirements

  1. Frequency of Testing

    • Third-party penetration testing must be conducted annually.

    • Additional tests are required following major application updates, including significant feature releases, architecture changes, or integration of new third-party services.

  2. Scope of Testing

    • The testing must encompass the full application stack, including:

      • Frontend: User interfaces and client-side logic.

      • Backend: APIs, servers, and business logic.

      • Database: Data storage and query mechanisms.

      • Third-Party Integrations: APIs, external services (e.g., payment gateways, cloud storage).

    • High-risk areas such as authentication, authorization, data handling, and API security must be prioritized.

  3. Third-Party Provider Standards

    • Testing must be conducted by an independent and certified security firm with expertise in application security.

    • Firms must employ certified professionals (e.g., OSCP, CISSP) and adhere to industry-standard methodologies such as OWASP and NIST 800-115.

  4. Tools and Techniques

    • Providers must use a combination of manual and automated testing techniques.

    • Recognized tools such as Burp Suite, Metasploit, and Nmap should be utilized to ensure comprehensive coverage.



Process

  1. Preparation

    • Define scope and objectives in collaboration with the testing firm.

    • Provide relevant documentation, such as architecture diagrams and API specifications.

    • Establish rules of engagement to protect production systems during testing.

  2. Execution

    • Simulate real-world attack scenarios across the application stack.

    • Identify vulnerabilities, including injection flaws, authentication weaknesses, and insecure APIs.

  3. Reporting and Remediation

    • Receive a detailed report outlining vulnerabilities, risk levels, and remediation recommendations.

    • Vulnerabilities must be remediated according to their severity, with critical issues addressed immediately.

    • Conduct follow-up testing to validate remediation efforts.



Compliance and Accountability

  • The Security Team is responsible for coordinating testing and ensuring remediation efforts are tracked to completion.

  • Testing records and remediation plans must be retained for audit purposes.

  • Non-compliance with this policy may result in escalated reviews and corrective action.



Policy Review

This policy will be reviewed annually to ensure alignment with industry standards, emerging threats, and organizational requirements.



EndeavorCX Secure Software Development Lifecycle (SSDLC)

At EndeavorCX, security is embedded into every phase of software development. This framework ensures that all applications are designed, built, and maintained with the highest security standards, minimizing risks and supporting our commitment to protecting data and systems.



1. Requirements

  • Security Objectives: Clearly define measurable security goals tailored to the software's purpose, such as ensuring data confidentiality, integrity, and availability.

  • Regulatory & Compliance: Identify all applicable regulations (e.g., GDPR, PCI-DSS, HIPAA) and incorporate these requirements into project planning.

  • Baseline Controls: Establish mandatory security controls, such as encryption, user authentication, and logging standards.

2. Architecture & Design

  • Threat Modeling: Perform a structured review of potential threats and vulnerabilities, mapping data flows and attack vectors.

  • Secure Design Patterns: Implement principles like least privilege, defense-in-depth, and secure failover mechanisms in system design.

  • Dependency Analysis: Review third-party libraries and frameworks for known vulnerabilities and assess their suitability for the project.

3. Implementation

  • Secure Coding Standards: Enforce guidelines aligned with OWASP and EndeavorCX’s internal best practices to avoid common coding errors.

  • Code Reviews: Conduct peer and automated reviews to identify security flaws early in development.

  • Secrets Management: Ensure all sensitive data, such as API keys and credentials, is stored securely using vaults and not hard-coded.

  • Automation: Integrate Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools into the CI/CD pipeline.

4. Testing & Verification

  • Dynamic Application Security Testing (DAST): Evaluate the running application for vulnerabilities, such as cross-site scripting (XSS) or SQL injection.

  • Penetration Testing: Use internal teams or third-party experts to identify complex security flaws and validate defenses.

  • API Security Audits: Verify proper authentication, authorization, and rate-limiting mechanisms for all API endpoints.

  • Remediation Verification: Ensure all identified vulnerabilities have been fixed and retested before moving to production.

5. Deployment

  • Pre-Deployment Security Gate: Enforce a final review and approval process to ensure no critical vulnerabilities remain unresolved.

