Leadermind Information Security Policy

Leadermind provides behavioural insights on executive leaders so professional investors can make better equity decisions with confidence. This Information Security Policy summarises how Leadermind protects information assets that support our products and services.

1. Purpose and Scope

This policy establishes the principles and controls Leadermind uses to safeguard information against unauthorized access, use, disclosure, alteration, or destruction. It applies to:

All Leadermind employees, contractors, and third-party service providers with access to Leadermind systems or data.

All environments where Leadermind data is processed, stored, or transmitted, including production, development, and backup infrastructure.

2. Governance and Risk Management

Leadermind maintains a formal information security program overseen by executive leadership and a designated security owner.

Security policies and procedures are documented, reviewed at least annually, and updated as needed.

Periodic risk assessments evaluate threats to confidentiality, integrity, and availability of data and inform control selection and prioritization.

Roles and responsibilities for security, privacy, and incident response are clearly defined and communicated.

3. Data Classification and Handling

Leadermind classifies data to ensure consistent protection based on sensitivity:

  • Public Data—publicly available information (e.g., transcripts, filings) and derived insights suitable for general distribution.
  • Internal Data—operational information not intended for public release (e.g., process documentation, non-sensitive logs).
  • Confidential Data—client account information, usage details, optional uploaded datasets, and security-relevant system information.

Handling requirements include:

Confidential Data is accessed only on a need-to-know basis, stored in approved systems, and transmitted via encrypted channels.

Client Confidential Data is logically separated by organization and is not used for marketing or trading purposes.

4. Access Control and Authentication

Leadermind enforces least-privilege, role-based access control for all systems that store or process data.

Unique user accounts are required; shared credentials are prohibited.

Strong authentication is required for administrative access and is available for client accounts.

Access requests, approvals, changes, and removals are documented and executed promptly, especially for role changes or departures.

5. Technical Security Controls

Leadermind implements layered technical safeguards to protect information:

Encryption—all external connections use HTTPS/TLS; data at rest in production databases and backups is encrypted using industry-standard algorithms.

Network Security—access to production systems is restricted through firewalls, security groups, and secure management interfaces.

Endpoint Protection—company-managed devices used to access production or Confidential Data follow baseline standards (e.g., disk encryption, patched operating systems).

Logging and Monitoring—security-relevant events (authentication attempts, permission changes, configuration modifications) are logged and monitored for anomalous activity.

6. Secure Development and Change Management

Leadermind’s development practices are designed to protect data and model integrity:

Source code is maintained in version-controlled repositories with restricted access.

Changes follow a defined process including peer review, automated testing where feasible, and approval before deployment.

Production deployments use controlled pipelines; changes are tracked and, where material, documented in release notes.

Security issues identified in code or dependencies are triaged and remediated according to severity.

7. Third‑Party and Cloud Security

Leadermind relies on vetted third-party providers for hosting and ancillary services.

Vendors with access to Confidential Data or production environments are evaluated for security posture and contractual commitments, including data-protection terms.

Data processing locations and subprocessors are documented and made available to clients upon request.

Access by vendors is limited to what is necessary to provide their service and is subject to monitoring and revocation.

8. Incident Response and Business Continuity

Leadermind maintains documented procedures for security incidents and service disruptions.

Incidents are logged, triaged, contained, investigated, and remediated in a structured manner.

When required by contract or law, affected clients are notified without undue delay, along with relevant details and recommended actions.

Data is backed up regularly; recovery procedures are tested periodically to support continuity of service.

9. Employee Responsibilities and Training

All personnel with access to Leadermind systems or data are required to:

Acknowledge and comply with information security and acceptable-use policies.

Complete security awareness training on topics such as phishing, password hygiene, and data handling.

Report suspected security incidents or policy violations promptly through designated channels.

10. Policy Review and Client Engagement

This Information Security Policy is reviewed at least annually and whenever significant changes occur in technology, regulations, or business operations. Leadermind supports client due-diligence and vendor-risk assessments by providing additional documentation under NDA as needed.

Questions regarding this policy or Leadermind’s security programme can be directed to the contact provided in the client portal or through your Leadermind relationship manager.

Leadermind Security & Governance

Leadermind provides behavioral and cognitive insights on executive leaders so professional investors can make better equity decisions with confidence. This Security & Governance overview explains how Leadermind protects client data, structures its controls, and maintains objectivity and methodological rigor for institutional use.

