SOC 2 policy bundle — eight policies in one markdown

Copy-paste SOC 2 policy bundle covering Information Security, Access Control, Change Management, Incident Response, Data Retention, Vendor Management, Business Continuity, and Cryptography. Customize {{COMPANY}} + {{DATE}} placeholders, get auditor review, sign in your compliance platform.

How to use

Drop into Vanta / Drata / Secureframe; customize 5-10%; get auditor review.

Template (markdown)

Copy-paste the block below and replace every {{PLACEHOLDER}} with your own values.
# Information Security Policy
**Owner:** {{CTO}} · **Effective:** {{DATE}} · **Review:** Annual
## 1. Purpose
{{COMPANY}} protects the confidentiality, integrity, and availability of customer data. This policy defines the principles all employees follow.
## 2. Scope
All systems, employees, contractors, and sub-processors handling {{COMPANY}} customer data.
## 3. Principles
- Least-privilege access (per-role, per-resource)
- Defense-in-depth (multiple controls per risk)
- Fail-closed defaults
- Continuous monitoring
- Incident-response readiness
## 4. Roles
- **CTO** — accountable for security posture
- **CISO** (or designated security lead) — executes the security program
- **All employees** — comply with this policy

# Access Control Policy
**Owner:** {{CTO}} · **Effective:** {{DATE}} · **Review:** Annual
## 1. Authentication
- All accounts use SSO (Google Workspace / Microsoft 365 / Okta)
- MFA enforced on every SaaS account (no exceptions)
- Hardware security keys (YubiKey) required for admin accounts
## 2. Authorization
- Roles defined per system; reviewed quarterly
- Joiners: access provisioned within 24h of start date
- Leavers: access revoked within 4h of departure
- Quarterly access reviews per role + per user

# Change Management Policy
**Owner:** {{CTO}} · **Effective:** {{DATE}} · **Review:** Annual
## 1. Source control
- All production changes flow through GitHub PRs
- Every PR requires at least one approver (not the author)
- Securie reviews every PR for security impact (sandbox-verified findings ship as Suggested Changes)
## 2. Deploy
- Vercel / Fly / Railway production deploys gated by Securie's deploy-time check
- Rollback capability tested quarterly
- Production secrets injected at runtime, never committed

# Incident Response Policy
**Owner:** {{CTO}} · **Effective:** {{DATE}} · **Review:** Annual
## 1. Severity matrix
- **SEV1** — customer data breach OR production outage > 30min
- **SEV2** — degraded availability OR potential data exposure (unconfirmed)
- **SEV3** — internal-only impact
## 2. Response
- SEV1: page on-call within 5min; war-room within 15min
- All incidents logged in {{INCIDENT_TRACKER}}
- Post-incident review within 5 business days; root-cause + action items published
- Customer notification within 72h of confirmed breach (GDPR Article 33)

# Data Retention + Classification Policy
**Owner:** {{DPO}} · **Effective:** {{DATE}} · **Review:** Annual
## 1. Classification
- **Public** — marketing pages, public docs
- **Internal** — internal docs, employee comms
- **Confidential** — customer data, source code, secrets
## 2. Retention
- Account data: lifetime of account + 90 days
- Logs: 12 months
- Backups: 90 days rolling
- Deleted-customer data: purged within 30 days
## 3. Encryption
- At-rest: AES-256 (cloud-provider default)
- In-transit: TLS 1.3 minimum

# Vendor Management Policy
**Owner:** {{CTO}} · **Effective:** {{DATE}} · **Review:** Annual
## 1. Onboarding
- Every vendor signs a DPA before processing customer data
- Sub-processor list published at /sub-processors
- Quarterly review of vendor security posture (re-score per insurer-portal model)
## 2. Offboarding
- Data returned or destroyed within 90 days of contract end
- Access revoked within 4h of contract end

# Business Continuity + Disaster Recovery Policy
**Owner:** {{CTO}} · **Effective:** {{DATE}} · **Review:** Annual
## 1. RTO / RPO
- RTO (recovery time): 4h for production
- RPO (recovery point): 1h for production
## 2. Backups
- Production DB: hourly snapshots, 90-day retention, geo-redundant
- Restore drill: quarterly (verified working before incident)

# Cryptography Policy
**Owner:** {{CTO}} · **Effective:** {{DATE}} · **Review:** Annual
- Symmetric: AES-256-GCM
- Asymmetric: Ed25519 / RSA-4096
- Hashing (passwords): Argon2id
- Hashing (data integrity): SHA-256
- Random: cryptographically-secure RNG only
- TLS: 1.3 minimum, 1.2 with strict cipher suites for legacy
- Key rotation: 90 days for high-value, 30 days for payment-touching
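As an added example, not part of the bundle or any compliance platform's own tooling: a stdlib-only Python check that turns the Cryptography Policy above into an automated control, flagging keys on non-permitted algorithms, keys past their 90-day (high-value) or 30-day (payment-touching) rotation window, and endpoints below TLS 1.3 that are not tagged legacy hosts on strict suites. The inventory format, the key ids and hostnames, and the concrete strict TLS 1.2 suite list are constructed assumptions; the policy only names the rules.

```python
from datetime import date

# Permitted primitives per category, taken from the Cryptography Policy above.
ALLOWED = {"symmetric": {"AES-256-GCM"}, "asymmetric": {"Ed25519", "RSA-4096"},
           "password_hash": {"Argon2id"}, "integrity_hash": {"SHA-256"}}
# Rotation windows in days: 90 for high-value keys, 30 for payment-touching keys.
ROTATION_DAYS = {"high-value": 90, "payment": 30}
# The policy allows TLS 1.2 only on legacy endpoints with strict suites; this
# concrete allow-list is an assumption, the policy leaves the exact set open.
STRICT_TLS12_SUITES = {"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"}

def check_inventory(inventory, today):
    """Return policy findings (strings) for a crypto inventory in the constructed format below."""
    findings = []
    for k in inventory.get("keys", []):
        if k["algorithm"] not in ALLOWED[k["category"]]:
            findings.append(f"{k['id']}: {k['algorithm']} not permitted for {k['category']}")
        limit = ROTATION_DAYS[k["tier"]]
        age = (today - k["created"]).days
        if age > limit:
            findings.append(f"{k['id']}: key age {age}d exceeds {limit}d rotation window")
    for ep in inventory.get("endpoints", []):
        tls = ep["min_tls"]
        legacy_ok = tls == "1.2" and ep.get("legacy") and set(ep.get("suites", [])) <= STRICT_TLS12_SUITES
        if tls != "1.3" and not legacy_ok:
            findings.append(f"{ep['host']}: TLS {tls} not permitted (1.3 minimum; 1.2 only on legacy hosts with strict suites)")
    return findings

# Constructed sample inventory; ids and hosts are placeholders, not real systems.
SAMPLE = {
    "keys": [
        {"id": "db-dek", "category": "symmetric", "algorithm": "AES-256-GCM", "tier": "high-value", "created": date(2024, 1, 10)},
        {"id": "card-kek", "category": "symmetric", "algorithm": "AES-256-GCM", "tier": "payment", "created": date(2024, 1, 20)},
        {"id": "sig", "category": "asymmetric", "algorithm": "RSA-2048", "tier": "high-value", "created": date(2024, 3, 1)},
        {"id": "pw", "category": "password_hash", "algorithm": "bcrypt", "tier": "high-value", "created": date(2024, 3, 1)},
    ],
    "endpoints": [
        {"host": "api.example.test", "min_tls": "1.3"},
        {"host": "legacy.example.test", "min_tls": "1.2", "legacy": True, "suites": ["ECDHE-RSA-AES256-GCM-SHA384"]},
        {"host": "old.example.test", "min_tls": "1.2", "legacy": False, "suites": ["ECDHE-RSA-AES256-GCM-SHA384"]},
    ],
}

def sample_findings():
    """Run the check against SAMPLE as of a fixed audit date (4 findings expected)."""
    return check_inventory(SAMPLE, date(2024, 3, 15))

if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

Feeding the real key and endpoint inventory in on a schedule, and attaching the empty findings list to the control in your compliance platform, is what turns the policy bullet into continuous evidence.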