
# Roles and Responsibilities

> Defines who owns, operates, and stays accountable for information security across botBrains.

export const PolicyVersion = ({version, effective}) => <p><strong>Version {version}</strong> · Effective {effective}. Change history is tracked in version control.</p>;

This policy defines who owns, operates, and stays accountable for information security across botBrains. It's the canonical home for our security roles. Other policies reference these roles instead of restating them. botBrains is a two-person, fully remote company, so one named individual carries accountability and team members hold several roles at once. This is deliberate and documented here.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

<PolicyVersion version="1.0" effective="July 1, 2026" />

## Scope

This policy covers every information security role at botBrains and applies to both team members and any contractor or supplier acting on our behalf.

## Named accountability

**Liam van der Viven (CTO) is the CISO** and holds top-level accountability for information security at botBrains. The CISO approves every policy, owns the ISMS, decides on risk treatment and exceptions, and is the point of contact for security and privacy matters. Following the named-individual principle, accountability rests with this single named person and isn't diffused across an unnamed committee.

**Ben Meyer-Meisel** is the co-founder and shares operational security duties, primarily for engineering and infrastructure. Either co-founder may carry out routine security operations; only the CISO holds the named accountability described above.

## Roles

| Role                             | Held by                                                    | Core responsibilities                                                                                                                                                                                                         |
| -------------------------------- | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CISO**                         | Liam van der Viven (CTO)                                   | Owns and approves the ISMS and all policies. Sets security objectives, owns the risk register, approves exceptions, leads the management review, and coordinates incident response and breach notification.                   |
| **Engineering / Infrastructure** | Both co-founders                                           | Operate and secure the product and cloud infrastructure (AWS, Hetzner, DigitalOcean, Modal, Vercel). Apply secure development, change management, patching, logging, and access controls.                                     |
| **Data Protection contact**      | Reached at [legal@botbrains.io](mailto:legal@botbrains.io) | Handles GDPR matters, data subject requests, the subprocessor list, and privacy incidents. botBrains is a processor for conversation data and a controller for account and billing data. See [GDPR compliance](/trust/gdpr).  |
| **Asset / system owner**         | A co-founder, assigned per system in the asset register    | Configures each critical system securely, enforces least privilege, and reviews access regularly. The [Asset Management Policy](/trust/policies/asset-management-policy) maintains the inventory of systems and their owners. |
| **All personnel**                | Every team member and contractor                           | Follow every policy, protect information they handle, use approved tools and the shared password manager, and report security events promptly.                                                                                |

Both co-founders hold most of these roles jointly. Where a single person both performs and approves an action, botBrains relies on compensating controls described in the [Secure Development Policy](/trust/policies/secure-development-policy) and the [Access Control Policy](/trust/policies/access-control-policy), and records the resulting segregation-of-duties limitation in the risk register.

## Responsibilities of all personnel

* Read, understand, and follow this and every other [ISMS policy](/trust/iso-27001).
* Protect the confidentiality and integrity of any information classified Internal or Confidential. See the [Data Classification Policy](/trust/policies/data-classification-policy).
* Report actual or suspected security events through the [Incident Management Policy](/trust/policies/incident-management-policy).
* Complete security awareness activities and acknowledge policies when onboarding and after material changes. See the [Human Resource Security Policy](/trust/policies/human-resource-security-policy).

## ISO 27001 mapping

This policy supports **Clause 5.3 (Organizational roles, responsibilities and authorities)** and **Annex A 5.2 (Information security roles and responsibilities)**, **5.3 (Segregation of duties)**, and **5.4 (Management responsibilities)**.

## Review

The CISO owns this policy and reviews it at least annually and whenever roles or the team change.