1. Security Principles

Leadermind is designed for institutional investors who operate within strict risk, compliance, and governance frameworks. Security and governance are grounded in the following principles:

  • Confidentiality—client information and usage data are protected against unauthorized access.
  • Integrity—data, scores, and models are safeguarded against unauthorized alteration.
  • Availability—the platform is engineered for resilient, reliable access during critical market workflows.
  • Transparency—methods, limitations, and controls are documented so investment teams can appropriately size and govern Leadermind’s role in their process.

2. Data Scope & Classification

Leadermind primarily processes publicly available information (e.g., earnings-call transcripts, interviews, filings, and other primary-source materials) to generate behavioral and psychometric analytics. Client-specific information falls into three broad categories:

  • Account & access data—user names, business contact details, authentication artefacts.
  • Usage & configuration data—watchlists, portfolios, saved views, custom labels, and workflow settings.
  • Optional client uploads—where enabled, clients may upload or integrate internal identifiers or portfolio files; these are treated as confidential and segregated by client.

Data is classified and handled according to sensitivity, with stricter controls for any client-specific or potentially identifying information.

3. Technical & Organizational Controls

Leadermind maintains layered technical and organizational measures consistent with modern financial-data SaaS expectations:

  • Access control—role-based access, unique accounts, strong authentication, and least-privilege principles for both client users and internal staff.
  • Encryption—encryption in transit (HTTPS/TLS) for all client connections; industry-standard encryption for data at rest in production environments.
  • Environment separation—segregation of development, staging, and production environments, with controlled promotion and change management.
  • Logging & monitoring—security-relevant events (authentication, admin changes, data-export actions) are logged and monitored for anomalous behaviour.
  • Vendor management—critical infrastructure and service providers are evaluated for security posture and contractual safeguards before use.

4. Governance, Risk & Compliance

Leadermind’s security and governance programme is coordinated at the executive level and integrated into product and engineering decision-making. Key practices include:

  • Written policies and training—documented information-security, privacy, and acceptable-use policies; periodic training for staff with access to client or production systems.
  • Risk assessment—periodic reviews of threats, vulnerabilities, and business impact, including data classification and third-party risk.
  • Secure development lifecycle—code review, change approval, and testing standards intended to reduce security vulnerabilities and protect model integrity.
  • Incident response—documented procedures for detecting, triaging, containing, and remediating incidents; client notification obligations are defined in contractual terms.

Where clients require alignment with specific regulatory regimes (e.g., policies supporting their obligations under data-protection, broker-dealer, or asset-management rules), Leadermind works with them to provide the necessary documentation and assurances.

5. Objectivity, Methodology & Model Governance

Because Leadermind’s outputs are used in investment decisions, methodological governance is as important as technical security. Leadermind commits to:

  • Documented methodology—clear, investor-oriented explanations of data sources, psychometric frameworks, modeling approaches, and known limitations of scores and signals.
  • Version control & change logs—tracking and communicating material changes to models or scoring so clients can understand effects on backtests, risk models, and live use.
  • Evidence-based design—reliance on peer-reviewed research, empirical validation, and ongoing outcome analysis rather than undocumented heuristics or “black-box” claims.
  • No hidden incentives—Leadermind does not trade on, monetise, or selectively disclose client usage data or proprietary investment views; analytics are provided as tools, not advice or recommendations.

6. Client Responsibilities & Integration into Governance

Leadermind is one input into a broader research and risk process. Clients remain responsible for:

Integrating Leadermind within their own compliance, model-risk, and investment-committee frameworks.

Managing user access and promptly revoking access for departing staff.

Evaluating Leadermind’s analytics in the context of their portfolio, mandate, and risk tolerance.

Leadermind supports these responsibilities with documentation, audit-ready logs (where contracted), and clear lines of communication for risk, compliance, and technology stakeholders.

7. Contact & Further Information

Additional detail on security architecture, subprocessors, business-continuity planning, and model documentation is available under NDA upon request and may be incorporated into due-diligence questionnaires and vendor-risk reviews.

For security, governance, or due-diligence enquiries, institutional clients can contact their Leadermind representative or reach the security team via the channel provided in the client portal.


LeaderMind.ai – © 2026 All Rights Reserved