Privacy Policy

---

Effective Date: November 2025
Version: 0.02
Approved By: John (Chris) Rondthaler, owner of Rondthaler Labs

The purpose of this policy is to define how Rondthaler Labs protects the confidentiality, integrity, and availability of company and client information. This document establishes minimum security requirements for all systems, data, and personnel operating under the rondthaler.dev domain or associated business activities.

This policy applies to:

• All employees, contractors, consultants, and partners working with Rondthaler Labs.
   
• All computing systems, cloud services, virtual machines, and networks used for business or client projects.
   
• All customer, internal, or third-party data handled during consulting, development, or AI/IT lab activities.
   

1. Confidentiality: Access to data is limited to authorized individuals who require it for legitimate business purposes.
    
2. Integrity: Systems are maintained to prevent unauthorized modification of data or code.
    
3. Availability: Services and systems are designed to ensure reliable, continuous access for authorized users.
    
4. Accountability: All users are responsible for adhering to this policy and applicable data protection laws.
    

• Chief Consultant / Owner (currently John Rondthaler) is accountable for overall security governance and compliance.
   
• Technical Staff and Contractors must follow approved procedures when configuring servers, VMs, and client environments.
   
• All Personnel must complete annual security awareness training and immediately report suspected incidents or policy violations.
   

All data within Rondthaler Labs systems shall be classified into one of the following categories:

• Public: Approved for public release (marketing content, website material).
   
• Internal: Business information not intended for external sharing.
   
• Confidential: Client data, project files, or personally identifiable information (PII).
   
• Restricted: Sensitive system credentials, encryption keys, or regulated data (e.g., HIPAA, GDPR-covered data).
   

Confidential and Restricted data must always be encrypted in transit and at rest.

• Access to systems follows the principle of least privilege (PoLP).
   
• All administrative and remote access must use multi-factor authentication (MFA).
   
• Shared credentials are prohibited; each user must have unique, auditable accounts.
   
• Access reviews occur quarterly or at project completion.
   

• All endpoints and servers must run supported operating systems with automatic updates enabled.
   
• Security baselines (firewall, antivirus, patch management) are enforced across all systems.
   
• Production and development environments are separated logically or physically.
   
• Proxmox, pfSense, and Azure environments are secured by role-based access and network segmentation.
   

• Sensitive data is stored on encrypted drives (AES-256 or equivalent).
   
• Off-site or cloud backups are encrypted and tested quarterly.
   
• Client data retention follows project contracts; data is deleted securely upon project closure or client request.
   

• VLAN segmentation is applied across lab and production networks.
   
• Firewalls and intrusion detection are configured to monitor traffic.
   
• Wireless networks use WPA3 or stronger encryption.
   
• Remote connections must occur via VPN or encrypted SSH only.
   

Rondthaler Labs commits to responsible AI practices:

• No client or end-user data is used to train AI models without explicit written consent.
   
• AI systems are documented to ensure transparency of data flow and model behavior.
   
• All datasets used for experimentation are anonymized and stored under secure project folders.
   

• Any suspected breach, data loss, or unauthorized access must be reported within 1 hour of discovery.
   
• An internal incident response lead will evaluate scope, contain impact, and document findings.
   
• Clients affected by a verified incident will be notified promptly per contract terms and applicable law.
   

• Vendors with access to Rondthaler Labs systems or client data must sign confidentiality agreements and demonstrate adequate security controls.
   
• Cloud services (e.g., Azure, GitHub, OpenAI API) are used under least-privilege configurations.
   

Rondthaler Labs aligns its security practices with the following frameworks where applicable:

• NIST Cybersecurity Framework (CSF)
   
• ISO 27001:2022 Information Security Management System principles
   
• GDPR and CCPA for applicable client data
   

This policy is reviewed at least annually or after major system or organizational changes. Improvement recommendations are documented and tracked to closure.

Questions or reports related to this policy should be directed to:
Security Office -- Rondthaler Labs
📧 security@rondthaler.dev