1. Executive Summary
This Information Security Policy establishes the strategic framework governing Future Today Inc.'s information security program across all platforms, infrastructure, and environments. It defines the principles, responsibilities, and control domains that protect the confidentiality, integrity, and availability of company information assets.
Future Today operates a hybrid infrastructure spanning cloud environments and production data centres, supporting a growing streaming platform ecosystem. The company's security posture is evaluated through a structured audit and hardening program, with critical and high-priority security tasks completed annually across the Server Security, Network Security, and Application Security domains.
This policy applies organisation-wide and is supported by an ongoing remediation roadmap addressing the remaining open action items. The Security team conducts continuous monitoring, periodic audits, and iterative hardening cycles to maintain a proactive, risk-based security posture.

2. Purpose & Scope
2.1 Purpose
This policy exists to:
  • Establish a unified, risk-based approach to protecting Future Today's information assets
  • Define clear roles and responsibilities for information security across the organisation
  • Set minimum-security standards for all systems, applications, and infrastructure components
  • Guide the planning, execution, and measurement of the security audit and hardening program
  • Ensure compliance with applicable legal, regulatory, and contractual obligations

2.2 Scope
This policy applies to all:
  • Information assets owned, operated, or managed by Future Today Inc.
  • Employees, contractors, vendors, and third parties with access to Future Today systems
  • Technology environments including AWS cloud infrastructure, INAP production servers, DR environments, encoding servers, and CDN/streaming infrastructure
  • Applications, databases, load balancers, and monitoring systems that support Future Today's platform

3. Policy Objectives
Future Today's information security program is guided by the following strategic objectives:
Objective Description
Confidentiality Ensure that information is accessible only to those authorised to access it. This includes enforcing strict access controls, VPN-gated SSH access, SSH key-based authentication, and database privilege reviews.
Integrity Protect the accuracy and completeness of information and processing methods through OS-level hardening, application security reviews, firewall rule validation, and change management.
Availability Ensure that authorised users have reliable access to information and systems. This is achieved through load balancer hardening, monitoring (Zabbix), centralised log management, and database backup verification.
Risk Management Identify, assess, and mitigate security risks through structured audit cycles, prioritised action plans, and a risk-based approach to remediation — focusing on Critical and High-priority items first.
Compliance Maintain alignment with applicable security standards and regulatory requirements through regular infrastructure audits, documented controls, and a formal review cycle.
4. Governance & Ownership
Effective information security requires clear ownership, accountability, and escalation paths. The following governance structure underpins this policy:
4.1 Roles & Responsibilities
Role Responsibilities
IT Security Team Own and execute the security audit program; conduct hardening reviews; manage vulnerability remediation; maintain monitoring infrastructure; prepare security reports.
System Administrators Implement technical security controls; apply OS patches; enforce SSH access policies; manage firewall rules and security group configurations.
Application Developers Adhere to secure coding standards; ensure PHP configurations meet security baselines; validate SSL certificates; maintain application-level security configurations.
Database Administrators Manage database user access rights; remove orphaned accounts; verify backup integrity; enforce least-privilege principles on all DB environments.
Management / Leadership Approve this policy and any material amendments; allocate resources for remediation activities; review and accept residual risk for items that remain in progress.
All Staff & Contractors Comply with this policy and all supporting procedures; report suspected security incidents; complete security awareness requirements.
4.2 Policy Exception Process
Exceptions to this policy require written approval from the IT Security Team lead and must document the business justification, compensating controls, and a defined review date. All exceptions are logged and reviewed quarterly.

5. Security Domains
The information security program is organised into five core domains. Each domain maps directly to the categories of security controls audited and hardened as part of Future Today's 2025–2026 security program.
5.1 Network Security
Network security controls protect the integrity and confidentiality of information in transit and prevent unauthorised access to Future Today's infrastructure across AWS cloud and INAP production environments. It includes tasks such as VPN Access Control, Firewall & Security Groups and Traffic Restriction.

5.2 Server Security
Server security controls ensure that all operating systems and server configurations maintain a hardened baseline, reducing the attack surface across Future Today's production, DR, and encoding environments. It includes tasks such as OS-Level Hardening, IP Reputation & Blocking, Password Policy, and Access Management

5.3 Application Security
Application security controls protect Future Today's web-facing services, APIs, and PHP-based application stack from exploitation, misconfiguration, and certificate vulnerabilities. This includes PHP Configuration, SSL/TLS Certificate Management and Web Server hardening.

5.4 Database Security
Database security controls ensure that MySQL and RDS database environments are access-controlled, free of orphaned accounts, and backed up with verified integrity. This includes Access Rights Management, Account Hygiene, and Network-Level Controls

5.5 Monitoring & Incident Response
Monitoring and logging controls provide real-time visibility into security events, system performance, and anomalous activity across Future Today's production infrastructure. Monitoring includes Infrastructure, Logs, Server level access along with Incident Escalation.

6. Compliance & Audit Program
Future Today maintains a structured, periodic security audit program covering all five security domains. Each audit cycle produces a checklist-based review with control statuses, environment scope, and remediation tracking.
6.1 Audit Scope
The 2025–2026 Infrastructure Security Audit covers the cloud and hosted Production environments and encompasses 22 distinct security controls across network, server, application, database, and monitoring domains. The audit is prepared by the IT Security Team and reviewed on a rolling basis throughout the year.

7. Risk Management & Remediation Roadmap
Future Today employs a risk-based approach to prioritising security remediation. Items identified during audit cycles are classified by severity (Critical, High, Medium), assigned to a responsible team, and tracked to closure through the security action plan.
Critical items are assigned immediate remediation with no planned deferral
  • High-priority items are targeted for completion within the current audit cycle
  • Medium-priority items are reviewed quarterly and addressed based on available capacity and residual risk
  • All open items are reviewed in weekly IT Security stand-ups and monthly status reports to leadership

8. Policy Review & Maintenance
This policy is a living document and must be reviewed and updated to remain effective. The following review cadence applies:
Review Trigger Action Required
Annual scheduled review Full policy review and reissue by the IT Security Team; sign-off by leadership.
Material infrastructure change Relevant sections updated within 30 days of the change being implemented.
Security incident or near-miss Post-incident review; policy updated where gaps are identified within 60 days.
Regulatory or contractual change Policy updated and re-distributed within 30 days of the change taking effect.
New data collection from children Section 9 (COPPA WISP) reviewed and updated before any new collection of Children's Data begins. Security Coordinator approval required.
Children's data breach or near-miss Section 9.8 incident response invoked immediately. WISP updated within 30 days based on post-incident review findings.
All amendments to this policy must be version-controlled, communicated to relevant stakeholders, and archived. Version history is maintained by the IT Security Team.

9. Children's Data Protection & COPPA Compliance
Future Today operates HappyKids, a streaming platform that delivers family-safe content and is COPPA and CARU compliant. Because HappyKids and related services collect, process, and store personal information from users under the age of 13 ("Children's Data"), Future Today is subject to the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and its implementing regulations at 16 C.F.R. Part 312.
This section establishes the Written Information Security Program (WISP) requirements specific to Children's Data. It supplements — and must be read alongside — the technical and operational controls in Sections 5 through 7 of this policy.
9.1 COPPA Compliance Overview
COPPA requires operators of websites or online services directed to children under 13 to maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Future Today's compliance program encompasses:
  • Collection of identifiers (IP address, Device IDs) from users of our kids-directed apps. These identifiers are used for operational purposes only and not for targeting of advertisements.
  • Clear and comprehensive privacy notices describing data collection, use, and disclosure practices
  • A right for parents to review and delete their child's personal information
  • Reasonable information security safeguards proportionate to the nature and volume of Children's Data processed
  • Contractual obligations on third-party service providers who access Children's Data
9.2 Definition of Children's Personal Information
In accordance with 16 C.F.R. § 312.2, "Personal Information" means individually identifiable information about an individual collected online, including but not limited to the categories listed in the table below. Future Today treats all of the following as subject to the highest level of protection under this policy:
Category Description
Names A child's first and last name.
Physical Address Home or other physical address including street name and city or town.
Online Contact Info Email address or any substantially similar identifier permitting direct online contact (e.g., IM, VoIP, video chat identifiers).
Screen Names A screen or user name that functions as online contact information.
Telephone Numbers Any telephone number associated with a child or their household.
Government Identifiers Government-issued identifiers such as Social Security numbers, state ID, birth certificates, or passport numbers.
Persistent Identifiers Identifiers that recognise a user over time across websites or services — including cookies, IP addresses, device serial numbers, and unique device identifiers.
Media Photographs, videos, or audio files containing a child's image or voice.
Geolocation Geolocation data sufficient to identify a child's street name and city or town.
Biometrics Biometric identifiers including fingerprints, retina/iris patterns, genetic data, voiceprints, facial templates, or gait patterns.
Combined Data Any combination of the above that could identify a specific child or their parent when aggregated.

9.3 Designated Privacy & Security Officers
Future Today designates the following individuals to coordinate and execute the Children's Data Information Security Program. These individuals operate in addition to the broader governance roles defined in Section 4.1.
Role Contact Responsibilities
Security Coordinator (COPPA) [Name / Email] Overall COPPA program management; annual risk assessments; vendor oversight for children's data; incident response coordination; annual WISP review.
Technical Lead (COPPA) [Name / Email] Implementation of technical safeguards for HappyKids infrastructure; encryption management; patch management; security scanning of children's data systems.

The Security Coordinator is responsible for: reviewing and updating this section at least annually; ensuring all personnel with access to Children's Data complete COPPA-specific security training; verifying third-party service providers maintain adequate protections; and reporting COPPA program status to senior management.

9.4 Risk Assessment for Children's Data
Future Today conducts a comprehensive risk assessment of Children's Data environments at least annually, or whenever there is a material change in business operations (e.g., new product launch, migration to a new cloud provider, new data collection practices on HappyKids). The assessment evaluates:
Risk Category Examples of Threats Evaluated Mitigation Reference
Internal Risks Unauthorised employee access, weak passwords, insecure coding practices, social engineering, lost/stolen devices. Section 9.5.1 (Administrative Safeguards), Section 9.5.4 (SDLC)
External Risks Network intrusion, denial-of-service (DoS) attacks, malware/ransomware, third-party data breaches. Section 9.5.2 (Technical Safeguards), Section 9.7 (Vendor Oversight)
Data Integrity Corruption of backups, unauthorised modification or deletion of Children's Data. Section 9.5.2 (Technical Safeguards), Section 9.5.5 (Retention & Disposal)

9.5 Information Security Safeguards for Children's Data
The following safeguards are maintained in accordance with 16 C.F.R. § 312.8(b). Controls are proportionate to the sensitivity of the Children's Data collected, Future Today's size and complexity, and the volume and risk profile of HappyKids' data processing activities.

9.5.1 Administrative Safeguards

  • Employee Training: All employees with access to Children's Data must complete COPPA security awareness training upon hire and annually thereafter, covering COPPA requirements, data handling best practices, phishing recognition, and password hygiene.
  • Access Control: Access to Children's Data is granted on a need-to-know basis only. Role-based access control (RBAC) is enforced to limit who can view or modify children's data. Access rights are reviewed quarterly and revoked immediately upon termination of employment.

9.5.2 Technical Safeguards

  • Encryption: Children's Data is encrypted in transit using TLS 1.2 or higher,.
  • Multi-Factor Authentication (MFA): MFA is required for all administrative access to cloud infrastructure (AWS) and internal systems that process or store Children's Data.
  • Password Policy: Strong password requirements — minimum length, complexity, and expiry — are enforced.
  • Network Security: Firewalls and AWS Security Groups are configured to deny all inbound traffic by default, with only necessary ports permitted. All external inbound HTTP/HTTPS traffic to internal encoding and processing servers is blocked. These controls directly support the protection of Children's Data pipelines.
  • Secure Configurations: Systems follow secure configuration baselines aligned with CIS Benchmarks. OS patches and software updates are applied promptly across all HappyKids-related environments. Unused ports and services are removed from production servers.
  • SSL/TLS Certificate Management: SSL certificate validity and configuration across all HappyKids web applications is reviewed and validated as part of each application security audit cycle.

9.5.3 Physical Safeguards

  • Device Security: Company-issued laptops and mobile devices are encrypted and password-protected to prevent data loss in the event of theft or loss.
  • Clean Desk Policy: Sensitive documents containing Children's Data must be secured when not in use. Computers must be locked when the user steps away from their workstation.

9.5.4 Secure Development Lifecycle (SDLC)

  • Code Review: All code changes affecting the collection, processing, or storage of Children's Data must be peer-reviewed for security vulnerabilities (e.g., OWASP Top 10) prior to deployment to production.
  • Data Minimisation: HappyKids systems are designed to collect only the minimum amount of Children's Data necessary for the specific feature or activity being supported.
  • Security Testing: New features or major changes to HappyKids data handling undergo security testing as part of the SDLC, including verification that COPPA consent flows function correctly and that data minimisation principles are enforced by design.

9.5.5 Data Retention & Disposal

  • Retention Limits: Children's Data is retained in accordance with Future Today's Data Retention Policy. Retention periods are reviewed annually.
  • Secure Disposal: Data that is no longer required is securely destroyed — including digital wiping of storage media and destruction of physical records — to prevent unauthorised access during or after disposal.

9.6 Testing & Monitoring
Future Today employs the following measures to monitor and test the effectiveness of its Children's Data safeguards:
  • Continuous Monitoring: Automated tools (including Zabbix and centralised log management) monitor system logs for suspicious activity, unauthorised access attempts, and potential data exfiltration affecting Children's Data environments.
  • Vulnerability Scanning: Automated vulnerability scans of HappyKids web applications and APIs are performed at regular intervals to identify and remediate security weaknesses.
  • Penetration Testing: The IT Security Team conducts regular security reviews using scanning tools and manual verification of access permissions. Independent third-party penetration testing is conducted annually as the organisation's scale warrants.
  • Apache X-Header Monitoring: Server-level IP lookup and blocking with detailed access logging is deployed across key server domains, providing real-time visibility into potentially malicious traffic targeting Children's Data environments.

9.7 Third-Party Service Provider Oversight
In accordance with 16 C.F.R. § 312.8(c), Future Today takes the following steps with respect to any third-party service provider that will collect, access, or store Children's Data on its behalf:
  • Vendor Assessment: Before engaging any third-party service provider with access to Children's Data, Future Today evaluates the provider's ability to maintain the confidentiality, security, and integrity of that information.
  • Written Assurances: Future Today obtains written assurances — via signed contract, Data Processing Addendum (DPA), or confirmed Terms of Service — that the provider will employ reasonable measures to protect Children's Data.
  • Ongoing Oversight: Third-party service providers with access to Children's Data are reviewed annually as part of the COPPA risk assessment cycle. Providers who cannot demonstrate adequate security standards are required to remediate or are replaced.
  • Data Flow Mapping: A register of all third-party service providers with access to Children's Data is maintained and reviewed by the Security Coordinator on a quarterly basis.

9.8 Incident Response for Children's Data Breaches
In the event of a suspected or confirmed security breach involving Children's Data, Future Today follows the structured incident response procedure below. This supplements the general monitoring and escalation procedures described in Section 5.5.
Step Phase Action Required
1 Detection & Analysis The Security Coordinator is notified immediately. The scope, nature, and systems affected by the incident are investigated and documented within 24 hours of detection.
2 Containment Immediate steps are taken to isolate affected systems and prevent further data loss or exfiltration — including resetting credentials, restricting network access, and taking affected servers offline if necessary.
3 Eradication & Recovery Root-cause vulnerabilities are identified, patched, and verified. Affected systems are restored from verified clean backups. Database backup integrity (verified as part of the audit program) underpins recovery capability.
4 Notification To the extent that Future Today has their contact information, Future Today will notify affected parents and appropriate regulatory bodies as required by applicable state data breach notification laws and COPPA. The FTC is notified of breaches involving Children's Data where required.
5 Post-Incident Review A post-incident review is completed within 30 days. Findings are used to update this policy section, technical safeguards, and the annual risk assessment.

Rules of Behavior & Acceptable Use — Children's Data
All employees and contractors of Future Today who have access to Children's Data must adhere to the following rules. These rules are adapted from the COPPA WISP template (Attachment C) and apply in addition to Future Today's general acceptable use policies.
# Rule Requirement
1 Unique Accounts Users must not share usernames or passwords. Each user must have a unique account for every system with access to Children's Data.
2 Clean Desk / Clear Screen Computers must be locked when the user is away from their desk. Physical documents containing Children's Data must never be left unattended.
3 No Unapproved Devices Users may not connect personal USB drives, external hard drives, or other unapproved storage devices to company computers without explicit approval from the IT Security Team.
4 Phishing Awareness Users must not open email attachments or click links from unknown or suspicious sources. Suspicious emails must be reported to the Security Coordinator immediately.
5 Software Installation Users may not install unauthorised software on company devices. All software installations require IT Security Team approval.
6 Remote Work When working remotely, users must connect via the company VPN and ensure their home Wi-Fi network is password-protected. This is required for any session involving access to Children's Data.
7 Incident Reporting Any suspected security incident, data breach, or loss of a device containing Children's Data must be reported to the Security Coordinator immediately — without exception.

Document Revision History
All changes, updates, and annual reviews of this Information Security Policy — including the COPPA Written Information Security Program — are recorded below. The IT Security Team is responsible for maintaining this history.
Version Date Revised By Description of Change Approved By
1.0 April 2026 IT Security Team Initial creation of Information Security Policy incorporating infrastructure hardening audit results and COPPA WISP requirements. Leadership