DRAFT — pending solicitor and security-audit review.
Information security policy
1. Scope
This policy applies to all systems, sub-processors, and personnel involved in operating Literate.
2. Access control
Access is granted by role. Production access requires hardware-key two-factor authentication. All administrative actions are written to an append-only, hash-chained audit log; the hash chain makes edits and deletions detectable (tamper-evident) rather than impossible, so the log store itself must be append-only and its latest hash must be anchored outside the reach of the administrators it records.
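Illustration for reviewers of what the hash-chained audit log control above provides. This is added example code, not part of the policy and not Literate's implementation; the entry fields, the sample admin actions, and the idea of an externally stored "anchor" hash are constructed for the example.

```python
"""Hash-chained audit log: append, verify, and detect two kinds of tampering.

Added illustration; not Literate's code. Entry layout and sample actions are
constructed for this example.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # constructed prev_hash value for the first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry minus its own hash.

    sort_keys and fixed separators make the encoding deterministic, so the same
    entry always hashes to the same value on every host.
    """
    body = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def append(log: List[dict], actor: str, action: str, ts: str) -> dict:
    """Append an admin action, linking it to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "actor": actor, "action": action, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify(log: List[dict], anchor: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    Checks that each entry's hash matches its content, that each prev_hash equals
    the previous entry's hash, and that seq numbers are contiguous. If an anchor
    (the latest hash, stored in a separate system) is supplied, the chain must
    also end at it; that is the check that catches silent truncation.
    """
    expected_prev = GENESIS
    for i, e in enumerate(log):
        if e.get("seq") != i or e.get("prev_hash") != expected_prev or e.get("hash") != entry_hash(e):
            return i
        expected_prev = e["hash"]
    if anchor is not None and expected_prev != anchor:
        return len(log)  # chain is self-consistent but does not reach the anchor
    return None


def demo() -> dict:
    """Build a constructed log, tamper with it two ways, and report what verify() sees."""
    log: List[dict] = []
    append(log, "alice", "grant role:admin to bob", "2024-01-01T10:00:00Z")
    append(log, "bob", "rotate db credentials", "2024-01-01T10:05:00Z")
    append(log, "alice", "revoke role:admin from bob", "2024-01-01T10:10:00Z")
    anchor = log[-1]["hash"]  # in practice published to a store admins cannot write

    intact = verify(log, anchor)

    # Tampering 1: rewrite a past action in place; the entry hash no longer matches.
    edited = json.loads(json.dumps(log))
    edited[1]["action"] = "read db credentials"
    edit_detected_at = verify(edited, anchor)

    # Tampering 2: drop the newest entry. The remaining chain still verifies on its
    # own, so only the external anchor reveals that the log has been shortened.
    truncated = log[:-1]
    truncation_without_anchor = verify(truncated)
    truncation_with_anchor = verify(truncated, anchor)

    return {
        "intact": intact,
        "edit_detected_at": edit_detected_at,
        "truncation_without_anchor": truncation_without_anchor,
        "truncation_with_anchor": truncation_with_anchor,
    }


if __name__ == "__main__":
    print(demo())
```

The point for the policy: the chain alone detects modification of past entries but not removal of the tail, so "immutable" is only earned when the log store is append-only and the latest hash is regularly anchored somewhere the recorded administrators cannot alter.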
3. Encryption
Data in transit is protected with TLS 1.3; data at rest is encrypted with AES-256. Secrets are held in a managed secrets vault and are never committed to source repositories or written into configuration files.
4. Backups
Backups are taken daily, encrypted, stored in an EU region, and retained for 30 days. Restore drills are carried out quarterly to confirm that backups can actually be recovered.
5. Incident response
A documented incident-response runbook is maintained. For material incidents involving personal data, affected customers are notified within 72 hours of Literate becoming aware of the incident. Where Literate acts as processor, UK GDPR Article 33(2) requires the controller to be notified without undue delay; the 72-hour commitment is Literate's contractual bound on that, and it matches the period within which the controller must itself report to the ICO under Article 33(1).
6. Personnel
Personnel with production access undergo background checks. All personnel complete annual security training and are bound by an NDA.
7. Vendor management
Sub-processors are reviewed annually. Data processing agreements are in place with each sub-processor; international transfers rely on Standard Contractual Clauses or the UK International Data Transfer Agreement where applicable.
8. Vulnerability management
Dependencies are scanned automatically for known vulnerabilities. Patches for critical-severity findings are applied within 7 days, and for high-severity findings within 30 days.
9. Continuous improvement
This policy is reviewed at least annually, and additionally after any material incident.
DRAFT — replace before launch.