Policies

Policy drafts

13 policies are written in version-controlled Markdown and rendered as checksummed PDFs.

All 13 policies are version 0.1 drafts. None is approved or effective. A draft describes requirements but does not prove that a control operates.

Acceptable Use and Endpoint Security Policy

Establishes minimum safeguards for devices used to access source code, secrets, production, or customer data.

draftv0.1CC5 · CC6 · CC7

Access Control Policy

Defines identity, authentication, least-privilege, customer authorization, and privileged-access requirements.

draftv0.1CC6

AI and Customer Data Handling Policy

Governs model providers, permitted data, training restrictions, retention, human review, and AI transparency for Fi.

draftv0.1CC2 · CC3 · CC6 · CC9

Business Continuity and Disaster Recovery Policy

Defines backup, off-site protection, restoration, continuity priorities, and disaster-recovery testing for Fi.

draftv0.1CC7 · CC9

Cryptography and Key Management Policy

Defines approved encryption use, secret storage, key lifecycle, rotation, recovery, and verification.

draftv0.1CC6

Data Classification, Retention, and Disposal Policy

Defines Cellect data classes, permitted handling, retention schedules, deletion, and disposal evidence.

draftv0.1CC2 · CC5 · CC6

Incident Response Policy and Plan

Defines detection, triage, containment, recovery, notification, evidence preservation, and learning for security incidents.

draftv0.1CC2 · CC7

Information Security Policy

Establishes Cellect's owner-operated information security program and governance responsibilities.

draftv0.1CC1 · CC2 · CC4 · CC5 · CC7

Physical Security Policy

Defines office, equipment, visitor, media, environmental, and physical-access safeguards for self-hosted Fi infrastructure.

draftv0.1CC6 · CC7

Security Risk Management Policy

Defines how Cellect identifies, assesses, treats, accepts, and monitors security risks.

draftv0.1CC3 · CC4 · CC9

Secure Development and Change Management Policy

Defines secure design, version control, testing, deployment, rollback, and emergency-change requirements for Fi.

draftv0.1CC5 · CC7 · CC8

Vendor and Subprocessor Management Policy

Establishes inventory, due diligence, contracting, monitoring, and offboarding requirements for material providers.

draftv0.1CC3 · CC9

Vulnerability Management and Disclosure Policy

Defines scanning, intake, severity, remediation, independent testing, retesting, and responsible disclosure.

draftv0.1CC4 · CC7 · CC8

Approved reviewers can read the Markdown rendering and download the corresponding PDF.

Open document room