Company Policies
Philosophy
Our policies are designed to enable speed and autonomy while maintaining security and reliability. We favor:
- Automation over paperwork - Tools enforce policies, not approval workflows
- Guardrails over gates - You can't do unsafe things, but safe things are frictionless
- Self-service over tickets - Get what you need when you need it
- Principles over rules - Understand the "why" and make good decisions
- Trust + verify - Move fast, audit asynchronously
- Blameless culture - Learn from incidents, don't punish mistakes
Our Security Stack
We use these tools to enforce policies automatically:
| Category | Tool | Purpose |
|---|---|---|
| Identity & Access | Keycloak | Single sign-on, RBAC, MFA |
| Network Security | Netbird VPN (WireGuard) | Zero-trust remote access |
| Source Control | GitHub | Code repository, branch protection |
| CI/CD | GitHub Actions | Automated testing, deployment |
| Infrastructure | Ansible (on-premises + DigitalOcean) | Infrastructure as code |
| Containers | Docker | Application isolation |
| Communication | Rocket.Chat | Team collaboration, incident response |
| Documentation | Docusaurus | Living documentation |
Policy Categories
00. Principles
Core security and engineering principles that guide all our decisions.
01. Access Control
Solves: Access sprawl, unclear permissions
How we manage identity, authentication, and authorization across all systems using Keycloak as our single source of truth.
02. Secrets Management
Solves: Secrets in code, credential leaks
How we handle API keys, passwords, and other secrets using Ansible Vault and GitHub Secrets with automated scanning.
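To make the "automated scanning" half of this concrete, the following is an added illustration (not the scanner this company actually runs, nor any project's code) of what a pre-commit secret scan does: it flags known credential formats and long high-entropy tokens, but deliberately skips Ansible Vault blocks, since vaulted ciphertext is high-entropy by design and is the thing we want in the repo. The token patterns, the entropy cut-off and the sample file are assumptions chosen for the example; the sample AWS key is AWS's documented placeholder and the vault body is random hex, not a real secret.

```python
import math
import re

# Constructed sample of a YAML file as it might be staged for commit (not real
# credentials): one vaulted value, two plaintext secrets, one harmless line.
SAMPLE_FILE = """\
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833313662
api_key: AKIAIOSFODNN7EXAMPLE
github_token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
comment: the quick brown fox jumps over the lazy dog
"""

# Known credential shapes (assumed for this example; a real hook uses a larger list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")  # candidates for the entropy check
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off
VAULT_HEADER = "$ANSIBLE_VAULT;"
HEX_RE = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a repeated character)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, finding_kind, matched_text) for likely plaintext secrets.

    An Ansible Vault block (the $ANSIBLE_VAULT header plus the indented hex
    ciphertext under it) is skipped: it is encrypted, not leaked.
    """
    findings = []
    in_vault = False
    vault_indent = 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if VAULT_HEADER in stripped:
            in_vault = True
            vault_indent = indent
            continue
        if in_vault and indent >= vault_indent and HEX_RE.match(stripped):
            continue  # vault ciphertext body: high entropy, but safe to commit
        in_vault = False

        matched = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, m.group(0)))
                matched = True
        if matched:
            continue
        # Fallback for formats the pattern list does not know: long random-looking tokens.
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy", token))
    return findings


if __name__ == "__main__":
    results = scan_text(SAMPLE_FILE)
    for line_no, kind, text in results:
        print(f"line {line_no}: {kind}: {text}")
    # A non-zero exit status is what lets a pre-commit hook block the commit.
    raise SystemExit(1 if results else 0)
```

Run against the sample, the scan reports lines 4 and 5 only: the vault header and ciphertext on lines 2 and 3 are skipped, and the plain English on line 6 never reaches the entropy threshold. The vault-awareness is the part worth copying into any real scanner; without it, every `!vault` value in an Ansible repo becomes a false positive and people learn to ignore the hook.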
03. Infrastructure
Solves: Configuration drift, inconsistent servers
Infrastructure as code standards using Ansible, with drift detection and standardized server provisioning.
04. Incident Response
Solves: Chaotic incident handling, unclear procedures
Clear runbooks for handling production incidents, from detection to post-incident review.
05. CI/CD Security
Secure GitHub Actions workflows, required checks, and deployment gates.
06. Self-Service Guides
How to get things done without waiting for approvals - new services, team onboarding, common tasks.
Quick Links
Need to...
- 🔑 Request access to a system?
- 🔐 Store a secret safely?
- 🚀 Deploy a new service?
- 🚨 Respond to an incident?
- 🔧 Provision a server?
- 📝 Onboard a new team member?
Policy Maintenance
These policies are living documents that evolve with our needs and tools.
How to update policies:
- Create a PR with proposed changes
- Tag @security or @devops for review
- Discuss in Rocket.Chat #engineering channel
- Merge and announce in #general
Policy review schedule:
- Quarterly review of all policies
- Update after major incidents
- Continuous improvement based on team feedback
Getting Help
- Questions about policies: #engineering channel in RocketChat
- Security concerns: #security channel or DM @security-team
- Incident in progress: #incidents channel, mention @oncall
- Policy suggestions: Create an issue in this docs repo