  • Infrastructure Hardening: Apply security configurations to servers, containers, and networks, following industry benchmarks (e.g., CIS).

  • Monitoring Setup: Implement real-time logging and anomaly detection for immediate alerting of potential security issues.

6. Maintenance

  • Continuous Monitoring: Track logs, events, and system behavior to identify and respond to security incidents quickly.

  • Vulnerability Management: Regularly scan for new vulnerabilities in the application and infrastructure and prioritize patching.

  • Incident Response: Maintain a documented, tested incident response plan to address breaches and reduce impact.

  • Periodic Security Reviews: Schedule reviews to evaluate evolving risks, system changes, and emerging threats.

7. Retirement

  • Secure Data Handling: Archive or securely erase sensitive data following EndeavorCX’s retention policies and applicable regulations.

  • System Decommissioning: Properly retire old systems, ensuring all components are securely removed to prevent exposure.

  • Post-Mortem Reviews: Document lessons learned during decommissioning and integrate them into future projects.



Conclusion

The EndeavorCX SSDLC reflects our commitment to security by ensuring that robust practices are integrated into every step of software development. This proactive approach reduces risks, protects our customers, and maintains trust in our systems and services.



Business Continuity Program (BCP)

EndeavorCX, Inc.
Effective Date: December 21, 2022 • Revision Date: January 5, 2025



1. Executive Summary

This Business Continuity Program (BCP) is established to ensure that all delegated functions—including call operations, IT systems, communications, and support processes—can continue during and after an outage or disaster. It provides a structured approach to maintain or rapidly recover critical business operations while protecting personnel, assets, and data integrity. The program incorporates elements of a Disaster Recovery Plan (DRP), Continuity of Operations Plan (COOP), Crisis Communications Plan, and Occupant Emergency Plan (OEP).



2. Program Objectives & Scope

Objectives:

  • Ensure uninterrupted support for key delegated functions during disruptions.


  • Minimize the effect of outages on the organization and its clients.


  • Provide clear operational procedures for varying lengths and severities of service interruption.


  • Deliver timely internal and external communication to manage expectations and mitigate misinformation.


  • Protect the well-being of employees and safeguard company property in physical emergencies.


  • Restore IT functions and data processing at alternate locations as needed.


  • Promptly identify and correct any issues to ensure swift recovery and service restoration.


Scope:
This program covers all critical operations for our call center outsourcing business, including:

  • Telecommunication Systems: Inbound/outbound call handling, interactive voice response (IVR), and call routing systems.


  • IT Infrastructure & Data Systems: CRM, network operations, backup/data recovery, and integration with client systems.


  • Operational Functions: Workforce management, quality assurance monitoring, and customer support processes.


  • Support Services: Crisis management, safety protocols, and compliance oversight.




3. Business Continuity Plan (BCP) – Systems and Processes

3.1 Critical Systems & Process Identification (i)

  • Telephony Systems: Ensure voice services, call routing, and IVR remain operational.


  • IT Systems: Maintain CRM, databases, data centers, and cloud services to handle customer data and analytics.


  • Operational Platforms: Workforce management software, reporting systems, and quality assurance tools.


  • Data Communications: Secure channels for client data transmission and internal communications.


Impact Analysis:
A detailed risk assessment is conducted quarterly to determine the impact of system outages. Factors include service downtime, revenue loss, reputational damage, and customer satisfaction levels.



4. Continuity of Operations Plan (COOP) (ii)

4.1 Plan Overview

The COOP outlines procedures to continue operations during short-term and extended disruptions. It includes:

  • Activation Criteria: Identification of triggers such as prolonged service outages, natural disasters, or cyber incidents.


  • Essential Operations: Prioritization of call-handling, customer support, and IT operations.


  • Resource Allocation: Pre-designated teams and roles assigned to maintain critical functions.


  • Alternate Facilities: Utilization of backup sites and remote working options for staff and IT operations if primary sites are inaccessible.


4.2 Execution

  • Staff Deployment: Cross-trained teams will assume critical roles if primary personnel become unavailable.


  • Process Redundancy: Establish redundant communication and IT systems to minimize single points of failure.


  • Performance Monitoring: Real-time metrics and dashboards to ensure minimal disruption to service levels.




