Trust · Policy library

The 18 policies we operate under.

Every policy is in our public repo. Reviewed annually, versioned in git, signed by the team. Customer-facing copies are downloadable below; internal-only policies are listed but their bodies are private.

See also: Vulnerability disclosure · Full repo

Core

Information Security Policy · Public

Top-of-stack policy that names the assets we protect, the threats we plan against, and the controls we implement.

Risk Assessment Policy · Customer-shareable

How we identify, score, and track risks. Companion risk register is published in the repo.

Data handling

Data Classification & Handling Policy · Customer-shareable

Four-level classification (Restricted / Confidential / Internal / Public) with per-level handling requirements.

Data Retention & Disposal Policy · Customer-shareable

Retention windows by data class, DSR-driven deletion (30-day SLA), disposal methods.

Cryptography Policy · Customer-shareable

Approved algorithms, key management, rotation cadence, TLS minimums.

Engineering

Secure Software Development Policy · Customer-shareable

Threat-modeling discipline, code-review expectations, dependency hygiene, deployment standards.

Operational

Access Control Policy · Public

Who can access production, with what role, and how we prove the access was reviewed quarterly. Drives the production-access-inventory feature.

Change Management Policy · Public

How code reaches production — PR → CI → AI-assisted review → branch-protected merge → auto-deploy.

Incident Response Plan · Customer-shareable

Severity definitions, response phases, communication SLAs, tabletop cadence.

Business Continuity & DR Plan · Customer-shareable

RTO / RPO targets, backup posture, quarterly DR test procedure, key-person succession plan.

Vulnerability Management Policy · Public

Dependabot + annual pen test + severity-based remediation SLAs. Aligned with SECURITY.md.

Vendor Management Policy · Customer-shareable

How sub-processors are selected, onboarded, monitored, and offboarded. 30-day customer notice for adds.

Logging & Monitoring Policy · Customer-shareable

What we log, what we never log, retention, alerting cadence.

Backup Policy · Customer-shareable

Backup mechanism per asset class, retention windows, quarterly restoration test.

People

Acceptable Use Policy · Internal

What employees + contractors can and can't do with Resolute systems.

Code of Conduct · Internal

Minimum behavioral standard for everyone with Resolute credentials.

Onboarding / Offboarding Policy · Internal

Per-system checklists for joiners + leavers. Even at a headcount of 1.

Password & MFA Policy · Public

Required factors, ordering, lockout thresholds, the no-SMS rule.

Memos & supporting documents

Not policies — context the auditor will ask about, especially around solo-founder operations.

Key Person Risk memo · Internal

Solo-founder succession + business-continuity plan. Sealed envelope, attorney POA, customer-facing communication templates.

Separation of Duties — Compensating Controls memo · Internal

Eight compensating controls that substitute for human-to-human SoD while we're a one-engineer team.

Solo-founder BCP scenarios · Internal

Ten specific failure modes (founder lost device, MFA factor lost, sub-processor BK, etc.) with documented mitigations.

Risk register · Internal

18-entry quantitative risk assessment, scored Likelihood × Impact, tiered + reviewed quarterly.

For your security team

Need a specific policy under NDA, or a SOC 2 readiness attestation pack? Email security@resolute-security.com. The Security Review Packet PDF bundles the most-requested customer-facing artifacts in one download.