Governance

⚖ These governance documents are published in draft form as part of our founding transparency commitment. They reflect our current operating standards and are pending formal adoption at our first board meeting. We believe you should be able to see how we govern ourselves before, during, and after that process — not just after.

Articles of Incorporation (Florida)

DRAFT

Layer 1 — At a glance

The founding legal document that establishes CivicOS Institute as a Florida nonprofit corporation. It defines our legal name, perpetual existence, charitable and educational purposes, prohibited activities, and dissolution procedures. Filed with the State of Florida to create the legal entity.

Incorporated in: FloridaCorporation type: Nonprofit, 501(c)(3) pendingPurpose: Charitable, educational, and scientificDissolution: Assets transfer to qualifying 501(c)(3) organizations

Last reviewed: Not yet reviewed

Layer 2 — Full text

ARTICLES OF INCORPORATION

CIVICOS INSTITUTE

ARTICLE I: NAME

The name of the corporation is CivicOS Institute.

ARTICLE II: DURATION

The period of duration is perpetual.

ARTICLE III: PURPOSE

The corporation is organized exclusively for charitable, educational, and scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, or the corresponding section of any future federal tax code. The specific purposes for which the corporation is organized include:

(a) Conducting research and development in civic technology, open data systems, and digital public infrastructure;

(b) Developing and maintaining open-source software platforms for civic engagement and governance;

(d) Promoting transparency, accountability, and accessibility in democratic institutions;

(e) Collaborating with public sector entities, academic institutions, and civil society organizations to improve civic systems;

(f) Building and supporting communities of practice around civic technology and open government;

(g) Publishing research, documentation, and educational materials related to civic technology;

(h) Hosting conferences, workshops, and educational events related to civic technology and governance;

(i) Providing technical assistance and consulting services to government entities and nonprofit organizations working in the public interest;

(j) Any other lawful activities consistent with the foregoing purposes that are appropriate for a corporation exempt from federal income tax under Section 501(c)(3).

ARTICLE IV: PROHIBITED ACTIVITIES

Notwithstanding any other provision of these Articles, the corporation shall not:

(a) Engage in activities that do not further its exempt purposes;

(b) Carry on propaganda or otherwise attempt to influence legislation, except as permitted by Section 501(h) of the Internal Revenue Code;

(c) Participate in or intervene in any political campaign on behalf of or in opposition to any candidate for public office;

(d) Allow any part of its net earnings to inure to the benefit of any private shareholder or individual;

(e) Operate for the benefit of private interests, except as incidental to its exempt purposes;

(f) Discriminate on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, age, or disability.

ARTICLE V: DISSOLUTION

Upon dissolution or winding up of the corporation, after paying or adequately providing for debts and obligations, the remaining assets shall be distributed to one or more qualifying exempt organizations:

(a) Organized and operated exclusively for charitable, educational, or scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code;

(b) Qualified as exempt under Section 501(c)(3) of the Internal Revenue Code (or corresponding provisions of future law);

Under no circumstances shall any assets be distributed to private individuals or for private benefit.

ARTICLE VI: INITIAL REGISTERED AGENT AND OFFICE

The street address of the initial registered office is:

4884 Beresford Circle

West Palm Beach, Florida 33417

The name of the initial registered agent at that address is:

Nicholas A. Cerbone

The registered agent has signed below indicating acceptance of this appointment.

ARTICLE VII: INITIAL BOARD OF DIRECTORS

The number of directors constituting the initial Board of Directors is 1. The names and addresses of the initial directors are:

1. Nicholas A. Cerbone

4884 Beresford Circle

West Palm Beach, Florida 33417

ARTICLE VIII: INCORPORATOR

The name and address of the incorporator is:

Nicholas A. Cerbone

4884 Beresford Circle

West Palm Beach, Florida 33417

ARTICLE IX: MEMBERSHIP

The corporation shall have no members. All governance authority is vested in the Board of Directors.

ARTICLE X: LIABILITY LIMITATION

To the fullest extent permitted by Florida law, no director or officer of the corporation shall be personally liable to the corporation or its members for monetary damages for breach of fiduciary duty as a director or officer, except for liability:

(a) For any breach of the director's or officer's duty of loyalty to the corporation;

(b) For acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law;

(d) For any transaction from which the director or officer derived an improper personal benefit.

ARTICLE XI: INDEMNIFICATION

The corporation shall indemnify any person who was or is a party or is threatened to be made a party to any threatened, pending, or completed action, suit, or proceeding by reason of the fact that such person is or was a director, officer, employee, or agent of the corporation, to the fullest extent permitted by Florida law.

ARTICLE XII: ADDITIONAL PROVISIONS

1. The corporation shall keep correct and complete books and records of account and shall keep minutes of the proceedings of its Board of Directors and any committees.

2. The corporation shall have a seal, which may be altered at the pleasure of the Board of Directors.

3. These Articles may be amended by the affirmative vote of two-thirds (2/3) of the directors then in office at any duly convened meeting, subject to approval by the appropriate state authority.

4. All references to sections of the Internal Revenue Code shall be to the Internal Revenue Code of 1986, as amended, or to corresponding provisions of subsequent federal tax laws.

5. If any provision of these Articles is held invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions, and these Articles shall be construed as if such invalid provision had never been contained herein.

CERTIFICATION

The undersigned incorporator certifies that he/she has executed these Articles of Incorporation on behalf of the corporation and that the statements contained herein are true and correct.

_________________________________________

Nicholas A. Cerbone, Incorporator

Date: _______________________

ACCEPTANCE OF APPOINTMENT AS REGISTERED AGENT

I, Nicholas A. Cerbone, hereby accept appointment as Registered Agent for CivicOS Institute and agree to serve as such in accordance with Florida Statutes.

_________________________________________

Nicholas A. Cerbone, Registered Agent

Date: _______________________

FILING CHECKLIST FOR FLORIDA

Before filing, ensure you have:

□ Completed all [BRACKETED] placeholders

□ Registered Agent signature (required in Florida)

□ Incorporator signature

□ $70 filing fee (online or check/money order if mailing)

□ Optional: $35 for name reservation (if you want to secure the name first)

□ Optional: $30 for expedited processing (24 hours)

Filing Options:

1. ONLINE (Recommended): https://efile.sunbiz.org

- Fastest processing (5-10 business days)

- Immediate confirmation

- Pay by credit card

2. BY MAIL:

- Send to: New Filing Section, Division of Corporations, P.O. Box 6327, Tallahassee, FL 32314

- Include check or money order payable to "Florida Department of State"

- Processing: 10-15 business days

3. IN PERSON:

- Clifton Building, 2661 Executive Center Circle, Tallahassee, FL

- Same day processing available

After Filing:

□ Download Certificate of Incorporation from Sunbiz

□ Apply for EIN (if not already obtained) at irs.gov

□ Open bank account

□ File IRS Form 1023 or 1023-EZ for 501(c)(3) status

501(c)(3) COMPLIANCE NOTES

These Articles include all required provisions for 501(c)(3) status:

✓ Specific 501(c)(3) purpose language (Article III)

✓ Prohibition on private inurement (Article IV)

✓ Dissolution clause requiring assets go to other 501(c)(3)s (Article V)

✓ Limitation on legislative activities (Article IV(b))

✓ Prohibition on political campaign activities (Article IV(c))

These provisions satisfy IRS requirements for tax-exempt status under Section 501(c)(3).

Layer 3 — Download

Download PDF Download DOCX

Bylaws

DRAFT

Layer 1 — At a glance

The internal rulebook that governs how CivicOS Institute operates day to day. It defines Board composition, officer roles, meeting procedures, voting rules, financial controls, and amendment procedures. Includes provisions for provisional directors during the founding period. Submitted with the IRS 501(c)(3) application.

Board: 3–9 directors, 3-year staggered termsProvisional directors: Full voting rights, 12-month maximum termMeetings: Minimum 4 per yearAmendment: Two-thirds vote with 7-day notice

Last reviewed: Not yet reviewed

Layer 2 — Full text

CIVICOS INSTITUTE BYLAWS

ARTICLE I: NAME AND PURPOSE

Section 1.01: Name

The name of this organization is [CIVICOS INSTITUTE], hereinafter referred to as the "Organization."

Section 1.02: Existence

The Organization is a nonprofit corporation incorporated under the laws of [STATE OF INCORPORATION]. These Bylaws constitute the code of rules adopted by the Organization for the regulation and management of its affairs.

Section 1.03: Purpose

The Organization is organized exclusively for charitable, educational, and scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, or the corresponding section of any future federal tax code, including:

(a) Conducting research and development in civic technology, open data systems, and digital public infrastructure;

(b) Developing and maintaining open-source software platforms for civic engagement and governance;

(d) Promoting transparency, accountability, and accessibility in democratic institutions;

(e) Collaborating with public sector entities, academic institutions, and civil society organizations to improve civic systems;

(f) Any other lawful activities consistent with the foregoing purposes that are appropriate for a corporation exempt from federal income tax under Section 501(c)(3).

Section 1.04: Limitations

Notwithstanding any other provision of these Bylaws, the Organization shall not:

(a) Engage in activities that do not further its exempt purposes;

(b) Carry on propaganda or otherwise attempt to influence legislation, except as permitted by Section 501(h) of the Internal Revenue Code;

(c) Participate in or intervene in any political campaign on behalf of or in opposition to any candidate for public office;

(d) Allow any part of its net earnings to inure to the benefit of any private shareholder or individual;

(e) Operate for the benefit of private interests, except as incidental to its exempt purposes.

Upon dissolution of the Organization, all remaining assets shall be distributed to one or more qualifying exempt organizations selected by the Board of Directors, in accordance with Article XII of these Bylaws.

---

ARTICLE II: MEMBERSHIP

Section 2.01: Membership Structure

The Organization shall have no voting members. All governance authority is vested in the Board of Directors as described in Article III.

Section 2.02: Non-Voting Affiliates

The Board may establish categories of non-voting affiliates, advisors, or fellows who may participate in Organization activities and provide input to the Board, but who shall have no voting rights in Board matters. The rights, responsibilities, and qualifications of such affiliates shall be determined by Board policy.

---

ARTICLE III: BOARD OF DIRECTORS

Section 3.01: General Powers

All corporate powers shall be exercised by or under the authority of the Board of Directors. The Board shall oversee the affairs of the Organization, establish strategic direction, approve major policies, and ensure the Organization operates in accordance with its mission and applicable law.

Section 3.02: Number and Composition

The Board of Directors shall consist of no fewer than [THREE (3)] and no more than [NINE (9)] Directors. Within these limits, the Board may fix the exact number of Directors by resolution. The Board shall strive to maintain diverse representation across relevant expertise areas including: technology, civic/government affairs, nonprofit governance, finance, and community organizing.

Section 3.03: Qualifications

Directors must:

(a) Be individuals at least eighteen (18) years of age;

(b) Demonstrate commitment to the Organization's mission;

(d) Not be employees of the Organization (with the exception of the Executive Director, who may serve as an ex-officio, non-voting Director if the Board so determines).

Section 3.04: Election and Terms

(a) **Initial Directors**: The incorporator(s) shall appoint the initial Board of Directors, who shall serve until the first annual meeting or until their successors are elected.

(b) **Subsequent Elections**: Directors shall be elected by majority vote of the Directors then in office at any duly convened meeting of the Board. The Board shall establish a Nominating Committee responsible for identifying and vetting candidates.

(c) **Terms**: Each Director shall serve a term of [THREE (3)] years, or until their successor is elected and qualified. Directors may serve up to [TWO (2)] consecutive full terms, after which they must rotate off the Board for at least [ONE (1)] year before becoming eligible for re-election.

(d) **Staggered Terms**: To ensure continuity, Directors shall be divided into classes with staggered terms as nearly equal in number as possible.

Section 3.05: Resignation and Removal

(a) **Resignation**: Any Director may resign at any time by delivering written notice to the Chair of the Board, the Secretary, or the Board. Such resignation shall take effect at the time specified therein or, if no time is specified, upon receipt.

