| Domain | Control | Owner | Source policy | Evidence | Cadence |
| --- | --- | --- | --- | --- | --- |
| Access | All workforce access is provisioned through Rippling SSO using role-based access bundles. | CISO | Access Control Policy, Access Matrix | Vanta IdP integration; quarterly access-review evidence | Continuous + quarterly review |
| Access | Privileged access requires named approval and is reviewed at least quarterly. | CISO | Access Control Policy, Access Reviews | Linear access tickets; access-review reports | Quarterly |
| Access | Terminated user access is revoked within 24 business hours. | CISO + CHRO | Offboarding | Rippling deprovisioning logs; offboarding ticket | Continuous |
| Change | Code changes require peer review and a passing CI build. | CTO | Code Review, Change Management | GitHub branch-protection settings; PR history | Continuous |
| Change | Production deployments require an approved change ticket linked to the deploy. | CTO | Change Management | GitHub Actions deploy logs; Linear ticket trail | Continuous |
| Crypto | Customer data is encrypted at rest with AES-256 and in transit with TLS 1.2+. At-rest keys are AWS KMS-managed for AWS-resident services and Vultr platform-managed for Vultr-resident services; Confidential customer data on either cloud additionally receives an application-layer envelope wrap via Vault Transit, using Neuroscale-managed keys that never leave Vault. | CISO | Cryptography Policy | Vanta AWS configuration tests; Vultr platform-encryption attestation; Vault Transit audit-device logs (Better Stack + AWS S3 Object Lock) | Continuous |
| Crypto | Secrets are stored in HashiCorp Vault, the cross-cloud secrets-of-record for both AWS- and Vultr-hosted workloads. Workloads authenticate with workload-bound Vault auth methods (AWS, Kubernetes, AppRole, OIDC), never with long-lived static tokens; no secrets are committed to source. | CTO | Secrets Management | GitGuardian / GitHub secret scanning; CI checks; Vault audit-device logs to Better Stack and AWS S3 (Object Lock) | Continuous |
| IR | An Incident Response Plan exists, is tested annually, and assigns roles. | CISO | Incident Response | Annual tabletop after-action report | Annual |
| IR | Security incidents are logged, triaged, and resolved with documented RCAs. | CISO | Incident Response | Linear “Security Incidents” project; RCA intake records | Per incident |
| Vuln Mgmt | Vulnerability scans run at least quarterly with severity-based remediation SLAs. | CISO | Vulnerability Management | Detectify / Snyk / Dependabot reports; Linear “Vulnerabilities” board | Continuous + quarterly review |
| Vuln Mgmt | A penetration test is performed at least annually. | CISO | Vulnerability Management | Pen-test report on file (vendor TBD) | Annual |
| Logging | Production systems on AWS and Vultr emit security events to Better Stack, retained per the Records Retention Schedule and the tiered table in Operations Security. AWS infrastructure logs flow through CloudWatch to S3 (Object Lock); Vultr infrastructure logs forward to Better Stack with audit copies written to AWS S3 (Object Lock). | CTO | Logging & Monitoring | Better Stack ingestion and retention configuration; CloudWatch + S3 Object Lock settings | Continuous |
| BCP | A business-continuity and disaster-recovery plan is documented and tested annually. | CTO | Business Continuity, RTO/RPO Matrix | Annual restore-test report | Annual |
| Asset | All workforce devices are managed (Rippling MDM) and encrypted (FDE). | CISO | Asset Management | Rippling MDM compliance reports | Continuous |
| Asset | Decommissioned media is disposed via certified destruction with a signed CoD. | CISO | Records Disposal | Disposal log + CoDs | Per disposal |
| Vendor | All third parties with Confidential-data or production access undergo a tiered risk assessment before contract signature. | CISO + CFO | Third-Party Management, Vendor Risk Assessment | Vendor Inventory; signed agreements; SOC 2 / DPA on file | Continuous + annual re-review (High tier) |
| HR | Workforce members complete annual security-awareness training and policy re-acknowledgement. | CISO + CHRO | HR Security Policy | Vanta training + acknowledgement records | Annual |
| Privacy | Data-subject requests are tracked and resolved within statutory deadlines. | GC (Privacy Officer) | Data Subject Rights | DSR Tracker (Linear); DSR intake form records | Per request |
| Privacy | DPIAs are completed for high-risk processing before launch. | GC (DPO) | DPIA | DPIA Register (Linear); DPIA intake records | Per launch |
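
The Crypto row above describes an application-layer envelope wrap for Confidential data: each record is encrypted under its own data-encryption key (DEK), and only the DEK is wrapped by a key-encryption key (KEK) held in Vault Transit. The following Go program is an added illustration of that pattern and is not Neuroscale code. It replaces Vault with an in-memory `transitStub` (an assumption, so the example runs offline) that mimics the `transit/datakey/plaintext` and `transit/decrypt` behaviour; in production those calls go to Vault and the KEK never exists outside it. The record ID is bound as AEAD associated data so a wrapped DEK cannot be replayed against a different record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is stored with the record: the wrapped DEK and the
// ciphertext. The KEK is never part of the stored envelope.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK; nonce is prepended
	Nonce      []byte // nonce for the record ciphertext
	Ciphertext []byte
}

// transitStub stands in for Vault Transit (assumption: an in-memory KEK
// so the example runs offline; in production the KEK lives only in Vault).
type transitStub struct{ kek []byte }

func newTransitStub() (*transitStub, error) {
	kek := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &transitStub{kek: kek}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateDataKey mirrors transit/datakey/plaintext: a fresh 256-bit DEK is
// returned both in plaintext (for local use only) and wrapped under the KEK.
// The caller-supplied context is bound as associated data.
func (t *transitStub) GenerateDataKey(context []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	aead, err := gcm(t.kek)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	wrapped = append(append([]byte{}, nonce...), aead.Seal(nil, nonce, plain, context)...)
	return plain, wrapped, nil
}

// UnwrapDataKey mirrors transit/decrypt: recovers the DEK from its wrapped form.
func (t *transitStub) UnwrapDataKey(wrapped, context []byte) ([]byte, error) {
	aead, err := gcm(t.kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return aead.Open(nil, wrapped[:ns], wrapped[ns:], context)
}

// SealRecord encrypts one record under its own DEK and returns the envelope.
func SealRecord(t *transitStub, recordID string, plaintext []byte) (*Envelope, error) {
	ctx := []byte(recordID)
	dek, wrapped, err := t.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, ctx)}, nil
}

// OpenRecord unwraps the DEK via "Transit" and decrypts the record. Any change
// to the record ID, the wrapped key or the ciphertext fails authentication.
func OpenRecord(t *transitStub, recordID string, env *Envelope) ([]byte, error) {
	ctx := []byte(recordID)
	dek, err := t.UnwrapDataKey(env.WrappedDEK, ctx)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, ctx)
}

func main() {
	vault, _ := newTransitStub()
	env, _ := SealRecord(vault, "cust-42", []byte("constructed sample: dob=1990-01-01")) // constructed input
	pt, err := OpenRecord(vault, "cust-42", env)
	fmt.Println(string(pt), err)
	_, err = OpenRecord(vault, "cust-43", env) // wrong record ID: unwrap fails
	fmt.Println("cross-record replay rejected:", err != nil)
}
```

Rotating the Transit key in production re-wraps only the small wrapped-DEK column, not every record's ciphertext, which is the operational reason to envelope-wrap rather than encrypt records directly under the Vault key.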