Secuity Policy

Effective Date: February 27, 2026
Last Updated: February 27, 2026

This Security Policy (the "Policy") is issued by Inspyrd Inc ("Inspyrd," "Company," "we," "us," or "our") and describes the administrative, technical, physical, and organizational safeguards applied to protect systems and data associated with our website operations and related digital services.

This Policy is intended to provide a formal statement of security governance and control allocation, including the use of third-party infrastructure and platform providers. This Policy should be read together with applicable contractual terms, privacy notices, data processing agreements, and incident response procedures.

1. Purpose and Scope

1.1 Purpose

The purpose of this Policy is to:

Define Inspyrd’s security governance framework;

Identify technical and organizational controls used to protect confidentiality, integrity, and availability;

Clarify security responsibilities across Inspyrd and relevant third-party service providers;

Establish security reporting, incident handling, and review mechanisms.

1.2 Scope

This Policy applies to:

Inspyrd-managed administrative processes and internal operational controls;

Digital properties operated by Inspyrd on third-party platforms;

Domain registration and DNS management arrangements used for Inspyrd-operated websites;

Vendors and subprocessors engaged to support website operation, communications, and security.

This Policy does not supersede mandatory legal obligations, contractual obligations, or provider-specific terms of service.

2. Security Governance and Accountability

Inspyrd maintains governance measures designed to support ongoing risk-based security management, including:

Security policy administration and periodic review;

Role-based accountability for operational and security functions;

Access governance and authorization oversight;

Incident response planning and escalation controls;

Vendor and third-party risk management procedures;

Records retention practices supporting legal and compliance obligations.

Security controls are selected and maintained based on risk, operational necessity, legal requirements, and proportionality to the nature of the systems and data processed.

3. Shared Responsibility Model

Inspyrd utilizes third-party service providers for domain, DNS, and website platform functions. Security obligations are therefore distributed under a shared responsibility model: Policy governance, account-level security configuration, user access control, credential hygiene, lawful processing, configuration oversight, and incident coordination. Infrastructure and service controls associated with domain registration and DNS platform operation, subject to provider terms, product features, and customer account configuration. Platform and hosting-layer controls for sites operated on GHL, including platform security architecture, service availability controls, and provider-managed infrastructure protections, subject to provider terms and service tier. Where provider functionality is optional or configurable, security outcomes may depend on account-level enablement and proper administration by Inspyrd.

4. Infrastructure and Service Context

4.1 Domain Registration and DNS Management

Inspyrd domain registrar and DNS management functions are managed through GoDaddy. This includes registrar-level domain administration and DNS record publication/control for applicable domains.

4.2 Website Platform and Hosting

Inspyrd websites are operated on GHL (GoHighLevel) as the website platform environment. Accordingly, platform-layer availability, server-side controls, and associated hosted service protections are implemented through the GHL environment and its underlying infrastructure arrangements.

4.3 Legal Clarification of Provider Reliance

Because core technical infrastructure is provided by third parties, Inspyrd does not represent that all controls are directly implemented by Inspyrd at the infrastructure layer. Inspyrd’s security commitments include provider selection, account security configuration, contractual diligence, and operational oversight consistent with this Policy.

5. Security Controls Related to The Registrar

For registrar and DNS functions managed through GoDaddy, relevant security protections generally include provider-controlled and account-configurable capabilities such as:

Registrar account authentication controls;

Administrative account access controls and recovery workflows;

DNS management interface protections;

Domain lifecycle protections (renewal, transfer, administrative safeguards);

Provider-managed platform monitoring and availability mechanisms.

5.1 Inspyrd Control Commitments for GoDaddy-Managed Assets

Inspyrd commits to commercially reasonable measures for registrar/DNS account security, including:

Limiting registrar and DNS administrative access to authorized personnel;

Applying strong credential management and authentication practices;

Maintaining least-privilege principles for DNS and domain operations;

Reviewing DNS records and domain settings for operational integrity;

Promptly investigating suspected unauthorized domain or DNS changes.

5.2 DNS Security Limitations

DNS-layer security effectiveness is contingent on provider platform controls, availability of specific security features, account configuration choices, and proper operational administration. Inspyrd will use reasonable efforts to enable available protections appropriate to risk and operational requirements.

6. Security Controls Related to GHL (Website Platform)

For websites operated on GHL, security controls generally involve provider-managed platform and hosting protections, which may include:

Managed hosting and infrastructure security operations;

Environment hardening and service-layer security controls;

Availability and resilience mechanisms at platform level;

Monitoring and operational safeguards applied by the platform;

Access and configuration controls available within customer tenant settings.

6.1 Inspyrd Control Commitments for GHL-Hosted Properties

Inspyrd commits to commercially reasonable measures within the GHL tenant/control plane, including:

Restricting administrative access to authorized users;

Configuring available security settings appropriate to business risk;

Managing user lifecycle events (provisioning, role changes, deprovisioning);

Reviewing site configuration changes and published assets;

Coordinating with platform support channels for suspected security events.

6.2 Platform Security Clarification

GHL platform security capabilities are governed by provider architecture, service terms, and feature availability. Inspyrd does not warrant that every control is independently auditable by Inspyrd where infrastructure is fully provider-managed; however, Inspyrd will maintain reasonable oversight of provider trust documentation and service updates relevant to security posture.

7. Access Control and Identity Security

Inspyrd applies access governance principles intended to reduce unauthorized access risk:

Role-based access allocation where feasible;

Least-privilege and need-to-know assignment practices;

Credential management standards and periodic access review;

Timely removal or adjustment of access upon role changes;

Segregation of administrative and operational responsibilities where practicable.

Where available in provider environments, additional authentication controls are enabled in accordance with risk and operational feasibility.

8. Configuration Management and Change Oversight

Inspyrd maintains controls designed to reduce configuration-related risk, including:

Structured review of material domain/DNS changes;

Controlled publication workflows for website changes;

Administrative accountability for security-relevant configuration updates;

Logging and recordkeeping of significant administrative actions where available.

Change execution may include provider-managed tooling and related audit capabilities.

9. Encryption and Data Protection Controls

Inspyrd requires commercially reasonable safeguards for data protection in transit and at rest, taking into account third-party platform architecture. In environments under provider management, encryption controls may be implemented at provider layer and governed by provider service design.

Inspyrd additionally applies data minimization and purpose limitation principles in line with applicable privacy documentation and legal requirements.

10. Logging, Monitoring, and Security Detection

Security monitoring is implemented through a combination of provider-level capabilities and Inspyrd operational oversight. Depending on service context, this may include:

Account activity visibility and administrative event tracking;

Service notifications and provider alert channels;

Investigation workflows for anomalous behavior and unauthorized access indicators;

Escalation procedures to provider support and internal stakeholders.

The depth and granularity of logs may vary based on provider features and service tier.

11. Vulnerability and Risk Management

Inspyrd applies a risk-based approach to vulnerability and security issue management, including:

Monitoring security advisories and service communications from relevant providers;

Assessing potential impact to Inspyrd-managed assets and configurations;

Implementing risk treatment actions proportionate to severity and exploitability;

Tracking remediation progress and validating closure where feasible.

For provider-managed infrastructure vulnerabilities, remediation timelines and technical implementation may depend on provider action.

12. Incident Response and Notification

12.1 Incident Handling

Inspyrd maintains incident response procedures for suspected or confirmed security events, including:

Triage and classification of reported events;

Containment and risk mitigation actions;

Coordination with affected providers (including GoDaddy and/or GHL, as applicable);

Documentation, root-cause analysis (where feasible), and corrective measures.

12.2 Notification

Where legally or contractually required, Inspyrd will provide notices of qualifying incidents to affected parties and/or competent authorities within applicable timeframes.

Where incident facts depend on provider-controlled systems, notification timelines may incorporate dependency on provider confirmation and forensic outputs.

13. Business Continuity and Operational Resilience

Inspyrd supports resilience objectives through operational planning and provider-reliant continuity capabilities. Given the platform model used for website operations, continuity outcomes may rely substantially on provider-level redundancy, availability architecture, and recovery procedures.

Inspyrd will take commercially reasonable measures to maintain continuity planning proportional to service criticality.

14. Vendor and Subprocessor Oversight

Inspyrd conducts reasonable diligence and oversight for material third-party providers supporting website and security operations, which may include:

Review of provider security representations and trust materials;

Contractual terms addressing confidentiality and security obligations;

Ongoing review of material service or security changes communicated by providers;

Escalation and reassessment processes where significant risk changes are identified.

Provider participation does not eliminate Inspyrd’s governance obligations, and Inspyrd retains accountability for its own administrative and configuration controls.

15. User and Customer Security Responsibilities

Where users interact with appointment, waitlist, or communication workflows, users are expected to adopt reasonable security practices, including protecting device access and avoiding disclosure of sensitive credentials.

Enterprise or partner users with delegated administrative access must comply with contractual security obligations and internal access governance requirements.

16. Compliance and Legal Positioning

This Policy is intended to support alignment with applicable legal and regulatory requirements relating to information security, privacy, and incident management. No provision of this Policy shall be interpreted as a guarantee of absolute security.

Security controls are risk-based and evolve over time. Control operation may vary by provider capabilities, subscription tier, legal requirements, and operational constraints.

17. Limitations and No Absolute Warranty

While Inspyrd uses commercially reasonable safeguards, no transmission channel, platform, hosting environment, registrar service, or DNS system can be guaranteed to be fully secure or uninterrupted at all times.

Inspyrd disclaims, to the maximum extent permitted by law, any representation of infallibility regarding third-party infrastructure and services not solely controlled by Inspyrd.

18. Policy Review, Amendments, and Version Control

Inspyrd may update this Policy periodically to reflect legal, operational, contractual, and technical changes, including modifications to provider relationships or security capabilities.

Material updates will be published through appropriate channels. The "Last Updated" date above identifies the most recent revision.

19. Security Contact and Reporting

Security inquiries, risk disclosures, and incident-related communications may be directed to:

Inspyrd Inc
Attn: Security and Privacy Office
Email: [email protected]
Alternate Privacy Contact: [email protected]
Mailing Address:

If you report a potential vulnerability, please provide sufficient technical detail to support triage and validation.

20. Interpretation and Precedence

This Policy is drafted in English. Where translated versions exist, the English version controls unless mandatory local law provides otherwise.

In the event of conflict between this Policy and binding contractual terms with enterprise customers, the contractual terms govern to the extent of conflict.

By using Inspyrd Services, you acknowledge this Policy and the shared-responsibility security model described herein, including the role of GoDaddy for registrar/DNS management and GHL for site platform operations.