(b) **Removal**: Any Director may be removed, with or without cause, by a two-thirds (2/3) vote of the Directors then in office at a duly convened meeting. A Director who fails to attend [THREE (3)] consecutive regular Board meetings without excuse acceptable to the Board may be deemed to have resigned.

Section 3.06: Vacancies

Any vacancy occurring on the Board by reason of resignation, removal, death, or otherwise may be filled by majority vote of the remaining Directors, even if less than a quorum. A Director elected to fill a vacancy shall serve the unexpired term of their predecessor.

Section 3.07: Regular Meetings

The Board shall hold at least [FOUR (4)] regular meetings per year. The time and place of regular meetings shall be determined by the Board or the Chair. Notice of regular meetings shall be given at least [FIFTEEN (15)] days in advance, unless waived by all Directors.

Section 3.08: Special Meetings

Special meetings of the Board may be called by the Chair, the Executive Director, or by any [TWO (2)] Directors. Notice of special meetings, stating the date, time, place, and purpose, shall be given at least [SEVEN (7)] days in advance, unless waived by all Directors.

Section 3.09: Meeting Participation

Directors may participate in and act at any meeting through the use of conference telephone, video conference, or similar communications equipment by means of which all persons participating in the meeting can hear each other. Participation in such manner shall constitute presence in person at the meeting.

Section 3.10: Quorum

A majority of the number of Directors fixed by these Bylaws or Board resolution shall constitute a quorum for the transaction of business. If a quorum is not present at any meeting, a majority of the Directors present may adjourn the meeting to a future date.

Section 3.11: Voting

(a) Each Director shall have one vote.

(b) The affirmative vote of a majority of Directors present at a meeting at which a quorum is present shall be the act of the Board, unless these Bylaws or applicable law require a greater vote.

(c) Action may be taken by the Board without a meeting if all Directors consent in writing or by electronic transmission. Such consent shall have the same effect as a unanimous vote at a meeting.

Section 3.12: Compensation

Directors shall not receive compensation for their services as Directors. Directors may be reimbursed for reasonable expenses incurred in the performance of their duties, provided such reimbursement is approved in accordance with Organization policy.

Section 3.13: Committees of the Board

(a) **Executive Committee**: The Board may designate an Executive Committee consisting of at least three (3) Directors, including the Chair, Treasurer, and Secretary. The Executive Committee may exercise such powers as delegated by the Board, except those reserved to the full Board by law or these Bylaws. All actions of the Executive Committee shall be reported to the full Board at the next meeting.

(b) **Other Committees**: The Board may establish such other standing or special committees as it deems necessary or appropriate. Committee members need not be Directors, but any committee exercising Board authority must consist solely of Directors.

(c) **Committee Charters**: Each committee shall operate under a written charter approved by the Board, which shall specify the committee's purpose, composition, authority, and reporting requirements.

---

ARTICLE IV: OFFICERS

Section 4.01: Officers

The officers of the Organization shall be:

(a) Chair of the Board (may also be titled "President");

(b) Secretary;

(d) Such other officers as the Board may from time to time determine.

No individual may hold more than one of the offices of Chair, Secretary, and Treasurer simultaneously.

Section 4.02: Election and Terms

Officers shall be elected annually by the Board from among the Directors at the first regular meeting following the annual meeting of the Board. Each officer shall serve a one-year term or until their successor is elected and qualified. Officers may be re-elected for successive terms without limit.

Section 4.03: Removal and Vacancies

Any officer may be removed, with or without cause, by majority vote of the Directors then in office. Any vacancy in any office may be filled by the Board for the unexpired portion of the term.

Section 4.04: Chair of the Board

The Chair of the Board shall:

(a) Preside at all meetings of the Board and Executive Committee;

(b) Serve as the principal volunteer leader of the Organization;

(d) In coordination with the Executive Director, set agendas for Board meetings;

(e) Perform such other duties as may be prescribed by the Board.

Section 4.05: Secretary

The Secretary shall:

(a) Ensure that accurate minutes are kept of all Board and Executive Committee meetings;

(b) Ensure that all notices are duly given in accordance with these Bylaws;

(d) Maintain a current roster of Directors and officers;

(e) Perform such other duties as may be prescribed by the Board or Chair.

Section 4.06: Treasurer

The Treasurer shall:

(a) Serve as Chair of the Finance Committee, if any;

(b) Oversee the management and investment of Organization funds;

(d) Present financial reports to the Board at each regular meeting;

(e) Ensure that an annual audit or review is conducted by an independent accountant;

(f) Perform such other duties as may be prescribed by the Board or Chair.

The Board may appoint an Assistant Treasurer or delegate day-to-day financial management to the Executive Director or staff, but ultimate oversight responsibility remains with the Treasurer.

Section 4.07: Other Officers

Other officers shall perform such duties as prescribed by the Board or by the officer's job description.

---

ARTICLE V: EXECUTIVE DIRECTOR

Section 5.01: Appointment

The Board shall appoint an Executive Director who shall serve as the chief executive officer of the Organization. The Executive Director need not be a Director, but may serve as an ex-officio, non-voting Director if the Board so determines.

Section 5.02: Responsibilities

The Executive Director shall:

(a) Serve as the chief executive officer responsible for day-to-day operations;

(b) Implement policies and programs established by the Board;

(d) Manage the Organization's budget and resources;

(e) Report regularly to the Board on operations, finances, and strategic matters;

(f) Serve as the primary spokesperson for the Organization;

(g) Execute contracts and agreements within delegated authority limits;

(h) Ensure compliance with all applicable laws and regulations;

(i) Perform such other duties as may be prescribed by the Board.

Section 5.03: Evaluation

The Board shall conduct an annual performance evaluation of the Executive Director. The evaluation shall be conducted by the Chair or a designated committee and shall include review of progress toward organizational goals.

Section 5.04: Removal

The Executive Director may be removed by majority vote of the Directors then in office. The Executive Director shall be given [THIRTY (30)] days' written notice of any proposed removal, unless the Board determines that immediate removal is necessary to protect the Organization's interests.

---

ARTICLE VI: FINANCIAL ADMINISTRATION

Section 6.01: Fiscal Year

The fiscal year of the Organization shall be [JANUARY 1 – DECEMBER 31] unless otherwise determined by the Board.

Section 6.02: Annual Budget

The Executive Director shall prepare and submit to the Board for approval an annual operating budget before the beginning of each fiscal year. The Board may modify the budget as it deems appropriate.

Section 6.03: Budget Administration

The Executive Director is authorized to make expenditures within the approved budget. Expenditures exceeding budget line items by more than [TEN PERCENT (10%)] or [TEN THOUSAND DOLLARS ($10,000)], whichever is less, require prior Board approval.

Section 6.04: Audit

The Board shall cause an annual audit of the Organization's financial statements to be conducted by an independent certified public accountant. The Treasurer shall present the audited financial statements to the Board for approval.

Section 6.05: Financial Controls

The Organization shall maintain adequate internal controls over financial transactions, including:

(a) Segregation of duties among staff handling financial transactions;

(b) Dual authorization for expenditures above specified thresholds;

(d) Protection of assets through appropriate insurance coverage.

---

ARTICLE VII: MEETINGS AND VOTING PROCEDURES

Section 7.01: Notice

(a) Written or electronic notice of all meetings shall be given to each Director at their address or email as shown on Organization records.

(b) Notice shall state the date, time, place (or electronic access information), and, for special meetings, the purpose.

(c) A Director's attendance at a meeting constitutes waiver of notice unless the Director attends solely to object to the transaction of business due to lack of notice.

Section 7.02: Waiver of Notice

(a) Any Director may waive notice of any meeting before or after the meeting.

(b) Such waiver must be in writing or electronic form, signed by the Director entitled to notice, and filed with the minutes or corporate records.

Section 7.03: Quorum

(a) A quorum at any Board meeting shall be a majority of the Directors then in office.

(b) Once a quorum is established, it shall not be broken by the withdrawal of Directors.

Section 7.04: Voting

(a) Each Director shall be entitled to one vote on each matter submitted to a vote.

(b) Voting by proxy is not permitted.

(c) Unless otherwise specified, matters shall be decided by majority vote of Directors present at a meeting at which a quorum exists.

(d) The Chair shall vote only to break a tie, unless otherwise required by law.

Section 7.05: Action Without Meeting

Any action required or permitted to be taken at a meeting may be taken without a meeting if all Directors consent in writing or by electronic transmission. Such consent shall be filed with the minutes and have the same effect as a unanimous vote.

Section 7.06: Minutes

Minutes shall be kept of all Board and committee meetings and shall include:

(a) Date, time, and place of the meeting;

(b) Directors present and absent;

(d) Records of all votes taken;

(e) Any conflicts of interest disclosed and how they were handled.

---

ARTICLE VIII: CONFLICTS OF INTEREST

Section 8.01: Policy Adoption

The Organization shall adopt and maintain a Conflict of Interest Policy consistent with the requirements of the Internal Revenue Service for 501(c)(3) organizations. The current version of such policy is incorporated by reference as if fully set forth herein.

Section 8.02: Duty to Disclose

Each Director, officer, and key employee has a duty to:

(a) Disclose any actual, potential, or apparent conflict of interest;

(b) Abstain from voting on any matter in which they have a conflict;

Section 8.03: Annual Statements

All Directors, officers, and key employees shall complete and sign an annual conflict of interest disclosure statement.

---

ARTICLE IX: INDEMNIFICATION

Section 9.01: General

The Organization shall indemnify any person who was or is a party or is threatened to be made a party to any threatened, pending, or completed action, suit, or proceeding by reason of the fact that such person is or was a Director, officer, employee, or agent of the Organization, to the fullest extent permitted by applicable law.

Section 9.02: Insurance

The Organization may purchase and maintain insurance on behalf of any person who is or was a Director, officer, employee, or agent of the Organization against any liability asserted against such person, whether or not the Organization would have the power to indemnify such person.

---

ARTICLE X: DOCUMENT RETENTION

Section 10.01: Policy Adoption

The Organization shall adopt and maintain a Document Retention and Destruction Policy consistent with applicable legal requirements. The current version of such policy is incorporated by reference.

---

ARTICLE XI: AMENDMENT

Section 11.01: Amendment of Bylaws

These Bylaws may be amended or repealed, and new Bylaws may be adopted, by a two-thirds (2/3) vote of the Directors then in office at any duly convened meeting, provided that notice of the proposed amendment shall have been included in the notice of such meeting or given to all Directors at least [SEVEN (7)] days prior to the meeting.

Section 11.02: Amendment of Articles of Incorporation

The Articles of Incorporation may be amended only by the affirmative vote of at least two-thirds (2/3) of the Directors then in office, subject to approval by the appropriate state authority.

---

ARTICLE XII: DISSOLUTION

Section 12.01: Voluntary Dissolution

The Organization may be dissolved only by a three-fourths (3/4) vote of the Directors then in office at a duly convened meeting called for that purpose.

Section 12.02: Distribution of Assets

Upon dissolution or winding up of the Organization, after paying or adequately providing for debts and obligations, the remaining assets shall be distributed to one or more exempt organizations:

(a) Organized and operated exclusively for charitable, educational, or scientific purposes;

(b) Qualified as exempt under Section 501(c)(3) of the Internal Revenue Code (or corresponding provisions of future law);

Under no circumstances shall any assets be distributed to private individuals or for private benefit.

Section 12.03: Compliance with Law

All dissolution proceedings shall be conducted in accordance with the laws of [STATE OF INCORPORATION] and the Internal Revenue Code.

---

ARTICLE XIII: MISCELLANEOUS

Section 13.01: Corporate Seal

The Organization may, but need not, adopt a corporate seal. If adopted, the seal shall be in such form as the Board may determine.

Section 13.02: Execution of Instruments

Contracts, deeds, and other instruments may be executed on behalf of the Organization by the Executive Director or such other officers or agents as the Board may designate. The Board may authorize the use of facsimile signatures.

Section 13.03: Construction

These Bylaws shall be construed in accordance with the laws of [STATE OF INCORPORATION].

