Register Owner: CHRO and CISO
Effective Date: June 14, 2026
Reviewed: Annually
Next Review: June 14, 2027
This register defines which policies and training each person must acknowledge, organized into a common Core Package, reusable attribute overlays, and department packages. It operationalizes the acknowledgment and training duties in the Human Resources Security Policy and the Security Awareness Training procedure, and is canonical for SOC 2 CC1.4 / CC2.2 and ISO/IEC 27001 A.6.3.
All acknowledgments and training are assigned, completed, and attested in Vanta. Completion records are retained for at least 7 years per the Records Retention Schedule. Production and Confidential-data access is gated on background-check clearance per Background Checks — see the Onboarding checklist.
How to read this register
- Everyone gets the Core Package.
- Attributes (production access, handles candidate/employee data, Access Person, etc.) add overlays regardless of department — assign each when the attribute becomes true.
- Each department gets a package = Core + named overlays + department-specific policies.
- Packages fire on the events in the trigger matrix.
Core Package — all personnel
Acknowledged at hire (within 30 days of start) and re-acknowledged annually by the hire anniversary, plus re-served on any material revision. Items marked (awareness) are covered through the Security Awareness Training baseline rather than a standalone attestation.
| Document | Basis |
|---|
| Information Security Policy | Binding umbrella policy; explicit at-hire + annual re-ack |
| Acceptable Use | Plain-language companion to the Information Security Policy |
| Access Control Policy | Universal MFA / least-privilege |
| Data Management Policy | Data classification & handling |
| Code of Conduct | All staff, every seniority |
| Human Resources Security Policy | Defines the acknowledgment / training duty |
| Asset Management Policy | Everyone is issued a device; loss-reporting duty |
| AI Acceptable Use Policy | Approved-tools list; no Confidential data in unapproved AI tools |
| Insider Trading Policy (baseline) | All staff are “Covered Persons” |
| Anti-Bribery & Corruption Policy (baseline) | Worldwide, all staff |
| Workplace Violence Prevention Policy | All staff, all locations (CA-mandated) |
| Whistleblower Policy | All staff; introduced at hire |
| Employee Privacy Policy | Notice at hire; BYOD / monitoring consent |
| Incident Response Plan (awareness) | Everyone must know how to report |
| Risk Management Policy (awareness) | “All personnel: report observed risks” |
| Physical Security Policy (awareness) | Clear-desk / visitor rules |
| Security Awareness Training — baseline module | Phishing, passwords, device, data classification, AI |
Attribute overlays
Reusable add-ons assigned by what a person does, not by department. Each is triggered when the attribute becomes true and then refreshed annually.
| Overlay | Who / trigger | Adds |
|---|
| A — Production / customer-data access | On grant of production or customer-data access (gated by T2 background check) | Production-access training (Access Control §Production); deep Data Management handling module |
| B — Handles candidate/employee personal data | Recruiting, HR, or anyone touching the Sourcing Database or candidate records | Employee Privacy (operational); Data Subject Rights; Employment AI Bias Audit awareness |
| C — People-managers & recruiters | On becoming a manager / recruiter | Fair-chance hiring + adverse-action handling (Background Checks) |
| D — Access Person (Insider Trading) | Executives, Finance, Legal, Sales, BD, Customer Success, Corp Dev, Investor Relations | Pre-clearance acknowledgment + annual certification; Restricted List monitoring |
| E — Anti-bribery high-risk | Sales (esp. intl / public-sector), BD, finance/AP, procurement, executives, anyone meeting government officials | Enhanced ABAC training + annual certification |
| F — AI/ML builders | Engineers / data scientists building AI features | AI Risk Management; AI System Lifecycle; Reidentification Audit; Sourcing Data Acquisition; DPIA; AI Serious Incident Reporting |
Department packages
Each package is Core Package + the items below.
