Security & Compliance · Internal policies

The 10 policies.

The internal security policies KumoKodo, Inc. operates Kodori under — the documents a SOC 2 Type I auditor pulls when the engagement opens. Each policy is summarized below; the full Markdown source lives in the public repo for transparency. An auditor-grade PDF set with version history is available under NDA.

Effective 2026-05-02. Review cadence: annual + on material change. Owner today: Sam Simpson (Founder, KumoKodo, Inc.).

  1. Information Security Policy (01)

     Umbrella commitments — confidentiality, integrity, availability, lawful processing — that every other policy operates under.

     docs/security-policies/01-information-security.md

  2. Acceptable Use Policy (02)

     What personnel may and may not do with customer data, source code, and production infrastructure. Permitted vs prohibited use; production-data-exfiltration prohibition.

     docs/security-policies/02-acceptable-use.md

  3. Access Control Policy (03)

     Identity foundation (SSO-only), role taxonomy (customer-side: owner / admin / member; KumoKodo-side: founder / engineer / contractor), grant + review + revoke lifecycle, deny-wins ACL composition.

     docs/security-policies/03-access-control.md

  4. Change Management Policy (04)

     PR-based code workflow with second-engineer review, Drizzle Kit migrations with manual review of generated SQL, Vercel atomic deploys, emergency-change protocol with post-incident documentation.

     docs/security-policies/04-change-management.md

  5. Data Classification Policy (05)

     Customer-data five-tier sensitivity model (public / internal / confidential / restricted / regulated) + KumoKodo-internal four-class taxonomy. Cross-flow rules; PII auto-escalation via DLP.

     docs/security-policies/05-data-classification.md

  6. Encryption Policy (06)

     In-transit (TLS 1.2+ everywhere) + at-rest (AES-256 R2 + Neon, AES-256-GCM application envelope when BYO-KMS configured) + algorithms in use + key-rotation cadence + crypto-erasure via BYO-KMS revocation.

     docs/security-policies/06-encryption.md

  7. Incident Response Policy (07)

     Four-tier severity taxonomy + detection paths + response timelines (Sev 1: 0-15 min commander declared, 1-72 hr regulatory notification per applicable law) + post-mortem template.

     docs/security-policies/07-incident-response.md

  8. Vendor (Sub-processor) Management Policy (08)

     Selection criteria (SOC 2 Type II or ISO 27001 floor; BAA execution mandatory for HIPAA-path), contracting requirements, quarterly monitoring, 30-day customer notice on changes.

     docs/security-policies/08-vendor-management.md

  9. Backup & Disaster Recovery Policy (09)

     Per-asset backup strategy (Neon PITR, R2 cross-region, GitHub repo replication), 5 recovery scenarios with concrete RTOs / RPOs, customer-side controls.

     docs/security-policies/09-backup-recovery.md

  10. Risk Assessment Policy (10)

      Annual cadence + quarterly active-monitoring + triggered out-of-cycle reviews. Standing 13-row risk register with 1-25 likelihood × impact scoring + treatment plan per risk.

      docs/security-policies/10-risk-assessment.md

Request the auditor-grade PDF set.

For SOC 2 / HIPAA / 21 CFR Part 11 / ISO 27001 / FedRAMP security review — email security@kumokodo.ai with your firm name and the framework you’re reviewing under. We respond within one business day with the versioned PDF set under NDA + a CAIQ-LITE security questionnaire pre-filled against the policy controls.