Section 13.04: Severability

If any provision of these Bylaws is held invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions, and these Bylaws shall be construed as if such invalid provision had never been contained herein.

---

CERTIFICATION

These Bylaws were adopted by the Board of Directors of [CIVICOS INSTITUTE] on [DATE], and amended on the dates noted below:

**Adopted**: _____________________ [DATE]

**Amended**: _____________________ [DATE]

_______________________________________

[NAME]

Secretary

---

IMPLEMENTATION NOTES

1. **Filling in Brackets**: Replace all [BRACKETED] placeholders with organization-specific information before adoption.

2. **State Law Compliance**: Have an attorney review these Bylaws against the specific nonprofit corporation statutes of your state of incorporation. State law may require modifications.

3. **IRS Filing**: Submit these Bylaws with your Form 1023 or 1023-EZ application for 501(c)(3) status.

4. **Regular Review**: Schedule a review of these Bylaws every three (3) years or whenever there is a significant change in operations or law.

5. **Committee Charters**: Develop detailed charters for each Board committee referenced in Article III, Section 3.13.

6. **Policies**: Develop supporting policies referenced herein (Conflict of Interest, Document Retention, Delegation of Authority, etc.) concurrently with Bylaws adoption.

Layer 3 — Download

Download PDF Download DOCX

Conflict of Interest Policy

DRAFT

Layer 1 — At a glance

Ensures that decisions made by Board members, officers, and key employees are made in the best interest of CivicOS Institute — not personal or financial interests. IRS-required for 501(c)(3) organizations. All covered persons sign an annual disclosure statement.

Covers: Directors, officers, key employeesAnnual disclosure: Required within 30 days of fiscal year startGift limit: $75 per occurrence; $25 reporting thresholdEnforcement: Up to and including removal from service

Last reviewed: Not yet reviewed

Layer 2 — Full text

CIVICOS INSTITUTE

CONFLICT OF INTEREST POLICY

PURPOSE

This Conflict of Interest Policy ("Policy") is designed to ensure that the interests of CivicOS Institute (the "Organization") are protected and advanced at all times, and that decisions made by Directors, officers, and key employees are made in the best interest of the Organization, free from any personal, financial, or other conflicting interests.

This Policy is adopted in compliance with the requirements of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, and the regulations promulgated thereunder. Compliance with this Policy is a condition of service as a Director, officer, or key employee of the Organization.

---

SECTION 1: DEFINITIONS

1.1 Conflict of Interest

A "Conflict of Interest" exists when a person's personal, financial, professional, or other interests conflict—or appear to conflict—with the interests of the Organization. Conflicts may be:

(a) **Actual**: A direct conflict between personal interests and organizational interests;

(b) **Potential**: A situation that could develop into an actual conflict;

(c) **Apparent**: A situation that would appear to a reasonable observer to create a conflict, whether or not an actual conflict exists.

1.2 Interested Person

An "Interested Person" is any Director, officer, or key employee of the Organization who has a direct or indirect financial interest, as defined below, or any other interest that could conflict with the interests of the Organization.

1.3 Financial Interest

A person has a "Financial Interest" if they have, directly or indirectly, through business, investment, or family:

(a) An ownership or investment interest in any entity with which the Organization has a transaction or arrangement;

(b) A compensation arrangement with the Organization or with any entity with which the Organization has a transaction or arrangement;

(c) A potential ownership or investment interest in, or compensation arrangement with, any entity with which the Organization is negotiating a transaction or arrangement;

(d) A family member who has any of the interests described above. "Family member" includes a spouse, domestic partner, parent, child, sibling, or any relative sharing the same household.

1.4 Key Employee

"Key Employee" means any employee or contractor who:

(a) Has responsibilities that allow them to exercise substantial influence over the Organization's affairs;

(b) Receives total compensation exceeding [ONE HUNDRED THOUSAND DOLLARS ($100,000)] annually;

1.5 Non-Financial Interest

A "Non-Financial Interest" includes personal relationships, organizational affiliations, or other interests that could influence or appear to influence a person's objectivity, even if no money is involved.

---

SECTION 2: DUTY OF LOYALTY

2.1 Fiduciary Duty

Directors, officers, and key employees owe a fiduciary duty of loyalty to the Organization. This duty requires that they:

(a) Act in good faith and in the best interests of the Organization;

(b) Place the interests of the Organization above personal interests;

(d) Avoid situations that create actual, potential, or apparent conflicts of interest.

2.2 Duty of Care

Directors, officers, and key employees shall exercise the care an ordinarily prudent person would exercise in similar circumstances, including:

(a) Being informed about matters before the Board or relevant to their responsibilities;

(b) Participating actively in deliberations;

(d) Making decisions based on all relevant information reasonably available.

2.3 Duty of Obedience

Directors, officers, and key employees shall ensure the Organization operates within its mission and in compliance with all applicable laws and regulations.

---

SECTION 3: DISCLOSURE REQUIREMENTS

3.1 Annual Disclosure

Each Director, officer, and key employee shall complete and sign the Organization's Annual Conflict of Interest Disclosure Statement within thirty (30) days of:

(a) Beginning service with the Organization;

(b) The start of each fiscal year thereafter;

3.2 Contents of Annual Statement

The Annual Disclosure Statement shall require disclosure of:

(a) All entities in which the person has an ownership or investment interest of more than [FIVE PERCENT (5%)];

(b) All compensation arrangements with the Organization;

(d) All family members' interests as defined in Section 1.3(d);

(e) Any other facts or circumstances that could create a conflict of interest;

(f) Any positions held with other organizations that might create conflicts.

3.3 Transactional Disclosure

In addition to annual disclosure, each Director, officer, and key employee must disclose any actual or potential conflict of interest:

(a) Immediately upon becoming aware of the conflict;

(b) Before participating in any discussion or vote related to the matter;

3.4 Gifts and Gratuities

Directors, officers, and key employees must disclose:

(a) Any gifts or gratuities received from vendors, contractors, donors, or others doing business with the Organization valued at more than [SEVENTY-FIVE DOLLARS ($75)];

(b) Any entertainment or hospitality that is excessive or could reasonably be perceived as intended to influence official action;

---

SECTION 4: PROCEDURES FOR ADDRESSING CONFLICTS

4.1 Identification of Conflict

When a potential conflict is disclosed or identified:

(a) The Interested Person shall disclose all material facts;

(b) The Board or relevant committee shall determine whether a conflict exists;

4.2 Recusal Requirements

When a Director, officer, or key employee has a conflict of interest with respect to a matter:

(a) They shall leave the meeting during discussion of the matter, unless specifically requested to provide information;

(b) They shall not vote on the matter;

(d) They shall not be counted for quorum purposes for that matter;

(e) Their absence and recusal shall be recorded in the minutes.

4.3 Independent Review

Before approving any transaction involving a conflict of interest:

(a) The disinterested Directors shall review the material facts;

(b) Appropriate due diligence shall be conducted;

(d) The transaction shall be determined to be fair and reasonable to the Organization;

(e) The transaction shall be determined to be in the best interests of the Organization.

4.4 Documentation

All proceedings related to conflicts of interest shall be documented in the minutes, including:

(a) The nature of the disclosed conflict;

(b) The name of the Interested Person;

(d) The individuals present during discussion;

(e) The content of the discussion;

(f) Any comparisons to market rates or other due diligence;

(g) The vote taken and the result;

(h) The determination that the transaction is fair and reasonable.

4.5 Arm's Length Terms

Any transaction with an Interested Person shall be conducted on arm's length terms no less favorable to the Organization than would be available from an unrelated party. The Board must specifically approve any compensation or contractual terms.

---

SECTION 5: PROHIBITED TRANSACTIONS

5.1 Prohibited Arrangements

The following are prohibited without prior approval by the Board after full disclosure:

(a) Loans to Directors, officers, or key employees;

(b) Guarantees of personal obligations of Directors, officers, or key employees;

(d) Purchase of property from an Interested Person;

(e) Compensation arrangements with family members of Directors or officers, unless following an open competitive process;

(f) Any other transaction that would result in private inurement or excess benefit.

5.2 Excess Benefit Transactions

No Director, officer, or key employee shall receive any benefit from the Organization that is excessive or unreasonable compared to benefits provided by similar organizations for similar services or property.

5.3 Political Activities

No Organization resources shall be used to support or oppose any candidate for public office or any political party, and no Director, officer, or key employee shall use their position to engage in partisan political activities.

---

SECTION 6: COMMON CONFLICT SCENARIOS

6.1 Compensation Decisions

When determining compensation for an Interested Person:

(a) The person shall recuse themselves from discussion and voting;

(b) The Board shall use appropriate comparability data;

(d) Independent Directors shall approve the compensation.

6.2 Business Relationships

If an Interested Person or their business has a relationship with a vendor, grantee, or contractor:

(a) Full disclosure is required;

(b) Competitive bidding should be used when practicable;

(d) The Board must approve the relationship after recusal.

6.3 Board Service on Other Organizations

Service on multiple boards can create conflicts:

(a) Directors shall disclose board memberships;

(b) Potential conflicts arising from dual service must be disclosed;

(d) Directors shall recuse themselves when organizations have competing interests.

6.4 Employment of Family Members

Employment or contracting with family members requires:

(a) Prior Board approval;

(b) Disclosure of the relationship;

(d) Documentation that the arrangement is in the best interest of the Organization;

(e) No reporting relationship between family members.

---

SECTION 7: INVESTIGATION AND ENFORCEMENT

7.1 Duty to Report

All Directors, officers, and key employees have a duty to report suspected violations of this Policy to the Chair of the Board or, if the Chair is involved, to another Director.

7.2 Investigation

Upon receipt of a report of a potential violation:

(a) The Chair (or designated Director) shall review the allegation;

(b) If warranted, an investigation shall be conducted;

(d) The results shall be reported to the Board or Executive Committee;

(e) The Interested Person shall have an opportunity to respond.

7.3 Corrective Actions

If a violation of this Policy is confirmed, the Board may take appropriate corrective action, including:

(a) Requiring additional disclosure;

(b) Requiring recusal from specific matters;

(d) Suspension of the person from their position;

(e) Removal from the Board or termination of employment;

(f) Legal action to recover damages;

(g) Reporting to appropriate authorities if laws were violated.

7.4 No Retaliation

The Organization prohibits retaliation against any person who reports a potential conflict in good faith, even if the report is later determined to be unsubstantiated.

---

SECTION 8: EDUCATION AND TRAINING

8.1 Orientation

All new Directors, officers, and key employees shall receive a copy of this Policy and complete an orientation on their duties and responsibilities within thirty (30) days of assuming their position.

8.2 Annual Review

All Directors, officers, and key employees shall review this Policy annually and acknowledge in writing their understanding and agreement to comply.

8.3 Ongoing Education

The Organization shall provide periodic training on conflict of interest issues, including:

(a) Recognition of potential conflicts;

(b) Proper disclosure procedures;

(d) Documentation requirements.

---

SECTION 9: RECORD KEEPING

9.1 Confidentiality

Disclosure statements and related documents shall be treated as confidential and shall be:

(a) Maintained by the Secretary or designee;

(b) Accessible only to the Board, auditors, and legal counsel;

(d) Retained for [SEVEN (7)] years after the person's service ends.

9.2 Access

Directors may review their own disclosure statements upon request. Access to others' statements requires a majority vote of the Board with a legitimate need to know.

---

SECTION 10: ANNUAL CERTIFICATION

Each Director, officer, and key employee shall annually sign and return the following certification:

---

**ANNUAL CONFLICT OF INTEREST CERTIFICATION**

I, _________________________________, certify that:

1. I have received and read the Conflict of Interest Policy of CivicOS Institute;

2. I understand my obligations under this Policy;

3. I have disclosed all actual and potential conflicts of interest as required;

4. I agree to comply with this Policy and promptly disclose any future conflicts;

5. I understand that failure to comply may result in removal from my position.

I have the following interests to disclose (attach additional sheets if necessary):

_____________________________________________________________________________

Signature: ___________________________ Date: _________________

Print Name: __________________________

Position: ____________________________

---

SECTION 11: REVIEW AND AMENDMENT

This Policy shall be reviewed annually by the Board and amended as necessary to ensure compliance with applicable law and best practices. Any amendments must be approved by the Board of Directors.

