This policy defines who owns, operates, and stays accountable for information security across botBrains. It’s the canonical home for our security roles. Other policies reference these roles instead of restating them. botBrains is a two-person, fully remote company, so one named individual carries accountability and team members hold several roles at once. This is deliberate and documented here.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy covers every information security role at botBrains and applies to both team members and any contractor or supplier acting on our behalf.

Named accountability

Liam van der Viven (CTO) is the CISO and holds top-level accountability for information security at botBrains. The CISO approves every policy, owns the ISMS, decides on risk treatment and exceptions, and is the point of contact for security and privacy matters. Following the named-individual principle, accountability rests with this single named person and isn’t diffused across an unnamed committee. Ben Meyer-Meisel is the co-founder and shares operational security duties, primarily for engineering and infrastructure. Either co-founder may carry out routine security operations; only the CISO holds the named accountability described above.

Roles

Role: CISO
Held by: Liam van der Viven (CTO)
Core responsibilities: Owns and approves the ISMS and all policies. Sets security objectives, owns the risk register, approves exceptions, leads the management review, and coordinates incident response and breach notification.

Role: Engineering / Infrastructure
Held by: Both co-founders
Core responsibilities: Operate and secure the product and cloud infrastructure (AWS, Hetzner, DigitalOcean, Modal, Vercel). Apply secure development, change management, patching, logging, and access controls.

Role: Data Protection contact
Held by: Reached at legal@botbrains.io
Core responsibilities: Handles GDPR matters, data subject requests, the subprocessor list, and privacy incidents. botBrains is a processor for conversation data and a controller for account and billing data. See GDPR compliance.

Role: Asset / system owner
Held by: A co-founder, assigned per system in the asset register
Core responsibilities: Configures each critical system securely, enforces least privilege, and reviews access regularly. The Asset Management Policy maintains the inventory of systems and their owners.

Role: All personnel
Held by: Every team member and contractor
Core responsibilities: Follow every policy, protect information they handle, use approved tools and the shared password manager, and report security events promptly.

Both co-founders hold most of these roles jointly. Where a single person both performs and approves an action, botBrains relies on compensating controls described in the Secure Development Policy and the Access Control Policy, and records the resulting segregation-of-duties limitation in the risk register.

Responsibilities of all personnel

ISO 27001 mapping

This policy supports Clause 5.3 (Organizational roles, responsibilities and authorities) and Annex A 5.2 (Information security roles and responsibilities), 5.3 (Segregation of duties), and 5.4 (Management responsibilities).

Review

The CISO owns this policy and reviews it at least annually and whenever roles or the team change.