HR Security Policy

Field            Value
Document ID      HRP-001
Version          1.0
Classification   Internal
Owner            Lauren ten Hoor (Director)
Effective date   2026-04-30
Next review      2027-04-30
Parent policy    Information Security Policy (ISP-001)

1. Purpose

To establish the personnel-security obligations that apply before, during, and after engagement with the Company, and to specify how those obligations are met given the Company's current organisational form.

2. Scope

This Policy covers all personnel of the Company. The Company is currently a one-person organisation: the only person engaged in operating the Company and accessing its information systems is the Director, Lauren ten Hoor. The Director's pre-engagement, in-engagement, and termination obligations are detailed in §4–§6 below.

The EU Representative under GDPR Article 27 is not personnel of the Company. They have no access to Company systems or information, perform no operational role, and are not subject to the personnel-security controls in this Policy. Their relationship is governed by the EU Representative Mandate and managed under the Vendor / Supplier Management Policy framework.

This Policy also describes the procedures that apply if and when additional personnel (employees, contractors, interns, advisors needing sensitive access) are engaged (§7).

3. Roles

Role       Responsibility
Director   Self-applies the personnel-security controls in §4–§6 below; would be the hiring manager and HR owner for any future personnel

4. The Director's personnel-security baseline

The personnel-security controls equivalent to those that would be applied to an external hire are met for the Director as follows.

4.1 Identity and right-to-engage

  • The Director's identity and right to act on behalf of the Company are verified through ACRA (Singapore corporate registry) at company formation. ACRA records constitute documentary evidence and are kept up to date.
  • Tax residency and personal-identity documentation are retained for the Company's accountant.

4.2 Confidentiality

  • The Director is bound by fiduciary duties to the Company under Singapore company law.
  • Customer-facing confidentiality obligations flow through the Data Processing Agreement and the Information Security Policy.
  • An explicit personal NDA is not separately required because the Director and the Company are not arm's-length parties; instead, the Director's compliance with confidentiality obligations is enforced through the ISMS itself.

4.3 Acknowledgement of policies

  • The Director approves and signs each ISMS policy on issue. Approval at §10 of each policy serves as the acknowledgement.
  • Re-acknowledgement occurs annually at the policy review.

4.4 Awareness training

  • The Director completes information-security awareness training annually through a recognised provider (e.g. KnowBe4 Compliance Plus, Curricula, SANS Security Awareness).
  • Privacy-and-data-protection training (GDPR fundamentals, Singapore PDPA fundamentals, AI privacy considerations) is completed annually.
  • Certificates of completion are retained for at least 3 years.

4.5 Disciplinary process

  • The Director's accountability for ISMS compliance is to the Company itself, recorded in the management-review log. Material lapses trigger a documented corrective-action item in the Risk Register.
  • Where a lapse may have caused harm to customers or breached a regulatory obligation, the Incident Management Policy governs the response and the Information Security Policy §13 governs the consequences.

5. Continuity-of-control for the sole personnel

Because the Company has one director, the absence (incapacity, unavailability) of that person is itself a personnel-security risk. This is treated as a continuity scenario in Business Continuity & Disaster Recovery Plan §7, with the following personnel-side mitigations:

  • A sealed emergency-access kit at the Director's residence, containing password-manager emergency-access details, Google account 2-Step Verification backup codes, EU Representative contact details, and pre-drafted customer / regulator notification templates.
  • A designated trusted contact (next of kin) who knows where the kit is and what to do.
  • A planned cyber-incident retainer with an external advisor, which can be activated by the trusted contact for technical continuity.

These mitigations are reviewed annually and updated whenever personal circumstances change.

6. Termination — succession of the sole director

The Company has not contemplated a planned termination of the Director's engagement at this stage of operations. In the event of unplanned termination (for example, sale of the Company, transfer to a successor entity, or incapacity), the following applies:

  • All Company information remains the property of the Company and not the Director's personal property.
  • The Director's continuing confidentiality obligations under Singapore company law and any future shareholder agreement persist beyond cessation of role.
  • The trusted-contact procedure in BCP-001 §7 governs the operational handover during incapacity.

7. Procedures applying to any future personnel

If the Company engages additional personnel, the following procedures apply.

7.1 Pre-engagement

  • Background verification proportionate to the role and lawful in the jurisdiction of engagement: identity, right-to-work, references for the most recent employer(s), and verification of declared qualifications relevant to the role.
  • Confidentiality / NDA agreement signed before any access to Company information.
  • Acceptable Use acknowledgement for AUP-001.
  • Information Security Policy acknowledgement for ISP-001.
  • For contractors processing Customer Personal Data: a back-to-back Data Processing Agreement consistent with the customer-facing DPA.

7.2 During engagement

  • Information-security awareness training within 30 days of joining and annually thereafter, with retained certificates.
  • Role-specific training where applicable (secure development for engineers, incident handling for those holding response roles).
  • Access reviews per the Access Control Policy §6 and §8.
  • Annual acknowledgement of all applicable ISMS policies.

7.3 Termination

  • All access revoked on the same business day as departure (or earlier where the departure is involuntary).
  • Hardware and Company-owned devices returned.
  • BYOD Company-data wipe per Endpoint Security Policy.
  • Final review to confirm no Company information remains under personal control.
  • Written reminder of continuing confidentiality obligations.
  • Off-boarding checklist recorded.

7.4 Disciplinary

  • Suspected violations are investigated by the Director (or, in future, the role with appropriate authority) fairly and confidentially.
  • Sanctions are proportionate and consistent with applicable employment law.

8. Compliance and references

ISO/IEC 27001:2022 Annex A: A.6.1 (screening), A.6.2 (terms and conditions of employment), A.6.3 (information security awareness, education and training), A.6.4 (disciplinary process), A.6.5 (responsibilities after termination or change of employment), A.6.6 (confidentiality or non-disclosure agreements).

GDPR Article 32(4) (any person acting under the authority of the controller or processor having access to personal data shall not process them except on instructions from the controller, unless required to do so by law).

9. Version history

Version   Date         Author             Summary
1.0       2026-04-30   Lauren ten Hoor    Initial issue, structured around the one-person organisational form: Director's personnel-security baseline (§4), continuity of control (§5), succession (§6), with future-personnel procedures (§7)