Information Security Policy

Bridgit Platform (askbridgit.ca)
Version 1.2 | Effective: April 30, 2026 | Next Review: April 30, 2027
Regulatory Mapping: ISO 27001 (A.5, A.6, A.7, A.18), SOC 2 (CC1, CC2), GDPR (Art. 24), PIPEDA (P1, P8, P10)

Document Control

• Document Owner: Matthew Bromwich, Platform Administrator / CISO
• Version: 1.2
• Effective Date: April 30, 2026
• Last Review Date: April 30, 2026
• Next Review Date: April 30, 2027
• Classification: Internal
• Audit Frequency: Annually

Version History:

• 1.0 | February 18, 2026 | Matthew Bromwich | Initial policy establishment
• 1.1 | April 30, 2026 | Matthew Bromwich | Added SOC 2 CC2.2 (communication of control objectives), updated to reflect actual platform architecture and current operational state
• 1.2 | April 30, 2026 | Matthew Bromwich | Incorporated PIA findings: encryption specifics, MFA accuracy, account lockout details, GCP region confirmation, incident response cross-references

1. Purpose and Objectives

This policy establishes the information security governance framework for the Bridgit platform (askbridgit.ca). It defines organizational responsibilities, security principles, employee obligations, compliance requirements, and accountability mechanisms to protect the confidentiality, integrity, and availability of all information assets.

This policy demonstrates Bridgit's commitment to accountability as required under GDPR Article 24 (Responsibility of the Controller) and PIPEDA Principle 1 (Accountability).

Objectives:

• Protect information assets against unauthorized access, disclosure, modification, or destruction
• Ensure compliance with GDPR, PIPEDA, ISO 27001, and SOC 2
• Define clear security roles, responsibilities, and accountability
• Establish security awareness practices proportionate to the current team size
• Communicate control objectives and individual responsibilities to all personnel (SOC 2 CC2.2)
• Provide a governance framework that supports continuous improvement

Bridgit acts as both Data Controller (for its own operations) and Data Processor (for organizational customers who determine the purposes and means of processing their data).

2. Scope

This policy applies to:

Personnel:

• All personnel with access to Bridgit production systems, source code, or cloud infrastructure
• Currently: a small team led by the Platform Administrator (Matthew Bromwich), who fulfills the roles of CISO, DPO, and system administrator
• As the team scales, these responsibilities will be separated with formal reporting lines

Information assets:

• Web application: React/TypeScript frontend, Node.js/Express API
• Database: PostgreSQL 15 on Google Cloud SQL (bridgit_db)
• Caching: Redis 7 (JWT blacklisting, session management)
• File storage: Google Cloud Storage
• Secrets: GCP Secret Manager (API keys, credentials, encryption keys)
• Source code: GitHub repository (private)
• AI usage data: ai_usage_logs table (prompts, providers, token counts)

Third-party integrations:

• AI providers: OpenAI, Anthropic, Google AI, Cohere (receive user data in prompts)
• Stripe: billing and subscription data
• Google OAuth: authentication tokens
• Tavily: web search queries for AI context
• Apify: public social media data for CTRL dashboard

Environments:

• Production: askbridgit.ca (Cloud Run, northamerica-northeast1, Montreal, Canada). All production data resides exclusively in Canadian GCP regions. No data is stored in US or non-Canadian GCP regions.
• Staging: staging.askbridgit.ca (Cloud Run, northamerica-northeast1, same Canadian region)
• Local development: Docker containers (PostgreSQL, Redis, API, frontend). Local development uses synthetic or anonymized data; production data synced locally only for debugging and deleted after use.

Exclusions:

• Personal devices that do not access Bridgit systems or store platform data
• Information officially designated as public and published through approved channels

3. Core Security Principles

Bridgit's security program is founded on these principles:

Confidentiality: Information is protected from unauthorized disclosure. Access is granted on a need-to-know basis. Controls: AES-256-GCM application-level encryption for OAuth tokens (dedicated ENCRYPTION_KEY), Google Cloud SQL AES-256 encryption at rest (Google-managed keys), TLS 1.2+ enforced in transit (TLS 1.0/1.1 disabled by Cloud Run), GCP Secret Manager for all credentials and API keys, RBAC middleware on all API routes, progressive account lockout (5 failures: 30 min, 10: 2 hours, 15: 24 hours).

Integrity: Information is protected from unauthorized modification. All changes are authorized, traceable, and reversible. Controls: git version control with author attribution, GitHub Actions CI/CD pipeline, automated testing and linting, database constraints and validation, comprehensive audit logging in activity_instances.

Availability: Systems are accessible to authorized users when needed. Controls: Cloud Run auto-scaling and health-based restart, Cloud SQL automated daily backups, manual pg_dump before each deployment, GCS regional redundancy, Redis append-only persistence.

