Last Updated: March 12, 2025
The purpose of this document is to outline the information security policy for GroveCFO AI, Inc. (“we,” “our,” or “us”), an AI-based fractional CFO service. We are committed to safeguarding our confidential and sensitive information, including financial data, and to maintaining the highest standards of security for our clients. This policy describes the measures we have taken to identify, mitigate, and monitor information security risks to ensure the confidentiality, integrity, and availability of our data, while minimizing the risk of unauthorized access, use, disclosure, modification, or destruction.
This policy applies to all employees, contractors, vendors, and third-party service providers who access or handle GroveCFO AI’s information assets. It covers all information assets, including but not limited to:
• Electronic Information: Computer systems, software, databases, networks, and cloud-based hosting.
• Physical Information: Paper documents, photographs, and other tangible media.
• Facilities: Buildings, rooms, and equipment.
• Financial Data: Sensitive financial information related to our clients, including bank accounts and accounting systems.
GroveCFO AI employs a risk-based approach to information security. We conduct regular risk assessments to identify, analyze, and evaluate information security risks. Our risk management process includes:
1. Identify Information Assets: Identifying all critical information assets, including sensitive financial data.
2. Identify Threats: Recognizing potential threats such as unauthorized access, cyberattacks, theft, and human error.
3. Assess Risks: Evaluating the likelihood and impact of each identified threat.
4. Implement Controls: Implementing appropriate security controls to mitigate or eliminate risks.
5. Monitor and Review: Continuously monitoring and reviewing the effectiveness of controls, making adjustments as necessary.
GroveCFO AI has implemented the following controls to ensure the confidentiality, integrity, and availability of information:
1. Access Control: Access to information assets is restricted to authorized personnel. We use strong authentication mechanisms such as passwords, multi-factor authentication (MFA), and biometric verification.
2. Data Encryption: Sensitive data is encrypted both in transit (using SSL/TLS) and at rest (using AES-256 encryption).
3. Physical Security: While GroveCFO AI operates in a cloud-based environment, physical security is maintained through our hosting providers, whose measures include access controls, security cameras, and alarms.
4. Incident Management: We have an incident response plan to handle security incidents, including data breaches and other security threats.
5. Staff Training and Awareness: We provide ongoing security awareness training to ensure employees understand their role in protecting information assets.
6. Regular System Updates and Patches: We apply system updates and patches regularly to address vulnerabilities and threats.
Information security is a shared responsibility across all employees and stakeholders:
• Management: Responsible for setting the security strategy, ensuring resources are available, and approving security policies.
• Security Officer: Responsible for implementing and maintaining the information security program, overseeing risk assessments, and coordinating incident responses.
• Employees: Responsible for maintaining the confidentiality and integrity of information assets, following security policies, and reporting incidents.
• Contractors and Vendors: Must adhere to GroveCFO AI’s security policies and practices.
GroveCFO AI classifies information assets based on sensitivity:
1. Confidential: Highly sensitive data, including financial records, personally identifiable information (PII), and intellectual property.
2. Internal Use Only: Data that is not intended for public disclosure but does not contain sensitive information.
3. Public: Information intended for public release.
Handling of information is based on classification:
• Encryption: Sensitive data is encrypted both at rest and in transit.
• Retention and Disposal: Data is retained according to legal and regulatory requirements and securely destroyed when no longer needed.
GroveCFO AI uses strict access controls to safeguard information:
1. Authentication: All users authenticate through multi-factor authentication (MFA).
2. Authorization: Access is granted based on job responsibilities, with periodic reviews to ensure appropriateness.
3. Monitoring: Access to systems is logged and monitored for suspicious activity. Unauthorized access attempts are investigated promptly.
In the event of a security incident, GroveCFO AI follows a structured incident response plan:
1. Incident Reporting: Employees, contractors, and vendors must report security incidents to the security officer immediately.
2. Incident Response Plan: The plan outlines roles, responsibilities, and communication strategies for addressing security incidents.
3. Investigation and Containment: The security officer investigates incidents, isolates affected systems, and takes corrective actions.
