Skip to main content

Legal

Security

Review Color Card Administrator terms of service covering acceptable use, service scope, customer responsibilities, and legal conditions for website visitors and enterprise buyers.

Effective date: March 7, 2026 Applies to website visitors and enterprise inquiries
privacy-policy terms-of-service gdpr-policy data-retention-policy compliances security users-agreement cookie-policy

PLEASE REVIEW THIS SECURITY POLICY CAREFULLY

PURPOSE

This Security Policy defines the administrative, technical, and organizational safeguards implemented by Color Card Administrator (CCA) to protect information assets and support the confidentiality, integrity, and availability of systems and data.

The policy is designed to:


  • Support enterprise customer security expectations
  • Align with applicable data protection and security laws
  • Reduce the risk of unauthorized access, disclosure, alteration, or loss
  • Establish clear internal accountability and governance


This policy is risk based and proportionate to CCAs size, services, and operational complexity.

ORGANIZATION INFORMATION

Company Name: Color Card Administrator, Inc. (CCA)
Company Type: Privately held
Headquarters:
7898 Ostrow Street, Suite E
San Diego, CA 92111
United States
Services: Business card printing, management software, and related digital services

SCOPE

This policy applies to:

  • All CCA employees, contractors, consultants, and temporary personnel
  • All CCA owned or CCA managed systems, networks, applications, and infrastructure
  • All information processed, stored, or transmitted by CCA systems
  • All customer data processed on behalf of clients
    This policy does not override contractual agreements, Data Processing Agreements (DPAs), or customer specific security addenda.


POLICY PRINCIPLES

CCAs security program is guided by the following principles:

  • Confidentiality: Prevent unauthorized access to data
  • Integrity: Prevent unauthorized alteration or destruction of data
  • Availability: Maintain reliable access to systems and services
  • Accountability: Ensure actions are attributable and auditable
  • Least Privilege: Access limited to what is required
  • Defense in Depth: Layered safeguards rather than single controls


NO OVERSTATEMENT & NO GUARANTEE STATEMENT


  • CCA does not guarantee absolute security.
  • No system is immune from all threats.
  • References to ISO 27001, SOC 2, NIST, or CJIS are framework alignments only unless a formal certification or audit report is explicitly provided.
  • Security controls are implemented based on commercially reasonable and risk appropriate standards.


SECURITY GOVERNANCE & ACCOUNTABILITY

SECURITY OWNERSHIP

CCA assigns responsibility for information security oversight to designated management personnel. Responsibilities include:

  • Policy maintenance
  • Risk assessment
  • Incident coordination
  • Vendor security oversight


SEGREGATION OF DUTIES

CCA implements reasonable separation of:

  • Administrative vs. standard user access
  • Development vs. production environments
  • Approval vs. implementation activities


Where full separation is not feasible due to company size, compensating controls (logging, review, management approval) are applied.

POLICY EXCEPTIONS

Security exceptions require:

  • Documented justification
  • Risk assessment
  • Management approval
  • Defined review or expiration date


RISK MANAGEMENT

CCA maintains a risk based security approach, including:

  • Identification of critical systems and data
  • Periodic risk assessment
  • Tracking of remediation actions
  • Review following material system or business changes


DATA MINIMIZATION

CCA limits:

  • Data collection
  • Data access
  • Data retention

to what is necessary for business operations, legal obligations, and contractual requirements.

DATA RETENTION & DISPOSAL

Data is retained only as long as required and securely deleted or anonymized when no longer needed.

IDENTITY & ACCESS MANAGEMENT

ACCESS CONTROL


  • Access is granted on a least privilege and need to know basis
  • Access approval is required prior to provisioning
  • Shared user accounts are prohibited except for controlled service accounts


AUTHENTICATION


  • Strong authentication is required for system access
  • Multi factor authentication (MFA) is used where supported, especially for:
    o Administrative access
    o Remote access
  • Credentials must be protected and never shared


ACCESS REVIEWS

Privileged and sensitive access is reviewed periodically and adjusted as needed.

ENCRYPTION & KEY MANAGEMENT

ENCRYPTION IN TRANSIT

Data transmitted over public or untrusted networks is encrypted using industry standard protocols (e.g., TLS/HTTPS).

ENCRYPTION AT REST

Sensitive and restricted data is encrypted at rest where feasible and appropriate to risk.

KEY MANAGEMENT

Encryption keys are:

  • Access restricted
  • Protected from unauthorized disclosure
  • Rotated or replaced based on risk and system capability


SECURE DEVELOPMENT


  • Source code access is limited to authorized personnel
  • Changes are logged and reviewable
  • Production changes are approved, tested
  • Development and production environments are separated where feasible


VULNERABILITY & PATCH MANAGEMENT

CCA maintains vulnerability management practices including:

  • Monitoring for known vulnerabilities
  • Timely application of critical patches
  • Remediation tracking
  • Validation of fixes


LOGGING, MONITORING & AUDITABILITY


  • Systems generate logs for security relevant events
  • Logs are protected against unauthorized modification
  • Log access is restricted
  • Logs are reviewed on a risk based schedule
  • Log retention is defined based on system capability and contractual requirements


NETWORK & INFRASTRUCTURE SECURITY

CCA applies reasonable safeguards including:

  • Firewalls and network controls
  • Secure configuration baselines
  • Segmentation where appropriate
  • Controlled remote access


INCIDENT RESPONSE & BREACH MANAGEMENT

CCA maintains an incident response process to:

  • Detect and assess security incidents
  • Contain and mitigate impact
  • Restore services
  • Notify affected parties when required by law or contract


CCA does not guarantee prevention of all incidents but commits to timely and appropriate response.

BUSINESS CONTINUITY & BACKUP

CCA maintains:

  • Backup processes
  • Recovery procedures
  • Reasonable continuity measures based on service criticality


PRIVACY ALIGNMENT

CCA acts as:

  • Data Controller for account and website data
  • Data Processor for customer data processed on behalf of clients


Security controls apply to both roles and align with the Privacy Policy

CUSTOMER RESPONSIBILITIES

Customers are responsible for:

  • Data they upload or designate as regulated (e.g., CJIS)
  • User access management within customer controlled features
  • Credential protection for their users


ENFORCEMENT

Violations of this policy may result in disciplinary action up to and including termination of employment or contract.

POLICY REVIEW & UPDATES

This policy is reviewed:

  • At least annually
  • Upon significant system, legal, or business changes

CONTACT INFORMATION

Color Card Administrator, Inc.
7898 Ostrow Street, Suite E
San Diego, CA 92111
United States
Click Here to contact us.