Version: 1.1 | Last updated: 2025-11-19
This page replaces and updates the policy previously published in March 2022. The update modernizes controls, clarifies incident reporting expectations, and summarizes our vendor requirements for breach notification. (Continuity with the prior public policy: see archived version.)
Purpose
Goodwood Consulting ("Goodwood", "we", "our" or "us") is committed to protecting the confidentiality, integrity and availability of client information and the systems we operate. This public Cybersecurity Policy summarizes our security posture, the controls we maintain, and our approach to incident response and vendor management. For more detail on how we collect and use personal information, see our Client Privacy Policy.
Scope
This public policy describes Goodwood's approach to cybersecurity for Goodwood-managed systems and services and for third parties that process client information on our behalf. It is intended for clients, partners and the public. Internal procedures and contractual language provide further operational and legal detail.
Key Definitions
- Client Information: Non-public information about a Goodwood client or its customers that we collect, receive, store, process, transmit or otherwise access in connection with the services we provide.
- Security Incident: Any unauthorized access, acquisition, use, disclosure, modification or destruction of Client Information or Goodwood systems, or any event reasonably likely to compromise confidentiality, integrity or availability.
- Vendor / Third Party: Any external entity or subcontractor that stores, processes or transmits client information on Goodwood's behalf.
Governance and Accountability
Goodwood maintains an information security governance framework. The Compliance Lead is the executive owner of the Cybersecurity Policy and is responsible for policy maintenance and regulatory coordination. Operational responsibility is delegated to IT and security staff.
Primary contacts
- Email: security@goodwood-consulting.com
- Compliance POC: Ryan David Thibodeaux, Principal / Compliance Lead — ryan@goodwood-consulting.com — (225) 475-3175
Security Controls and Practices
Access control and identity
- We enforce least-privilege, role-based access controls and monitor privileged activity.
- Multi-factor authentication (MFA) is required for remote access, administrative consoles and all systems that store client data.
- We require unique, strong credentials. We recommend the use of a company-approved password manager and long, passphrase-style passwords. Secrets and keys are stored in approved secret managers and rotated on a defined schedule or after suspected exposure.
Encryption and data protection
- Data in transit is protected with TLS 1.2+ (or successor). Sensitive data at rest is encrypted using strong cryptography.
- Access to confidential or sensitive data is logged and reviewed for anomalous activity.
Endpoint, network and cloud security
- Endpoints are managed (MDM/EPP), encrypted and kept current with security patches and controls.
- Cloud environments follow secure baseline configurations, IAM least-privilege, centralized logging and monitoring.
- Network defenses and segmentation are applied according to service risk and data sensitivity.
Monitoring, logging and detection
- Goodwood maintains centralized logging and detection capabilities. Logs for security-relevant systems are retained for at least 12 months, or longer if required by law.
- Anomaly detection and alerting feed our incident management processes.
Vulnerability management, testing and audits
- We operate a vulnerability program including periodic scans, dependency management and timely patching.
- Independent penetration testing and third-party security assessments are performed regularly and after material changes.
- Goodwood may obtain SOC reports or other third-party attestations from vendors as part of due diligence.
Secure development and change management
- Changes to production systems are subject to a documented change management process with security review, testing and rollback capabilities.
- Developers follow secure coding practices and dependency scanning procedures.
Incident Response and Client Notification
Goodwood maintains a formal Incident Response Plan that covers detection, reporting, containment, investigation, remediation, evidence preservation and post-incident review. The plan defines roles, escalation paths and communications protocols for internal stakeholders, clients and regulators.
Notification commitments
If an incident impacts a client’s information, Goodwood will:
- Provide a preliminary notification within 24 hours of discovery with initial facts and our point of contact; and
- Deliver a full incident report within 72 hours of discovery (or sooner as facts permit), with follow-up updates as investigations proceed.
Notifications will include the nature and scope of the event (to the extent known), affected data categories, containment and remediation steps, and the Goodwood incident contact. Goodwood will cooperate with clients and regulators, including providing logs and investigation results as appropriate.
Third-Party Risk and Vendor Expectations
Goodwood performs security due diligence for vendors that store or process client data. Contracts with third parties include data protection and incident notification requirements. At a minimum, we require vendors to notify Goodwood promptly of incidents affecting client data and to cooperate in investigations and remediation.
For contractual clarity, vendors are required to provide a preliminary notification within 24 hours of discovery and a full incident report within 72 hours, with ongoing cooperation thereafter; this mirrors the notification timeline Goodwood commits to its own clients above. Goodwood reserves the right to request audit reports and to require remediation or termination where vendor controls are insufficient.
Employee Responsibilities and Training
- All personnel must follow Goodwood's security policies and report suspected incidents immediately to security@goodwood-consulting.com.
- Security and privacy training is required at hire and annually thereafter. Additional role-based training is provided for privileged users and developers.
- Employees must follow device and email safety practices, protect credentials and avoid the use of unauthorized or untrusted devices to access Goodwood systems.
Remote Work
Remote employees must follow the same controls as on-site staff, including use of encrypted devices, MFA, company VPN or other secure access methods, and adherence to Goodwood's standards for data protection and device hygiene.
HubSpot, Single Sign-On and Third-Party Logins
Goodwood enforces Single Sign-On (SSO) for employee access to HubSpot and other enterprise cloud applications. SSO is implemented with SAML, using Google Workspace as the identity provider. This reduces password reuse and centralizes identity controls in one place. Where an application still offers a native (non-SSO) login, we require MFA and strong passwords on that login.
Disciplinary Action
Failure to comply with this policy may result in disciplinary action up to and including termination, and may include contractual remedies or legal action where appropriate. Minor, unintentional violations will generally be handled through training and remediation; intentional or repeated violations will result in more severe action.
Continuous Improvement
Goodwood maintains a continuous program of evaluation and improvement. We review and update this policy at least annually or sooner when operational or regulatory changes require it. We also incorporate lessons learned from incidents, audits and penetration tests.
How to Report a Security Incident
To report a suspected security incident, phishing attempt or other concern, contact us immediately:
- Email: security@goodwood-consulting.com
- Compliance POC: Ryan David Thibodeaux, Principal / Compliance Lead — ryan@goodwood-consulting.com — (225) 475-3175