# Security programme overview

**Version:** 1.0
**Effective date:** 2026-04-17
**Owner:** Sam Chapman, Founder
**Review cycle:** Annual

## 1. Scope

This security programme covers the Frameboard platform and all supporting systems used to deliver it:

- Production web application hosted on Netlify
- Netlify Functions (serverless backend)
- Airtable (primary data store)
- Netlify Blobs (file storage)
- Mux (video hosting)
- Stripe (payments)
- Resend (transactional email)
- Anthropic API (AI generations)
- GitHub (source control)
- Developer workstations used to administer the above

The programme applies to all employees, contractors, and any third party with access to customer data.

## 2. Trust services criteria in scope

For SOC 2 readiness, Frameboard will attest to:

- **Security** (the Common Criteria, mandatory for any SOC 2 report)
- **Availability**
- **Confidentiality**

Privacy is handled via a separate GDPR programme; Processing Integrity is not claimed at this stage and will be added when we introduce accounting-grade calculations beyond invoicing.

## 3. Roles and responsibilities

At current headcount, the founder holds every formal role. As the team grows, roles will be delegated per the role table below. Until then, the founder has sole custody of production credentials.

| Role | Current holder | Primary duties |
|---|---|---|
| Security officer | Sam Chapman | Policy owner, risk register owner, incident commander |
| Engineering lead | Sam Chapman | Code review, deploy approvals, infrastructure |
| Customer success | Sam Chapman | Customer-facing incident communication |
| Privacy officer (GDPR) | Sam Chapman | Data subject requests, DPA sign-off |

When a second hire joins, security-sensitive duties will be split so no single person both writes and deploys to production unreviewed. This is tracked as risk item R-01 in `08-risk-assessment-policy.md`.

## 4. Governance cadence

- **Daily:** automated monitoring (Netlify health checks, Plausible error alerts, Stripe fraud alerts)
- **Weekly:** review of error-reporter logs, failed login spike checks
- **Monthly:** access review (Airtable, GitHub, Netlify, Stripe dashboards)
- **Quarterly:** tabletop incident exercise; sub-processor review
- **Annually:** full policy review, penetration test, risk assessment refresh

## 5. Training

Every person with production access reads policies 00, 01, 05 and 07 in their first week and signs an acknowledgement that is kept in HR records. A refresher acknowledgement is required annually.

## 6. Exceptions

Any exception to these policies must be documented in the risk register (`08-risk-assessment-policy.md`), recording what the exception is, why it is needed, the compensating controls in place, and a review date. Exceptions expire after 6 months unless re-approved.
