Policies — pointer
Authoritative location: docs/security-compliance/ is now the operating-control documentation home.
This directory was a skeleton; the policies it listed as drafting targets have landed in docs/security-compliance/ per ENG-214.
Where to find each policy
| Policy | Location |
|---|---|
| Information Security Policy (umbrella) | Security & Compliance overview |
| Access Control Policy | docs/security-compliance/access-control-policy.md |
| Change Management Policy | Documented across SOC 2 CC8 rows + the ADR discipline + CI guards (staging-collections-guard, staging-cluster-drift) |
| Incident Response Plan | docs/security-compliance/incident-response-plan.md + security incident response runbook |
| Business Continuity / Disaster Recovery | Documented in CMS EDE Appendix A § 11 + HIPAA §164.308(a)(7) |
| Data Classification Policy | docs/infrastructure/data-classification.md |
| Vendor Management Policy | docs/security-compliance/vendor-register.md |
| Risk Assessment Policy + first assessment | docs/security-compliance/risk-assessment.md |
| Acceptable Use Policy | Operating rules in CLAUDE.md Security rules section; formal policy doc to be drafted when team grows beyond founders |
| Employee Onboarding / Offboarding Policy | Onboard runbook + Offboard runbook |
| Encryption Policy | docs/security-compliance/encryption-policy.md |
| Data Retention Policy | docs/security-compliance/data-retention-policy.md |
| Privacy Impact Assessment | docs/security-compliance/privacy-impact-assessment.md |
This page is kept as a pointer for legacy /policies URL stability.