# Written Information Security Program (WISP)

## 1. Purpose & Scope

Protect customer/provider data across MM App systems (mobile, backend, storage, analytics).

## 2. Roles & Responsibilities

- Security Owner: overall program maintenance and audits
- Engineering Lead: secure SDLC, code reviews, dependency updates
- DevOps: backups, secrets, CI/CD hardening, IAM least-privilege
- Support: data access limited by role; follows PII handling rules

## 3. Data Classification

- Public (marketing images)
- Internal (non-PII configs, logs)
- Confidential (user profiles, chat, license info)
- Restricted (payment tokens/IDs, auth tokens)

## 4. Access Control

- Firebase/GCP IAM by least privilege, quarterly reviews
- App roles via Firebase custom claims (`admin`, `support`)
- MFA required for privileged consoles (GCP, Stripe)

## 5. Secure Development

- PR reviews include security checklist
- Dependency scanning (npm audit, GitHub Dependabot)
- Secrets via runtime secrets/CI vault; no secrets in code

## 6. Data Protection

- Encryption in transit (TLS) & at rest (GCP-managed)
- Client uploads restricted (Storage rules), moderated
- Backups daily; monthly restore test

## 7. Incident Response

- Follow Breach-Response Playbook
- 24–72h external notifications as applicable

## 8. Vendor Management

- Stripe, Google, OpenAI: assess DPAs, subprocessor lists
- Revoke unused API keys quarterly

## 9. Logging & Monitoring

- Audit logs for auth, admin, Stripe events
- Alerting on anomalous volumes or errors

## 10. Training & Reviews

- Annual security training for staff with access
- WISP reviewed semi-annually