Defense in depth: Security is implemented in multiple layers. Controls: HTTPS (TLS), RBAC middleware, JWT with Redis blacklisting, organization_id tenant isolation, GCP IAM, Helmet CSP headers, CORS restrictions.

Least privilege: Users and systems are granted minimum necessary access. Controls: RBAC with four organizational roles (admin, manager, member, viewer) and two system roles, GCP IAM with role-specific permissions, Secret Manager access restricted by IAM policy, MFA available for all users with enforcement option for admin roles (REQUIRE_MFA_FOR_ADMINS feature flag). MFA is currently optional by default; mandatory enforcement for all users is planned.

Security by design: Security requirements are integrated into all development stages. Controls: CLAUDE.md codifies security rules, PRD process includes security requirements, staging validation before production, automated testing gates in CI/CD.

4. Organizational Structure and Governance (ISO 27001 A.5, A.6)

Current State

Platform Administrator / CISO: Matthew Bromwich

• Direct authority over all platform infrastructure, source code, and cloud resources
• Fulfills CISO, DPO, and system administrator roles
• Responsible for: security strategy, policy maintenance, incident response, vendor assessment, regulatory compliance, risk management, audit coordination
• Contact: mbromwich@askbridgit.ca

This is a small team. All security decisions are made by the Platform Administrator with documentation in git history and policy documents. There is no separate security team, no formal committee structure, and no board oversight at current scale.

Future State (as team scales)

When headcount warrants, the following will be established:

• Separation of CISO, DPO, and system administrator roles
• Security Operations function (SOC monitoring, incident response)
• GRC function (policy, risk, compliance, audit coordination)
• Information Security Steering Committee (quarterly, cross-functional)
• Formal reporting line: CISO reports to CEO with board visibility

These are planned structures, not current operational reality.

5. Roles and Responsibilities (SOC 2 CC1.3)

Platform Administrator / CISO (Matthew Bromwich):

• Owns all security policies and the risk register
• Manages GCP IAM roles, Secret Manager, and Cloud SQL access
• Coordinates incident response per the Incident Response Policy
• Conducts vendor assessments per the Vendor Management Policy
• Maintains the Records of Processing Activities (GDPR Art. 30)
• Approves all production deployments and infrastructure changes
• Conducts semi-annual policy reviews and security audits
• Responds to data subject requests and regulatory inquiries

Organization Administrators (tenant-level):

• Manage user access within their organization on the platform
• Configure organization-specific settings and data retention
• Oversee data collection and processing within their scope

All Platform Users:

• Comply with the Terms of Service and acceptable use requirements
• Report suspected security issues via the Report a Problem form (includes security triage section)
• Maintain the accuracy of their own profile data
• Use strong passwords and protect authentication credentials

Third-Party Vendors:

• Comply with Data Processing Agreements and contractual security clauses
• Notify Bridgit of security incidents per DPA terms
• Maintain applicable security certifications

6. Employee Security (ISO 27001 A.7)

Prior to Employment (A.7.1)

Security responsibilities are communicated during onboarding. New team members are required to read CLAUDE.md, the deployment guide, and relevant security policies before gaining access to production systems.

No formal pre-employment background checks are conducted at current scale. This will be implemented as the team grows.

During Employment (A.7.2)

All personnel with production access must:

• Follow the security rules codified in CLAUDE.md (mandatory backup before deployment, verification chain, no console.log in production, surgical edits, never use gcloud run services update --set-env-vars)
• Use GCP Secret Manager for all credentials — never commit secrets to source code
• Validate changes on staging before production deployment
• Report security concerns via the Report a Problem form or directly to the Platform Administrator
• Follow the Incident Response Policy severity levels (P1-P4) for security events
• Comply with data protection requirements (GDPR, PIPEDA)
• Not access data beyond what is required for their role
• Not share credentials or access tokens

Non-compliance may result in access revocation or termination of engagement.

Termination or Change of Role (A.7.3)

Upon termination or role change:

• GCP IAM roles and access permissions revoked within 24 hours
• GitHub repository access removed
• Local development data deleted per Data Retention Policy media disposal procedures (database dumps, .env files, git clones, Docker volumes)
• Any shared credentials rotated in GCP Secret Manager

7. Security Awareness and Training (SOC 2 CC1.4)

Onboarding: new team members read CLAUDE.md, the deployment guide, and the complete policy suite before gaining production access. Security expectations are communicated before any access is granted.