Engineering
Sales
- Overlay D (Access Person — pre-clearance + annual certification)
- Overlay E (enhanced ABAC + annual certification)
- Trade Compliance Policy (export / sanctions / restricted-party screening)
- Outbound Communications Policy (TCPA / CAN-SPAM / AI-disclosure for outreach)
Marketing
Finance
Customer Support / Customer Success
Leadership (executives + sole member)
Design
- Secure Development Policy awareness (if building product surfaces)
- Overlay F / AI Acceptable Use emphasis if working on AI media features (synthetic media of persons)
- Overlay A / B only if they touch real customer or candidate data; otherwise Core only
Advisory
Advisors are “Covered Persons” / third parties, not full employees — assign a reduced package scoped to their access:
Trigger matrix
| Event | What is assigned |
|---|
| Initial onboarding | Core Package + department package + applicable overlays — completion within 30 days of start; production / Confidential access withheld until T2 background check clears |
| Role / department change | Re-assign the new department package + newly-triggered overlays (especially D and E); drop overlays no longer applicable; access review runs same day |
| Annual | Core re-acknowledgment + all baseline training by hire anniversary; annual certifications for Overlay D (Access Persons) and Overlay E (high-risk roles) |
| Event-driven / out-of-cycle | Topical training after a material policy change or incident (CISO-issued); Restricted List updates pushed to Access Persons at least weekly |
| Offboarding | No new acknowledgments; access revoked per Offboarding SLA; insider-trading / MNPI obligations persist post-employment |
Companion agreements & consents
The packages above are read-and-acknowledge policy attestations collected in Vanta. This section is the signature layer — agreements, consents, and certifications that require an executed signature and are filed as signed PDFs in the HRIS (Rippling) or SharePoint, with Vanta signature slots where noted. Assign each alongside the matching package or trigger.
At hire — all personnel
| Document | Template | Signer | Collection surface |
|---|
| Offer letter | — (HR ops) | Employee/contractor | Rippling / HRIS |
| Employee Agreement & Confidentiality Acknowledgement (infosec responsibilities + NDA/confidentiality + policy ack) | employee-agreement | Employee/contractor + CHRO | HRIS; Vanta slots employee-agreements, employee-signed-confidentiality |
| IP / invention assignment (full PIIA, incl. CA §2870 notice) | proprietary-information-inventions-assignment | Employee/contractor + CHRO/GC | HRIS |
| Code-of-Conduct acknowledgement (signed form) | covered by employee-agreement §5 | Employee/contractor | HRIS |
Consents & disclosures — situational
| Document | Template | When |
|---|
| FCRA Disclosure (Form A) + Authorization (Form B) | background-check-consent | At offer, before Checkr runs — two stand-alone signature events |
| Summary of Rights under the FCRA | CFPB model (delivered, not signed) | With the above |
| Adverse-Action letters (pre- and final) | adverse-action-letter | Only if a check triggers it; delivered, not counter-signed |
| Production-Access Acknowledgement | production-access-acknowledgement | Before prod/customer-data access and re-signed annually — signed counterpart to Overlay A |
| BYOD / consent-to-monitoring | byod-monitoring-consent | At hire / on BYOD enrollment |
Recurring certifications — overlay-driven
| Document | Source | Who / cadence |
|---|
| Insider-trading annual certification | insider-trading-annual-certification | Overlay D Access Persons — annual |
| Insider-trading per-trade pre-clearance | insider-trading-preclearance-request | Overlay D Access Persons — per transaction |
| Anti-bribery annual certification | anti-bribery-annual-certification | Overlay E high-risk roles — annual |
| Gifts & hospitality disclosures | Gifts & Hospitality Register | As incurred |
State privacy notices — acknowledge receipt
| Document | Source | Who |
|---|
| CA Applicant / Personnel Privacy Notice | california-applicant-personnel-notice | CA applicants & staff |
| Employee Privacy Notice (state-specific: CA / NY / CT / DE) | Employee Privacy Policy | Staff in those states |
At offboarding
| Document | Template | Note |
|---|
| Termination checklist | termination-checklist | Access revocation, device & property return |
| Exit acknowledgement of surviving obligations | exit-acknowledgement | Confidentiality / IP / insider-trading obligations persist post-employment per HR Security → Termination |
Template coverage
Every signable item above now has a template, except those intentionally sourced externally — the offer letter (HR ops in Rippling) and the FCRA Summary of Rights (CFPB model document). The state-specific employee-privacy notices for NY / CT / DE are delivered inside the Employee Privacy Policy §“State-specific notice” with acknowledgement captured in Vanta; only CA has a standalone notice document.
Six templates were added on June 14, 2026 to close prior gaps: the full PIIA (with the California Labor Code §2870 notice, superseding the thin employee-agreement §4 clause), the BYOD & monitoring consent, the insider-trading pre-clearance and annual certification, the anti-bribery annual certification, and the exit acknowledgement.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|
| 1.0 | June 14, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |