Information Security Policies

Chase & Marshal is committed to protecting all information assets under our stewardship — including client data, platform data, and internal operational information — from unauthorised access, disclosure, modification, or destruction.

Scope: This policy applies to all systems, services, and data managed by Chase & Marshal, including the SparkOS platform, the company website, email infrastructure, and any third-party services used to deliver consulting and technology services.

Principles: We apply a risk-based approach to information security. Controls are proportionate to the sensitivity and business criticality of the information concerned. We implement defence-in-depth — relying on multiple overlapping controls rather than any single safeguard.

Review: This policy and supporting controls are reviewed at least annually and following any significant security incident or material change to the platform.

Access to Chase & Marshal systems and services is granted for legitimate business and professional development purposes only. Users must not use the platform in any way that is unlawful, harmful, or contrary to the spirit of these policies.

Permitted use includes:

• Accessing assessments and tools for which the user has a valid licence or invitation
• Submitting genuine assessment responses that represent the user's own work
• Downloading and using purchased resources for personal or internal organisational use

Prohibited use includes:

• Sharing account credentials or assessment access tokens with unauthorised parties
• Attempting to reverse-engineer, scrape, or automated-harvest platform content or scoring logic
• Submitting false, manipulated, or AI-generated responses to scored assessments without disclosure
• Any activity intended to circumvent access controls, rate limits, or security mechanisms
• Using the platform to store, transmit, or process unlawful content

Violations may result in immediate suspension of access and, where appropriate, legal action.

Access to platform features and data is controlled through a four-tier role-based access control (RBAC) model. Each role is granted only the permissions necessary to fulfil its function — no more.

API enforcement: Every API endpoint validates the caller's session role server-side. Unauthenticated requests to protected endpoints return HTTP 401; insufficient-privilege requests return HTTP 403. Client-side route guards are complementary but not relied upon as the sole control.

Session management: Sessions are time-limited and invalidated on logout. Admin sessions require re-authentication after periods of inactivity.

Two-factor authentication: 2FA via TOTP is required for all admin accounts and is available as an opt-in for all registered users.

A security incident is any event — suspected or confirmed — that threatens the confidentiality, integrity, or availability of Chase & Marshal information assets or client data. This includes unauthorised access, data leakage, credential compromise, denial of service, or malware.

Phase 1 — Detection & Triage

Incidents may be identified through automated monitoring, user reports, or third-party notification. On receipt of a potential incident report, the responsible team member immediately assesses severity and escalates to leadership if data exposure or service disruption is involved.

Phase 2 — Containment

The affected system, account, or service is isolated or suspended as quickly as possible to prevent further harm. Where feasible, this is done without destroying forensic evidence. Compromised credentials are rotated immediately.

Phase 3 — Notification

Affected users and clients are notified promptly and without undue delay once the nature and scope of the incident is understood. Where personal data has been involved and notification is required under applicable law (including the New Zealand Privacy Act 2020 and, where relevant, GDPR), we notify the appropriate supervisory authority within the legally mandated timeframe.

Phase 4 — Recovery & Post-Incident Review

Services are restored from a known-good state. A post-incident review is conducted within five business days to document root cause, timeline, and remediation actions. Findings inform updates to controls, policies, or training.

All data held or processed by Chase & Marshal is assigned to one of four classification tiers. The tier determines the handling, storage, access, and disposal requirements that apply.

All material changes to the Chase & Marshal platform — including new features, dependency updates, infrastructure changes, and configuration modifications — follow a structured change process designed to minimise risk and preserve security posture.

Review: Changes are reviewed by a second party before deployment. Security-sensitive changes (authentication, access control, data handling) receive heightened scrutiny and are tested in an isolated environment prior to release.

Testing: Automated end-to-end tests are run against every proposed change. Failures block deployment. Security-relevant logic is subject to additional manual review.

Rollback: Every deployment is reversible. The platform maintains versioned checkpoints enabling rapid rollback if a change introduces instability or a security regression.

Dependencies: Third-party libraries and platform dependencies are reviewed for known vulnerabilities on a regular basis. Critical security patches are applied promptly, prioritised above feature work.

Emergency changes: In the event that an urgent security fix must bypass normal review gates (for example, to contain an active incident), the deviation is documented and a retrospective review is conducted within two business days.