Information Security Policy

| Field | Value |
|---|---|
| Document ID | ISP-001 |
| Version | 1.0 |
| Classification | Internal — distributed to customers under NDA |
| Owner | Lauren ten Hoor (Director, designated DPO) |
| Approved by | Lauren ten Hoor (Director) |
| Effective date | 2026-04-30 |
| Next review | 2027-04-30 (annually, or on material change) |
| Distribution | Internal staff (currently: founder); paying customers via in-app compliance section; prospects under NDA |

1. Statement of intent

Nozemans Software Pte Ltd ("Cadences" or the "Company") is committed to protecting the confidentiality, integrity, and availability of all information assets entrusted to it by its customers and used in delivering the Cadences.work service. This includes employee performance feedback, time-tracking data, identifying information, and authentication credentials.

The Director approves this Information Security Policy and the supporting Information Security Management System (ISMS), and commits the Company to:

  • complying with all applicable legal, regulatory, and contractual information-security obligations, including the EU General Data Protection Regulation, the Singapore Personal Data Protection Act, and obligations to customers under signed Data Processing Agreements;
  • aligning controls with the ISO/IEC 27001:2022 framework, with audit readiness targeted through 2026 and formal certification during 2027 once customer demand justifies the audit spend;
  • providing the resources necessary to operate, maintain, and continually improve the ISMS;
  • ensuring this policy and its sub-policies are communicated to all personnel and made available to interested parties as appropriate.

2. Purpose

This Policy establishes the framework, responsibilities, objectives, and minimum standards for information security at the Company. It is the parent document of the ISMS; sub-policies covering specific control domains are listed in §7 and inherit their authority from this document.

3. Scope

This Policy applies to:

  • all personnel of the Company (currently the sole director and any future employees, contractors, or interns);
  • all information assets — including production systems, source code, customer data, internal data, and intellectual property — regardless of location, format, or ownership;
  • all locations and devices from which Company business is conducted, including the founder's workstation and mobile device;
  • all third parties acting on behalf of the Company (sub-processors, service providers, advisors) to the extent of their engagement with Company information.

It explicitly covers the Cadences.work production environment hosted on Vercel (Dublin, dub1) and Supabase (Ireland, eu-west-1), the source-code repository on GitLab, and all administrative SaaS tools listed in the MFA & Admin-Account Audit Checklist.

4. Organisational context and roles

4.1 The Company is a one-person organisation

The Company has one director and no employees, contractors, or interns. The Director, Lauren ten Hoor, holds every internal information-security role personally. This is the steady state of the Company; the policies in this ISMS are written for this state, not as a transitional arrangement.

Separation of duties as understood in multi-person organisations is not achievable in this organisational form. The Company achieves equivalent assurance through compensating controls:

  • Immutable audit trails — Git history, Vercel deployment logs, Supabase audit logs, application audit log;
  • Automated gates — CI type-check / lint / dependency-scan, MFA enforcement, RLS at the database layer;
  • External attestation — sub-processor SOC 2 / ISO 27001 reports, planned compliance-platform monitoring (Sprinto/Vanta), planned ISO 27001 third-party audit;
  • Documented self-review — material decisions and post-incident reviews recorded in writing in this repository.

4.2 Internal roles (all held by the Director)

| Role | Responsibility |
|---|---|
| Top Management | Approves policy, allocates resources, reviews ISMS performance |
| ISMS Owner | Operates and maintains the ISMS |
| Data Protection Officer (Singapore PDPA) | PDPC liaison; data subject correspondence |
| Information Security Officer | Day-to-day security operations |
| Incident Commander | Leads response to security incidents |

4.3 External mandated party — EU Representative

The Company has a designated EU Representative under GDPR Article 27 (see eu-representative-mandate.md). The Representative is not personnel of the Company:

  • They do not have access to Company systems, data, or accounts;
  • They do not perform any operational security role;
  • Their function is limited to forwarding correspondence from EU supervisory authorities and EU data subjects to the Director, and to being addressed in lieu of the Company by those parties (Art. 27(5));
  • Personnel-security controls (training, AUP acknowledgement, on-boarding/off-boarding under HRP-001) do not apply to them. Their relationship is governed by the written mandate and is closer to that of a contracted service than an employee.