4. Incident Mitigation and Reporting: The security officer mitigates the impact, restores systems, and reports incidents to management and stakeholders.
While GroveCFO AI operates in a cloud-based environment and relies on its hosting providers for physical security, the following requirements apply to remote access and company devices:
• Remote Access: Employees must use secure VPN connections and follow MFA procedures when accessing systems remotely.
• Company Laptops: All company laptops must be configured with screen locks, encrypted storage, and regular software updates to protect sensitive data.
GroveCFO AI uses the following network security measures to protect our data:
1. Firewall: We use firewalls to restrict unauthorized access and prevent malicious traffic.
2. Encryption: SSL/TLS encryption is used for secure web communications, and all other data in transit is encrypted as well.
3. Access Control: Network access is limited to authorized personnel through strong authentication mechanisms.
4. Intrusion Detection and Prevention: We use systems to detect and prevent unauthorized access and suspicious activities.
5. Vulnerability Management: Regular vulnerability scans and penetration tests are conducted to identify and mitigate risks.
GroveCFO AI has established a business continuity and disaster recovery plan to ensure the availability of our services in the event of a disruption:
• Cloud-Based Infrastructure: We leverage redundant cloud services to minimize service disruptions.
• Data Backups: Regular backups of critical data are maintained and stored securely to facilitate recovery in case of a disaster.
GroveCFO AI is committed to complying with all applicable laws and regulations, including GDPR, CCPA, and industry standards:
1. Compliance: We regularly review and update our security policies to ensure compliance with laws and regulations.
2. Auditing: Internal and external audits are conducted regularly to verify compliance with security controls and identify areas for improvement.
As part of our services, GroveCFO AI integrates with financial technology platforms to facilitate secure access to financial data for our clients. We are committed to complying with all applicable KYC (Know Your Customer) regulations, including those required by Plaid and others, and to ensuring the secure handling of sensitive financial data.
KYC Requirements
In compliance with KYC requirements, GroveCFO AI undertakes the following measures:
1. Identity Verification: GroveCFO AI will work with Plaid and other financial technology platforms to verify the identity of clients and their representatives as required by applicable laws and regulations. This may include collecting personal and business information such as names, addresses, tax identification numbers (TIN), and other details necessary to confirm the identity of the individuals or entities using our services.
2. Data Collection and Retention: We will collect only the necessary financial and personal data required for KYC compliance. This data will be retained only for as long as necessary to meet regulatory requirements and will be securely disposed of when no longer needed. We ensure that all collected data is stored in compliance with applicable data retention and privacy laws.
3. Data Security: We employ strong encryption and other security measures to protect KYC-related data. All sensitive data, including financial and personal information, is encrypted both in transit and at rest. Access to this data is restricted to authorized personnel only and is subject to strict access control policies.
4. Monitoring and Reporting: GroveCFO AI will monitor and review all KYC-related activities to ensure compliance with applicable laws and regulations. In the event of suspicious activities or transactions, we will take appropriate action, including reporting to relevant authorities, as required by law.
5. Third-Party Vendors: Any third-party vendors or contractors that assist in KYC compliance will be required to comply with our security policies and meet the necessary regulatory standards. This includes ensuring that third parties handle KYC data in accordance with applicable data protection laws and typical financial technology platform requirements.
6. Employee Training: Employees involved in handling KYC data will receive specialized training to understand the regulatory requirements and best practices for data protection and compliance.
Compliance with Regulatory Standards
GroveCFO AI is committed to complying with relevant KYC regulations, including but not limited to:
• The Bank Secrecy Act (BSA)
• Anti-Money Laundering (AML) regulations
• Know Your Customer (KYC) regulations
• The General Data Protection Regulation (GDPR)
• The California Consumer Privacy Act (CCPA)
We regularly review and update our policies and procedures to ensure ongoing compliance with all applicable KYC, AML, and data protection regulations.
We provide continuous security training to our employees:
1. Security Awareness Training: Regular training on best practices, including password management, phishing, and social engineering.
2. Role-Specific Training: Specialized training for employees with access to sensitive data or who are responsible for maintaining our security controls.