Version: 1.0
Last updated: December 2025
Owner: Security Lead

Information Security Policy

1. Purpose

This Information Security Policy establishes Backpack Works' commitment to protecting the confidentiality, integrity, and availability of information — our own and that entrusted to us by our clients. It is the top-level policy of our information security management program and governs all supporting policies.

2. Scope

This policy applies to all employees, contractors, and third parties who access Backpack Works systems, client data, or company information, and to all information assets regardless of format or location.

3. Policy statements

  • Confidentiality. Information is classified and protected according to its sensitivity. Access is granted on a least-privilege, need-to-know basis.
  • Integrity. Information is protected from unauthorized modification through access controls, change management, and code review.
  • Availability. Systems and data are protected against disruption through redundancy, backups, and a business continuity plan.
  • Compliance. We meet applicable legal, regulatory, and contractual obligations, including GDPR and CCPA/CPRA.
  • Continuous improvement. We assess risk regularly and improve our controls over time.

4. Roles & responsibilities

  • Management approves this policy, allocates resources, and is accountable for the security program.
  • The Security Lead maintains policies, coordinates risk assessments, and oversees incident response.
  • All personnel are responsible for following security policies, completing training, and reporting security concerns.

5. Enforcement

Violations of this policy may result in disciplinary action up to and including termination, and may carry legal consequences.

6. Review

This policy is reviewed at least annually and after any significant change to the business, technology, or threat landscape.