Ongoing reinforcement:

• Code review enforces CLAUDE.md security rules on every change
• Post-incident reviews communicate lessons learned and new control requirements
• Policy updates communicated via git commits and pull request descriptions
• Dependency vulnerability findings (npm audit, Dependabot) communicated when action is needed

Role-specific:

• Developers: secure coding (OWASP Top 10), input validation, authentication/authorization patterns, secrets management, CLAUDE.md rules
• Platform administration: incident response procedures, GCP security controls, vendor assessment, regulatory notification timelines

No formal security awareness training program (e-learning, simulated phishing) exists at current scale. This is identified as a gap to be addressed as the team grows.

Incident response training: the Incident Response Policy defines P1-P4 severity levels, containment procedures by incident type, breach notification timelines (GDPR 72 hours, PIPEDA as-soon-as-feasible), and post-incident review processes. The Report a Problem form includes a security triage section with incident type classification, severity assessment, and data exposure questions. All personnel with production access are expected to be familiar with these procedures.

Effectiveness is measured through: code review compliance, incident recurrence rates, and adherence to deployment procedures.

8. Compliance and Legal Requirements (ISO 27001 A.18)

Applicable Regulations and Standards

• ISO/IEC 27001 — information security management
• SOC 2 Type II — trust services criteria
• GDPR — processing of EU resident personal data
• PIPEDA — processing of Canadian personal data
• Quebec Law 25 — Quebec privacy requirements

Audit Schedule

Frequency: semi-annually.

Scope: policies and procedures, technical controls (access, encryption, logging), infrastructure configuration (GCP IAM, Cloud SQL authorized networks, Secret Manager), vendor compliance (DPA review, SOC 2 report review), and dependency vulnerabilities (npm audit).

Methodology: document review, infrastructure configuration audit, dependency scanning, and incident history analysis. No formal external audit or penetration testing is currently conducted. This is identified as a gap.

Findings are documented with remediation plans, tracked through the development backlog, and verified after implementation.

Policy Review

This policy is reviewed semi-annually and upon: P1/P2 security incidents, significant regulatory changes, major platform architecture changes, or team structure changes.

Review is conducted by the Platform Administrator. Changes are version-controlled in git with descriptive commit messages. Previous versions are retained in git history. Changes are communicated to all personnel with repository access.

9. Policy Communication and Distribution

Internal Communication

All security policies are maintained in the git repository alongside the platform source code, accessible to all personnel with repository access.

Channels:

• Onboarding: new team members read all policies as part of development setup
• Ongoing: policy updates communicated via git commit messages and pull request descriptions
• Ad-hoc: post-incident reviews communicate new requirements

No formal annual acknowledgment or re-certification process exists at current scale. Personnel demonstrate understanding through adherence to documented procedures in code review and deployment workflows.

External Communication

Security practices are communicated externally through:

• Privacy Policy published at /legal/privacy
• Terms of Service published at /legal/terms-of-service
• Data Retention Policy published at /legal/data-retention
• Incident Response Policy (internal, shared with regulators as needed)
• Vendor DPAs and contractual security clauses

Stakeholder Notification

Policy changes: communicated via git commit history and direct communication to affected personnel.

Security events affecting external parties: communicated per the Incident Response Policy breach notification procedures (GDPR 72-hour, PIPEDA as-soon-as-feasible).

10. Communication of Control Objectives and Responsibilities (SOC 2 CC2.2)

Security control objectives and individual responsibilities are communicated through:

Policy documentation:

• All security policies maintained in the git repository alongside platform source code
• CLAUDE.md contains codified development security rules (mandatory backup, verification chain, no console.log, surgical edits, secrets management)
• Deployment guide documents operational security procedures (backup, rollback, migration, recovery)
• Control mappings (00-control-mappings.md) document which policies cover which compliance controls

Role-specific communication:

• Development: CLAUDE.md defines security obligations enforced through code review
• Platform administration: Incident Response Policy defines triage, containment, and notification responsibilities
• All personnel: this Information Security Policy defines general security obligations

Change communication:

• Policy changes tracked in git with descriptive commit messages
• Control mapping changes documented in 00-control-mappings.md
• New security requirements added to CLAUDE.md are immediately visible to all developers
• Post-incident reviews communicate lessons learned and any new control requirements

Verification that personnel understand responsibilities:

• Code review process enforces compliance with documented standards
• Automated testing (npm run test:quick) and linting (npm run lint) verify adherence to technical security controls
• Staging validation confirms security controls operate correctly before production deployment
• Deployment checklist (scripts/prepare-deployment.sh) enforces mandatory backup

Audit evidence: git commit history, pull request records, GitHub Actions run logs, and policy version history document all communication activities and compliance verification.

