Security & Data Handling

Purpose and Scope

This Security and Data Handling Framework establishes the principles, controls, and practices governing the protection of information processed, stored, or transmitted through SpaceBilt’s websites, including corporate, investor relations, and related digital platforms.

This framework applies to:

  • Public-facing websites and investor relations portals
  • Data submitted by visitors, investors, analysts, partners, and suppliers
  • Website infrastructure operated by SpaceBilt or authorized service providers

It does not authorize the storage or transmission of classified information.

Security Governance and Standards Alignment

SpaceBilt aligns its website security posture with recognized industry and government standards, including where applicable:

  • NIST Cybersecurity Framework (CSF)
  • NIST SP 800-53 / 800-171 (as applicable to controlled environments)
  • ISO/IEC 27001 principles
  • DFARS 252.204-7012 (where flow-down applies)
  • SEC cybersecurity disclosure expectations (for investor-facing systems)

Security controls are implemented using a risk-based approach appropriate to the sensitivity of data handled by public and investor-facing websites.

Data Classification and Handling

All information associated with the website is handled according to the following data categories:

  • Public Information
    • Corporate descriptions, press releases, filings, and marketing content
    • Handling: No restrictions beyond integrity and availability controls.

  • Business Contact Information
    • Names, titles, email addresses, and institutional affiliations
    • Handling: Access limited to authorized personnel; encrypted in transit; retained per policy.

  • Investor Relations Communications
    • Analyst inquiries, webcast registrations, subscription data
    • Handling: Protected against unauthorized access; no financial account or identity data stored.

  • Controlled or Sensitive Business Information
    • Internal credentials, administrative logs, security telemetry
    • Handling: Restricted access; encryption at rest and in transit; monitoring enabled.

The website is not intended for submission of ITAR-controlled, EAR-controlled, classified, or export-restricted technical data.

Technical Security Controls

  • Access Control
    • Role-based access control (RBAC) for administrative functions
    • Multi-factor authentication (MFA) for privileged users
    • Least-privilege principles enforced

  • Encryption
    • TLS encryption for data in transit
    • Industry-standard encryption for sensitive data at rest, where applicable

  • Network and Infrastructure Security
    • Secure hosting environments with firewall protection
    • Network segmentation between public-facing systems and internal networks
    • DDoS protection and traffic monitoring

  • Application Security
    • Secure coding practices
    • Regular vulnerability scanning and patch management
    • Protection against common web threats (e.g., OWASP Top 10)

Monitoring, Logging, and Incident Response

  • Continuous monitoring of website availability and security events
  • Logging of administrative access and system activity
  • Defined incident response procedures for suspected or confirmed security events
  • Prompt containment, investigation, and remediation of incidents

Security incidents impacting personal or regulated data are escalated in accordance with internal incident response and legal notification requirements.

Data Retention and Disposal

  • Data is retained only as long as necessary for legitimate business, regulatory, or investor relations purposes
  • Secure disposal methods are used for data no longer required
  • Retention periods align with legal, regulatory, and contractual obligations

Third-Party and Cloud Service Management

Third-party service providers supporting website operations are:

  • Assessed for security capabilities prior to engagement
  • Contractually required to maintain appropriate security controls
  • Restricted from using data for unauthorized purposes

Where cloud services are used, configurations follow industry security benchmarks.

International Operations and Data Transfers

For international visitors and subsidiaries:

  • Data may be processed in the United States or other approved jurisdictions
  • Appropriate safeguards are applied to cross-border data transfers
  • Compliance is maintained with applicable data protection and export control laws

User Responsibilities

Users of the website are responsible for:

  • Providing accurate, non-sensitive information
  • Refraining from submitting proprietary, export-controlled, or classified data
  • Protecting any credentials issued for restricted-access features

Continuous Improvement and Review

This framework is reviewed periodically and updated as necessary to reflect:

  • Evolving cybersecurity threats
  • Regulatory and contractual requirements
  • Changes to website functionality or data handling practices