Written Information Security Policy
Adopted by: Torque.ai Incorporated (d/b/a RunTorque)
Approved by: Perry Wolfe, Chief Executive Officer
Next review: June 1, 2027 (annual review required)
1. Purpose & Scope
This Written Information Security Policy (“WISP”) establishes the administrative, technical, and physical safeguards that Torque.ai Incorporated, a Delaware corporation operating as RunTorque (“the Company”), maintains to protect nonpublic personal information (“NPI”) and consumer report information in accordance with:
- The Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) and its Safeguards Rule (16 C.F.R. Part 314)
- The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.)
- State data protection laws including the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), the Texas Identity Theft Enforcement and Protection Act, and the New York SHIELD Act
This WISP applies to all employees, contractors, vendors, and other agents of the Company who access, store, transmit, or process NPI on behalf of the Company.
2. Information Security Coordinator
The Company designates the Chief Executive Officer, Perry Wolfe, as the Information Security Coordinator responsible for implementing and supervising this WISP. Until such time as a dedicated security officer is appointed, the Coordinator’s duties include:
- Overseeing the information security program
- Conducting risk assessments at least annually
- Supervising service providers
- Evaluating and adjusting the program in light of testing, monitoring, material changes to operations, or other circumstances reasonably expected to materially impact the program
- Reporting at least annually to senior management and the board of directors on the overall status of the program and material matters related to it
3. Information Covered
The Company collects, processes, and stores the following categories of nonpublic personal information about consumers and counterparties:
- Identity information: name, address, date of birth, Social Security number, government identification numbers, email address, phone number
- Financial information: income, employment history, bank account information, credit reports and scores, debt obligations
- Transaction information: credit application data, loan terms, payment history, vehicle and collateral information
- Authentication information: passwords, multi-factor authentication tokens, session data
4. Risk Assessment
The Company conducts a formal information security risk assessment at least annually, and additionally upon material changes to systems, vendors, or operations. Risk assessments evaluate:
- Reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of NPI
- The sufficiency of existing safeguards to control identified risks
- Risks in employee training and management
- Risks in information systems, including network and software design, information processing, storage, transmission, and disposal
- Risks from detecting, preventing, and responding to attacks, intrusions, and other system failures
Results of each risk assessment are documented and retained for no less than six (6) years.
5. Administrative Safeguards
5.1 Access Controls
- Access to NPI is granted on a strict least-privilege basis. Each user receives only the access necessary to perform their job function.
- All access is authenticated through individually-assigned credentials. Shared accounts are prohibited.
- Multi-factor authentication is required for all administrative access, all access to production systems, and all access to NPI in bulk.
- Access is reviewed and certified by the Information Security Coordinator at least quarterly.
- Access is revoked within twenty-four (24) hours of termination, transfer, or change in role.
5.2 Personnel Security
- All personnel with access to NPI complete information security awareness training prior to receiving access, and at least annually thereafter.
- Personnel sign confidentiality agreements that survive termination.
- Background checks are conducted on all personnel with access to production systems or NPI.
5.3 Vendor Management
- The Company maintains a register of all third-party service providers with access to NPI.
- Each service provider undergoes a security review prior to engagement, including verification of SOC 2 Type II, ISO 27001, or equivalent attestation where appropriate.
- All service providers are bound by written agreements containing confidentiality, security, and breach notification provisions.
- Service provider security is reassessed at least annually.
6. Technical Safeguards
6.1 Encryption
- In transit: All NPI transmitted over public networks is protected with TLS 1.2 or higher.
- At rest: All NPI stored in the Company’s database (Supabase / PostgreSQL) is encrypted at rest using AES-256.
- Backups: All backups containing NPI are encrypted using equivalent strength.
- Sensitive identifiers: Social Security numbers, full government ID numbers, and bank account credentials are never stored in cleartext. Where retention is necessary, values are encrypted with application-layer encryption or stored as one-way hashes.
6.2 Network Security
- Production systems are protected by network-level access controls and firewall policies.
- The Company employs row-level security (RLS) policies in the database to enforce data isolation between organizations (dealers, lenders, consumers, and administrative tenants).
