Document Owner: CEO/CTO
Last Updated: October 21, 2025
Review Frequency: Annually
1. Purpose
This document outlines Kino AI's information security policies and procedures to protect company and customer data from unauthorized access, disclosure, modification, or destruction.
2. Scope
These policies apply to all Kino AI employees, contractors, and systems that process, store, or transmit company or customer data.
3. Access Control
3.1 Multi-Factor Authentication (MFA)
- MFA with biometric verification is required for all employee access to company systems
- MFA must be enabled on all accounts with access to customer data
- Biometric authentication (fingerprint, Face ID) is the preferred second factor
3.2 Least-Privilege Access
- Employees are granted only the minimum access necessary for their role
- Access to customer data requires explicit authorization from the CEO/CTO
- Access rights are reviewed quarterly and upon role changes
3.3 Password Management
- Passwords must meet complexity requirements (minimum 12 characters, with a mix of upper- and lower-case letters, numbers, and special characters)
- Passwords must be updated every 90 days, as enforced by the internal password rotation system
- Password managers are required for storing credentials