Draft for internal review only — not legal advice. This document is a working draft based on the EquestrianIQ Pre-Launch Policy Pack (v0.1) and must be reviewed by qualified counsel before launch.
Purpose
This internal policy sets minimum security requirements for the app, documents and user data.
Minimum controls
- Encryption in transit using current TLS standards.
- Encryption at rest for databases, document storage and backups.
- Least-privilege access for internal staff and service accounts.
- Multi-factor authentication for admin and production access.
- Secure password storage using recognised hashing standards.
- Role-based access controls in the product and admin systems.
- Audit logs for document access, export, sharing, permission changes and admin access.
- Secure backups and tested restoration procedures.
- Vulnerability management and patching process.
- Secure software development practices, code review and environment separation.
- Regular review of third-party providers and subprocessors.
Internal access
Staff must not browse user records without a justified need. Support access to user documents is limited, logged, justified and approved per the Internal Staff Access Policy.