Every workforce member acknowledges this policy on hire and annually. Violations are taken seriously because the cost is measured in patient harm, regulatory exposure, and customer trust.
Owner: Security Officer · Approved by: CEO · Policy version: 1.0 · Effective: April 2026 · Next review: April 2027

Scope

This policy applies to every member of the Denialbase workforce — full-time employees, part-time employees, contractors, consultants, interns — and to anyone with authorized access to Denialbase systems. It applies regardless of location, device, or time.

Principles

  1. Customer data is a privilege — access is granted for business need, not curiosity.
  2. Default to least privilege — request the minimum you need; revoke what you don’t use.
  3. PHI never leaves governed systems — approved stack only (see Subprocessors).
  4. Every action is attributable — no shared accounts, no anonymous access.
  5. Report first, explain later — reporting a suspected incident always wins over staying silent.

Account security

  • Strong, unique passwords on every account. Minimum: 16 characters for password-manager-generated passwords; 14 characters if manually chosen.
  • 1Password is provided — use it. No passwords in personal notes, Slack, email, or browser autofill for company accounts.
  • 2FA required — TOTP or passkey. Passkeys strongly preferred. No SMS-based 2FA for production-touching accounts.
  • Never share credentials — not with teammates, not with support vendors, not with family.
  • No session sharing — don’t hand off an authenticated session mid-flow.
  • Lock workstations when unattended for any length of time.

PHI handling

“Curiosity browsing” of customer data is a fireable offense. Every access is audit-logged.
Access only the PHI needed for the specific task. If you can do the job with aggregated or masked data, do that.
Do not paste, screenshot, email, or copy PHI into:
  • Personal email
  • Consumer chat apps (WhatsApp, Signal personal accounts, Telegram)
  • Personal cloud storage (iCloud, Google Drive personal, Dropbox personal)
  • AI tools not on our Subprocessors list
  • Screen-recording or annotation tools outside our approved stack
  • Slack screenshots, unless the data shown is masked or demo data
PHI is accessible only from managed workstations with FDE + EDR + MDM. No access from personal laptops, tablets, or phones without explicit approval.
When discussing a customer issue, use the minimum PHI identifiers needed. Prefer internal IDs (e.g. denial_id=abc123) to patient names. Never discuss PHI in public channels (external Slack, public GitHub issues).
Suspected PHI exposure — yours or someone else’s — is reported immediately to security@denialbase.com. Reporting in good faith is never penalized, even if the suspicion turns out to be unfounded.

Devices

Managed workstations (required for production access)

  • Full-disk encryption (FileVault, BitLocker) — enforced by MDM.
  • Auto-lock after 5 minutes of inactivity.
  • EDR agent installed and active.
  • OS + browser patching within 7 days of the vendor fix being released (managed by MDM).
  • No local admin rights for non-engineering roles; engineering roles may hold local admin but may not use it to disable or tamper with security agents (EDR, MDM, FDE).
  • Return on offboarding — managed workstation wiped on return (or remotely wiped if unreturned beyond 14 days).

Personal devices

  • Phones / tablets may be used for email, Slack, and status-page checks via work accounts enrolled in MDM. No PHI access.
  • Personal computers may not access production or customer data without Security Officer approval + compensating controls.

Removable media

  • USB drives with customer data: prohibited.
  • Personal USB drives in managed workstations: discouraged; EDR monitors removable-media use.

Clear desk / clear screen

  • Physical papers with PHI: not printed unless strictly necessary; shredded when no longer needed; never left on a desk.
  • Screens: locked when unattended; privacy filter in public spaces; clear the frame of PHI before any screen recording.

Networks

  • Production access via approved channels — authenticated admin UI, GCP web console, or approved IDE with MFA. No ad-hoc SSH with static keys.
  • Public Wi-Fi: company VPN required for any production-adjacent work. Personal Wi-Fi: WPA2/WPA3 with a strong password.
  • No hotspot sharing of production sessions to untrusted devices.
  • No port forwarding from production to personal networks.

