Register Owner: CHRO and CISO
Effective Date: June 14, 2026
Reviewed: Annually
Next Review: June 14, 2027
This register defines which policies and training each person must acknowledge, organized into a common Core Package, reusable attribute overlays, and department packages. It operationalizes the acknowledgment and training duties in the Human Resources Security Policy and the Security Awareness Training procedure, and is canonical for SOC 2 CC1.4 / CC2.2 and ISO/IEC 27001 A.6.3. All acknowledgments and training are assigned, completed, and attested in Vanta. Completion records are retained for at least 7 years per the Records Retention Schedule. Production and Confidential-data access is gated on background-check clearance per Background Checks — see the Onboarding checklist.

How to read this register

  1. Everyone gets the Core Package.
  2. Attributes (production access, handles candidate/employee data, Access Person, etc.) add overlays regardless of department — assign each when the attribute becomes true.
  3. Each department gets a package = Core + named overlays + department-specific policies.
  4. Packages fire on the events in the trigger matrix.

Core Package — all personnel

Acknowledged at hire (within 30 days of start) and re-acknowledged annually by the hire anniversary, plus re-served on any material revision. Items marked (awareness) are covered through the Security Awareness Training baseline rather than a standalone attestation.
DocumentBasis
Information Security PolicyBinding umbrella policy; explicit at-hire + annual re-ack
Acceptable UsePlain-language companion to the Information Security Policy
Access Control PolicyUniversal MFA / least-privilege
Data Management PolicyData classification & handling
Code of ConductAll staff, every seniority
Human Resources Security PolicyDefines the acknowledgment / training duty
Asset Management PolicyEveryone is issued a device; loss-reporting duty
AI Acceptable Use PolicyApproved-tools list; no Confidential data in unapproved AI tools
Insider Trading Policy (baseline)All staff are “Covered Persons”
Anti-Bribery & Corruption Policy (baseline)Worldwide, all staff
Workplace Violence Prevention PolicyAll staff, all locations (CA-mandated)
Whistleblower PolicyAll staff; introduced at hire
Employee Privacy PolicyNotice at hire; BYOD / monitoring consent
Incident Response Plan (awareness)Everyone must know how to report
Risk Management Policy (awareness)“All personnel: report observed risks”
Physical Security Policy (awareness)Clear-desk / visitor rules
Security Awareness Training — baseline modulePhishing, passwords, device, data classification, AI

Attribute overlays

Reusable add-ons assigned by what a person does, not by department. Each is triggered when the attribute becomes true and then refreshed annually.
OverlayWho / triggerAdds
A — Production / customer-data accessOn grant of production or customer-data access (gated by T2 background check)Production-access training (Access Control §Production); deep Data Management handling module
B — Handles candidate/employee personal dataRecruiting, HR, or anyone touching the Sourcing Database or candidate recordsEmployee Privacy (operational); Data Subject Rights; Employment AI Bias Audit awareness
C — People-managers & recruitersOn becoming a manager / recruiterFair-chance hiring + adverse-action handling (Background Checks)
D — Access Person (Insider Trading)Executives, Finance, Legal, Sales, BD, Customer Success, Corp Dev, Investor RelationsPre-clearance acknowledgment + annual certification; Restricted List monitoring
E — Anti-bribery high-riskSales (esp. intl / public-sector), BD, finance/AP, procurement, executives, anyone meeting government officialsEnhanced ABAC training + annual certification
F — AI/ML buildersEngineers / data scientists building AI featuresAI Risk Management; AI System Lifecycle; Reidentification Audit; Sourcing Data Acquisition; DPIA; AI Serious Incident Reporting

Department packages

Each package is Core Package + the items below.

Engineering

Sales

  • Overlay D (Access Person — pre-clearance + annual certification)
  • Overlay E (enhanced ABAC + annual certification)
  • Trade Compliance Policy (export / sanctions / restricted-party screening)
  • Outbound Communications Policy (TCPA / CAN-SPAM / AI-disclosure for outreach)

Marketing

Finance

Customer Support / Customer Success

Leadership (executives + sole member)

Design

  • Secure Development Policy awareness (if building product surfaces)
  • Overlay F / AI Acceptable Use emphasis if working on AI media features (synthetic media of persons)
  • Overlay A / B only if they touch real customer or candidate data; otherwise Core only

Advisory

Advisors are “Covered Persons” / third parties, not full employees — assign a reduced package scoped to their access:

Trigger matrix

EventWhat is assigned
Initial onboardingCore Package + department package + applicable overlays — completion within 30 days of start; production / Confidential access withheld until T2 background check clears
Role / department changeRe-assign the new department package + newly-triggered overlays (especially D and E); drop overlays no longer applicable; access review runs same day
AnnualCore re-acknowledgment + all baseline training by hire anniversary; annual certifications for Overlay D (Access Persons) and Overlay E (high-risk roles)
Event-driven / out-of-cycleTopical training after a material policy change or incident (CISO-issued); Restricted List updates pushed to Access Persons at least weekly
OffboardingNo new acknowledgments; access revoked per Offboarding SLA; insider-trading / MNPI obligations persist post-employment

Companion agreements & consents

The packages above are read-and-acknowledge policy attestations collected in Vanta. This section is the signature layer — agreements, consents, and certifications that require an executed signature and are filed as signed PDFs in the HRIS (Rippling) or SharePoint, with Vanta signature slots where noted. Assign each alongside the matching package or trigger.

At hire — all personnel

DocumentTemplateSignerCollection surface
Offer letter— (HR ops)Employee/contractorRippling / HRIS
Employee Agreement & Confidentiality Acknowledgement (infosec responsibilities + NDA/confidentiality + policy ack)employee-agreementEmployee/contractor + CHROHRIS; Vanta slots employee-agreements, employee-signed-confidentiality
IP / invention assignment (full PIIA, incl. CA §2870 notice)proprietary-information-inventions-assignmentEmployee/contractor + CHRO/GCHRIS
Code-of-Conduct acknowledgement (signed form)covered by employee-agreement §5Employee/contractorHRIS

Consents & disclosures — situational

DocumentTemplateWhen
FCRA Disclosure (Form A) + Authorization (Form B)background-check-consentAt offer, before Checkr runs — two stand-alone signature events
Summary of Rights under the FCRACFPB model (delivered, not signed)With the above
Adverse-Action letters (pre- and final)adverse-action-letterOnly if a check triggers it; delivered, not counter-signed
Production-Access Acknowledgementproduction-access-acknowledgementBefore prod/customer-data access and re-signed annually — signed counterpart to Overlay A
BYOD / consent-to-monitoringbyod-monitoring-consentAt hire / on BYOD enrollment

Recurring certifications — overlay-driven

DocumentSourceWho / cadence
Insider-trading annual certificationinsider-trading-annual-certificationOverlay D Access Persons — annual
Insider-trading per-trade pre-clearanceinsider-trading-preclearance-requestOverlay D Access Persons — per transaction
Anti-bribery annual certificationanti-bribery-annual-certificationOverlay E high-risk roles — annual
Gifts & hospitality disclosuresGifts & Hospitality RegisterAs incurred

State privacy notices — acknowledge receipt

DocumentSourceWho
CA Applicant / Personnel Privacy Noticecalifornia-applicant-personnel-noticeCA applicants & staff
Employee Privacy Notice (state-specific: CA / NY / CT / DE)Employee Privacy PolicyStaff in those states

At offboarding

DocumentTemplateNote
Termination checklisttermination-checklistAccess revocation, device & property return
Exit acknowledgement of surviving obligationsexit-acknowledgementConfidentiality / IP / insider-trading obligations persist post-employment per HR Security → Termination

Template coverage

Every signable item above now has a template, except those intentionally sourced externally — the offer letter (HR ops in Rippling) and the FCRA Summary of Rights (CFPB model document). The state-specific employee-privacy notices for NY / CT / DE are delivered inside the Employee Privacy Policy §“State-specific notice” with acknowledgement captured in Vanta; only CA has a standalone notice document. Six templates were added on June 14, 2026 to close prior gaps: the full PIIA (with the California Labor Code §2870 notice, superseding the thin employee-agreement §4 clause), the BYOD & monitoring consent, the insider-trading pre-clearance and annual certification, the anti-bribery annual certification, and the exit acknowledgement.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 14, 2026Initial versionCameron WolfeIshan Jadhwani