---

SECTION 12: EFFECTIVE DATE

This Conflict of Interest Policy is effective as of [DATE] and supersedes all prior policies on this subject.

---

**ADOPTED BY THE BOARD OF DIRECTORS:**

Date: ___________________

_________________________________

[NAME], Secretary

---

APPENDIX A: COMMON EXAMPLES OF CONFLICTS OF INTEREST

The following are examples of situations that may create conflicts of interest. This list is illustrative, not exhaustive:

1. **Compensation Arrangements**

- Voting on one's own salary or benefits

- Influencing the compensation of a family member

- Receiving payments from Organization vendors

2. **Business Relationships**

- Selling goods or services to the Organization

- Purchasing goods or services from the Organization below market rates

- Having an ownership interest in an Organization vendor or competitor

3. **Governance Conflicts**

- Serving on the board of a competing organization

- Using Organization resources for personal benefit

- Disclosing confidential information for personal advantage

4. **Gift Relationships**

- Accepting substantial gifts from vendors or grantees

- Receiving entertainment that could influence decision-making

- Offering preferential treatment to gift-givers

5. **Employment Conflicts**

- Hiring or supervising family members

- Influencing the hiring of friends or associates

- Making personnel decisions affecting someone with whom one has a personal relationship

---

APPENDIX B: DISCLOSURE STATEMENT TEMPLATE

**CONFLICT OF INTEREST DISCLOSURE STATEMENT**

**Personal Information**

Name: ________________________________

Position: ____________________________

Date: ________________________________

Fiscal Year: _________________________

**Employment and Compensation**

1. Do you receive compensation from the Organization? ☐ Yes ☐ No

If yes, describe: ___________________

2. Do any family members receive compensation from the Organization? ☐ Yes ☐ No

If yes, describe: ___________________

**Business Interests**

3. Do you have an ownership interest (>5%) in any entity that does business with the Organization?

☐ Yes ☐ No

If yes, describe: ___________________

4. Do you serve on the board of or have a fiduciary duty to any organization that does business with or competes with the Organization?

☐ Yes ☐ No

If yes, describe: ___________________

**Financial Relationships**

5. Do you have any financial relationship with any Organization vendor, grantee, or contractor?

☐ Yes ☐ No

If yes, describe: ___________________

6. Are you negotiating any transaction or arrangement with the Organization?

☐ Yes ☐ No

If yes, describe: ___________________

**Gifts and Gratuities**

7. Have you received any gifts or gratuities from Organization-related parties valued over $75?

☐ Yes ☐ No

If yes, describe: ___________________

**Other Potential Conflicts**

8. Are you aware of any other circumstances that could create a conflict of interest?

☐ Yes ☐ No

If yes, describe: ___________________

**Certification**

I certify that the information provided above is true and complete to the best of my knowledge.

Signature: ___________________________ Date: _________________

---

IMPLEMENTATION CHECKLIST

[ ] Board formally adopts Policy
[ ] Policy distributed to all Directors, officers, and key employees
[ ] Initial disclosure statements collected from all covered persons
[ ] Orientation/training conducted
[ ] Annual review process established
[ ] Documentation procedures implemented
[ ] Secure storage system established for disclosure statements
[ ] Process for handling conflicts communicated to all stakeholders

Layer 3 — Download

Download PDF Download DOCX

Delegation of Authority Matrix

DRAFT

Layer 1 — At a glance

Defines exactly who has the power to sign contracts, commit funds, hire personnel, and make binding organizational decisions — and at what dollar thresholds. Prevents unauthorized commitments and ensures appropriate oversight scales with the size of the decision.

Board approval required: Contracts above $100,000Dual signature required: Checks and wires above $10,000ED emergency authority: Up to $25,000Annual review: Required by Board

Last reviewed: Not yet reviewed

Layer 2 — Full text

CIVICOS INSTITUTE

DELEGATION OF AUTHORITY MATRIX

PURPOSE

This Delegation of Authority Matrix ("Matrix") establishes clear boundaries for decision-making authority within CivicOS Institute (the "Organization"). It defines who has the power to:

Sign contracts and legal documents
Commit organizational funds
Make binding commitments on behalf of the Organization
Hire, manage, and terminate personnel
Approve expenditures at various thresholds

This Matrix is a living document that shall be reviewed annually and updated as needed.

---

SECTION 1: DEFINITIONS

1.1 Authority Levels

| Level | Description |

|-------|-------------|

| **Board** | Requires formal vote of the Board of Directors |

| **Executive Committee** | Requires approval by the Executive Committee |

| **Chair** | Chair of the Board, acting within delegated limits |

| **ED** | Executive Director, with full operational authority |

| **Director-Level** | Department or program directors |

| **Manager-Level** | Managers or senior staff |

| **Staff** | Regular employees (limited authority) |

1.2 Financial Thresholds

| Tier | Annual Amount | Description |

|------|---------------|-------------|

| **Minor** | Up to $[1,000] | Routine operational expenses |

| **Moderate** | $[1,001] – $[10,000] | Standard contracts and purchases |

| **Significant** | $[10,001] – $[50,000] | Major contracts and commitments |

| **Material** | $[50,001] – $[100,000] | Significant financial commitments |

| **Major** | Above $[100,000] | Board-level decisions required |

1.3 Contract Types

**Standard Contract**: Routine agreements using Organization templates (e.g., standard NDAs, simple vendor agreements)
**Non-Standard Contract**: Agreements with custom terms or significant liability exposure
**Strategic Contract**: Multi-year agreements, partnership MOUs, major vendor relationships
**Employment Contract**: Individual employment agreements
**Grant Agreement**: Funding agreements with donors or recipients

---

SECTION 2: SIGNING AUTHORITY

2.1 Contract Signing Authority

|-----------------|-------|-------|-----|----------|-------|

| **Articles of Incorporation/Bylaw Amendments** | ✓ Required | — | — | — | Must follow Bylaw procedures |

| **Real Estate Purchase/Sale** | ✓ Required | — | — | — | 2/3 vote; legal review required |

| **Real Estate Lease (> 1 year)** | ✓ Required | — | — | — | Legal review required |

| **Real Estate Lease (≤ 1 year)** | — | ✓ | ✓ | — | Up to $[50,000]/year |

| **Major Contracts (>$100K)** | ✓ Required | — | — | — | Board vote required |

| **Material Contracts ($50K-$100K)** | — | ✓ | ✓ | — | Chair or ED; legal review |

| **Significant Contracts ($10K-$50K)** | — | — | ✓ | ✓* | ED or designated Director |

| **Standard Contracts (<$10K)** | — | — | ✓ | ✓ | Template agreements only |

| **Employment Contracts (ED)** | ✓ Required | — | — | — | Executive Committee negotiation |

| **Employment Contracts (Staff)** | — | — | ✓ | — | Within budget and policy |

| **Grant Agreements (Incoming)** | — | ✓ | ✓ | — | Chair or ED; $50K+ Board notice |

| **Grant Agreements (Outgoing)** | — | — | ✓ | ✓* | ED or program director |

| **Intellectual Property Licenses** | — | ✓ | ✓ | — | Strategic licenses to Board |

| **Settlement Agreements** | ✓* | — | — | — | Board approval if >$[25,000] |

*With specific written delegation from ED

2.2 Financial Document Signing Authority

|--------------|-------|-------|-----------|-----|-------|

| **Loans/Credit Facilities** | ✓ Required | — | — | — | Board vote; legal review |

| **Investment Agreements** | ✓ Required | — | — | — | Within investment policy |

| **Tax Returns (Form 990)** | — | ✓ | ✓ | — | Chair and Treasurer |

| **Banking Resolutions** | ✓ Required | — | — | — | Board authorization |

| **Bank Account Opening** | — | ✓ | ✓ | — | Chair or Treasurer |

| **Checks >$10,000** | — | — | ✓* | ✓ | Dual signature required |

| **Wire Transfers >$10,000** | — | — | ✓* | ✓ | Dual authorization required |

| **Audit Engagement Letter** | — | ✓ | ✓ | — | Chair or Treasurer |

| **Insurance Policies** | — | — | ✓ | ✓ | Within approved coverage |

*Primary signatory

2.3 Legal Document Signing Authority

|--------------|-------|-------|-----|---------------|-------|

| **Litigation Settlement** | ✓* | — | — | ✓ | Board if >$[25,000] |

| **Filing Lawsuit** | — | ✓ | ✓ | ✓ | With legal counsel approval |

| **Appeals of Adverse Decisions** | — | ✓ | ✓ | ✓ | With legal counsel approval |

| **IRS/Regulatory Filings** | — | — | ✓ | — | ED or designated staff |

| **Trademark/Patent Applications** | — | — | ✓ | ✓ | Within IP policy |

| **Subpoena Responses** | — | — | ✓ | ✓ | With legal review |

---

SECTION 3: SPENDING AUTHORITY

3.1 Expenditure Approval Matrix

|----------|--------------|---------------------|------------------------|-----------------------|----------------|

| **Personnel Costs** | ED | ED | ED* | Board (notice) | Board (approval) |

| **Professional Services** | ED | ED | ED | Chair or ED | Board |

| **Grants to Others** | — | ED | ED | Chair or ED | Board |

| **Equipment (>5yr life)** | — | ED | ED | Chair or ED | Board |

*New position creation requires Board notice; salary bands established by Board

3.2 Recurring vs. One-Time Expenses

| Type | Authority |

|------|-----------|

| **Recurring Operating Expenses** (utilities, subscriptions, routine services) | ED up to $[50,000]/year total; Director up to $[5,000]/year per budget line |

| **One-Time Capital Expenditures** | Per threshold matrix above |

| **Multi-Year Commitments** | Board approval if total value exceeds $[50,000] |

3.3 Emergency Expenditure Authority

In emergency situations where delay would harm the Organization:

| Role | Emergency Spending Limit | Conditions |

|------|-------------------------|------------|

| **Board Chair** | Up to $[50,000] | Immediate threat to operations, safety, or legal compliance |

| **Executive Director** | Up to $[25,000] | Immediate threat to operations or compliance |

| **Treasurer** | Up to $[10,000] | Financial emergency only |

**Emergency Expenditure Requirements:**

Must be necessary to prevent significant harm
Must be documented within 24 hours
Must be reported to Board at next meeting
Retroactive Board ratification required for amounts over $[25,000]
May not be used to circumvent normal approval processes

---

SECTION 4: PERSONNEL AUTHORITY

4.1 Hiring Authority

|----------------|----------|-----------|--------------|------------------|----------------|

4.2 Compensation Authority

|--------|-------|-----|----------|-----|-------|

| **ED Compensation** | ✓ | — | — | — | Independent compensation committee |

| **Hire within Band** | — | ✓ | — | Advised | Following HR policy |

| **Promotion within Band** | — | ✓ | ✓* | Advised | *With ED approval |

| **Promotion exceeding Band** | — | ✓ | — | Advised | ED approval required |

| **Merit Increases (standard)** | — | ✓ | ✓* | Advised | Within budget |

| **Merit Increases (exceptional)** | — | ✓ | — | Advised | >10% requires ED |

| **Bonus/Variable Comp** | ✓ | — | — | — | Board-approved plan only |

4.3 Termination Authority

|--------|-------|-------|-----|----------|-------|

| **Terminate ED** | ✓ | — | — | — | 30 days notice; immediate if cause |

| **Terminate Direct Reports to ED** | — | ✓* | ✓ | — | *If ED conflict |

| **Terminate Management** | — | — | ✓ | Recommended | With HR consultation |

| **Terminate Staff** | — | — | ✓ | ✓* | *Within policy |

| **Layoffs/Reduction in Force** | ✓ | — | Recommended | — | Board approval required |

| **Eliminate Position** | — | — | ✓ | Recommended | Budget permitting |

---

SECTION 5: OPERATIONAL COMMITMENTS

5.1 Commitment Authority

| Type of Commitment | Authority Level | Notes |

|-------------------|-----------------|-------|

| **Strategic Partnerships** | Board | MOUs, multi-year collaborations |

| **Speaking/Representation** | ED | Official Organizational positions |

| **Public Statements** | ED/Communications | Policy positions, press releases |

| **Social Media** | Designated Staff | Within approved messaging |

| **Research Collaboration** | ED | Institutional partnerships |

| **Data Sharing Agreements** | ED | With privacy officer review |

| **Open Source Contributions** | ED/Tech Lead | Within IP policy |

| **Trademark Use (3rd party)** | ED | Legal review required |

| **Event Sponsorship** | ED | Up to $[25,000] |

| **Event Hosting** | Director | Within budget |

5.2 Obligation Limits

No individual may commit the Organization to:

Obligations exceeding their spending authority
Multi-year commitments without appropriate approval
Personal guarantees or surety obligations
Unlimited liability or indemnification

---

SECTION 6: DELEGATION PROCEDURES

6.1 Formal Delegation

Authority may be formally delegated as follows:

|------|-----|---------|--------|

6.2 Documentation of Delegation

All formal delegations must include:

Scope of authority granted
Financial limits, if applicable
Duration of delegation
Reporting requirements
Conditions for revocation
Signature of delegating authority

6.3 Revocation of Delegation

Delegation may be revoked by:

The authority that granted it, at any time
The Board, in its sole discretion
Automatic revocation upon termination of employment
Automatic revocation upon expiration of term

Revocation must be in writing and effective immediately upon notice.

