Information Security Policy
Version: 1.0 · Effective: July 14, 2026 · Owner: CEO / Security Lead Review cadence: Annual, or on material change.
1. Purpose
Define how EcoPowerHub AI LLC ("the Company") protects the confidentiality, integrity, and availability (CIA) of information assets used to build and operate EcoService Pro.
2. Scope
Applies to all employees, contractors, and systems (production, staging, development, corporate laptops) that store, process, or transmit Company or customer data.
3. Roles & responsibilities
- CEO (Eng. Martin): Ultimate accountability, policy approval.
- Security Lead: Runs the program; owns this policy, the risk register, and incident response.
- Engineering: Implements controls; peer-reviews code; runs CI security checks.
- All personnel: Complete annual security awareness training; report incidents within 24 h.
4. Guiding principles
- Least privilege — access is granted on need-to-know, revoked on role change.
- Defense in depth — RLS + auth + rate limits + audit logs are layered, not alternatives.
- Secure by default — new features ship with RLS, input validation, and auditing on day 1.
- Assume breach — every action is logged and every secret is rotatable.
5. Control domains
| Domain | Control | Reference |
| --- | --- | --- |
| Access control | RBAC, MFA, session expiry | access-control-policy.md |
| Data protection | AES-256 at rest, TLS 1.2+ in transit, key rotation | data-privacy-policy.md |
| Change management | PR review, protected main, CI must pass | .github/workflows/ |
| Vulnerability mgmt | Weekly bun audit, monthly Supabase linter | Risk register R-04 |
| Logging & monitoring | audit_logs, security_events, Sentry | src/lib/audit.server.ts |
| Incident response | 24 h detection SLA, 72 h regulator notice | incident-response-plan.md |
| Vendor management | Annual review of every sub-processor | vendors/assessments.md |
| BCP / DR | Daily Supabase PITR (7 days), RPO 24 h, RTO 4 h | Risk register R-07 |
6. Acceptable use
Company systems may not be used for illegal activity, harassment, or crypto mining. Personal use is permitted in moderation and never with customer data.
7. Enforcement
Violations may result in access revocation, disciplinary action, or termination. Contractors in violation are removed from the project.
8. Exceptions
Documented in the risk register with a compensating control, an owner, and an expiry date. No open-ended exceptions.
9. Related documents
- Access Control Policy · Data Privacy Policy · Incident Response Plan · Risk Register · Vendor Assessments
Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.