Third-party tools

Any new SaaS tool or service that will handle Denialbase data (not just PHI — any internal data beyond Public) must be approved via the Vendor management process before use.
AI tools in production workflows must be on the Subprocessors list. Anthropic (Claude) is approved for our LLM pipeline. Other AI tools (ChatGPT, Gemini, Copilot outside the organization license) may be used only for non-customer, non-PHI content. Specifically:
  • ❌ Pasting customer PHI or confidential data into any ungoverned AI tool
  • ❌ Using AI coding assistants on private denialbase repos without approval
  • ✅ Using AI for non-customer writing, brainstorming, general research
  • ✅ Using GitHub Copilot if approved (organization-level agreement)
Browser extensions: minimal approved list. No password-manager extensions other than 1Password. No “productivity” extensions with broad data access (e.g. read access to every site you visit).
Slack is the official channel. Personal messaging channels (iMessage, WhatsApp) are discouraged for business communication and never used for confidential content.

Code and commits

  • Signed commits required (SSH or GPG) once configured (Q2 2026 rollout).
  • No secrets in git — enforced by gitleaks + CI + personal vigilance.
  • No customer data in commits — code + test seed data only.
  • Security-relevant changes require an additional reviewer per Change management.
  • Production deploys via CI/CD only; no human deploys with personal credentials.
  • Force-push to master: never, per branch protection.

Email

  • Work email for work — do not forward customer communications to personal email.
  • Phishing vigilance — if in doubt, click “Report phishing” rather than replying.
  • BCC discipline — do not mass-email customer addresses in the To/CC field.
  • No PHI in email bodies — ever. Attachments containing PHI only via encrypted channels, and only when the task genuinely requires email rather than a governed system.

Remote work (Annex A.6.7)

Denialbase is remote-first. Every workforce member works from a location of their choosing. This section governs that reality.
  • Secure workspace — work in a reasonably private setting; screens not visible to unauthorized viewers. No public coffee-shop PHI work.
  • Home network hygiene — WPA2/WPA3; router firmware current; guest network separate from work network.
  • Travel — avoid PHI work on public Wi-Fi; use VPN; privacy screen recommended.
  • Audio — no PHI discussed in public audio (phone calls, video calls in coffee shops).
  • Physical surroundings — no PHI printouts; no screen photography in work area.

AI-specific rules (A.5.7 + A.8.25 implications)

Denialbase uses AI (Anthropic Claude) as a core product capability. Workforce use of AI tools:
  • Approved for product use — Anthropic Claude via our contracted API. PHI-scrubbed prompts only.
  • Approved for work assistance — GitHub Copilot (organization license), internal tooling that uses our contracted Anthropic API.
  • Not approved — consumer ChatGPT, Gemini web, Poe, Character.ai for anything containing customer data, internal strategy, or proprietary code.
  • Code generation — AI-suggested code must be reviewed like human-written code; the author is responsible for correctness.

Travel

  • Only carry data you need.
  • Workstations: BIOS password + FDE + full power-down (not sleep, so the disk-encryption key is not held in memory) when crossing borders.
  • US border crossings: know your rights; you may be asked to unlock a device. Coordinate with Legal if you anticipate this.
  • International travel with production access requires CTO notification and, in some jurisdictions, a clean travel laptop.

Enforcement

Violations may result in:
  1. Verbal or written warning: for minor, first-time issues (e.g. forgetting to lock a laptop; late training completion).
  2. Retraining: just-in-time micro-learning, completed within 5 business days.
  3. Access suspension: for repeat minor issues, or moderate issues pending investigation.
  4. Disciplinary action: up to and including termination for serious breaches such as sharing credentials, willful PHI disclosure, or ignoring incident reporting obligations.
  5. Legal referral: for malicious or criminal actions such as data theft, extortion attempts, or impersonation.
Actions are documented in the HR record and applied consistently regardless of role or tenure.

Whistleblower protection

Reports of policy violations made in good faith — including against senior leadership — are protected from retaliation. Retaliation is itself a violation of this policy and of applicable law. Anonymous reporting channel: available via a third-party ethics hotline (details provided during onboarding and available on the internal wiki).

Exceptions

  • Any deviation requires written approval from the Security Officer.
  • Exceptions include: justification, compensating controls, expiry.
  • Maximum initial exception duration: 6 months (renewable with re-justification).
  • Tracked in the Risk register.

Acknowledgement

Every workforce member signs an acknowledgement of this policy:
  • On hire (before first production access).
  • Annually thereafter.
  • Whenever a material revision is published.
The acknowledgement record is retained per the HR security policy's records-retention requirements.

Changelog

Version   Date      Material changes
0.1       2026-04   Initial draft (superseded)
1.0       2026-04   First formally-approved version. Expanded PHI handling, AI tool rules, remote work section, travel. Approved by CEO.