---

SECTION 7: ACCOUNTABILITY AND REPORTING

7.1 Monthly Reporting

The Executive Director shall provide monthly reports to the Board including:

Contracts executed (summary)
Expenditures exceeding $[10,000]
Personnel changes
Emergency expenditures

7.2 Quarterly Reporting

The Treasurer shall provide quarterly reports including:

All contracts exceeding $[25,000]
Budget variance analysis
Commitments and obligations outstanding
Compliance with spending authority limits

7.3 Annual Review

The Board shall annually review:

This Delegation Matrix
Effectiveness of delegation structure
Any proposed changes to authority levels
Compliance and exceptions

7.4 Documentation Requirements

All delegations of authority must be documented:

Contracts: Retained per Document Retention Policy
Approvals: Evidence of approval attached to expenditure
Delegations: Written documentation on file
Reports: Minutes or written summaries

---

SECTION 8: PROHIBITED ACTIONS

The following actions are prohibited regardless of authority level:

1. **Self-Dealing**: No individual may approve a transaction in which they have a personal financial interest

2. **Splitting Transactions**: Breaking a single transaction into multiple smaller ones to circumvent authority limits

3. **Retroactive Approval**: Seeking approval after a commitment has been made, except in genuine emergencies

4. **Conditional Commitments**: Making commitments "subject to Board approval" without prior Board indication

5. **Personal Liability**: Committing to personal liability on behalf of the Organization

6. **Gift Restrictions**: Accepting gifts with conditions that violate Organization policy or law

7. **Political Activity**: Authorizing partisan political activities or campaign intervention

---

SECTION 9: EXCEPTIONS AND OVERRIDE

9.1 Board Override

The Board retains ultimate authority and may:

Override any delegated decision
Require additional approvals for specific matters
Modify authority levels for specific transactions
Suspend delegation in extraordinary circumstances

9.2 Conflict Resolution

If there is uncertainty about authority:

1. The matter shall be escalated to the next higher authority level

2. Legal counsel may be consulted

3. The conservative interpretation shall prevail pending resolution

4. The Board shall be notified of material ambiguities

---

SECTION 10: AMENDMENT

This Delegation of Authority Matrix may be amended by:

Board resolution for changes to Board-level authority
Board resolution for changes to ED-level authority
ED with Board notice for administrative clarifications

---

APPENDIX A: SIGNATORY CARD TEMPLATE

BANK SIGNATORY AUTHORIZATION

**Authorized Signatories for Account #[ACCOUNT NUMBER]**

|------|-------|-----------|-----------------|----------------|

**Dual Signature Required For:** Amounts exceeding $[10,000]

---

APPENDIX B: DELEGATION CERTIFICATE TEMPLATE

CERTIFICATE OF DELEGATION

I, _________________________________, [TITLE], delegate to:

Name: ________________________________

Title: ________________________________

the following authority:

☐ Contract signing up to $___________

☐ Expenditure approval up to $___________

☐ Hiring authority for positions up to: _______________

☐ Other: ___________________________________________

**Conditions:**

_________________________________________________________________

**Duration:** ☐ Ongoing ☐ Until: _______________ ☐ Revocable at will

**Reporting Requirements:**

_________________________________________________________________

This delegation does not include authority to further delegate without written consent.

Delegating Authority: _________________________ Date: ___________

Accepting Authority: __________________________ Date: ___________

---

APPENDIX C: QUICK REFERENCE CHART

WHO CAN APPROVE WHAT?

| If you need to... | Ask... | Notes |

|-------------------|--------|-------|

| Sign any contract over $100K | Board | Vote required |

| Sign a contract $50K-$100K | Chair or ED | Legal review recommended |

| Hire a new staff member | ED (within budget) | HR process required |

| Change someone's salary | Per compensation matrix | Must be within bands |

| Spend $25K on a project | ED | Within approved budget |

| Buy equipment over $10K | ED | Capital asset tracking |

| Sign a grant agreement | ED | Over $50K notify Board |

| Commit to multi-year contract | Board | If total >$50K |

| Authorize emergency spending | Chair (up to $50K) | Document immediately |

| Sign a lease over 1 year | Board | |

| Sign a lease under 1 year | Chair or ED | Under $50K/year |

| Approve a consultant | Per contract value | See matrix |

---

IMPLEMENTATION NOTES

1. **Customize Thresholds**: Adjust all bracketed dollar amounts based on Organization budget size and risk tolerance

2. **Bank Documentation**: Provide this Matrix to all banking institutions holding Organization funds

3. **Training**: Train all authorized signatories on their responsibilities

4. **Insurance**: Ensure appropriate Directors & Officers (D&O) and fidelity bond coverage

5. **Annual Review**: Review and update this Matrix as part of annual governance review

6. **Legal Review**: Have an attorney review to ensure compliance with state law and banking requirements

Layer 3 — Download

Download PDF Download DOCX

Document Retention & Records Policy

DRAFT

Layer 1 — At a glance

Establishes how long CivicOS Institute retains different categories of records and how they are securely destroyed when retention periods expire. Ensures legal compliance, supports audits, and protects against liability from both over-retention and premature destruction.

Permanent: Corporate governance, tax status, board minutes7 years: Financial records, grants, personnel files3 years: Email, project files, routine correspondenceLitigation hold: Suspends all automatic deletion

Last reviewed: Not yet reviewed

Layer 2 — Full text

Document Retention & Records Policy

**Document Number:** 04

**Version:** 1.0

**Effective Date:** [DATE]

**Last Reviewed:** [DATE]

**Approved By:** [BOARD/EXECUTIVE BODY]

---

1. Purpose and Scope

1.1 Purpose

This Document Retention & Records Policy establishes consistent guidelines for the creation, retention, storage, and destruction of organizational records for [ORGANIZATION NAME] ("Organization"). This policy ensures compliance with legal and regulatory requirements, supports operational efficiency, and protects the Organization from liability associated with improper records management.

1.2 Scope

This policy applies to:

**All Personnel:** Board members, officers, employees, volunteers, contractors, and agents
**All Records:** Regardless of format (paper, electronic, audio, video, photographic)
**All Locations:** Physical offices, remote work environments, cloud storage, and third-party services
**All Activities:** Past, present, and future organizational operations

---

2. Records Classification and Retention Requirements

2.1 Permanent Retention (Indefinite)

The following records must be retained permanently:

| Record Category | Examples |

|-----------------|----------|

| **Corporate Governance** | Articles of Incorporation, Bylaws, amendments, corporate resolutions |

| **Board Records** | Meeting minutes, official correspondence, consent resolutions |

| **Tax Status** | IRS determination letters, tax-exemption applications, Form 1023/1024 |

| **Major Contracts** | Real estate purchases, perpetual license agreements, endowment documents |

| **Intellectual Property** | Trademark registrations, patent filings, original copyright registrations |

| **Strategic Documents** | Mission/vision statements, strategic plans, major policy decisions |

**Storage:** Fireproof safe or secure offsite facility with climate control. Digital copies in redundant, encrypted cloud storage with geographic distribution.

2.2 Financial Records (7 Years)

The following financial records must be retained for seven (7) years:

| Record Category | Examples |

|-----------------|----------|

| **General Ledger** | Chart of accounts, journal entries, general ledgers |

| **Banking** | Bank statements, canceled checks, deposit slips, reconciliation reports |

| **Tax Returns** | Federal, state, and local tax returns with all supporting schedules |

| **Payroll** | Payroll registers, W-2s, W-4s, 1099s, payroll tax returns |

| **Donor Records** | Contribution receipts, donor acknowledgment letters, pledge records |

| **Expenses** | Accounts payable, vendor invoices, expense reports, credit card statements |

| **Grants** | Grant applications, award letters, financial reports, audit reports |

| **Audits** | Independent audit reports, management letters, working papers (7 years from audit date) |

**Storage:** Secure filing system with limited access. Digital records encrypted with role-based access controls.

2.3 Operational Records (3-7 Years)

| Record Category | Retention Period | Examples |

|-----------------|------------------|----------|

| **Personnel Files** | 7 years post-termination | Applications, performance reviews, disciplinary actions, benefits records |

| **Insurance Policies** | 7 years post-expiration | Policies, claims, correspondence with insurers |

| **Contracts** | 7 years post-termination | Service agreements, vendor contracts, consulting agreements |

| **Project Files** | 3-5 years post-completion | Project plans, deliverables, client correspondence |

| **Email Communications** | 3 years* | General business correspondence, operational communications |

| **Website Content** | 3 years | Published content, version history, analytics reports |

*Exception: Emails related to litigation, regulatory matters, or permanent retention categories must be retained according to those categories.

2.4 Short-Term Retention (1-3 Years)

| Record Category | Retention Period | Examples |

|-----------------|------------------|----------|

| **Routine Correspondence** | 1 year | Internal memos, non-substantive communications |

| **Draft Documents** | Until finalization | Drafts of policies, reports, presentations |

| **Travel & Expense** | 3 years | Travel itineraries, per diem records |

| **Routine Procurement** | 3 years | Purchase orders, receiving documents, routine invoices |

2.5 Immediate Destruction (Upon Processing)

The following may be destroyed immediately after processing:

Junk mail and spam
Duplicate copies (unless serving a specific purpose)
Transitory communications (meeting scheduling, lunch orders)
Superseded drafts with no historical value
Convenience copies of official records

---

3. Electronic Records Management

3.1 Electronic Storage Standards

**Cloud Storage Requirements:**

Use Organization-approved cloud providers only: [PROVIDER NAMES]
Minimum encryption: AES-256 at rest, TLS 1.3 in transit
Geographic redundancy: Data replicated across minimum [NUMBER] regions
Access logging enabled for all repositories
Version history maintained for [DURATION]

**Prohibited Storage:**

Personal cloud accounts (Dropbox personal, Google Drive personal, etc.)
Unencrypted removable media (USB drives, external hard drives)
Personal email accounts for Organization business
Public file-sharing services without password protection and expiration dates

3.2 Backup Procedures

|--------|-----------------|------------------|----------|

3.3 Email Retention

**Automatic Archival:**

All emails retained in searchable archive for 3 years
Litigation hold suspends automatic deletion
Users may not manually delete emails subject to hold

**Mailbox Management:**

Active mailbox size limit: [SIZE] per user
Auto-archival to compliant storage after [TIME PERIOD]
Personal folders must sync to approved cloud storage

---

4. Records Destruction Procedures

4.1 Destruction Authorization

No records may be destroyed without proper authorization:

1. **Department Head Review:** Identifies records eligible for destruction

2. **Legal/Compliance Review:** Confirms no litigation holds or regulatory requirements

3. **Approval:** [DESIGNATED OFFICIAL] authorizes destruction

4. **Execution:** Approved destruction method applied

5. **Certificate of Destruction:** Documentation maintained per retention schedule

4.2 Destruction Methods

| Record Type | Approved Methods | Requirements |

|-------------|-----------------|-------------- |

| **Paper - Confidential** | Cross-cut shredding (minimum DIN P-4) or secure pulping | Witnessed destruction for bulk quantities |

| **Paper - Non-confidential** | Strip shredding or recycling bin | Standard office disposal |

| **Hard Drives/SSDs** | Physical destruction (shredding/degaussing) or NIST 800-88 compliant wiping | Certificate of destruction required |

| **Optical Media** | Physical destruction (shredding/incineration) | Complete data layer destruction |

| **Mobile Devices** | Factory reset + data overwrite + physical destruction | Certificate required |

| **Cloud Data** | Secure deletion with cryptographic erasure | Verification of non-recoverability |

4.3 Destruction Schedule

**Quarterly Review:**

Records eligible for destruction identified
Hold verification conducted
Destruction batch approved

**Annual Certification:**

Complete inventory of destroyed records
Certificates of destruction filed
Policy compliance attestation to Board

---

5. Litigation Hold Procedures

5.1 Triggering Events

A litigation hold ("legal hold") must be implemented upon:

Receipt of subpoena, discovery request, or other legal process
Threatened or pending litigation (internal or external)
Regulatory investigation or audit notice
Internal investigation where records may be relevant
Reasonable anticipation of legal action

5.2 Hold Implementation

**Step 1: Notice (Within 24 Hours)**

[DESIGNATED LEGAL COUNSEL] issues litigation hold notice
Notice distributed to all relevant personnel
IT/Systems Administrator implements technical holds

**Step 2: Identification**

Identify all custodians with potentially relevant records
Map all relevant systems, devices, and storage locations
Document scope of relevant time period and subject matter

**Step 3: Preservation**

Suspend automatic deletion protocols
Preserve records in native format with metadata
Create forensic images when necessary
Prevent custodian self-collection

**Step 4: Monitoring**

Quarterly reminders to custodians
Updated notices as litigation scope changes
New employee onboarding to hold obligations

5.3 Hold Release

Hold released only upon written authorization from [DESIGNATED LEGAL COUNSEL]
Release documented with date, scope, and authorization
Normal retention resumes for non-hold records
Hold-related records retained per litigation outcome

5.4 Hold Documentation

Maintain for duration of litigation plus 7 years:

Original hold notice and all updates
Custodian acknowledgment receipts
Hold compliance certifications
Records produced in litigation

---

6. Roles and Responsibilities

6.1 Board of Directors

Approve Document Retention & Records Policy
Review annual compliance reports
Authorize exceptions in extraordinary circumstances

6.2 Executive Director / CEO

Overall accountability for policy implementation
Appoint Records Management Officer
Approve destruction of significant record categories

6.3 Records Management Officer

**Designated Officer:** [NAME/TITLE]

Day-to-day administration of retention program
Develop and maintain retention schedules
Coordinate litigation hold implementation
Conduct training and awareness programs
Maintain certificates of destruction

6.4 Department Heads

Implement department-specific retention procedures
Identify records eligible for destruction
Ensure staff compliance with retention requirements
Report suspected violations

6.5 All Personnel

Comply with all retention and destruction requirements
Maintain records in approved systems only
Report litigation triggers immediately
Complete required training

6.6 IT / Systems Administrator

Implement technical controls for retention
Execute secure deletion procedures
Maintain backup and archival systems
Support litigation hold technical requirements

---

7. Privacy and Confidentiality

7.1 Confidential Records

Records containing the following require enhanced handling:

Personally identifiable information (PII)
Protected health information (PHI)
Financial account numbers
Social Security Numbers
Donor financial information
Personnel medical information
Attorney-client privileged communications

7.2 Handling Requirements

**Access Control:**

Role-based access on need-to-know basis
Multi-factor authentication for sensitive repositories
Access logging and quarterly review

**Transmission:**

Encryption required for all external transmission
Secure file transfer for files exceeding [SIZE]
Password-protected documents with separate password delivery

**Disposal:**

Immediate shredding for paper documents
Cryptographic erasure for electronic files
Certificate of destruction for bulk disposal

---

8. Compliance and Monitoring

8.1 Training Requirements

| Audience | Training | Frequency |

|----------|----------|-----------|

| All Staff | General records awareness | Annually |

| Managers | Retention requirements + litigation hold | Annually |

| IT Staff | Technical implementation | Annually |

| New Hires | Policy overview | Within 30 days |

8.2 Audit and Review

**Annual Internal Audit:**

Random sample of record categories
Compliance with retention schedules
Secure destruction verification
Litigation hold compliance

**Policy Review:**

Full policy review every [NUMBER] years
Ad hoc updates for legal/regulatory changes
Board approval for material amendments

8.3 Violations and Remedies

**Policy Violations:**

Failure to follow retention schedules
Unauthorized destruction of records
Storage in non-approved systems
Failure to report litigation triggers

**Consequences:**

First occurrence: Remedial training
Repeated occurrences: Disciplinary action up to and including termination
Legal violations: Referral to legal counsel

---

9. Implementation Notes

9.1 Immediate Actions (0-30 Days)

[ ] Designate Records Management Officer
[ ] Inventory existing record categories
[ ] Identify and contract with secure destruction vendor
[ ] Implement litigation hold notification procedures
[ ] Deploy records management training for all staff

9.2 Short-Term Actions (30-90 Days)

[ ] Audit current storage systems for compliance
[ ] Migrate non-compliant records to approved systems
[ ] Establish backup verification procedures
[ ] Create department-specific retention guides
[ ] Implement access control reviews

9.3 Ongoing Actions

[ ] Quarterly destruction batch processing
[ ] Annual policy training refresh
[ ] Annual compliance audit
[ ] Regular review of retention schedules against legal requirements

9.4 Template Forms

The following supporting documents should be developed:

Records Destruction Request Form
Certificate of Destruction Template
Litigation Hold Notice Template
Hold Release Authorization Form
Quarterly Compliance Report Template

---

10. Policy Exceptions

Exceptions to this policy require:

1. Written request with business justification

2. Legal counsel review and approval

3. [DESIGNATED EXECUTIVE] authorization

4. Documentation of exception and duration

5. Annual review of ongoing exceptions

No exceptions may circumvent legal or regulatory retention requirements.

---

Document Control

|---------|------|--------|---------|

---

**Acknowledgment**

I have received, read, and understood the Document Retention & Records Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________________________

Signature: _________________________

Date: _________________________

Layer 3 — Download

Download PDF Download DOCX

Intellectual Property & Licensing Policy

DRAFT

Layer 1 — At a glance

Governs how CivicOS Institute creates, protects, and shares its intellectual property. We default to open licenses — MIT for software, CC BY for content — because our mission is public benefit, not proprietary lock-in. This policy also covers contributor agreements, trademark protection, and third-party code usage.

Default software license: MITDefault content license: CC BY 4.0External contributors: CLA required before contributions acceptedTrademark: CivicOS Institute name and logo are protected

Last reviewed: Not yet reviewed

Layer 2 — Full text

Intellectual Property & Licensing Policy

**Document Number:** 05

**Version:** 1.0

**Effective Date:** [DATE]

**Last Reviewed:** [DATE]

**Approved By:** [BOARD/EXECUTIVE BODY]

---

1. Purpose and Scope

1.1 Purpose

This Intellectual Property & Licensing Policy establishes guidelines for the creation, protection, management, and licensing of intellectual property assets for [ORGANIZATION NAME] ("Organization"). This policy ensures that IP assets are properly identified, protected, and leveraged to advance the Organization's mission while respecting the rights of others and complying with open source community norms.

1.2 Scope

This policy applies to:

**All Personnel:** Board members, officers, employees, volunteers, contractors, interns, and contributors
**All IP Types:** Copyrights, trademarks, patents, trade secrets, and proprietary information
**All Activities:** Research, development, content creation, software development, and collaboration
**All Works:** Created during organizational activities, using organizational resources, or within scope of engagement

---

2. IP Ownership Framework

2.1 Work-for-Hire and Assignment

**Employee-Created IP:**

All intellectual property created by employees within the scope of their employment is the exclusive property of the Organization. This includes, but is not limited to:

Software code and documentation
Research findings and publications
Educational materials and curricula
Designs, graphics, and multimedia content
Processes, methodologies, and know-how
Data sets and databases

**Contractor-Created IP:**

All contractor engagements must include explicit IP assignment clauses ensuring Organization ownership of deliverables. Standard contract language requires:

Assignment of all IP rights in deliverables
License to underlying pre-existing IP incorporated into deliverables
Waiver of moral rights where applicable
Cooperation in registration and enforcement

**Volunteer and Contributor IP:**

Volunteers and external contributors must execute a Contributor License Agreement (CLA) or equivalent assignment before contributions are accepted. See Section 6 for CLA requirements.

2.2 Pre-Existing IP

Personnel retain ownership of IP developed:

Prior to engagement with Organization
Outside scope of employment/engagement
Without use of organizational resources
Unrelated to organizational mission or activities

Personnel must disclose pre-existing IP that may relate to organizational work to avoid conflicts.

2.3 Joint Development

When IP is developed jointly with third parties:

Execute joint development agreement before work commences
Define ownership splits, licensing rights, and commercialization
Establish decision-making authority for enforcement and licensing
Document each party's contributions

---

3. Open Source Licensing Policy

3.1 Philosophy and Preferences

The Organization is committed to open source principles and supports broad access to its innovations. Our licensing philosophy prioritizes:

1. **Mission advancement** over commercial restrictions

2. **Adoption and impact** through permissive terms

3. **Community collaboration** through standard licenses

4. **Attribution** to recognize contributions

3.2 License Selection Framework

**Tier 1: Preferred Licenses (Default)**

| License | Use Case | Requirements |

|---------|----------|--------------|

| **MIT** | Software libraries, tools, standalone applications | Attribution only |

| **Apache 2.0** | Larger software projects, enterprise-grade tools | Attribution + patent grant |

| **CC BY 4.0** | Documentation, educational content, research | Attribution only |

| **CC0** | Data sets, reference implementations, where attribution impractical | No requirements (public domain dedication) |

**Tier 2: Acceptable with Justification**

| License | Use Case | Considerations |

|---------|----------|----------------|

| **BSD 2/3-Clause** | Software | Similar to MIT; acceptable alternative |

| **GPL v3** | Software requiring copyleft derivatives | Requires legal review; contagion risk assessment |

| **LGPL** | Libraries where copyleft of derivatives desired | Linking exceptions acceptable |

| **CC BY-SA** | Content requiring share-alike derivatives | For community content projects |

| **ODbL** | Open databases | For collaboratively maintained data |

**Tier 3: Prohibited or Restricted**

| License | Status | Rationale |

|---------|--------|-----------|

| **GPL v2 only** | Avoid | No patent protection; compatibility issues |

| **AGPL** | Prohibited | Network use triggers copyleft; mission conflict |

| **Proprietary** | Prohibited | Organizational commitment to open source |

| **CC BY-NC / -ND** | Discouraged | Non-commercial restrictions limit mission impact |

| **Custom licenses** | Requires approval | Complexity and incompatibility risks |

3.3 License Selection Process

**Default Path (No Legal Review Required):**

1. Evaluate whether Tier 1 license meets needs

2. If yes, apply MIT (software) or CC BY 4.0 (content)

3. Document license choice in project README

**Escalation Path (Requires Legal Review):**

1. Tier 2 license under consideration

2. Multiple license types in single project

3. Mixed proprietary/open source components

4. Third-party code with conflicting licenses

**Approval Authority:**

[DESIGNATED TECHNICAL LEAD]: Tier 1 licenses
[DESIGNATED LEGAL COUNSEL]: Tier 2 licenses
Board of Directors: Tier 3 licenses or exceptions