4.4 Future personnel

If the Company engages additional personnel (employees, contractors, interns, advisors with sensitive access), the role assignments above shall be re-evaluated to introduce separation of duties where practical, and the affected sections of this Policy and its sub-policies shall be updated. Until then, references to "personnel" in this ISMS mean the Director.

5. Information security objectives

The Company sets measurable security objectives annually. The current objectives are:

| # | Objective | Measure | Target | Review |
|---|---|---|---|---|
| O-1 | Maintain availability of the production service | Uptime | ≥97.0% rolling 90-day (matches the default SLA in the MSA template); higher (≥99.5% / ≥99.9%) where committed on a customer's Order Form | Monthly |
| O-2 | Detect and respond to security incidents promptly | Mean time to acknowledge | <1 hour from first signal | Per incident |
| O-3 | Notify affected customers of breaches without undue delay | Time from confirmation to first notification | ≤72 hours | Per incident |
| O-4 | Maintain effective access control | MFA enforcement on admin accounts | 100% | Quarterly |
| O-5 | Minimise unpatched vulnerabilities | Critical CVEs in production deps | 0 unpatched >7 days | Continuous |
| O-6 | Reach ISO 27001 audit-ready posture; obtain certificate when customer demand justifies the audit spend | Audit-ready posture; certificate obtained | Audit-ready by 2026-12-31; certificate during 2027 | Annually |
| O-7 | Limit personal data leaving the EU/EEA | Customer data processed outside EU | Authentication-required only; no persistent data in non-EU regions | Quarterly |

Performance against these objectives is reviewed by the Director at least quarterly and recorded in the management-review log.

6. Risk management approach

The Company maintains a risk register documenting identified information-security risks, their likelihood and impact, and the controls or mitigations applied. Risks are classified as Low, Medium, High, or Critical based on a 5×5 risk matrix.

The Company commits to:

  • identifying new risks on at least a quarterly basis or whenever a material change occurs (new sub-processor, new feature, new customer segment, new regulatory development);
  • treating risks proportionately, choosing among avoidance, mitigation, transfer (e.g. cyber insurance), or documented acceptance;
  • documenting accepted risks with the rationale for acceptance and the residual exposure;
  • presenting the top risks to top management (the Director) at the annual management review.

The risk-management methodology is detailed in the Risk Management Policy and the live state is recorded in the Risk Register.

7. Sub-policies

This Policy is supported by the following sub-policies, each of which inherits its authority from this document and elaborates on a specific control domain. All sub-policies share the same review cadence and approval authority unless stated otherwise.

| ID | Policy | Scope |
|---|---|---|
| ACP-001 | Access Control Policy | Authentication, authorisation, joiner/mover/leaver, MFA |
| AUP-001 | Acceptable Use Policy | Personnel use of Company systems and information |
| DCP-001 | Data Classification & Handling Policy | Classification levels, handling rules per level |
| IRP-001 | Incident Management Policy | Detection, response, notification — operationalised in incident-response.md |
| RMP-001 | Risk Management Policy | Risk identification, assessment, treatment |
| VMP-001 | Vendor / Supplier Management Policy | Sub-processor selection, due diligence, monitoring |
| BCP-001 | Business Continuity & Disaster Recovery Plan | Backup, restore, RPO/RTO, continuity scenarios |
| CMP-001 | Change Management Policy | Code, configuration, infrastructure changes |
| CRP-001 | Cryptography Policy | Encryption standards, key management |
| EPP-001 | Endpoint Security Policy | Founder's workstation and mobile device hardening |
| HRP-001 | HR Security Policy | Personnel security, onboarding, offboarding |

8. Compliance with legal and regulatory requirements

The Company commits to compliance with the following:

  • Singapore Personal Data Protection Act (PDPA) — including Section 26 (transfer of personal data abroad) and Section 26B (data breach notification to PDPC).
  • EU General Data Protection Regulation (GDPR) — Articles 5, 6, 13, 25, 28, 30, 32, 33, 34, and 27 (EU representative).
  • 2021 EU Standard Contractual Clauses for international transfers.
  • EU-US Data Privacy Framework where applicable to US-based sub-processors.
  • UK GDPR and Data Protection Act 2018 with the UK International Data Transfer Addendum, for any UK customers.
  • Customer contracts, including signed Data Processing Agreements with each customer.

The DPO is responsible for tracking changes to applicable laws and updating policies accordingly.

9. Information classification

All information processed by the Company is classified into one of four levels:

| Level | Description | Examples |
|---|---|---|
| Public | No harm if disclosed. Approved for the marketing site. | Trust page content, sub-processor list, vacancy posts |
| Internal | Routine business information. Disclosure not catastrophic. | Internal documentation, draft policies, metrics |
| Confidential | Disclosure causes harm to the Company or contractual breach. | Contracts, internal financials, full TOMs documents |
| Restricted | Disclosure causes severe harm or regulatory liability. | Customer Personal Data, authentication credentials, encryption keys, incident details |

Handling rules per level are defined in the Data Classification & Handling Policy.

10. Personnel and training

The Director:

  • approves and acknowledges this Policy and its sub-policies on issue and at least annually thereafter (the acknowledgement is the signed approval at §14 of each policy);
  • completes information-security awareness training annually using a recognised provider (e.g. KnowBe4 Compliance Plus, Curricula) and retains the certificate of completion;
  • reports any suspected security incident immediately, acting in the capacity of Incident Commander, by opening an incident record per IRP-001;
  • does not bypass any security control without recording the decision and rationale in writing.

When additional personnel are engaged, the procedures in HRP-001 apply.

11. Reporting and incident management

All security incidents — confirmed, suspected, or reported by external parties — must be handled per the Incident Management Policy and the operational Incident Response Runbook.

Customers are notified of incidents affecting their data without undue delay and in any case within 72 hours of confirmation where reasonably possible. Supervisory authorities are notified per the GDPR (72 hours) and PDPA (where the breach affects ≥500 individuals or causes significant harm) timelines.

The vulnerability-disclosure policy is published at /security and reproduced in SECURITY.md.

12. Continual improvement and review

The ISMS shall be reviewed:

  • by the Director at least annually as part of the management review, with formal records;
  • on each material change to the Company's processing activities, technology stack, customer base, sub-processor list, or applicable law;
  • after each significant security incident as part of the post-mortem;
  • on receipt of customer feedback, audit findings, or compliance-platform alerts (Sprinto/Vanta once engaged).

This Policy and its sub-policies are reviewed at least annually for currency and alignment with ISO 27001 Annex A.

13. Sanctions for non-compliance

Violations of this Policy or any sub-policy may result in disciplinary action up to and including termination of employment or contract, and may be reported to law-enforcement or regulatory authorities where appropriate. For the sole director, violations are recorded in the management-review log and corrective action is taken in writing.

14. Approval and version history

This Policy is approved by the Director on behalf of the Company.

| Version | Date | Author | Summary |
|---|---|---|---|
| 1.0 | 2026-04-30 | Lauren ten Hoor | Initial issue |

Approved by:

Name: Lauren ten Hoor
Title: Director, Nozemans Software Pte Ltd
Signature: _______________________________
Date: 2026-04-30

Appendix A — Document conventions for the ISMS

These conventions apply to every policy, plan, and procedure in the ISMS, to keep the document set internally consistent and ready for ISO 27001 audit evidence.

Header

Every document begins with a metadata table containing: Document ID, Version, Classification, Owner, Approver, Effective Date, Next Review, Distribution. Document IDs follow the prefix-number convention (e.g. ACP-001 for the Access Control Policy).

Structure

Every policy contains, at minimum: Purpose, Scope, Roles, Policy Statements, Compliance, Review, and Approval sections. Operational documents (runbooks, registers) may use a structure suited to their purpose but must still record an Owner and Last-Reviewed date.

Versioning

Major versions for material content changes (semantics shift, new obligations, removed sections). Minor versions for edits that don't change meaning. The version history table at the end of every document records each change.

Review cadence

Annually by default, or on any material change. The review owner and date are recorded both in the metadata header (Next Review) and in the version-history table.

Mapping to ISO 27001:2022 Annex A

A mapping of policies to Annex A controls is maintained in the Statement of Applicability (to be drafted as part of Phase 4 Sprinto/Vanta onboarding).