11. Management Oversight and Accountability (SOC 2 CC1.1, CC1.2)

Management oversight is exercised through:

Deployment oversight:

• Every production deployment requires: database backup (scripts/prepare-deployment.sh), automated testing, linting, and staging validation
• Three deployment modes with increasing rigor: code_only, schema_change_local_data, schema_change_production_clone
• All deployments logged in git history and GitHub Actions run records

Incident oversight:

• Incident Response Policy defines P1-P4 severity levels with response timelines (15 min to 24 hours)
• All incidents logged in the breach register
• Post-incident reviews conducted within 2 weeks of closure for P1-P3 incidents

Risk oversight:

• Risk Assessment Policy defines a 5x5 likelihood x impact matrix
• Risk register reviewed semi-annually
• Risk treatment plans tracked to completion through the development backlog

Vendor oversight:

• Vendor Management Policy defines quarterly reviews for Critical tier (GCP, AI providers)
• Semi-annual reviews for High tier (Stripe, Google OAuth)
• Annual reviews for Standard tier (Tavily, Apify, GitHub)

Key metrics:

• Incident count and severity trends (breach register)
• Dependency vulnerability status (npm audit, Dependabot)
• Policy review completion (git history)
• Backup execution (deployment logs)

No formal security dashboard or KPI reporting exists at current scale. Oversight is exercised through direct operational involvement by the Platform Administrator.

12. Competence and Professional Development

The Platform Administrator maintains security competence through:

• Hands-on management of GCP security controls, IAM, and Secret Manager
• Active use of security tooling (npm audit, Dependabot, ESLint, Playwright)
• Ongoing engagement with security best practices and regulatory updates
• Post-incident analysis and lessons learned
• AI-assisted security research and policy development

No formal certification requirements, CPE tracking, or training budget exists at current scale. As the team grows, formal competence requirements will be established for security-focused roles (target: CISSP or equivalent for security lead roles).

13. Integrity and Ethics (SOC 2 CC1.5)

All personnel with platform access are expected to:

• Handle data ethically and in accordance with its classification level
• Not access data beyond what is required for their role
• Not use production data for unauthorized purposes
• Not share credentials or access tokens
• Report suspected security violations via the Report a Problem form

Accountability controls:

• All code changes attributed to their author via git
• Production deployments auditable through GitHub Actions run logs
• GCP IAM and Secret Manager access logged in GCP audit logs
• Application-level audit trail in activity_instances table

The Platform Administrator models ethical behavior through transparent decision-making documented in git history, policy documents, and PRD processes.

At current scale, no formal whistleblower mechanism, code of ethics document, or annual ethics acknowledgment exists. Security concerns can be reported via the Report a Problem form, which includes a confidential security triage section. These formal mechanisms will be established as the team scales.

14. Enforcement and Disciplinary Actions

Non-compliance with this policy may result in:

• Verbal or written warning
• Temporary suspension of access to production systems
• Revocation of repository or infrastructure access
• Termination of engagement

The severity of the response is proportionate to the nature and impact of the violation. All enforcement actions are documented.

Suspected security breaches must be reported immediately via the Report a Problem form or directly to the Platform Administrator. Failure to report a known security issue is itself a policy violation.

15. Data Controller Information

Data Controller: Bridgit, Ottawa, Ontario, Canada
Website: askbridgit.ca
General contact: hello@askbridgit.ca
Data Protection Officer: Matthew Bromwich (mbromwich@askbridgit.ca)

For questions about this policy, data protection matters, or to exercise privacy rights, contact the DPO.

16. Related Policies and References

• Data Protection & Consent Policy — GDPR/PIPEDA processing, consent, subject rights, Art. 30 ROPA
• Data Retention Policy — retention schedules, deletion procedures, media disposal (A.8.3)
• Access Control Policy — authentication, authorization, MFA, cryptographic controls (A.9, A.10)
• Monitoring & Operations Policy — logging, backup, network security, detection, ITGCs (A.12, A.13)
• Vendor Management Policy — third-party risk, DPAs, sub-processor management (A.15)
• Incident Response Policy — classification, detection, response, breach notification (A.16)
• Risk Assessment Policy — risk framework, scoring, mitigation, BCP, SDLC, DPIA (A.8.1, A.14, A.17)
• Privacy Policy (/legal/privacy) — public-facing privacy notice
• Terms of Service (/legal/terms-of-service) — platform usage terms
• CLAUDE.md — codified development security rules
• Deployment Guide (/docs/deployment/DEPLOYMENT_GUIDE.md) — operational procedures
• GDPR (EU) 2016/679
• PIPEDA (S.C. 2000, c. 5)
• ISO/IEC 27001:2022

17. Policy Administration

• Version: 1.2
• Effective Date: April 30, 2026
• Last Review: April 30, 2026
• Next Review: April 30, 2027
• Owner: Matthew Bromwich, Platform Administrator / CISO
• Review Frequency: Annually, or after any P1/P2 incident or significant change
• Approved By: Matthew Bromwich, April 30, 2026

This policy is maintained alongside the platform source code and is subject to version control. Changes require review and re-approval.