3.4 Dual Licensing

Dual licensing (offering same code under multiple licenses) requires:

Legal counsel review of compatibility
Board approval for commercial licensing track
Clear documentation of terms for each license
Contributor consent for dual-licensed contributions

3.5 License Application Requirements

Every open source release must include:

```

1. LICENSE file with full license text

2. Copyright notice in README and source headers

3. NOTICE file for Apache 2.0 or attribution-required licenses

4. CONTRIBUTING.md with CLA requirements

5. Code of Conduct reference

```

**Standard Copyright Header:**

```

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

```

---

4. Proprietary IP Protection

4.1 Trademark Policy

**Trademark Portfolio:**

The Organization protects its brand through trademark registration and proper use guidelines.

| Element | Status | Registration |

|---------|--------|--------------|

| [ORGANIZATION NAME] | [Primary mark] | [JURISDICTIONS] |

| [LOGO] | [Visual mark] | [JURISDICTIONS] |

| [PRODUCT NAMES] | [Product marks] | [STATUS] |

**Permitted Use (by Others):**

Reference to Organization in factual, non-trademark manner
Nominative fair use in comparative or descriptive contexts
Use under express license or partnership agreement

**Prohibited Use:**

Use likely to cause confusion with Organization
Use implying endorsement not granted
Use in domain names without authorization
Use of confusingly similar marks

**Trademark Licensing:**

License agreements required for trademark use
Quality control provisions required
Termination for breach or brand harm
Geographic and scope limitations

4.2 Patent Policy

**Patent Strategy:**

The Organization generally avoids patenting innovations, preferring publication and open source release to establish prior art. Patent applications require Board approval and are only pursued when:

Significant defensive value against patent trolls
Strategic partnership requires patent protection
Commercial licensing strategy approved

**Patent Pledge:**

Any Organization patents are licensed royalty-free for:

Open source implementations
Non-commercial research and education
Products furthering Organization mission

**Invention Disclosure:**

Personnel must disclose potentially patentable inventions to [DESIGNATED IP OFFICER] within 30 days of conception.

4.3 Trade Secret Protection

**Protected Information:**

Donor lists and contact information
Fundraising strategies and donor research
Unpublished research findings
Proprietary methodologies (if not open sourced)
Financial projections and strategic plans
Personnel records

**Protection Measures:**

Marking: "CONFIDENTIAL - [ORGANIZATION NAME]"
Access controls: Role-based, need-to-know
NDAs required for external disclosure
Secure storage and transmission
Annual trade secret inventory

**Duration:**

Trade secrets protected indefinitely while maintaining confidentiality. Upon public disclosure, protection terminates.

---

5. Commercial Use Guidelines

5.1 Philosophy

The Organization encourages commercial use of its open source outputs to maximize mission impact. Commercial users are welcome and supported.

5.2 Permitted Commercial Use

Without restriction, commercial entities may:

Use Organization software in commercial products
Integrate Organization content into commercial offerings
Modify and redistribute under applicable license terms
Build consulting or support businesses around Organization projects
Create proprietary derivative works (under permissive licenses)

5.3 Commercial Use with Attribution Requirements

Commercial users must:

Provide attribution as required by license
Not remove copyright notices
Include license text in distributions
Not use Organization trademarks without authorization
Comply with notice requirements (Apache 2.0)

5.4 Prohibited Commercial Activities

Commercial entities may NOT:

Use Organization trademarks as their own
Imply Organization endorsement without written consent
Remove or alter attribution requirements
Violate terms of copyleft licenses (GPL family)
Use Organization content in ways violating moral rights

5.5 Commercial Partnership Framework

Organizations seeking deeper collaboration may:

Sponsor specific projects or features
Enter trademark license agreements
Participate in advisory councils
Jointly develop under partnership agreements

Contact: [PARTNERSHIP EMAIL]

---

6. Contributor License Agreements

6.1 CLA Requirement

All substantial contributions to Organization projects require a signed Contributor License Agreement. "Substantial" means:

Code contributions exceeding [NUMBER] lines
Documentation contributions exceeding [NUMBER] words
Design or creative contributions
Any contribution not clearly de minimis

**Exceptions:**

De minimis contributions (typo fixes, minor corrections)
Contributions from employees (covered by employment agreement)
Contributions under existing partnership agreements

6.2 CLA Types

**Individual CLA (ICLA):**

For individual contributors
Grants license and patent rights to Organization
Warranties contribution is original and rights held
Covers all contributions to all Organization projects

**Corporate CLA (CCLA):**

For employees contributing on behalf of employer
Employer grants license and patent rights
Lists authorized contributors
Covers contributions during employment

6.3 CLA Content Requirements

CLA must include:

Grant of copyright license (perpetual, worldwide, royalty-free)
Grant of patent license (if applicable)
Representation of authority to grant
Warranty of originality
Acknowledgment no compensation expected
Agreement to follow project Code of Conduct

6.4 CLA Administration

**Process:**

1. CLA sent to prospective contributor

2. Signed CLA returned (electronic signature acceptable)

3. CLA recorded in [DESIGNATED SYSTEM]

4. Contributor added to authorized contributors list

5. CLA verification automated in CI/CD pipeline

**Records:**

CLAs retained for duration of copyright plus [NUMBER] years
Annual audit of CLA compliance
Quarterly reconciliation with project contributors

---

7. Third-Party Code Usage

7.1 Policy Principles

Respect open source licenses
Comply with all license obligations
Maintain accurate inventory of third-party code
Prohibit use of code with incompatible licenses
Document all third-party dependencies

7.2 Approved License Categories

| Category | Licenses | Use |

|----------|----------|-----|

| **Permissive** | MIT, BSD, Apache 2.0 | Any use, including proprietary |

| **Weak Copyleft** | LGPL, MPL | Dynamic linking allowed in proprietary |

| **Strong Copyleft** | GPL, AGPL | Only in compatible open source projects |

| **Documentation** | CC BY, CC0, GFDL | Content and documentation |

7.3 License Compliance Requirements

**For All Third-Party Code:**

1. **Inventory:** Maintain Software Bill of Materials (SBOM)

2. **Verification:** Confirm license compatibility with project license

3. **Documentation:** Include in NOTICES or LICENSE file

4. **Attribution:** Preserve all copyright notices

5. **Source:** Make source available when required by copyleft

**Apache 2.0 Compliance:**

Include NOTICE file if provided
State modifications made
Preserve patent grant

**GPL Compliance:**

Source code offer for distributed binaries
License text inclusion
Written offer valid for 3 years

7.4 Prohibited Code

Do NOT use code with:

Unknown or unclear licenses
"Research only" or "non-commercial" restrictions
GPL-incompatible licenses in GPL projects
Proprietary licenses without express authorization
Copyleft code in proprietary products (without compliance)

7.5 Security Considerations

Third-party code must also meet:

Security review for critical dependencies
Maintenance status verification (not abandoned)
Vulnerability scanning in CI/CD
Approved source only (no unverified packages)

---

8. Attribution Requirements

8.1 Internal Attribution

Organization projects must properly attribute:

Individual contributors (in CONTRIBUTORS file)
Funding sources (in ACKNOWLEDGMENTS)
Partner organizations
Third-party code (in NOTICES)

8.2 External Attribution

Users of Organization IP must provide:

**Software:**

```

This product includes software developed by [ORGANIZATION NAME].

[License text or reference]

```

**Content:**

```

[Title] by [ORGANIZATION NAME] is licensed under CC BY 4.0

[Link to original]

```

8.3 Moral Rights

The Organization respects moral rights of creators where applicable:

Right of attribution (paternity)
Right of integrity (no derogatory treatment)
Right to anonymity (if requested)

---

9. IP Enforcement

9.1 Infringement Monitoring

The Organization monitors for:

Unauthorized trademark use
License violations (failure to attribute, etc.)
Plagiarism of content
Patent infringement claims against Organization

9.2 Enforcement Priorities

**High Priority:**

Trademark confusion harming Organization reputation
Willful license violations
Commercial exploitation without attribution

**Medium Priority:**

Innocent attribution failures (educational response)
Non-commercial violations

**Low Priority:**

Technical violations with no harm
De minimis uses

9.3 Enforcement Process

1. **Documentation:** Gather evidence of violation

2. **Evaluation:** Assess priority and best resolution

3. **Contact:** Initial outreach seeking compliance

4. **Escalation:** Formal notice if needed

5. **Resolution:** Compliance or legal action

**Preferred Resolution:**

Always prefer education over enforcement
Seek compliance, not damages
Preserve relationships where possible

9.4 Defensive Response

If Organization accused of infringement:

1. Immediate legal counsel consultation

2. Document review and analysis

3. Good faith investigation

4. Remediation if substantiated

5. Defense if unsubstantiated

---

10. Education and Compliance

10.1 Training Requirements

| Audience | Training Content | Frequency |

|----------|-----------------|-----------|

| All Staff | IP basics, confidentiality | Annually |

| Developers | Open source licensing, CLA process | Annually |

| Managers | Third-party code approval, enforcement | Annually |

| New Hires | IP ownership, disclosure obligations | Within 30 days |

10.2 Resources

**Internal Resources:**

IP policy portal: [URL]
License decision tree: [URL]
Approved vendor list: [URL]
CLA submission system: [URL]

**External Resources:**

Open Source Initiative: https://opensource.org/licenses
Choose a License: https://choosealicense.com
Creative Commons: https://creativecommons.org/choose

10.3 Compliance Review

**Quarterly:**

CLA compliance check
Trademark usage audit
Third-party code inventory update

**Annually:**

Full IP policy review
Training completion verification
External IP landscape assessment

---

11. Implementation Notes

11.1 Immediate Actions (0-30 Days)

[ ] Inventory existing IP assets
[ ] Register core trademarks
[ ] Implement CLA collection system
[ ] Create license decision tree for developers
[ ] Audit third-party dependencies in all projects

11.2 Short-Term Actions (30-90 Days)

[ ] Standardize licenses on existing projects
[ ] Create SBOM for all active projects
[ ] Develop trademark usage guidelines
[ ] Establish IP enforcement procedures
[ ] Deploy training program

11.3 Ongoing Actions

[ ] Quarterly IP audits
[ ] Annual policy review
[ ] Continuous CLA processing
[ ] Trademark monitoring
[ ] License compliance in CI/CD

11.4 Key Contacts

| Role | Name/Email | Responsibilities |

|------|------------|-----------------|

| IP Officer | [EMAIL] | Strategy, enforcement, trademarks |

| Open Source Lead | [EMAIL] | License selection, CLA process |

| Legal Counsel | [EMAIL] | Complex licensing, disputes |

| Compliance Officer | [EMAIL] | Training, audits, policy |

---

Document Control

|---------|------|--------|---------|

---

**Acknowledgment**

I have received, read, and understood the Intellectual Property & Licensing Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________________________

Signature: _________________________

Date: _________________________

Layer 3 — Download

Download PDF Download DOCX

Data, Privacy & Security Policy

DRAFT

Layer 1 — At a glance

Establishes how CivicOS Institute collects, processes, stores, and protects personal data. Privacy by design is a founding principle — we collect only what we need, use it only as stated, and protect it with appropriate technical and organizational controls. Compliant with GDPR and CCPA.

Principle: Privacy by design, data minimizationData subject rights: Access, rectification, erasure, portabilityBreach notification: Regulatory notice within 72 hoursAI data handling: Personal data not submitted to external AI models

Last reviewed: Not yet reviewed

Layer 2 — Full text

Data, Privacy & Security Policy

**Document Number:** 06

**Version:** 1.0

**Effective Date:** [DATE]

**Last Reviewed:** [DATE]

**Approved By:** [BOARD/EXECUTIVE BODY]

---

1. Purpose and Scope

1.1 Purpose

This Data, Privacy & Security Policy establishes comprehensive standards for the collection, processing, storage, and protection of data by [ORGANIZATION NAME] ("Organization"). This policy reflects our commitment to respecting individual privacy, maintaining data security, and complying with applicable privacy regulations including GDPR, CCPA, and other relevant frameworks.

