Security Policy

This page was last updated on 29th January 2024

General

  • We strongly believe in protecting the digital assets of our clients, their members/customers and the general public.
  • While every client or partner is different in their security setup (which may constrain the specifics), we always aim to be an advocate for better security.

What we do for security

  • We manage inbound and outbound payments through an accounting system. Any changes to bank details will be confirmed both verbally and in writing with clients.
  • We use a password manager for all our work-related passwords (and similar assets).
  • We require all team members and contractors to use this password manager and to have a secure password for it.
  • For our suppliers who need access to just 1 or 2 items, we may occasionally share passwords directly and change them when the work is completed.
  • If a team member or contractor leaves Tactic Lab, we do an access audit of all relevant assets.
  • We strongly encourage all clients (and their suppliers) to use a password manager.
  • If sharing passwords with clients, we do not send the login and password in a single email; we split them up and send the password via an alternative method (e.g. WhatsApp, 1ty.me etc). We strongly encourage clients and their suppliers to do the same.
  • We add two-factor authentication to all accounts where this is practical/reasonable, with the second factor stored in the password manager.
  • For online documents, we limit the internal and external users who have access to the document.
  • When a client, team member, or supplier requests access to a document, we check with the client before granting it if the request comes from a non-work email address or from a person we were not expecting to need access.
  • We keep open access (e.g. documents accessible by URL without sign in) to a minimum, for cases where it’s truly needed, and advise clients of this.
  • Where documents contain personal data (e.g. client customer/member data), we delete them after the particular project is completed.
  • We will not enter any confidential client data into any public online tool. If we need to use a tool, we will first make any data generic.