# Overview

> Index of botBrains security policies and their ISO 27001 relevance

These policies document the botBrains Information Security Management System (ISMS). Each one maps to one or more ISO/IEC 27001:2022 clauses or Annex A controls; all control numbers below follow the 2022 edition. See [ISO 27001](/trust/iso-27001) for how the ISMS fits together.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are building our ISMS and writing these policies as part of pursuing certification, and we intend to have the controls they describe independently attested.
</Warning>

| Policy                                                                                                 | What it covers                                                                                                           | ISO 27001 relevance                        |
| ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------ |
| [Information Security Policy](/trust/policies/information-security-policy)                             | Establishes management's commitment, the ISMS framework, and our top-level security objectives                           | Clause 5.2; Annex A 5.1                    |
| [Roles and Responsibilities](/trust/policies/roles-and-responsibilities)                               | Defines who owns, operates, and stays accountable for information security across botBrains                              | Clause 5.3; Annex A 5.2-5.4                |
| [Risk Management Policy](/trust/policies/risk-management-policy)                                       | Sets our methodology for identifying, assessing, and treating information security risks                                 | Clauses 6.1, 8.2, 8.3; Annex A 5.7         |
| [Acceptable Use Policy](/trust/policies/acceptable-use-policy)                                         | Defines how personnel may use company information, devices, accounts, and AI and SaaS tooling                            | Annex A 5.10, 6.7, 8.1                     |
| [Access Control Policy](/trust/policies/access-control-policy)                                         | Governs how botBrains grants, reviews, and revokes identities, authentication, and least-privilege access                | Annex A 5.15-5.18, 8.2, 8.3, 8.5           |
| [Cryptography Policy](/trust/policies/cryptography-policy)                                             | Defines encryption standards for data at rest and in transit and how we manage keys and certificates                     | Annex A 8.24                               |
| [Asset Management Policy](/trust/policies/asset-management-policy)                                     | Maintains an inventory of information assets and assigns ownership and handling rules                                    | Annex A 5.9-5.11, 7.10, 7.14               |
| [Data Classification Policy](/trust/policies/data-classification-policy)                               | Classifies, labels, and governs how we handle data across its lifecycle by sensitivity                                   | Annex A 5.12-5.14, 8.10-8.12               |
| [Data Protection Policy](/trust/policies/data-protection-policy)                                       | Ensures lawful, GDPR-compliant processing of personal and customer data, including AI conversation data                  | Annex A 5.34, 8.11; GDPR                   |
| [Data Retention Policy](/trust/policies/data-retention-policy)                                         | Defines how long we keep each category of data and how we securely delete it                                             | Annex A 5.33, 5.34, 8.10                   |
| [Human Resource Security Policy](/trust/policies/human-resource-security-policy)                       | Covers screening, onboarding, security awareness, discipline, and offboarding of personnel                               | Clauses 7.2, 7.3; Annex A 6.1-6.6, 6.8     |
| [Physical Security Policy](/trust/policies/physical-security-policy)                                   | Protects offices, equipment, and physical media and controls access to secure areas                                      | Annex A 7.1-7.14                           |
| [Operations Security Policy](/trust/policies/operations-security-policy)                               | Governs secure day-to-day operations, including change management, capacity, and malware protection                      | Annex A 8.6, 8.7, 8.9, 8.19, 8.31, 8.32    |
| [Logging and Monitoring Policy](/trust/policies/logging-and-monitoring-policy)                         | Defines what we log, how we protect logs, and how we monitor and review security events                                  | Annex A 8.15-8.17                          |
| [Vulnerability Management Policy](/trust/policies/vulnerability-management-policy)                     | Sets how we identify, prioritize, and remediate technical vulnerabilities through scans, patching, and penetration tests | Annex A 8.8                                |
| [Backup Policy](/trust/policies/backup-policy)                                                         | Defines backup frequency, scope, encryption, and tested restoration of critical systems and data                         | Annex A 8.13                               |
| [Secure Development Policy](/trust/policies/secure-development-policy)                                 | Embeds security into our software development lifecycle, code review, testing, and deployment                            | Annex A 8.25-8.31                          |
| [Network Security Policy](/trust/policies/network-security-policy)                                     | Governs segmentation, secure configuration, and protection of our networks and network services                          | Annex A 8.9, 8.20-8.23                     |
| [Incident Management Policy](/trust/policies/incident-management-policy)                               | Defines how we report, triage, escalate, and learn from security incidents                                               | Annex A 5.24-5.28, 6.8                     |
| [Breach Notification Policy](/trust/policies/breach-notification-policy)                               | Defines our obligations and timelines for notifying authorities and affected parties of a data breach                    | Annex A 5.26; GDPR Art. 33/34              |
| [Business Continuity and Disaster Recovery](/trust/policies/business-continuity-and-disaster-recovery) | Ensures botBrains can continue and recover critical services during and after disruption                                 | Clause 8.1; Annex A 5.29, 5.30, 8.13, 8.14 |
| [Supplier Management Policy](/trust/policies/supplier-management-policy)                               | Manages information security risk across our vendors, subprocessors, and cloud providers                                 | Annex A 5.19-5.23                          |
| [Responsible Disclosure Policy](/trust/policies/responsible-disclosure-policy)                         | Gives external researchers a safe channel to report vulnerabilities to botBrains                                         | Annex A 5.7, 6.8, 8.8                      |
| [Code of Conduct](/trust/policies/code-of-conduct)                                                     | Sets ethical conduct expectations for personnel, including anti-bribery and anti-corruption                              | Annex A 5.4, 6.2                           |
