Security & Compliance

Last updated: March 2025 | Version 2.0

Security-First Approach: At 4J Holdings LLC, we protect client data with enterprise-grade security controls, comprehensive encryption, and continuous monitoring. Our security practices align with SOC 2 Type II standards and ISO 27001 frameworks.

1. Our Security Commitment

Information security is fundamental to our business and the trust our clients place in us. 4J Holdings LLC is committed to:

  • Confidentiality: Protecting client data from unauthorized access and disclosure
  • Integrity: Maintaining the accuracy and completeness of information throughout its lifecycle
  • Availability: Ensuring authorized access to information when needed
  • Accountability: Tracking and auditing access to sensitive resources
  • Privacy: Respecting individual privacy rights and compliance obligations

This commitment extends across all aspects of our operations, from how we design our services to how we train our employees and select our technology partners.

2. Compliance Standards

Our security program is designed to align with industry-recognized standards and frameworks:

2.1 SOC 2 Type II Alignment

Our security controls are designed and operated in alignment with SOC 2 Type II requirements for Security (Common Criteria), Availability, and Confidentiality Trust Services Criteria.

2.2 ISO 27001 Readiness

Our Information Security Management System (ISMS) is structured according to ISO 27001 principles. We have implemented controls across the ISO 27001:2022 control set.

2.3 NIST Cybersecurity Framework

Our security architecture follows the NIST Cybersecurity Framework (CSF 2.0) covering Identify, Protect, Detect, Respond, and Recover functions.

2.4 GDPR and Privacy Compliance

Our security measures support compliance with data protection regulations including GDPR, CCPA, and other privacy laws.

3. Infrastructure Security

We leverage enterprise-grade cloud infrastructure providers with robust security certifications and practices:

3.1 Cloud Security

  • Hosting on major cloud platforms with SOC 2, ISO 27001, and PCI DSS compliance
  • Geographic redundancy and high-availability architecture
  • DDoS protection and traffic filtering
  • Network segmentation and isolated environments

3.2 Physical Security

Our physical office and data centers implement 24/7 security personnel and surveillance, biometric and badge access controls, environmental controls, and secure disposal procedures.

3.3 Network Security

  • Enterprise-grade firewalls with intrusion detection/prevention systems (IDS/IPS)
  • Virtual Private Networks (VPN) for remote access
  • Network monitoring and anomaly detection
  • Regular penetration testing and vulnerability scanning

4. Encryption Standards

We employ strong encryption to protect data throughout its lifecycle:

4.1 Encryption in Transit

  • TLS 1.3: All data transmitted between clients and our services uses Transport Layer Security (TLS) version 1.3
  • HSTS: HTTP Strict Transport Security enforced to prevent downgrade attacks
  • Secure Email: TLS encryption for all email communications containing sensitive information

4.2 Encryption at Rest

  • AES-256: Advanced Encryption Standard with 256-bit keys for stored data
  • Database Encryption: Transparent Data Encryption (TDE) for database files
  • File-Level Encryption: Encrypted storage for documents and attachments
  • Backup Encryption: All backups encrypted before transmission to storage

4.3 Key Management

  • Hardware Security Modules (HSM) for key protection
  • Regular key rotation according to industry best practices
  • Segregation of duties between key custodians
  • Secure key generation and distribution procedures

5. Access Controls

We implement comprehensive access control measures to ensure only authorized personnel can access sensitive data:

5.1 Identity and Access Management

  • Principle of Least Privilege: Users receive only the minimum access necessary for their role
  • Role-Based Access Control (RBAC): Access permissions based on job functions
  • Regular Access Reviews: Quarterly reviews of user access rights
  • Automated Provisioning/Deprovisioning: Immediate access revocation upon termination

5.2 Authentication

  • Multi-Factor Authentication (MFA): Required for all internal systems
  • Strong Password Policy: Minimum complexity requirements
  • Single Sign-On (SSO): Centralized authentication

5.3 Audit Logging

  • Comprehensive logging of access to sensitive systems and data
  • Immutable audit trails with centralized collection
  • Real-time alerting for anomalous access patterns

6. Security Monitoring

We maintain 24/7 security monitoring to detect and respond to potential threats:

6.1 Security Operations

  • Security Information and Event Management (SIEM) platform
  • Automated threat detection and correlation rules
  • User and Entity Behavior Analytics (UEBA) for anomaly detection
  • Integration with threat intelligence feeds

6.2 Continuous Monitoring

  • Real-time monitoring of critical systems and networks
  • File integrity monitoring (FIM) for critical configuration files
  • Endpoint Detection and Response (EDR) on all corporate devices

7. Vulnerability Management

We maintain a proactive vulnerability management program:

7.1 Vulnerability Scanning

  • Automated vulnerability scanning of all systems and applications
  • Continuous scanning of internet-facing assets
  • Monthly internal network vulnerability assessments

7.2 Penetration Testing

  • Annual third-party penetration testing by qualified security firms
  • Scope includes web applications, APIs, networks, and social engineering
  • Remediation of critical and high findings within defined timeframes

7.3 Patch Management

  • Automated patch deployment for critical security updates
  • Remediation targets by severity: critical vulnerabilities within 48 hours, high vulnerabilities within 7 days, medium/low vulnerabilities within 30 days

8. Backup and Recovery

We maintain comprehensive data protection and business continuity capabilities:

8.1 Data Backup

  • Automated daily backups of all critical data and systems
  • Geographic redundancy with copies stored in multiple locations
  • Immutable backups protected from ransomware and deletion
  • Encryption of all backup data at rest and in transit

8.2 Disaster Recovery

  • Documented Disaster Recovery (DR) plans with defined RTO and RPO
  • Regular DR plan testing and tabletop exercises
  • Hot standby capabilities for critical services

9. Incident Response

We maintain a comprehensive Incident Response program:

  • Preparation: Training, tools, and procedures for incident handling
  • Identification: Detection and initial assessment of security events
  • Containment: Short-term and long-term containment strategies
  • Eradication: Removal of threats and root cause analysis
  • Recovery: Restoration of systems and verification of security
  • Lessons Learned: Post-incident review and improvement

10. Third-Party Security

We carefully evaluate and monitor the security practices of our vendors and service providers:

  • Security questionnaires and due diligence before vendor onboarding
  • Review of vendor security certifications (SOC 2, ISO 27001, etc.)
  • Security requirements included in vendor contracts
  • Periodic re-assessment of vendor security posture

11. Regulatory Compliance

Our security program supports compliance with applicable regulations:

  • General Data Protection Regulation (GDPR) for EU/EEA data subjects
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Annual internal security audits
  • Third-party security assessments

12. Security Awareness

We invest in ongoing security training for all team members:

  • Security awareness training during onboarding
  • Annual refresher training for all employees
  • Role-specific security training for developers and administrators
  • Phishing simulation exercises

13. Reporting Security Issues

We encourage responsible disclosure of security vulnerabilities:

If you believe you have discovered a security vulnerability in our systems:

  • Email us at info@holdings4j.com with subject "Security Disclosure"
  • Provide detailed information about the vulnerability
  • Allow reasonable time for us to address the issue before public disclosure
  • Do not access, modify, or delete data that does not belong to you

We will acknowledge receipt of vulnerability reports within 72 hours and will not pursue legal action against researchers following responsible disclosure.

14. Contact Information

For security-related questions, concerns, or to report potential security issues:

4J Holdings LLC
1209 Mountain Road Pl NE Ste R
Albuquerque, NM 87110
United States

Email: info@holdings4j.com
Subject Line: "Security Inquiry" or "Security Disclosure"