Last Reviewed: July 31, 2025
1. Purpose
This Information Security Policy outlines the measures taken by Elements Bookkeeping, LLC to ensure the confidentiality, integrity, and availability of sensitive client and business information. Our goal is to protect data against unauthorized access, disclosure, alteration, or destruction.
2. Scope
This policy applies to all employees, contractors, and any third parties with access to our systems or data. It covers all forms of data (digital, paper-based, oral) and all systems used for business operations.
3. Core Security Practices
A. Email, File Storage & Scheduling
- We use secure, end-to-end encrypted email for all client communications.
- Client documents are stored in a file system with zero-access encryption (data is encrypted client-side, so the storage provider cannot read it) to protect sensitive financial data.
- Our scheduling system ensures data privacy and secure calendar synchronization across all devices.
B. Password Management
- All credentials are stored in a reputable password manager.
- Passwords are unique, complex, and rotated regularly.
- Two-Factor Authentication (2FA) is enabled wherever possible.
C. Network & Device Security
- All devices are secured with firewalls, antivirus, and full-disk encryption.
- Our internal network is protected with strong, regularly updated passwords and WPA3 encryption.
- When accessing data remotely or over public networks, we use a VPN for secure tunneling.
D. Data Backup & Storage
- Client and internal data are backed up daily to a locally encrypted NAS (Network-Attached Storage) device.
- Redundant cloud backups are made to an encrypted cloud backup service that is accessed only over authenticated, encrypted connections.
- Backup systems are monitored for successful completion and tested periodically for recovery reliability.
4. Access Control
- Access to client and business data is granted on a need-to-know basis only.
- Devices and systems are locked when unattended and logged out after periods of inactivity.
- Former employees and contractors have their access revoked immediately upon termination of the relationship.
5. Incident Response
- All staff are required to report suspected security incidents (e.g., phishing, data breaches, unauthorized access) immediately.
- A designated security lead will investigate, respond, and document any incidents.
- Clients will be notified in accordance with applicable laws if their data is impacted.
6. Compliance & Confidentiality
- We comply with applicable financial privacy laws and guidance (e.g., the GLBA Safeguards Rule and IRS Publication 4557, "Safeguarding Taxpayer Data") and related data protection standards.
- All employees and contractors sign a Confidentiality Agreement.
- Security training is provided upon onboarding and refreshed annually.
7. Policy Review
This policy is reviewed annually or after any major change to technology, processes, or legal regulations. Updates will be documented and communicated to all team members.