Policies

DPO-authored documents that codify our position on specific topics. Engineering doesn't write these; engineering provides the inputs (data inventory, third-party list, security controls) and the DPO synthesises.

Current policies

Pending (DPO to author)

  • Privacy notice (user-facing) — published at zevop.com/privacy.
  • Cookie policy.
  • Retention policy (cross-references each product's retention.md).
  • Subject Access Request (SAR) handling procedure.
  • Breach notification template (referenced from incident-response.md).
  • Vendor onboarding checklist (DPA review, fields list, region check).
  • Records of Processing Activities (RoPA) — formal document drawn from per-product data-inventory.md files.
  • Acceptable Use Policy for internal access.

Convention

Policies are Markdown files at this level. Each policy is owned by the DPO. Reviews are annual unless a triggering event (NDPC guidance change, new product launch) forces a refresh.