| Policy | Purpose | ISO 27001 mapping |
| --- | --- | --- |
| Information Security Policy | Establishes management’s commitment, the ISMS framework, and our top-level security objectives | Clause 5.2; Annex A 5.1 |
| Roles and Responsibilities | Defines who owns, operates, and stays accountable for information security across botBrains | Clause 5.3; Annex A 5.2-5.4 |
| Risk Management Policy | Sets our methodology for identifying, assessing, and treating information security risks | Clauses 6.1, 8.2, 8.3; Annex A 5.7 |
| Acceptable Use Policy | Defines how personnel may use company information, devices, accounts, and AI and SaaS tooling | Annex A 5.10, 6.7, 8.1 |
| Access Control Policy | Governs how botBrains grants, reviews, and revokes identities, authentication, and least-privilege access | Annex A 5.15-5.18, 8.2, 8.3, 8.5 |
| Cryptography Policy | Defines encryption standards for data at rest and in transit and how we manage keys and certificates | Annex A 8.24 |
| Asset Management Policy | Maintains an inventory of information assets and assigns ownership and handling rules | Annex A 5.9-5.11, 7.10, 7.14 |
| Data Classification Policy | Classifies, labels, and governs how we handle data across its lifecycle by sensitivity | Annex A 5.12-5.14, 8.10-8.12 |
| Data Protection Policy | Ensures lawful, GDPR-compliant processing of personal and customer data, including AI conversation data | Annex A 5.34, 8.11; GDPR |
| Data Retention Policy | Defines how long we keep each category of data and how we securely delete it | Annex A 5.33, 5.34, 8.10 |
| Human Resource Security Policy | Covers screening, onboarding, security awareness, discipline, and offboarding of personnel | Annex A 6.1-6.6, 6.8; Clause 7.2, 7.3 |
| Physical Security Policy | Protects offices, equipment, and physical media and controls access to secure areas | Annex A 7.1-7.14 |
| Operations Security Policy | Governs secure day-to-day operations, including change management, capacity, and malware protection | Annex A 8.6, 8.7, 8.9, 8.19, 8.31, 8.32 |
| Logging and Monitoring Policy | Defines what we log, how we protect logs, and how we monitor and review security events | Annex A 8.15-8.17 |
| Vulnerability Management Policy | Sets how we identify, prioritize, and remediate technical vulnerabilities through scans, patching, and penetration tests | Annex A 8.8 |
| Backup Policy | Defines backup frequency, scope, encryption, and tested restoration of critical systems and data | Annex A 8.13 |
| Secure Development Policy | Embeds security into our software development lifecycle, code review, testing, and deployment | Annex A 8.25-8.31 |
| Network Security Policy | Governs segmentation, secure configuration, and protection of our networks and network services | Annex A 8.20-8.23, 8.9 |
| Incident Management Policy | Defines how we report, triage, escalate, and learn from security incidents | Annex A 5.24-5.28, 6.8 |
| Breach Notification Policy | Defines our obligations and timelines for notifying authorities and affected parties of a data breach | Annex A 5.26; GDPR Art. 33/34 |
| Business Continuity and Disaster Recovery | Ensures botBrains can continue and recover critical services during and after disruption | Annex A 5.29, 5.30, 8.13, 8.14; Clause 8.1 |
| Supplier Management Policy | Manages information security risk across our vendors, subprocessors, and cloud providers | Annex A 5.19-5.23 |
| Responsible Disclosure Policy | Gives external researchers a safe channel to report vulnerabilities to botBrains | Annex A 5.7, 6.8, 8.8 |
| Code of Conduct | Sets ethical conduct expectations for personnel, including anti-bribery and anti-corruption | Annex A 5.4, 6.2 |