- All API endpoints require authentication. Endpoints handling NPI require both authentication and authorization checks at the application layer.
- Webhook endpoints validating inbound data from external systems verify HMAC signatures or equivalent cryptographic authentication.
6.3 Application Security
- Code is reviewed prior to deployment to production.
- Dependencies are monitored for known vulnerabilities and patched on a defined cadence.
- Secrets, including API keys and database credentials, are stored in environment variable management systems and never committed to source control.
6.4 Logging & Monitoring
- The Company maintains an immutable audit log (the
rt_eventstable) recording all material actions on consumer applications: status changes, decisions, document accesses, credit pulls, consents, and communications. - FCRA permissible-purpose declarations are recorded for every consumer report access.
- Logs are retained for no less than six (6) years from the date of the event or from the date the underlying account is closed, whichever is later.
7. Physical Safeguards
- The Company operates a cloud-native, distributed workforce model. No NPI is stored on local workstations or removable media.
- Personnel devices used to access NPI are configured with full-disk encryption, screen-lock policies, and current operating system security updates.
- Physical destruction of legacy storage media containing NPI follows NIST 800-88 guidance.
8. Incident Response
The Company maintains documented procedures for responding to information security incidents, including suspected or confirmed unauthorized access to or acquisition of NPI. The incident response procedure provides for:
- Detection and reporting of incidents
- Investigation and containment
- Eradication and recovery
- Notification to affected consumers, regulators (including state attorneys general, the FTC, and applicable state Departments of Banking), and law enforcement as required by applicable law
- Notification to affected service providers and counterparties
- Post-incident review and remediation
Notifications to affected consumers are made without unreasonable delay and within the timeframes required by applicable state law.
9. Consumer Reports and FCRA Compliance
The Company is a “user of consumer reports” as defined by the Fair Credit Reporting Act. Accordingly:
- The Company obtains consumer reports only for permissible purposes documented at the time of access (15 U.S.C. § 1681b).
- Consumer consent for credit inquiries is captured and stored in an auditable form, including a cryptographic hash of the disclosure language presented to the consumer, the consent version, IP address, and timestamp.
- The Company generates and delivers adverse action notices in accordance with FCRA § 615 and ECOA / Regulation B § 1002.9 within thirty (30) days of an adverse decision communicated to it by a lender.
- Risk-based pricing notices are issued in accordance with Regulation V § 1022.72 where applicable.
- The Company maintains a process for handling consumer disputes regarding the accuracy of information provided to or received from consumer reporting agencies.
10. Training
All personnel with access to NPI complete information security training:
- Upon initial engagement
- Annually thereafter
- Upon material changes to systems or policies
Training content includes:
- Recognition of phishing and social engineering
- Password and credential management
- Acceptable use of Company systems
- Incident reporting obligations
- FCRA, GLBA, and applicable state privacy law obligations
11. Testing & Monitoring
- The Information Security Coordinator periodically tests the effectiveness of safeguards through manual review, automated tooling, and engagement of third-party assessors as appropriate.
- The Company intends to achieve SOC 2 Type II attestation within twelve (12) months of platform launch.
- Material findings are documented and remediated on a defined timeline.
12. Disposal
- NPI is retained only as long as necessary to fulfill the purpose for which it was collected and to satisfy applicable legal retention requirements.
- Disposal procedures follow the FTC’s Disposal Rule (16 C.F.R. Part 682) and require that NPI be rendered unreadable or undecipherable through appropriate means.
13. Annual Review
This WISP is reviewed by the Information Security Coordinator at least annually and updated as needed to reflect changes in technology, business operations, threats, and applicable law. The next scheduled review is June 1, 2027.
14. Document Control
This is version 1.0 of the Torque.ai Incorporated Written Information Security Policy. The authoritative copy is maintained by the Information Security Coordinator. Copies may be requested by service providers, regulators, partners, and other counterparties through compliance@runtorque.ai.
Approved this 1st day of June, 2026.
____________________________________
Perry Wolfe, Chief Executive Officer
Torque.ai Incorporated
Torque.ai Incorporated · Delaware C-Corporation
800 N. King Street, Suite 304, Wilmington, DE 19801 · operating as RunTorque