5. Continuity Maintenance Procedures for Various Durations (iii)

5.1 Short-Term Disruptions (Minutes to Hours)

  • Immediate Response: Switch to backup systems, initiate pre-defined escalation procedures.


  • Interim Communication: Use temporary internal communication channels to inform teams.


5.2 Medium-Term Disruptions (Hours to Days)

  • Process Adaptation: Reassign critical tasks to remote workforces and operate from secondary sites.


  • Resource Scaling: Activate alternate IT resources and increase staffing flexibility to cover operational gaps.


5.3 Long-Term Disruptions (Days to Weeks)

  • Strategic Reallocation: Consider extended relocation of key operations and implement recovery of legacy systems.


  • Vendor and Sub-delegate Coordination: Engage third-party services as needed, monitored by our oversight team per sub-delegation agreements.


  • Continuous Review: Daily operational status updates until full restoration is achieved.




6. Crisis Communications Plan (iv)

6.1 Communication Procedures

  • Internal Communications:

    • Notification: Immediate alert to the Business Continuity Management (BCM) team, management, and affected departments via SMS, email, and secure messaging.


    • Updates: Regular briefings using a secure internal portal or conference calls.


    • Leadership Role: A dedicated Communications Manager coordinates messaging and disseminates updates.


  • External Communications:

    • Client Notifications: Pre-prepared templates for immediate notification on service status and expected resolution times.


    • Media Protocol: Clear guidelines on how to manage public inquiries and rumors.


    • Social Media and Web Updates: Monitor and update channels to prevent misinformation and control crisis narratives.




7. Occupant Emergency Plan (OEP) (v)

7.1 Safety Procedures

  • Immediate Action: Initiate evacuation or shelter-in-place protocols based on the nature of the threat (e.g., fire, severe weather, or security incidents).


  • Emergency Contacts: Maintain an updated contact list of emergency services and designated company safety liaisons.


  • Evacuation Routes: Clear signage and regularly practiced evacuation drills within all primary facilities.


  • Assembly Points: Pre-determined safe zones or meeting areas outside of the building for headcounts and further instructions.


  • Employee Training: Regular safety and emergency preparedness exercises to reduce response time and injury risk.




8. Disaster Recovery Plan (DRP) for IT Functions (vi)

8.1 IT Impact Identification

  • Critical IT Functions: Identify systems essential for operations (e.g., CRM, telephony, data storage) and map dependencies.


  • Damage Assessment: Rapid evaluation of the disaster’s impact on data, network integrity, and system functionalities.


8.2 Relocation & Recovery Procedures

  • Alternate Sites: Pre-arranged secondary data centers and remote access capabilities.


  • Data Backup: Daily backups stored both offsite and in secure cloud storage.


  • Restoration Process: Prioritized restoration protocols to re-establish IT operations within established Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).


  • Vendor Coordination: Liaise with IT service providers and cloud vendors for expedited support and resource allocation during emergencies.




9. Prompt Problem Detection and Corrective Action Procedures (vii)

9.1 Incident Detection & Reporting

  • Monitoring Tools: 24/7 monitoring systems for all critical IT and operational functions, with automated alerts for anomalies.


  • Reporting Mechanisms: Immediate reporting protocols via our incident management system, ensuring issues are escalated appropriately.


9.2 Corrective Actions

  • Root Cause Analysis: Initiate detailed analysis for any detected problems to identify underlying issues.


  • Action Plans: Develop and deploy corrective action plans with defined timelines and responsibilities.


  • Feedback Loop: Post-incident reviews to update procedures and strengthen future prevention efforts.


  • Documentation: Maintain detailed incident logs and corrective action reports accessible for compliance audits and third-party assessments.




10. Roles and Responsibilities

10.1 Business Continuity Management Team (BCMT)

  • Program Leader: Oversees overall continuity planning, activation of the BCP, and coordination of recovery efforts.


  • IT Recovery Manager: Manages IT-related recovery and alternate site activation.


  • Communications Manager: Coordinates both internal and external crisis communications.


  • Safety Coordinator: Responsible for executing the OEP, including evacuations and emergency response procedures.


