Privacy policy
Information Security Policy and Procedures
Business Name: Three Pines Roofing LLC
Business Type: Residential and Commercial Roofing Contractor
Business Address: Lakewood, CO
Business Size: 2 Employees / Partners
Effective Date: May 18, 2026
Version: 5.0
Review Cycle: Annually (next review: May 2027)
Document Owners: Robert Nieves (Owner) & Erick Alexander (Operator)
Table of Contents
- Purpose and Scope
- Definitions
- Information We Collect and Why
- Information We Do Not Collect
- Data Classification and Handling
- Website Security Policy
- Lead Privacy Policy
- Meta Advertising and Lead Data Policy
- Plaid API and Financial Data Handling Policy
- Access Control and Authentication
- Device and Network Security
- Vulnerability Management and Patch Policy
- Data Retention and Disposal
- Third-Party Vendor Management
- Data Breach Identification, Response, and Notification Procedures
- Risk Monitoring and Ongoing Security Practices
- Employee Responsibilities and Training
- Policy Enforcement and Violations
- Policy Review and Updates
- Acknowledgment and Signatures
- References
1. Purpose and Scope
1.1 Purpose
This Information Security Policy and Procedures document establishes the framework by which Three Pines Roofing LLC identifies, mitigates, and monitors information security risks. It defines the rules and responsibilities for protecting customer data, business records, digital assets, and operational systems from unauthorized access, disclosure, alteration, or destruction.
The roofing industry collects personal contact and property information from homeowners and property managers in the course of generating leads, scheduling estimates, and delivering services. This data, while not classified as highly sensitive financial or medical information, is still subject to applicable federal and state privacy laws and carries a duty of care to the individuals who entrust it to the business. This policy operationalizes that duty of care in a practical, actionable manner appropriate for a small two-person operation.
1.2 Scope
This policy applies to:
- All owners, employees, subcontractors, and temporary workers who access business data or systems in any capacity.
- All digital systems used by the business, including but not limited to: the business website, lead management software, email accounts, social media accounts (including Meta Business Manager), smartphones, laptops, tablets, and cloud storage services.
- All physical records containing customer or business information, including printed estimates, contracts, and notes.
- All third-party service providers who receive, process, or store data on behalf of the business.
2. Definitions
The following terms are used throughout this document and are defined here for clarity.
| Term | Definition |
| --- | --- |
| Personal Information (PI) | Any data that can identify a specific individual, including name, phone number, email address, and physical address. |
| Sensitive Personal Information (SPI) | A subset of PI that carries heightened risk if disclosed, including Social Security Numbers, financial account numbers, government-issued ID numbers, and biometric data. |
| Lead Data | Personal information submitted by a prospective customer through a website form, Meta lead ad, or other inquiry channel. |
| Data Breach | Any unauthorized access, acquisition, disclosure, or loss of personal information that compromises its security, confidentiality, or integrity. |
| Authorized User | An owner or employee who has been granted permission to access specific business systems and data. |
| Third-Party Vendor | Any external company or individual that provides services to the business and may have access to customer data (e.g., CRM software providers, web hosting companies, advertising platforms). |
| Encryption | The process of converting data into a coded format that can only be read by authorized parties with the correct decryption key. |
| Multi-Factor Authentication (MFA) | A security process that requires a user to verify their identity using two or more independent methods before gaining access to a system. |
3. Information We Collect and Why
The business collects only the minimum amount of personal information necessary to conduct its roofing operations. This principle — commonly known as data minimization — reduces risk by limiting the amount of data that could be exposed in the event of a security incident.
3.1 Customer and Lead Information Collected
The following table describes the personal information the business is authorized to collect, the purpose for collecting it, and the lawful basis for doing so.
| Data Element | Purpose | Lawful Basis |
| --- | --- | --- |
| Full Name | To address the customer, create estimates, and execute service agreements. | Legitimate business interest; performance of a contract. |
| Phone Number | To schedule estimates, confirm appointments, and follow up on leads. | Legitimate business interest; customer consent via form submission. |
| Email Address | To send estimates, invoices, appointment confirmations, and follow-up communications. | Legitimate business interest; customer consent via form submission. |
| Property / Service Address | To conduct on-site roof inspections, prepare accurate estimates, and deliver roofing services. | Performance of a contract; legitimate business interest. |
| Homeowner Status | To confirm the individual has authority to authorize roofing work on the property. | Legitimate business interest; legal compliance. |
| Description of Roofing Situation | To prepare for the estimate appointment and understand the scope of work needed. | Legitimate business interest; performance of a contract. |
| Preferred Contact Method and Availability | To communicate with the customer in their preferred manner and at convenient times. | Customer consent. |
3.2 How This Information Is Used
Information collected from customers and leads is used exclusively for the following purposes:
- Responding to roofing inquiries and scheduling free estimates.
- Preparing and delivering written roofing estimates and proposals.
- Executing roofing service agreements and managing active projects.
- Following up with leads who have not yet converted to customers.
- Sending invoices and processing payments through secure, third-party payment platforms.
- Complying with applicable legal, regulatory, or insurance requirements.
The business does not use customer data for unsolicited marketing to unrelated third parties, nor does it sell or rent customer information under any circumstances.
4. Information We Do Not Collect
The business explicitly prohibits the collection, storage, or processing of the following categories of sensitive personal information. These data types are unnecessary for roofing operations and their collection would create disproportionate security and legal risk.
4.1 Prohibited Data Categories
| Prohibited Data | Reason for Prohibition |
| --- | --- |
| Social Security Numbers (SSN) | Not required for roofing services; collection creates significant identity theft risk. |
| Birth Certificates or Dates of Birth | Not required for roofing services; unnecessary collection of sensitive identity data. |
| Driver's License or State ID Numbers | Not required; no legal basis for collection in a roofing context. |
| Passport Numbers or Immigration Documents | Not required; collection would create serious legal and privacy exposure. |
| Medical or Health Information | Not relevant to roofing services; subject to additional regulatory protections. |
| Full Credit Card or Bank Account Numbers | Payments are processed exclusively through secure, PCI-compliant third-party gateways; raw financial data is never stored locally. |
| Biometric Data | Not required; collection without explicit consent is prohibited in many states. |
| Children's Personal Information | The business does not knowingly collect data from individuals under 13 years of age. |
| Religious, Political, or Racial Information | Not relevant to roofing services; collection is discriminatory and legally risky. |
4.2 Procedure for Inadvertent Receipt of Prohibited Data
If a customer inadvertently provides prohibited data (for example, including their SSN in a written note or email), the following procedure must be followed immediately:
- Do not record, copy, or store the prohibited data in any system.
- Notify the customer that this information is not required and will not be retained.
- Permanently delete or shred any document or message containing the prohibited data.
- Document the incident in the business's incident log, noting the date, nature of the data received, and the steps taken to dispose of it.
5. Data Classification and Handling
5.1 Data Classification Tiers
All data held by the business is classified into one of three tiers to guide appropriate handling procedures.
| Classification | Examples | Handling Requirements |
| --- | --- | --- |
| Tier 1 — Confidential | Customer names, addresses, phone numbers, email addresses, lead data, signed contracts, payment records. | Stored in password-protected systems; access restricted to authorized users; encrypted in transit and at rest where possible. |
| Tier 2 — Internal Use Only | Business financial records, vendor contracts, employee information, insurance documents. | Stored securely; not shared externally without a legitimate business need. |
| Tier 3 — Public | Business name, service area, phone number listed on the website, social media posts. | No special handling required; intended for public access. |
5.2 Physical Data Handling
Physical documents containing Tier 1 or Tier 2 data — such as printed estimates, signed contracts, or handwritten notes with customer contact details — must be stored in a locked filing cabinet or drawer when not in active use. Documents that are no longer needed must be cross-cut shredded before disposal. They must never be placed in a recycling bin or trash can intact.
5.3 Digital Data Handling
Digital records containing Tier 1 data must be stored in password-protected applications or cloud services with access controls. Files must not be stored on unprotected USB drives or shared via unencrypted email attachments when alternatives exist. Cloud services used to store customer data must have a documented privacy policy and must not share data with unauthorized third parties.
6. Website Security Policy
The business website serves as a primary channel for customer inquiries and lead generation. Securing the website protects both the business and the customers who submit their information through it.
6.1 SSL/TLS Encryption
The website must maintain a valid, unexpired TLS certificate from a publicly trusted certificate authority at all times, so that all data exchanged between the visitor's browser and the web server is encrypted. The site must be served only over HTTPS, with plain HTTP requests redirected to HTTPS. The web hosting provider is responsible for issuing and renewing the certificate; the business owner must verify at least quarterly that it is valid and not close to expiry.
6.2 Website Hosting and Platform Security
- The web hosting provider must be a reputable company with documented security practices, including regular server-side software updates and malware scanning.
- The website content management system (CMS) or platform (e.g., WordPress, Wix, Squarespace) must be kept up-to-date with all available security patches and updates.
- Any plugins, themes, or third-party integrations used on the website must be sourced from reputable providers and kept updated. Unused plugins must be deactivated and deleted.
- Website administrator login credentials must be unique, strong (minimum 12 characters), and protected with MFA.
- Default administrator usernames (such as "admin") must be changed to a non-obvious username.
6.3 Website Privacy Policy Requirement
The website must display a publicly accessible, clearly written Privacy Policy page. This Privacy Policy must be linked from:
- The website footer on every page.
- All lead capture forms and contact forms.
- The Meta Ads lead form (as required by Meta's Lead Ads Terms).
The Privacy Policy must disclose, at minimum:
- What personal information is collected.
- How that information is used.
- Whether the information is shared with third parties and under what circumstances.
- How customers can request deletion of their data.
- How to contact the business with privacy-related questions.
6.4 Cookies and Tracking Technologies
The website automatically collects certain information about user interaction ("Usage Data") using cookies, pixels, and similar technologies. This includes device information, browser information, network connection details, and IP addresses.
- Purpose: Cookies are used to power and improve the site (e.g., Shopify functionality), run analytics, and tailor advertising.
- Third Parties: The business may permit third parties (such as Shopify or advertising partners) to use cookies on the site.
- User Controls: Most browsers accept cookies by default. Users can choose to set their browser to remove or reject cookies, though this may negatively impact site functionality.
6.5 Website Forms and Lead Capture Security
- All web forms that collect personal information must be protected by HTTPS.
- Forms must include a clear statement of consent, such as: "By submitting this form, you agree to be contacted by Three Pines Roofing LLC regarding your roofing inquiry. We will not sell or share your information with third parties."
- CAPTCHA or similar bot-prevention mechanisms should be implemented on all public-facing forms to prevent automated spam submissions.
- Form submissions must be transmitted to the lead management system via a secure, encrypted connection.
6.6 User Generated Content
If the website enables customers to post product/service reviews or other user-generated content in public areas, the business does not control who will have access to that information. Customers are responsible for the privacy and security of any information they choose to make publicly available.
6.7 Website Monitoring
The business owner must periodically check the website for unauthorized changes, broken links, or unusual behavior. If the web hosting provider offers malware scanning or security monitoring tools, these must be enabled.
7. Lead Privacy Policy
7.1 Lead Data Collection Consent
All lead capture forms — whether on the website or through Meta Ads — must obtain clear, affirmative consent from the individual before collecting their personal information. Consent must be:
- Informed: The individual must know what data is being collected and why.
- Freely given: Submission of the form must be voluntary.
- Specific: Consent must be tied to the specific purpose (e.g., receiving a roofing estimate).
- Documented: The date, time, and source of each lead submission must be recorded in the lead management system.
(Note regarding financial integrations: The consent requirements in this section apply specifically to consumer data. The business's use of the Plaid API, as detailed in Section 9, accesses the business's own financial data rather than consumer financial data, and therefore does not require consumer consent.)
7.2 Lead Data Use Restrictions
Lead data collected through any channel may only be used for the following purposes:
- Contacting the individual to schedule a roofing estimate or follow up on their inquiry.
- Sending relevant roofing-related communications the individual has consented to receive.
- Maintaining records of customer interactions for business purposes.
Lead data must not be used for:
- Selling or renting to third-party marketers.
- Adding individuals to unrelated marketing lists without explicit consent.
- Any purpose inconsistent with the reason for which the data was originally collected.
7.3 Lead Data Storage and Access
- Lead data must be stored in the designated lead management system (CRM or equivalent).
- Access to the lead management system is restricted to authorized business personnel only.
- Lead records must be protected by strong, unique passwords and MFA where the platform supports it.
- Lead data must not be exported to personal email accounts, personal cloud storage, or unsecured spreadsheets.
7.4 Customer Rights and Choices
Depending on the customer's state of residence, they have the following rights regarding their personal information:
- Right to Access/Know: The right to request details on what personal information the business holds about them and how it is used or shared.
- Right to Delete: The right to request the deletion of personal information, provided there is no overriding legal obligation to retain it (e.g., signed contracts, outstanding invoices). Deletion requests must be fulfilled within 30 days of receipt.
- Right to Correct: The right to request correction of inaccurate personal information.
- Right of Portability: The right to receive a copy of their personal information in a transferable format.
Customers may exercise these rights or submit privacy-related complaints by contacting the business at threepinesroofing@gmail.com.
7.5 SMS/Text Messaging (Mobile Terms)
The business utilizes SMS/text messaging to communicate with customers regarding service updates, appointment reminders, and promotional offers.
- Consent: By providing a mobile number, customers consent to receive recurring text messages from the business, which may be sent via an automatic telephone dialing system. Consent is not a condition of purchase.
- Opt-Out: Customers may opt out of SMS communications at any time by replying STOP to any message. A one-time confirmation message will be sent, and no further messages will be sent unless initiated by the customer.
- Support: Customers can reply HELP for assistance or email threepinesroofing@gmail.com.
- Data Rates: Message and data rates may apply. The business does not charge for the SMS service, but customers are responsible for any fees imposed by their wireless carrier.
8. Meta Advertising and Lead Data Policy
8.1 Meta Lead Ads Requirements
When running lead generation campaigns on Facebook or Instagram through Meta Ads, the business is required by Meta's Lead Ads Terms to comply with the following:
- A valid, publicly accessible Privacy Policy URL must be linked from every lead ad instant form. This is a mandatory requirement; ads without a compliant privacy policy link will not be approved by Meta.
- The privacy policy must accurately describe how the collected lead data will be used.
- Lead data collected through Meta must be used only in accordance with Meta's Data Policy and the business's own stated privacy policy.
8.2 Accessing and Handling Meta Lead Data
- Lead data collected through Meta lead ads must be downloaded or synced to the business's lead management system promptly. Meta retains lead data for a limited period; failure to retrieve it in a timely manner may result in data loss.
- Once downloaded, Meta lead data is subject to the same handling, storage, and security requirements as all other Tier 1 customer data described in this policy.
- Meta lead data must not be stored in Meta's platform indefinitely as a primary record. The business must maintain its own secure copy.
8.3 Meta Business Manager Account Security
- The Meta Business Manager account must be secured with a strong, unique password and MFA.
- Only authorized business personnel may have admin access to the Meta Business Manager account.
- Access permissions for any contractors or agencies managing Meta ads on behalf of the business must be reviewed regularly and revoked immediately upon the end of the business relationship.
- The business must regularly review the list of people with access to the Meta Business Manager account and remove any unrecognized or inactive users.
8.4 Meta Ad Targeting and Privacy
- The business will not use Meta's custom audience features to upload customer data without first confirming that doing so is consistent with the consent provided by those customers.
- The business will not use Meta's targeting tools to discriminate against protected classes in advertising for housing-related services, in compliance with the Fair Housing Act and Meta's Special Ad Category requirements for housing advertisers.
9. Plaid API and Financial Data Handling Policy
As part of its operations, the business utilizes the Plaid API to integrate its own financial accounts with its internal accounting software. While this integration accesses the business's own financial data rather than consumer financial data, the information retrieved (including account balances, transaction histories, and routing numbers) is highly sensitive and requires strict security controls to prevent financial fraud or operational disruption.
9.1 Data Encryption at Rest
- All financial data retrieved via the Plaid API and stored locally (in the accounting software's database or on the file system) must be encrypted at rest with AES-256, preferably in an authenticated mode such as AES-256-GCM so that tampering with stored data is detected, or with a cipher of equivalent strength.
- Encryption keys must be stored and managed separately from the encrypted data, in a secrets manager, an operating-system keychain, or an environment variable injected at start-up, and never in the same database, file share, or code repository as the data they protect.
9.2 Data Minimization
- The business will request and retain only the specific Plaid data fields necessary to perform the required accounting functions.
- Raw financial data that is no longer actively needed for accounting or reconciliation purposes must be purged from local storage.
9.3 Plaid Developer Agreement Compliance
The business commits to handling all API-returned data in strict compliance with Plaid's developer agreement and data protection obligations. This includes:
- Application Privacy Policy: The accounting application where Plaid Link is deployed must display or link to a publicly accessible Privacy Policy. This policy must explicitly disclose the use of Plaid, describe the nature of the financial data accessed, and explain how that data is used and protected.
- Storing Plaid API access tokens in an encrypted format.
- Rotating API keys and tokens in accordance with Plaid's recommended security practices.
- Never exposing Plaid API keys in client-side code, public repositories, or unencrypted communications.
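Sections 9.1 and 9.3 above require AES-256 encryption of stored Plaid data and access tokens with the key kept apart from the ciphertext. The following Go program is an added example, not code from the original policy or from Plaid, showing one way to do that with AES-256-GCM from the Go standard library: the key arrives through an environment variable that a secrets manager populates (PLAID_DATA_KEY is a hypothetical name), each record is sealed with a fresh random nonce, and the record identifier is bound to the ciphertext as associated data so that a blob moved to another record, or altered on disk, fails to decrypt. The transaction record is constructed sample data, not output from Plaid.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// keyFromEnv loads a 32-byte AES-256 key, hex-encoded, from an environment
// variable that a secrets manager injects at start-up, so the key never sits
// in the database or file system that holds the ciphertext.
// PLAID_DATA_KEY is a hypothetical variable name chosen for this example.
func keyFromEnv(name string) ([]byte, error) {
	raw, err := hex.DecodeString(os.Getenv(name))
	if err != nil || len(raw) != 32 {
		return nil, fmt.Errorf("%s must hold a 32-byte key as 64 hex digits", name)
	}
	return raw, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (here the record's own identifier) is authenticated but not encrypted, so a
// blob copied into another record's slot fails to decrypt instead of silently
// substituting one account's data for another's.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, fresh per blob
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext, tag or aad is
// rejected by the GCM authentication check.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func main() {
	key, err := keyFromEnv("PLAID_DATA_KEY")
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	// Constructed sample in the shape of a transaction record; not real Plaid data.
	record := []byte(`{"account_id":"acct-001","date":"2026-05-18","amount":-1249.50,"name":"Lumber supplier"}`)
	id := []byte("txn-000017")
	blob, err := seal(key, record, id)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("stored blob (%d bytes): %s\n", len(blob), hex.EncodeToString(blob))
	back, err := unseal(key, blob, id)
	fmt.Printf("decrypted: %s (err=%v)\n", back, err)
}
```

Generate a key with `openssl rand -hex 32`, place it in the secrets manager or export it as PLAID_DATA_KEY, and store only the returned blob in the accounting database. The same seal/unseal pair serves for Plaid access tokens, with the item identifier as the associated data.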
9.4 Compliance Alignment (PCI-DSS / SOC 2)
While the business does not process consumer credit cards through Plaid, the handling of its own financial data will be aligned with the security principles of PCI-DSS and SOC 2 where applicable. This includes:
- Maintaining strict logical access controls (least privilege) over the accounting software and decrypted financial data.
- Ensuring that all data transmitted between the Plaid API, the accounting software, and the business's servers is encrypted in transit using TLS 1.2 or higher.
- Logging all access to the accounting software and monitoring for unauthorized or anomalous activity.
10. Access Control and Authentication
10.1 Password Policy
All passwords used to access business systems must meet the following minimum requirements:
- Minimum length: 12 characters.
- Complexity: Must include a combination of uppercase letters, lowercase letters, numbers, and special characters, or alternatively be a long passphrase of four or more random words.
- Uniqueness: Each account must have a unique password. Passwords must never be reused across different accounts.
- Confidentiality: Passwords must never be shared verbally, in text messages, or via email. Passwords must not be written on sticky notes or stored in unencrypted documents.
A password manager (such as Bitwarden, 1Password, or a similar reputable service) is strongly recommended to generate and securely store unique passwords for all business accounts.
10.2 Multi-Factor Authentication (MFA)
MFA must be enabled on the following systems at a minimum:
| System | MFA Requirement |
| --- | --- |
| Business email account(s) | Required |
| Meta Business Manager | Required |
| Website administrator account | Required |
| Lead management / CRM platform | Required where supported |
| Cloud storage (Google Drive, Dropbox, etc.) | Required |
| Business banking or payment platforms | Required |
MFA should use an authenticator app (such as Google Authenticator or Authy) or a hardware security key/passkey rather than SMS-based codes wherever possible; SMS codes can be captured through SIM-swap attacks and interception, and a phishing page can relay both a password and a one-time code, which a passkey or security key resists.
10.3 Principle of Least Privilege
Access to business systems and data must be granted on a need-to-know basis. No individual should have access to systems or data beyond what is required for their specific role. If a subcontractor or temporary worker requires access to any business system, access must be:
- Granted only for the duration of the engagement.
- Limited to the specific systems and data needed.
- Revoked immediately upon the end of the engagement.
11. Device and Network Security
11.1 Mobile Device Security
Both business owners' smartphones and any other mobile devices used for business purposes must be secured as follows:
- A PIN, password, or biometric lock (fingerprint or face recognition) must be enabled.
- Automatic screen lock must be set to activate after no more than 5 minutes of inactivity.
- The operating system and all business-related apps must be kept updated to the latest version.
- The device must have the ability to be remotely wiped if lost or stolen. Both iOS (Find My iPhone) and Android (Find My Device) offer this capability and it must be enabled.
- Business data must not be stored in personal photo libraries or unprotected local folders on mobile devices.
11.2 Computer and Laptop Security
- All computers used for business must require a password to log in.
- Automatic screen lock must be enabled.
- Operating systems, browsers, and security software must be kept up-to-date.
- A reputable antivirus/anti-malware program must be installed and kept active.
- Business data must be backed up regularly to a secure cloud service or an encrypted external hard drive.
11.3 Wi-Fi and Network Security
- The business's primary Wi-Fi network must be secured with WPA3 or, where devices do not support it, WPA2 using AES/CCMP. WEP and WPA with TKIP must not be used.
- The router's default administrator username and password must be changed to unique, strong credentials.
- Remote management features on the router must be disabled unless actively needed.
- Business devices must not connect to public, unsecured Wi-Fi networks (such as those at coffee shops or hotels) for accessing sensitive business systems. If remote access is necessary from a public network, a Virtual Private Network (VPN) must be used.
11.4 Data Backup
Critical business data — including customer records, contracts, and financial records — must be backed up regularly using the 3-2-1 backup rule:
- 3 copies of the data.
- 2 stored on different types of media (e.g., cloud storage and an external hard drive).
- 1 stored off-site or in the cloud.
Backups must be tested periodically to confirm that data can be successfully restored.
12. Vulnerability Management and Patch Policy
To proactively identify and mitigate security risks, the business maintains a vulnerability management program for all employee machines, contractor devices, and production assets.
12.1 Vulnerability Scanning
- Endpoint Scanning: All employee and contractor laptops/computers must run built-in or centrally managed security tooling configured for automated, recurring scans. Note that macOS Gatekeeper and XProtect block or detect known malware but do not report missing patches; a vulnerability inventory therefore requires the operating system's automatic updates together with a dedicated vulnerability management tool (e.g., Microsoft Defender Vulnerability Management).
- Production Assets: Production servers, cloud instances, and the business website must undergo regular vulnerability scanning provided by the hosting platform or a third-party security service.
- Scan Frequency: Automated scans on endpoints and production assets must run at least weekly.
12.2 Patch Management and Remediation
When vulnerabilities are identified via scanning or vendor notifications, they must be remediated according to the following timeline:
- Critical Severity: Patched or mitigated within 72 hours of discovery.
- High Severity: Patched or mitigated within 14 days.
- Medium/Low Severity: Patched within 30 days or during the next standard maintenance window.
All operating systems, web browsers, CRM applications, and website CMS platforms must have automatic updates enabled wherever technically feasible to ensure timely remediation.
13. Data Retention and Disposal
13.1 Retention Schedule
The business retains customer and business data only for as long as it is necessary for the purpose for which it was collected, or as required by law.
| Data Type | Retention Period | Rationale |
| --- | --- | --- |
| Lead data (unconverted) | 12 months from initial contact | Allows for follow-up within a reasonable sales cycle. |
| Customer contracts and project records | 7 years from project completion | Compliance with general business record-keeping and potential warranty claims. |
| Invoices and payment records | 7 years | IRS and state tax record-keeping requirements. |
| Email correspondence with customers | 3 years from last interaction | Reference for dispute resolution and business continuity. |
| Website form submissions | 12 months if not converted to a customer record | Consistent with lead data retention. |
13.2 Secure Disposal
When data has reached the end of its retention period or is otherwise no longer needed:
- Paper records: Must be cross-cut shredded. Documents must never be placed in trash or recycling intact.
- Digital files: Must be permanently deleted. Moving a file to the Recycle Bin and emptying it only removes the directory entry, and on modern SSDs and phones file-overwrite ("shredder") utilities are also unreliable because the flash controller remaps blocks. The dependable approach is to keep the drive fully encrypted (BitLocker, FileVault, or the phone's built-in encryption) so that destroying the encryption key, which a factory reset does, renders every remaining copy unreadable. Storage that cannot be encrypted must be physically destroyed.
- Old devices: Before disposing of, selling, or donating any device (phone, laptop, tablet), confirm full-disk encryption was enabled, sign out of and deregister cloud accounts (e.g., Find My or the Google account) so the device is no longer activation-locked to the business, and then perform a factory reset or run data-wiping software. This applies even if the device appears to be broken; a device that cannot be reset must be physically destroyed.
14. Third-Party Vendor Management
The business relies on third-party vendors for critical services, including web hosting, lead management, email, and advertising. These vendors may have access to customer data, and the business remains responsible for ensuring that data is handled appropriately.
14.1 Vendor Data Sharing and Disclosures
The business does not sell, trade, or otherwise transfer personal information to third parties for commission. However, personal information may be disclosed to third parties for legitimate business purposes, including:
- Service Providers: IT management, payment processing, data analytics, customer support, and fulfillment partners (e.g., Shopify).
- Business and Marketing Partners: Platforms such as Meta and Shopify to provide services and advertise to customers, subject to their respective privacy notices.
- Legal Obligations: When required to comply with subpoenas, search warrants, or similar legal requests, or to protect the rights and safety of the business and its users.
14.2 Vendor Selection Criteria
Before engaging any vendor that will have access to customer data, the business must confirm that the vendor:
- Has a publicly available, clearly written Privacy Policy.
- Uses industry-standard security practices, including encryption of data in transit and at rest.
- Does not sell customer data to unauthorized third parties.
- Complies with applicable data protection laws.
14.3 Key Vendor Categories and Responsibilities
| Vendor Category | Examples | Business Responsibility |
| --- | --- | --- |
| Web Hosting Provider | Hostinger | Ensure SSL is active; keep CMS and plugins updated; use strong admin credentials with MFA. |
| Lead Management / CRM | Privately Owned App | Restrict access; use strong passwords and MFA; review data sharing settings. |
| Email Provider | info@threepinesroofing.com host | Enable MFA; use business domain email; configure SPF, DKIM, and DMARC records. |
| Advertising Platform | Meta (Facebook/Instagram) | Comply with Lead Ads Terms; link Privacy Policy; secure Business Manager account. |
| Payment Processor | Chase Payment Solutions | Use PCI-compliant processors only; never store raw card data locally. |
| Cloud Storage | Internal/Cloud Provider | Enable MFA; restrict sharing settings; do not store sensitive data in publicly accessible folders. |
14.4 Vendor Breach Notification
If a third-party vendor notifies the business of a data breach that may have affected customer data held by that vendor, the business must treat the incident as a potential data breach and follow the procedures outlined in Section 15 of this policy.
15. Data Breach Identification, Response, and Notification Procedures
A data breach is one of the most serious security incidents a business can face. This section provides a clear, step-by-step procedure for identifying, containing, assessing, and reporting a data breach in a manner consistent with applicable federal and state laws.
15.1 What Constitutes a Data Breach
A data breach may include, but is not limited to:
- Unauthorized access to the business's email account, CRM, or website.
- Loss or theft of a device (phone, laptop) containing unencrypted customer data.
- Accidental disclosure of customer data to an unauthorized party (e.g., sending an email to the wrong recipient).
- A third-party vendor reporting that customer data held on their systems has been compromised.
- Discovery of malware or ransomware on a business device.
- Unauthorized changes to the business website that may have exposed form submission data.
15.2 Breach Response Procedure
The following steps must be executed in order upon discovery or suspicion of a data breach.
Step 1 — Identify and Contain (Within 24 Hours)
- Identify the source and nature of the breach as quickly as possible.
- Immediately disconnect any compromised device from the internet and business network.
- Change passwords for all accounts that may have been compromised, starting with email and the CRM.
- Disable any compromised accounts or access tokens if possible.
- Preserve evidence: do not delete logs, emails, or files that may help determine the scope of the breach.
Step 2 — Assess the Scope (Within 48 Hours)
- Determine what data was accessed, disclosed, or lost. Document the specific data elements involved (e.g., names, phone numbers, addresses).
- Determine how many individuals are affected.
- Determine the likely cause of the breach (e.g., phishing, weak password, lost device).
- Assess whether the breach is likely to result in harm to affected individuals (e.g., identity theft, financial fraud, harassment).
Step 3 — Notify Affected Individuals (As Required by Law)
All 50 U.S. states, including Colorado, have data breach notification laws requiring businesses to notify affected individuals when their personal information has been compromised. Under the Colorado Privacy Act (CPA) and related state notification laws, obligations generally require:
- Notification to affected individuals without unreasonable delay (most states require notification within 30–90 days of discovery).
- Notification must be provided via written letter, email, or telephone, depending on the contact information available and the state's requirements.
- The notification must include: a description of what happened, the type of information involved, the steps the business is taking in response, and contact information for the business.
Notification Template (to be adapted as needed):
Dear [Customer Name],

We are writing to inform you of a security incident that may have affected your personal information. On or around [Date], we discovered that [brief description of what happened]. The information that may have been involved includes [list of data types, e.g., your name, phone number, and address].

We have taken the following steps to address this incident: [list of actions taken]. We take the security of your information seriously and sincerely apologize for any concern this may cause.

If you have any questions, please contact us at 303-748-5954 or info@threepinesroofing.com.

Sincerely,
Robert Nieves or Erick Alexander
Three Pines Roofing LLC
Step 4 — Notify Regulatory Authorities (If Required)
Depending on the state in which the business operates (primarily Colorado) and the nature of the breach, notification to the state Attorney General or another regulatory body may be required. In Colorado, if a breach affects 500 or more Colorado residents, the business must notify the Colorado Attorney General within 30 days of determining that a security breach occurred. The FTC's Data Breach Response Guide provides additional state-by-state guidance and should be consulted if out-of-state customers are affected.
Step 5 — Recover and Remediate
- Restore affected systems from clean backups if necessary.
- Implement additional security controls to address the root cause of the breach (e.g., enable MFA on a previously unprotected account, replace a lost device, update compromised passwords).
- Conduct a post-incident review to document lessons learned.
Step 6 — Document the Incident
All data breaches, regardless of severity, must be documented in the business's Incident Log. The log entry must include:
- Date and time of discovery.
- Description of the incident.
- Data types and number of individuals affected.
- Steps taken to contain and remediate the breach.
- Notifications sent (to individuals and/or authorities), including dates.
- Lessons learned and corrective actions implemented.
15.3 Incident Log Template
| Field | Details |
| --- | --- |
| Incident Date | |
| Discovery Date | |
| Reported By | |
| Description of Incident | |
| Systems / Data Affected | |
| Number of Individuals Affected | |
| Containment Actions Taken | |
| Notifications Sent | |
| Regulatory Reporting Required? | Yes / No |
| Root Cause | |
| Corrective Actions Implemented | |
| Date Incident Closed | |
16. Risk Monitoring and Ongoing Security Practices
Security is not a one-time event but an ongoing operational discipline. The following monitoring and review activities must be performed on a regular schedule.
16.1 Regular Security Review Schedule
| Activity | Frequency | Responsible Party |
| --- | --- | --- |
| Review and update passwords for all critical accounts | Every 6 months | Both owners |
| Verify MFA is active on all critical accounts | Quarterly | Both owners |
| Check website SSL certificate validity | Quarterly | Business owner / web host |
| Review website for unauthorized changes or malware | Monthly | Business owner |
| Review Meta Business Manager for unauthorized access | Monthly | Business owner |
| Review CRM/lead management system access logs | Monthly | Business owner |
| Back up critical business data | Weekly | Both owners |
| Test data restoration from backup | Every 6 months | Both owners |
| Review and update this policy | Annually | Both owners |
| Review vendor security practices | Annually | Business owner |
| Check for software/app updates on all business devices | Weekly | Both owners |
16.2 Phishing and Social Engineering Awareness
Phishing emails and phone scams are among the most common attack vectors targeting small businesses. Both business owners must be able to recognize the following warning signs:
- Emails requesting urgent action, such as clicking a link to "verify your account" or "prevent account suspension."
- Emails from addresses that appear similar to, but are not exactly, a known sender's address (e.g., support@g00gle.com instead of support@google.com).
- Unexpected invoices or payment requests, especially those requesting payment via wire transfer, gift cards, or cryptocurrency.
- Phone calls from individuals claiming to be from the IRS, Social Security Administration, or a technology company requesting remote access to a device.
If a suspicious email is received, no link or attachment in it may be opened. It should be reported to the email provider as phishing and then deleted.
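The lookalike-sender warning sign above (support@g00gle.com in place of support@google.com) can be checked mechanically before anyone opens the message. The Python script below is an added example, not part of this policy or of any tool the business uses; the trusted-domain list and the sample sender addresses are constructed for illustration. It undoes the character substitutions lookalike domains rely on (0 for o, 1 for l, rn for m) and then flags any sender domain that matches, or sits within two edits of, a domain the business actually deals with:

```python
"""Flag sender addresses that imitate a trusted domain.

Added example. TRUSTED_DOMAINS and SAMPLE_SENDERS are constructed for
illustration; a real deployment would load the trusted list from the
business's own vendor and customer records.
"""
from dataclasses import dataclass

TRUSTED_DOMAINS = (
    "google.com", "microsoft.com", "chase.com",
    "hostinger.com", "threepinesroofing.com",
)

# Substitutions commonly used to build lookalike domains. Each pair is
# (what the attacker types, what the reader's eye sees).
HOMOGLYPHS = (
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
    ("3", "e"), ("5", "s"), ("7", "t"),
)


@dataclass
class Verdict:
    address: str
    result: str   # "trusted", "lookalike" or "unknown"
    reason: str


def normalise(domain: str) -> str:
    """Collapse homoglyph substitutions so g00gle.com compares as google.com."""
    d = domain.lower()
    for typed, seen in HOMOGLYPHS:
        d = d.replace(typed, seen)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Decide whether a sender domain is trusted, a lookalike, or simply unknown."""
    _, _, domain = address.strip().lower().rpartition("@")
    if not domain:
        return Verdict(address, "unknown", "no domain part")
    # Exact match, or a subdomain of a trusted domain (mail.google.com).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return Verdict(address, "trusted", f"matches {t}")
    norm = normalise(domain)
    for t in trusted:
        if norm == normalise(t):
            return Verdict(address, "lookalike", f"character substitution for {t}")
    for t in trusted:
        dist = edit_distance(norm, normalise(t))
        if dist <= 2:
            return Verdict(address, "lookalike", f"{dist} edit(s) away from {t}")
    return Verdict(address, "unknown", "domain not on the trusted list")


# Constructed sample senders: one genuine, one subdomain, three lookalikes, one unrelated.
SAMPLE_SENDERS = [
    "support@google.com",
    "alerts@mail.google.com",
    "support@g00gle.com",          # digit-for-letter substitution
    "noreply@rnicrosoft.com",      # rn in place of m
    "alerts@chasse.com",           # one inserted character
    "sales@roofingsupply.example", # not trusted, but not imitating anyone either
]


def flagged(addresses=SAMPLE_SENDERS) -> list:
    """Return the addresses that should be treated as phishing attempts."""
    return [v.address for v in map(classify, addresses) if v.result == "lookalike"]


if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        v = classify(addr)
        print(f"{v.result:9} {addr:32} {v.reason}")
```

An "unknown" verdict is not a clean bill of health; it only means the domain is not imitating a known one. The check also does not catch a trusted name buried inside an attacker's domain as a subdomain, so the human review in the bullets above still applies.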
16.3 Email Security Configuration
The business email domain must be configured with the following email authentication records to prevent spoofing and phishing attacks that impersonate the business:
- SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email on behalf of the business domain.
- DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing emails to verify their authenticity.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Instructs receiving mail servers on how to handle emails that fail SPF or DKIM checks.
These records are configured through the business's domain registrar or DNS provider and should be set up with the assistance of the email hosting provider.
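Once the records are published, the owners can sanity-check them before relying on them. The Python script below is an added example, not the business's actual DNS records or a tool from its email provider; every record string in it is constructed, and the DMARC reporting mailbox and DKIM key value are placeholders. It lints SPF, DKIM and DMARC TXT records for the weak settings small businesses most often end up with: a permissive or missing terminal `all` in SPF, more than the ten DNS lookups RFC 7208 permits, a DMARC policy of `none` with no reporting address, and a DKIM selector whose key has been emptied:

```python
"""Lint SPF, DKIM and DMARC TXT record strings for common weak settings.

Added example. The record values below are constructed; the rua mailbox
and the DKIM public key are placeholders, not real values.
"""

# RFC 7208 limits the terms that trigger DNS lookups to 10 per evaluation;
# receivers return permerror beyond that, which effectively disables SPF.
SPF_LOOKUP_LIMIT = 10
SPF_LOOKUP_MECHANISMS = ("a", "mx", "ptr", "include", "exists")


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' record (DKIM, DMARC) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record: str) -> list:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        t = term.lower().lstrip("+-~?")          # strip the qualifier
        name = t.split(":")[0].split("/")[0]     # mechanism name only
        if name in SPF_LOOKUP_MECHANISMS or t.startswith("redirect="):
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable; remove it")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all authorises every server to send as the domain; use -all")
    elif last == "?all":
        findings.append("?all is neutral and gives receivers no signal; use -all or ~all")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("no terminal all mechanism; add -all")
    return findings


def lint_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("p tag missing; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered; move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("no rua address; the business receives no aggregate reports of spoofing")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    return findings


def lint_dkim(record: str) -> list:
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("v tag, when present, must be DKIM1")
    if not tags.get("p"):
        findings.append("empty p tag means the key is revoked; mail signed with this selector fails DKIM")
    return findings


# Constructed records: a weak and a corrected version of each.
WEAK_SPF = "v=spf1 include:_spf.example-host.test ptr +all"
STRONG_SPF = "v=spf1 include:_spf.example-host.test -all"
TOO_MANY_SPF = "v=spf1 " + " ".join(f"include:svc{i}.example-host.test" for i in range(11)) + " -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@threepinesroofing.com; pct=100"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="
DKIM_OK = "v=DKIM1; k=rsa; p=MIGfMA0GPLACEHOLDERPUBLICKEY"   # placeholder key, not a real one


def lint_all(spf: str, dkim: str, dmarc: str) -> dict:
    """Lint one domain's three records and return findings per record type."""
    return {"spf": lint_spf(spf), "dkim": lint_dkim(dkim), "dmarc": lint_dmarc(dmarc)}


if __name__ == "__main__":
    for label, report in (("weak", lint_all(WEAK_SPF, DKIM_REVOKED, WEAK_DMARC)),
                          ("strong", lint_all(STRONG_SPF, DKIM_OK, STRONG_DMARC))):
        print(label, report)
```

The script checks record syntax and policy strength only; it does not resolve DNS, so the owners still need to pull the live TXT records (for example with the provider's DNS console or `dig TXT`) and paste them in. A DMARC rollout normally starts at `p=none` with `rua` set so the reports can be read, then moves to `quarantine` and `reject` once legitimate senders all pass.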
17. Employee Responsibilities and Training
17.1 Owner and Employee Responsibilities
Both business owners are jointly responsible for implementing and maintaining this policy. Each owner is responsible for:
- Reading and understanding this policy in its entirety.
- Adhering to all security practices described herein in their daily work.
- Immediately reporting any suspected security incident to the other owner.
- Ensuring that any subcontractors or temporary workers who access business systems are briefed on the relevant security requirements.
- Participating in the annual policy review.
17.2 Subcontractor and Temporary Worker Requirements
Any subcontractor or temporary worker who is granted access to business systems or customer data must:
- Be informed of the relevant sections of this policy before access is granted.
- Sign a confidentiality agreement acknowledging their obligation to protect customer data.
- Have their access promptly revoked at the end of their engagement.
17.3 Annual Security Awareness Review
Both owners must conduct an annual review of current cybersecurity threats and best practices. Free resources for this purpose include:
- The FTC's Cybersecurity for Small Business resource center at ftc.gov/smallbusiness.
- The Cybersecurity and Infrastructure Security Agency (CISA) Small Business resources at cisa.gov/cyber-guidance-small-businesses.
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework Small Business Quick Start Guide.
18. Policy Enforcement and Violations
18.1 Consequences of Policy Violations
Failure to comply with this policy may result in:
- Increased risk of data breach, financial loss, and reputational damage to the business.
- Legal liability under applicable state and federal data protection laws.
- Regulatory fines or penalties.
- Loss of customer trust.
Both business owners are expected to hold each other accountable for compliance with this policy. If a violation is identified, it must be documented, corrected immediately, and the policy must be reviewed to determine whether updates are needed to prevent recurrence.
18.2 Subcontractor Violations
If a subcontractor or temporary worker is found to have violated this policy — including unauthorized access to customer data, failure to secure devices, or disclosure of confidential information — the business must:
- Immediately revoke the individual's access to all business systems.
- Assess whether a data breach has occurred and follow the procedures in Section 15 if applicable.
- Consult with a legal advisor regarding potential liability and remedies.
19. Policy Review and Updates
This policy must be reviewed at least annually, or more frequently in the following circumstances:
- A data breach or significant security incident occurs.
- The business adopts new technology, software, or platforms that affect data handling.
- Applicable laws or regulations change.
- The business's operations, size, or data collection practices change materially.
Updates to this policy must be documented with a new version number and effective date. Both owners must sign the updated policy to acknowledge their understanding and commitment to compliance.
20. Acknowledgment and Signatures
By signing below, the undersigned acknowledge that they have read, understood, and agree to comply with this Information Security Policy and Procedures document.
Owner / Partner 1
Name: Robert Nieves
Signature: RN_________________________
Date: 05/18/2026___________________
Owner / Partner 2
Name: Erick Alexander
Signature: EN_______________________
Date: 05/18/2026___________
This policy should be reviewed annually. Next scheduled review: May 2027.
21. References
[1] Federal Trade Commission. "Cybersecurity for Small Business." FTC.gov. https://www.ftc.gov/business-guidance/small-businesses/cybersecurity
[2] Federal Trade Commission. "Data Breach Response: A Guide for Business." FTC.gov. https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
[3] Meta Business Help Center. "About Privacy Policies for Lead Ads." Facebook.com. https://www.facebook.com/business/help/1247534515288168
[4] Meta Business Help Center. "About Lead Ads Terms and Security." Facebook.com. https://www.facebook.com/business/help/829597887147190
[5] Cybersecurity and Infrastructure Security Agency. "Cyber Guidance for Small Businesses." CISA.gov. https://www.cisa.gov/cyber-guidance-small-businesses
[6] National Institute of Standards and Technology. "Cybersecurity Framework 2.0 Small Business Quick Start Guide." NIST.gov. https://www.nist.gov/cyberframework
[7] Insureon. "State Data Breach Notification Laws and Requirements." Insureon.com. https://www.insureon.com/small-business-insurance/cyber-liability/data-breach-laws
[8] Federal Communications Commission. "Cybersecurity for Small Businesses." FCC.gov. https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses