Innovation Minds Trust Center
We’re SOC 2 Type 2 Certified!
Innovation Minds recognizes that the confidentiality, integrity and availability of the information and data we create, maintain and host are vital to the success of the business and to the privacy of our partners. As a service provider, we understand the importance of providing clear information about our security practices, tools, resources and responsibilities so that our customers can feel confident in choosing us as a trusted provider. This Security Posture summarizes, at a high level, the steps we take to identify and mitigate risks, implement best practices, and continuously improve.
The following controls are implemented at Innovation Minds as part of our security program to ensure compliance.
Data Security
- Multi-Factor Authentication: All staff members with access to critical systems are protected using secure login mechanisms such as multi-factor authentication.
- Data Backups: User and system data are backed up regularly to meet recovery time and recovery point objectives. Backup integrity is verified.
- Testing for Reliability and Integrity: Backup information is tested periodically to verify media reliability and data integrity.
Network Security
- Impact Analysis: Systems generate information that is reviewed to determine impacts on internal controls.
- Limit Network Connections: Production database and SSH access are protected from public internet exposure.
- External System Connections: All production hosts are protected by firewalls with deny-by-default rules enforced by the cloud provider.
- Transmission Confidentiality: Standard encryption methods such as HTTPS with TLS are used to protect data in transit.
- Anomalous Behavior Detection: Audit events are reviewed and analyzed to detect suspicious or anomalous activity.
- Capacity & Performance Management: Critical assets are continuously monitored to ensure performance, capacity planning, and protection against denial-of-service attacks.
- Centralized Security Event Logging: Audit events related to security are generated and centrally collected for all critical systems.
Application Security
- Conspicuous Link to Privacy Notice: The website displays current information about services and privacy practices accessible to customers.
- Secure System Modification: Procedures are in place to govern changes to the operating environment.
- Approval of Changes: Formal approval procedures are followed before implementing changes.
Endpoint Security
- Malicious Code Protection: Endpoints accessing critical systems are protected by malware-protection software where applicable.
- Full Device or Container Encryption: Endpoints accessing critical data are encrypted to prevent unauthorized access.
- Endpoint Security Validation: Security and compliance checks are performed on device software versions and patches before internal access is granted.
Corporate Security
- Code of Business Conduct: Documented policies define acceptable business behavior.
- Competency Screening: Security-related roles are staffed by qualified individuals.
- Personnel Screening: Security risk screening is performed prior to granting access.
- Security & Privacy Awareness: Employees receive role-appropriate security and privacy training.
- Performance Reviews: Periodic evaluations are conducted for key operational roles.
- Automated Reporting: Employees are informed how to report security incidents and concerns.
- Incident Reporting Assistance: Customers are provided guidance on reporting incidents.
- Third-Party Criticality Assessments: Annual vendor risk assessments identify critical vendors.
- Assigned Security Responsibilities: Senior Management assigns an Information Security Officer.
- Internal Audit Using Sprinto: Continuous monitoring tracks the health of the security program.
- Program Review & Updates: The security program is reviewed and approved at planned intervals.
- Org Chart Review: Senior Management reviews and approves the organizational chart annually.
- Risk Review: Annual review and approval of the Risk Assessment Report.
- Third-Party Risk Review: Annual review of the Vendor Risk Assessment Report.
- Subservice Organization Evaluation: Subservice organizations are periodically reviewed.
- Testing: Regular tests assess contingency plan readiness.
- Asset Ownership Assignment: Asset ownership and protection responsibilities are defined.
- Updates During Installations & Removals: System inventories are updated during changes.