  • Operations Liaison: Monitors operational continuity, ensuring that critical business functions persist.





11. Training, Testing, and Maintenance

11.1 Training

  • Employee Awareness: Regular training programs to ensure every team member understands their role during a disruption.


  • Drills & Simulations: Scheduled drills (both announced and surprise) for evacuation, IT recovery, and crisis communications.


11.2 Testing & Review

  • Annual Exercises: Comprehensive testing of the entire BCP, including COOP, DRP, and OEP.


  • Periodic Reviews: Quarterly assessments and after-action reviews following tests or real incidents to refine procedures.


  • Documentation Updates: Ongoing revision of policies, procedures, and contact information to reflect changes in operations or organizational structure.






12. Conclusion

This Business Continuity Program is a living document designed to adapt to changing risks and business needs. Through continuous testing, regular updates, and a commitment to proactive planning, EndeavorCX ensures that all critical functions will remain resilient in the face of disruptions—securing the operational integrity and safety of our employees and maintaining exceptional service for our clients.



EndeavorCX Privacy Policy

Effective Date: 1/1/2025

EndeavorCX (“we,” “our,” or “us”) respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you interact with our services. By using our services, you agree to the terms of this Privacy Policy.



1. Information We Collect

We collect information to provide and improve our services, and the types of information we collect include:

A. Information You Provide

  • Personal Information: Name, email address, phone number, and other identifiers you provide when you interact with us.

  • Account Information: Login credentials, preferences, and settings associated with your account.

  • Payment Information: Credit card details and billing information for processing transactions.

B. Automatically Collected Information

  • Usage Data: Information about how you interact with our services, such as IP address, browser type, device information, and activity logs.

  • Cookies and Tracking Technologies: Data collected through cookies, beacons, or other technologies to enhance user experience and analyze usage trends.

C. Information from Third Parties

We may receive information from trusted third parties, such as payment processors or analytics providers, to enhance our services.



2. How We Use Your Information

We use the information we collect for legitimate business purposes, including:

  • To Provide Services: To fulfill requests, process payments, and deliver services you have requested.

  • To Improve Our Services: Analyze usage, develop new features, and optimize performance.

  • To Communicate with You: Respond to inquiries, send updates, and provide information about our products.

  • To Ensure Security: Detect and prevent fraud, unauthorized access, or malicious activity.

  • To Comply with Legal Obligations: Meet legal requirements, enforce agreements, and resolve disputes.



3. Information Sharing and Disclosure

We do not sell your personal information. However, we may share your information under the following circumstances:

  • Service Providers: With trusted vendors who assist in providing our services, such as payment processors, hosting providers, and analytics platforms.

  • Legal Compliance: When required to comply with applicable laws, regulations, or legal processes.

  • Business Transfers: In connection with mergers, acquisitions, or sales of assets, where your information may be transferred as part of the transaction.

  • With Your Consent: When you explicitly consent to sharing your information for specific purposes.



4. Data Retention

We retain personal information only as long as necessary to fulfill the purposes outlined in this policy or comply with legal obligations. When no longer required, we securely delete or anonymize the information.



5. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request access to the personal information we hold about you.

  • Correction: Request correction of inaccurate or incomplete information.

  • Deletion: Request deletion of your personal information, subject to applicable laws.

  • Opt-Out: Opt out of marketing communications or certain data processing activities.

To exercise these rights, contact us at chris@endeavorcx.com. We will respond within the timeframes required by law.



6. Data Security

We implement administrative, technical, and physical safeguards to protect your information from unauthorized access, disclosure, or misuse. However, no security measure is completely foolproof, and we cannot guarantee absolute security.



7. International Data Transfers

If you are accessing our services from outside the United States, your information may be transferred to, stored, and processed in the United States or other jurisdictions with different data protection laws.



8. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. The updated policy will be posted with the "Effective Date" at the top. Continued use of our services indicates your acceptance of the updated terms.



9. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, contact us at:

Email: [email protected]
Address: 1309 COFFEEN AVE STE 1200, SHERIDAN, WY 82801



Legal Notice

This Privacy Policy does not create any contractual rights or obligations beyond those required by applicable laws.