Privacy Policy

1. Purpose

The purpose of this policy is to establish mandatory standards, processes, and controls for the entire Software Development Lifecycle (SDLC) at SDMNC Software. This ensures that all software applications, systems, and services are developed, maintained, and deployed in a manner that guarantees security, quality, reliability, and compliance with all relevant legal and regulatory requirements.

2. Scope

This policy applies to:

  • All employees, contractors, consultants, and third-party vendors involved in the planning, design, development, testing, deployment, and maintenance of any software used or produced by SDMNC Software.

  • All internally developed software applications, systems, tools, and services.

  • All modifications, upgrades, or integrations of commercial off-the-shelf (COTS) or open-source software.

3. Policy Statements

3.1 Software Development Lifecycle (SDLC)

All software projects must follow a documented, secure, and repeatable SDLC methodology (e.g., Agile, Waterfall, DevOps).

  • Requirements: Security, privacy, and compliance requirements must be defined and documented before the design phase.

  • Design & Architecture: All software architectures must adhere to secure design principles, including Least Privilege, Defense in Depth, and Secure Defaults. Architectural reviews must be conducted and documented.

  • Development: Coding must adhere to documented, language-specific Secure Coding Standards. All code must be stored in an approved Version Control System (VCS) with proper access controls.

3.2 Security & Testing

Security is paramount and must be integrated into every stage of the SDLC (Security by Design).

  • Secure Coding: Developers must implement controls for common vulnerabilities (e.g., input validation, secure data handling, use of parameterized queries).

  • Code Review: All code changes must undergo a mandatory peer review prior to merging, with a specific focus on security flaws and adherence to coding standards.

  • Security Testing: Mandatory testing must include:

    • Static Application Security Testing (SAST): Scanning source code for vulnerabilities.

    • Dynamic Application Security Testing (DAST): Testing the running application for vulnerabilities.

    • Vulnerability Scanning/Penetration Testing: Independent security testing must be conducted on all major releases and critical systems.

3.3 Change and Release Management

No code or configuration change shall be deployed to the production environment without formal review and approval.

  • Approval Workflow: A defined approval workflow must be followed for all changes, including sign-off from development, QA, and business stakeholders (where applicable).

  • Environment Segregation: Development, Testing (QA), Staging, and Production environments must be physically and logically separated, with strict access controls enforced.

  • Deployment: All production deployments must be automated where possible and logged, with documented rollback procedures in case of failure.

3.4 Licensing and Intellectual Property (IP)

SDMNC Software must maintain compliance with all software licenses and protect its own intellectual property.

  • License Compliance: Only legally licensed software is permitted for use in development, testing, and production environments. A central inventory of all software licenses must be maintained.

  • Open Source: The use of open-source components must comply with their respective licenses. All open-source dependencies must be scanned for known vulnerabilities and licenses prior to integration.

  • IP Ownership: All code, designs, documentation, and tools created by employees or contractors while performing work for SDMNC Software are the exclusive property of SDMNC Software.

4. Roles and Responsibilities

  • CTO/Policy Owner: Final approval of the SDM Policy and all major exceptions.

  • Project Manager: Ensuring the project follows the defined SDLC and change management procedures.

  • Development Team: Adhering to secure coding standards and implementing security controls.

  • Quality Assurance (QA): Conducting thorough functional testing and coordinating security testing efforts.

  • Security Team: Performing code reviews, administering security tools (SAST/DAST), and coordinating penetration tests.

5. Training and Awareness

All personnel involved in software development must undergo mandatory, role-specific security training upon hire and on an annual basis. Training must cover secure coding practices, common vulnerabilities, and adherence to this SDM Policy.

6. Policy Exceptions and Enforcement

6.1 Exceptions

Any deviation from this policy must be documented and formally approved by the CTO and the Security Team. Exceptions must detail compensating controls used to mitigate the risk introduced by the deviation.

6.2 Compliance and Consequences

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract, and potential legal action, particularly in cases involving intellectual property or significant security/compliance failures.