| Policy | Description | Request? |
|---|---|---|
| Acceptable Usage Policy | Acceptable Usage Policy outlines proper use of company systems, tools, equipment and data to protect critical information. | Request |
| Access Control Policy | Ensures access to company assets is controlled based on business and security requirements. | Request |
| Access Control Procedure | Framework for managing and controlling user access to systems and assets inside and outside the organization. | Request |
| Asset Management Policy | Guidelines for classification, protection, and handling of company assets across their lifecycle. | Request |
| Asset Management Procedure | Systematic approach for maintaining, handling, and protecting information assets. | Request |
| Business Continuity & Disaster Recovery Policy | Guidelines to ensure continuity of operations and recovery during disasters. | Request |
| Business Continuity Plan | Procedures to ensure resilience during extended service outages. | Request |
| Code of Business Conduct Policy | Defines expected behavior of staff members and promotes a respectful workplace. | Request |
| Communications & Network Security Policy | Ensures secure management of networks and protection from threats. | Request |
| Compliance Policy | Ensures adherence to statutory, regulatory, and contractual obligations. | Request |
| Compliance Procedure | Methods for managing regulatory and legal compliance within ISMS. | Request |
| Data Breach Notification Policy | Procedures for notifying individuals and authorities in case of a data breach. | Request |
| Data Classification Policy | Framework for categorizing data based on sensitivity and value. | Request |
| Data Retention Policy | Procedures for managing organizational data and business information. | Request |
| Encryption Policy | Guidelines for encrypting data at rest and in transit. | Request |
| Endpoint Security Policy | Measures to protect production systems and critical data. | Request |
| HR Security Policy | Safeguards company information throughout employee lifecycle. | Request |
| HR Security Procedure | Secure handling of employee information and company assets. | Request |
| Incident Management Policy | Measures for identifying and responding to security incidents. | Request |
| Incident Management Procedure | Framework for handling internal and external security incidents. | Request |
| Information Security Policy | Guidelines for safeguarding information system assets. | Request |
| Media Disposal Policy | Secure disposal of electronic and physical media. | Request |
| Network Security Procedure | Safeguards networks and cloud integrations from unauthorized access. | Request |
| Operation Security Policy | Ensures secure operation of production infrastructure. | Request |
| Operations Security Procedure | Guidelines for maintaining operational security. | Request |
| Organization of Information Security Policy | Defines governance framework for information security roles. | Request |
| Personal Data Breach Notification Procedure | Ensures GDPR-compliant breach notification. | Request |
| PHI Data Breach Notification Procedure | Ensures HIPAA-compliant notification for PHI breaches. | Request |
| Physical & Environmental Security Policy | Guidelines for managing physical and environmental threats. | Request |
| Physical and Environmental Security Procedure | Safeguards physical spaces and sensitive assets. | Request |
| Privacy By Design Policy | Integrates privacy into product and service lifecycle. | Request |
| Risk Assessment & Management Policy | Approach to identifying, prioritizing, and managing risks. | Request |
| SDLC Procedure | Defines software development lifecycle and engineering responsibilities. | Request |
| System Acquisition and Development Lifecycle Policy | Ensures security considerations throughout software acquisition and development. | Request |
| System Description | Imported from Sprinto. | Request |
| Vendor Management Policy | Guidelines for managing vendor relationships and data security. | Request |
| Vendor Management Procedure | Process for assessing and managing third-party vendor risks. | Request |
| Document | Description | Request? |
|---|---|---|
| ISMS Information Security Roles & Responsibilities | At Innovation Minds, safeguarding data is a shared responsibility. Our Information Security Management System (ISMS) outlines clear roles and responsibilities to ensure the confidentiality, integrity, and availability of information. Defined security duties across leadership and staff help maintain compliance, minimize risk, and respond swiftly to potential threats. Each role is supported with the necessary training, authority, and accountability. | Request |
| ISMS Manual | This manual outlines Innovation Minds’ Information Security Management System (ISMS), providing a comprehensive framework to safeguard the confidentiality, integrity, and availability of information assets. It defines policies, procedures, and controls aligned with ISO/IEC 27001 standards to manage risks, ensure compliance, and promote continuous improvement. | Request |
| Terms of Service | Innovation Minds Terms of Use define guidelines for using the platform, including user responsibilities, content ownership, privacy, and compliance with corporate agreements. By accessing the services, users agree to policies covering content usage, data protection, and fair engagement, ensuring a secure and collaborative experience. | Request |
| Master Services Agreement | Innovation Minds Master Services Agreement (MSA) and Statement of Work (SoW) templates define the commercial, legal, and operational terms governing customer engagements. | Request |
| Privacy Policy | Innovation Minds Privacy Policy explains how personal information is collected, used, and protected when using the platform. The policy emphasizes transparency, data security, and user control, ensuring compliance with applicable global privacy standards. | Request |
| Vulnerability Assessment Report | This report documents the findings and recommendations from Vulnerability Assessment and Penetration Testing (VAPT) conducted on the Innovation Minds platform. It covers testing methodologies, identified vulnerabilities (if any), risk ratings, and remediation actions to strengthen the overall security posture. | Request |
| Network Diagram | Innovation Minds operates on a scalable, secure, cloud-native AWS architecture using a modular microservices design. The platform supports high availability and fault tolerance, with VPC segmentation, load balancing, auto-scaling, and encrypted data flows using HTTPS and TLS 1.2+. Security controls include RBAC, MFA, and identity management via AWS Cognito and Okta. | Request |
| Innovation Minds SOC 2 Type 2 Report - 2024–2025 | Innovation Minds successfully completed its SOC 2 Type 2 examination for the 2024–2025 period. This independent audit validates that security, availability, and confidentiality controls are designed and operating effectively to protect client data and maintain trust. | Request |