Security & Compliance
PrimeTDAP's documented information-security posture. All policies, procedures, and AI-governance artifacts live here. Export individual docs as PDF via the browser print dialog. Reviewers (CRTA infra/security teams, auditors) can be granted read-only access to specific sections on request.
Governance
Information Security Policy
Top-level policy — scope, objectives, roles, enforcement.
Access Control Policy
Who can access what; tiering, provisioning, periodic review.
Change Management Process
How code/config/prompt changes are reviewed, tested, deployed, rolled back.
User Lifecycle Procedure
Onboarding, role changes, offboarding, leaver process.
Acceptable Use Policy
What platform users may and may not do.
Operations
Incident Response Plan
Detection, triage, containment, communications, post-incident review.
Business Continuity & Disaster Recovery
PG backup/restore, App Service redeploy, recovery time/point objectives.
Encryption Standards
At rest + in transit. Key management. Algorithms + key length minimums.
Vendor & Sub-processor Inventory
Microsoft, Anthropic, ACS — what they do, what data they touch.
Risk & Architecture
Risk Register
Documented information-security risks + treatment plan.
Security Architecture Document
Network diagram, auth flow, data flow, tier isolation, AI surface.
Data Handling
PII Inventory & Data Flow
What personal data we hold, where it lives, who accesses, retention.
Data Retention Policy
Per-table TTLs + automated enforcement schedule.
AI Governance
AI Use Policy
Authorized use, prohibited use, oversight, model selection rationale.
NIST AI RMF Alignment
GOVERN / MAP / MEASURE / MANAGE — control-by-control.
EU AI Act Classification
Use-case risk classification + obligations (forward-looking; EU not in scope today).
ISO 42001 Gap Assessment
AI Management System maturity vs ISO 42001:2023.
Public-facing
Privacy Policy
How we collect, use, share, and retain personal data. Public.
Terms of Service
Platform usage terms. Public.
AI Disclosure / Model Card
Which models, what data they see, opt-out path. Public.
Data Processing Agreement (template)
Client-contracts addendum. Provided to prospective clients.
Operational Tools
Security Events
Audit trail of authentication, authorisation, rate-limit, AI-budget, DSAR, and retention events. Filter by type, severity, user, date.
Access Review Export (JSON)
Current platform access roster: Primus admins, Primus view, Primus read-only, CRTA users (YAML + PG overlay), CEO Readout allowlist. Run monthly per Access Control Policy §6.
Documents are versioned in source control. Changes go through normal deploy review. Last refresh of this index reflects the live deploy.