{ "$defs": { "Confidentiality": { "description": "Cross-cutting confidentiality classification used across privacy,\nsecurity, knowledge, IR pillars. Default rendering rule: `corpospec-report`\nexcludes `Restricted | BoardOnly | InvestorOnly` records from public output\nunless an explicit audience parameter overrides. See BDR 0076 §1.", "oneOf": [ { "const": "public", "description": "Safe to publish anywhere.", "type": "string" }, { "const": "customer", "description": "Visible to customers under standard ToS.", "type": "string" }, { "const": "internal", "description": "Employees and contractors only.", "type": "string" }, { "const": "restricted", "description": "Need-to-know subset of internal.", "type": "string" }, { "const": "board_only", "description": "Board members and direct staff.", "type": "string" }, { "const": "investor_only", "description": "Existing investors + prospective with NDA.", "type": "string" } ] }, "IsoDate": { "description": "ISO 8601 date (YYYY-MM-DD).", "format": "date", "type": "string" }, "PathRef": { "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`", "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$", "type": "string" }, "PolicyAttestation": { "description": "Per-person attestation.", "properties": { "attested_on": { "$ref": "#/$defs/IsoDate" }, "evidence_ref": { "anyOf": [ { "$ref": "#/$defs/PathRef" }, { "type": "null" } ], "description": "PathRef to evidence (signed e-doc)." }, "person": { "$ref": "#/$defs/PathRef" } }, "required": [ "person", "attested_on" ], "type": "object" }, "PolicyAudience": { "description": "Policy audience.", "oneOf": [ { "const": "all_employees", "description": "All employees.", "type": "string" }, { "const": "engineering", "description": "Engineering only.", "type": "string" }, { "const": "workforce", "description": "Contractors + employees.", "type": "string" }, { "const": "public", "description": "External facing (public).", "type": "string" }, { "const": "external_parties", "description": "Vendors + partners.", "type": "string" }, { "const": "specific_role", "description": "Specific role (PathRef in `audience_roles`).", "type": "string" } ] }, "PolicyDocKind": { "description": "Policy kind.", "oneOf": [ { "enum": [ "other" ], "type": "string" }, { "const": "information_security", "description": "Information security (overarching ISMS policy).", "type": "string" }, { "const": "acceptable_use", "description": "Acceptable-use policy.", "type": "string" }, { "const": "access_control", "description": "Access-control policy.", "type": "string" }, { "const": "password", "description": "Password / authenticator policy.", "type": "string" }, { "const": "cryptography", "description": "Cryptography policy.", "type": "string" }, { "const": "data_classification", "description": "Data classification + handling.", "type": "string" }, { "const": "retention", "description": "Data retention / disposal.", "type": "string" }, { "const": "privacy", "description": "Privacy policy (external-facing).", "type": "string" }, { "const": "cookie", "description": "Cookie policy.", "type": "string" }, { "const": "backup", "description": "Backup + recovery policy.", "type": "string" }, { "const": "byod", "description": "Bring-your-own-device.", "type": "string" }, { "const": "remote_work", "description": "Remote-work policy.", "type": "string" }, { "const": "code_of_conduct", "description": "Code of conduct.", "type": "string" }, { "const": "anti_discrimination", "description": "Anti-discrimination + AGG §12.", "type": "string" }, { "const": "anti_harassment", "description": "Anti-harassment.", "type": "string" }, { "const": "anti_bribery", "description": "Anti-bribery / corruption.", "type": "string" }, { "const": "aml", "description": "AML / sanctions / KYC.", "type": "string" }, { "const": "whistleblower", "description": "Whistleblower-protection.", "type": "string" }, { "const": "supplier_code_of_conduct", "description": "Vendor / supplier code of conduct.", "type": "string" }, { "const": "insider_trading", "description": "Disclosure / insider-trading.", "type": "string" }, { "const": "open_source", "description": "Open-source contribution policy.", "type": "string" }, { "const": "ai_usage", "description": "AI usage / acceptable AI policy.", "type": "string" }, { "const": "sdlc", "description": "Software development life-cycle.", "type": "string" }, { "const": "vulnerability_disclosure", "description": "Vulnerability disclosure / responsible-disclosure.", "type": "string" }, { "const": "environmental", "description": "Climate / environmental policy (ESRS E1).", "type": "string" }, { "const": "health_safety", "description": "Health & safety.", "type": "string" } ] }, "PolicyDocStatus": { "description": "Policy lifecycle.", "enum": [ "draft", "in_review", "approved", "published", "superseded", "retired" ], "type": "string" }, "Semver": { "description": "Semantic version string (MAJOR.MINOR.PATCH).", "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$", "type": "string" } }, "$id": "https://corpospec.com/schemas/v0.16.0/policy-doc.schema.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "additionalProperties": false, "description": "Internal-policy record.", "properties": { "approver": { "$ref": "#/$defs/PathRef", "description": "Approver (board / officer)." }, "artefact_ref": { "$ref": "#/$defs/PathRef", "description": "Document artefact (PDF, MD, Notion)." }, "attestation_required": { "description": "Whether explicit attestation is required (e.g. Code of Conduct).", "type": "boolean" }, "attestations": { "description": "Attestations by individuals.", "items": { "$ref": "#/$defs/PolicyAttestation" }, "type": "array" }, "audience": { "$ref": "#/$defs/PolicyAudience" }, "audience_roles": { "description": "Roles in scope when audience == SpecificRole.", "items": { "$ref": "#/$defs/PathRef" }, "type": "array" }, "confidentiality": { "$ref": "#/$defs/Confidentiality" }, "effective_from": { "$ref": "#/$defs/IsoDate" }, "entity": { "$ref": "#/$defs/PathRef" }, "id": { "$ref": "#/$defs/PathRef" }, "kind": { "$ref": "#/$defs/PolicyDocKind" }, "name": { "type": "string" }, "next_review_due": { "$ref": "#/$defs/IsoDate" }, "owner": { "$ref": "#/$defs/PathRef", "description": "Owner (single accountable)." }, "review_cadence": { "description": "Review cadence (e.g. \"P12M\").", "type": "string" }, "status": { "$ref": "#/$defs/PolicyDocStatus" }, "statutory_basis": { "description": "Statutory bases this policy implements (e.g. \"AGG § 12\",\n\"ISO 27001:2022 A.5.1\", \"LkSG § 6 Abs. 2\", \"HinSchG § 15\").", "items": { "type": "string" }, "type": "array" }, "supersedes": { "description": "PathRefs to the previous superseded versions, in chronological\norder (oldest first).", "items": { "$ref": "#/$defs/PathRef" }, "type": "array" }, "version": { "$ref": "#/$defs/Semver" } }, "required": [ "id", "entity", "kind", "name", "version", "status", "audience", "artefact_ref", "owner", "approver", "effective_from", "review_cadence", "next_review_due", "statutory_basis", "attestation_required", "confidentiality" ], "title": "PolicyDoc", "type": "object", "x-corpospec-pillar": "legal" }