# Risk assessment policy

**Version:** 1.0

**Effective date:** 2026-04-17

## 1. Purpose

Maintain a living view of the risks that could affect Frameboard's confidentiality, availability, integrity, and regulatory posture.

## 2. Cadence

- Full refresh annually (each April)
- Event-driven updates: any new feature that processes new data types, any new sub-processor, any incident with severity SEV-2 or above

## 3. Scoring

Each risk is scored on likelihood (1-5) and impact (1-5). Priority score = likelihood × impact.

- 1-5: accept
- 6-12: mitigate with controls
- 13-20: mitigate urgently or transfer
- 21-25: do not operate until mitigated

## 4. Current risk register

| ID | Risk | L | I | Score | Owner | Status | Mitigation |
|---|---|---|---|---|---|---|---|
| R-01 | Single founder with exclusive production access | 3 | 5 | 15 | Founder | Open | Password manager recovery path; insurance; hiring of second engineer planned 2026-Q3 |
| R-02 | Airtable is both primary store and SPOF | 3 | 4 | 12 | Founder | Mitigating | Nightly backups; RTO 4h tested; migration path to Postgres scoped for 2027 |
| R-03 | Credential leak via accidental commit of `.env` | 2 | 5 | 10 | Founder | Mitigating | git-secrets pre-commit hook; quarterly scan; secrets only in Netlify env vars |
| R-04 | Supply chain compromise (npm dependency) | 2 | 4 | 8 | Founder | Mitigating | Lockfile pinned; `npm audit` monthly; critical patches within 7 days |
| R-05 | Anthropic API training on customer content | 1 | 3 | 3 | Founder | Accepted | API contract prohibits training; zero-data-retention configured where offered |
| R-06 | Buyer-side Framebot prompt injection exposing seller data | 2 | 4 | 8 | Founder | Mitigating | Read-only design; no tool use; narrow system prompt; proposal summary limited to public fields |
| R-07 | DDoS against `/signup` or `/login` | 2 | 3 | 6 | Founder | Mitigating | Netlify edge rate limiting; Cloudflare ready as failover |
| R-08 | Customer loses MFA device, social-engineer support to recover | 2 | 4 | 8 | Founder | Mitigating | Identity verification procedure for recovery requests |
| R-09 | Compliance obligations exceed small-team capacity (SOC 2 Type II scope creep) | 3 | 3 | 9 | Founder | Open | Use this policy set; engage auditor when deals require; scope only Security + Availability + Confidentiality |
| R-10 | Sub-processor exits market or suffers prolonged outage | 2 | 4 | 8 | Founder | Mitigating | Alternatives pre-identified for every sub-processor (see 04-vendor-management-policy.md) |

## 5. Review record

| Date | Reviewed by | Changes |
|---|---|---|
| 2026-04-17 | Sam Chapman | Initial register |

## 6. Risk acceptance process

A risk can be formally accepted (not mitigated further) when:

- Score is 5 or below, OR
- Mitigation cost is disproportionate to impact AND
- Written acceptance by the security officer is recorded in this document

Acceptances expire at the next annual review and must be re-argued.
