Information Security Policy Pack
The policies that govern our security program. The catalog is public so you can scope a questionnaire. The full text is available under the Bonterms Mutual NDA. Reviewed 2026-05-06.
How to use this catalog
If your security questionnaire asks for a specific policy, find it in the table below and reference it in your document request. We share full policy text under the Bonterms Mutual NDA, which you can review in advance at duocircle.com/legal/mutual-nda.
Policy catalog
All policies below are owned by the DuoCircle security organization, approved by the executive team, and reviewed at least annually. Material changes are versioned and recorded in the change log.
| Policy | Purpose |
|---|---|
| Information Security Policy | Top-level policy that establishes the security program, scope, and roles. |
| Access Control Policy | How identities are provisioned, authenticated, authorized, reviewed, and deprovisioned. |
| Acceptable Use Policy | Expectations for use of corporate accounts, devices, and customer data. |
| Asset Management Policy | Tracking, classification, and lifecycle for hardware, software, and data assets. |
| Data Classification and Handling Policy | How DuoCircle classifies data sensitivity and the controls each class receives. |
| Encryption and Key Management Policy | Cryptographic standards for data at rest, in transit, and in use, including key lifecycle. |
| Change Management Policy | Standard, normal, and emergency change procedures for production systems. |
| Secure Development Policy | Code review, secrets handling, dependency management, and CI security checks. |
| Vulnerability Management Policy | Scanning, triage, and remediation SLAs by severity. |
| Incident Response Plan | Detection, classification, response, communication, and post-incident review. |
| Business Continuity and Disaster Recovery Plan | Recovery time objective (RTO) and recovery point objective (RPO) commitments, recovery procedures, and DR test cadence. |
| Vendor Management Policy | Subprocessor selection, security review, contract requirements, and ongoing monitoring. |
| Risk Management Policy | Risk identification, assessment, treatment, and the formal risk register. |
| Logging and Monitoring Policy | What gets logged, how long it is retained, and what triggers an alert. |
| Physical Security Policy | Office, device, and remote-work physical security controls. |
| Personnel Security Policy | Background checks, confidentiality obligations, training, and offboarding. |
| Privacy Policy (Internal) | Operational obligations for handling personal data, including data subject request (DSR) procedures. |
| Acceptable Use of AI and ML Tools | Guardrails for staff use of generative AI tools, including data classification rules. |
Approval
Each policy is reviewed and approved by the security organization and the executive team. Material changes are versioned, dated, and recorded in the change log.
Distribution
Policies are distributed to all personnel as part of onboarding, with attestation required. Updates are communicated to active staff through internal channels.
Exceptions
Documented exceptions require written approval from the security organization, a defined scope and duration, and a compensating control or remediation plan.
Need the full text of a policy?
Reference the specific policy by name in your document request, sign the Bonterms Mutual NDA, and we will send the full text the same business day in most cases.