1.2 Scope

This policy applies to:

**All Personnel:** Board members, officers, employees, volunteers, contractors, and agents
**All Data:** Personal data, organizational data, and third-party data in our custody
**All Systems:** Information technology systems, cloud services, and third-party processors
**All Activities:** Data collection, processing, storage, transmission, and destruction
**All Locations:** Physical offices, remote work, cloud environments, and partner systems

1.3 Policy Principles

1. **Data Minimization:** Collect only what is necessary

2. **Purpose Limitation:** Use data only for stated purposes

3. **Privacy by Design:** Build privacy into systems and processes

4. **Security First:** Protect data with appropriate safeguards

5. **Transparency:** Be clear about data practices

6. **Individual Rights:** Respect and enable data subject rights

---

2. Data Collection Principles

2.1 Lawful Basis for Processing

All data collection must have a lawful basis under applicable privacy law:

| Basis | Use Case | Documentation Required |

|-------|----------|----------------------|

| **Consent** | Marketing, optional communications | Clear opt-in, granular, revocable |

| **Contract** | Service delivery, membership | Contract terms reference |

| **Legal Obligation** | Tax reporting, regulatory compliance | Legal citation |

| **Vital Interests** | Emergency contact, health/safety | Incident documentation |

| **Public Interest** | Research in public benefit | Research ethics approval |

| **Legitimate Interests** | Internal analytics, fraud prevention | Legitimate Interest Assessment |

2.2 Data Minimization

**Principle:** Collect only data that is directly necessary for the specific purpose identified.

**Requirements:**

Document the specific purpose for each data element collected
Review collections annually for continued necessity
Delete data when purpose is fulfilled (unless retention required)
Do not collect "nice to have" data without explicit justification

**Examples:**

| Purpose | Required Data | Not Required |

|---------|--------------|--------------|

| Email newsletter | Email address | Phone, address, demographics |

| Event registration | Name, email, dietary restrictions | SSN, full address (unless shipping) |

| Donation processing | Payment info, name, tax ID (for receipts) | Employer, occupation (unless legally required) |

| Research participation | Consent, relevant responses | Identifying info (use pseudonymization) |

2.3 Purpose Limitation

**Principle:** Use data only for the purpose for which it was collected, unless compatible additional purpose or new consent obtained.

**Compatible Purposes (generally permitted):**

Archiving in public interest
Scientific or historical research
Statistical analysis (anonymized)
Internal operational improvements

**Incompatible Purposes (require new basis):**

Marketing to non-consented individuals
Selling or sharing with third parties
Uses materially different from original purpose
New data controller relationship

2.4 Collection Methods

**Direct Collection:**

Web forms with clear privacy notices
In-person with informed consent
Phone with verbal privacy notice

**Automated Collection:**

Website analytics (cookie consent required)
System logs (anonymized where possible)
Public sources (disclosed in privacy notice)

**Third-Party Collection:**

Processor agreements required
Verify third-party compliance
Disclose source in privacy notice

---

3. Privacy Commitments

3.1 Core Privacy Pledge

The Organization commits to:

**We Will NOT:**

Sell personal data to third parties
Share data with third parties for their marketing
Use data for purposes beyond those disclosed
Retain data longer than necessary
Collect data from children under 13 without parental consent
Discriminate against individuals exercising privacy rights

**We Will:**

Be transparent about data practices
Provide meaningful privacy choices
Protect data with appropriate security
Honor data subject rights promptly
Notify of breaches as required by law
Regularly review and improve privacy practices

3.2 Privacy Notice Requirements

All collection points must include a privacy notice containing:

1. **Identity:** Who is collecting the data

2. **Contact:** Data protection officer contact

3. **Purpose:** Why data is being collected

4. **Legal Basis:** Lawful basis for processing

5. **Recipients:** Who data will be shared with

6. **Transfers:** International transfer safeguards

7. **Retention:** How long data will be kept

8. **Rights:** Data subject rights and how to exercise

9. **Complaints:** How to lodge complaints with authorities

10. **Automated Decisions:** Existence of profiling (if any)

3.3 Special Categories of Data

The following "special category" data receives enhanced protection:

| Category | Examples | Requirements |

|----------|----------|--------------|

| **Racial/Ethnic Origin** | Race, ethnicity | Explicit consent or substantial public interest |

| **Political Opinions** | Party affiliation, voting | Explicit consent or substantial public interest |

| **Religious Beliefs** | Religion, denomination | Explicit consent or substantial public interest |

| **Health Data** | Medical conditions, disabilities | Explicit consent or health/social care purpose |

| **Biometric** | Fingerprints, facial recognition | Explicit consent, Data Protection Impact Assessment |

| **Genetic** | DNA, genetic markers | Explicit consent, DPIA, specialized security |

| **Sexual Orientation** | LGBTQ+ status | Explicit consent |

| **Criminal History** | Convictions, offenses | Official authority or substantial public interest |

**Collection of special category data requires:**

Data Protection Impact Assessment (DPIA)
Enhanced security measures
Explicit opt-in consent (if consent basis)
Documentation of lawful basis
Limited access and strict need-to-know

3.4 Children's Data

**COPPA/GDPR Requirements:**

No collection from children under 13 without verifiable parental consent
For 13-16: Informational notice sufficient (opt-out)
Clear age gating on websites and services
No behavioral advertising to children
Enhanced security for children's data

**Verifiable Consent Methods:**

Credit card verification
Signed consent form
Video conference with parent
Phone call with trained staff

---

4. Data Subject Rights

4.1 Rights Overview

Data subjects have the following rights:

| Right | Description | Response Time |

|-------|-------------|---------------|

| **Access** | Obtain copy of personal data | 30 days |

| **Rectification** | Correct inaccurate data | 30 days |

| **Erasure** | Delete data ("right to be forgotten") | 30 days |

| **Restriction** | Limit processing | 30 days |

| **Portability** | Receive data in machine-readable format | 30 days |

| **Objection** | Object to processing | Immediate effect |

| **Automated Decision** | Human review of automated decisions | 30 days |

4.2 Request Handling Procedures

**Receipt:**

Acknowledge request within 72 hours
Verify identity of requestor
Log request in tracking system

**Processing:**

Gather relevant data across systems
Review for legal exemptions (e.g., legal obligation to retain)
Prepare response in accessible format
Quality assurance review

**Response:**

Provide data or explanation of action taken
Explain any exemptions applied
Include information on appeal process
Document completion

**Extensions:**

Complex requests: May extend to 60 days with notification
High volume: May extend with notification
Must explain basis for extension

4.3 Exemptions and Limitations

**Requests May Be Denied When:**

| Situation | Rationale |

|-----------|-----------|

| Legal obligation to retain | Tax, employment law requirements |

| Legal proceedings | Litigation hold or defense |

| Public interest | Research, public health, journalism |

| Manifestly unfounded | Harassment, excessive requests |

| Excessive requests | Repetitive, unreasonable burden |

| Others' rights | Would disclose another person's data |

**Partial Response:**

When portions must be withheld, provide:

Redacted version with explanation
Basis for withholding (legal citation)
Appeal rights

---

5. Security Baseline

5.1 Security Governance

**Security Officer:** [NAME/TITLE]

**Responsibilities:**

Security policy development and enforcement
Risk assessment and management
Incident response coordination
Security awareness training
Vendor security evaluation

**Security Committee:**

Cross-functional representation (IT, Legal, Operations)
Monthly security reviews
Incident post-mortems
Policy approval authority

5.2 Access Controls

**Principle of Least Privilege:**

Access granted on need-to-know basis
Role-based access control (RBAC)
Regular access reviews (quarterly)
Immediate revocation upon termination

**Authentication Requirements:**

| System Type | Minimum Requirement |

|-------------|---------------------|

| Standard systems | Strong password + MFA |

| Administrative systems | Strong password + hardware MFA |

| Critical infrastructure | Certificate-based + MFA |

| External access | VPN + MFA |

**Password Policy:**

Minimum 12 characters
Complexity required (upper, lower, number, special)
No dictionary words or personal info
Changed immediately if suspected compromise
Password manager required

5.3 Encryption Standards

**Data at Rest:**

Full disk encryption on all devices
Database encryption (AES-256)
Encrypted backups
Secure key management (HSM or KMS)

**Data in Transit:**

TLS 1.3 minimum for web traffic
VPN for remote access
SFTP/FTPS for file transfers
Encrypted email for sensitive data

**Key Management:**

Keys stored in hardware security module or cloud KMS
Key rotation annually or on compromise
Separation of duties for key access
Key escrow for business continuity

5.4 Network Security

**Perimeter Protection:**

Next-generation firewall with IDS/IPS
DDoS protection
Web application firewall (WAF)
Regular penetration testing (annual)

**Network Segmentation:**

VLAN separation by function
Critical systems isolated
Guest network separate from production
Zero-trust architecture for remote access

**Monitoring:**

24/7 security monitoring
SIEM for log aggregation and analysis
Anomaly detection
Threat intelligence feeds

5.5 Endpoint Security

**Device Requirements:**

Organization-approved devices for work data
MDM enrollment for all mobile devices
EDR (Endpoint Detection and Response) on all endpoints
Automatic updates and patching

**Prohibited:**

Personal email for work data
Unapproved cloud storage
Unencrypted removable media
Jailbroken/rooted devices

**Remote Work:**

VPN required for system access
Home network security recommendations
Dedicated workspace guidance
No work in public spaces with visible screens

5.6 Application Security

**Development:**

Secure coding standards
Code review requirements
Dependency vulnerability scanning
Static and dynamic security testing (SAST/DAST)

**Production:**

Regular vulnerability scanning
Patch management (critical: 24 hours, high: 7 days)
Change management process
Segregated production access

**Third-Party:**

Security assessment before procurement
Annual security review
Right to audit clauses
Incident notification requirements

5.7 Physical Security

**Office Security:**

Badge access control
Visitor escort required
Clean desk policy
Secure disposal (shredding)

**Data Center / Server Room:**

Multi-factor physical access
Environmental controls
CCTV monitoring
Fire suppression systems

**Remote Work:**

Secure home office setup
Privacy screens for laptops
Safe storage of devices
No unattended devices in public

---

6. Incident Response

6.1 Incident Classification

|----------|------------|----------|---------------|

6.2 Incident Response Team

**Core Team:**

Security Officer (Incident Commander)
IT/Systems Administrator
Legal Counsel
Communications Lead
Executive Sponsor

**Extended Team (as needed):**

HR (personnel incidents)
External forensics
Law enforcement liaison
Insurance carrier
Affected system owners

6.3 Response Procedures

**Phase 1: Detection and Analysis (0-1 hour)**

1. Identify and confirm incident

2. Assign severity classification

3. Activate response team

4. Preserve evidence

5. Document timeline

**Phase 2: Containment (1-4 hours)**

1. Isolate affected systems

2. Block attack vectors

3. Prevent data exfiltration

4. Maintain business continuity where safe

**Phase 3: Eradication (4-24 hours)**

1. Remove attacker access

2. Patch vulnerabilities

3. Clean compromised systems

4. Verify integrity

**Phase 4: Recovery (24-72 hours)**

1. Restore from clean backups

2. Verify system integrity

3. Return to normal operations

4. Enhanced monitoring

**Phase 5: Post-Incident (1-4 weeks)**

1. Complete forensic analysis

2. Document lessons learned

3. Update security controls

4. Conduct post-mortem

6.4 Breach Notification

**Legal Notification Requirements:**

|--------------|---------|----------|------------|

**Internal Notification:**

Board Chair: Within 4 hours for Critical/High
Full Board: Within 24 hours
Insurance carrier: Within policy timeframe

**External Communication:**

Draft by Legal and Communications
Board approval required
Transparent but legally protective
Offer credit monitoring if SSN/financial involved

6.5 Documentation Requirements

Maintain for duration of litigation plus 7 years:

Incident timeline
All communications
Forensic analysis
Response actions taken
Notification records
Post-incident report
Lessons learned

---

7. Third-Party Processors

7.1 Due Diligence

**Before Engagement:**

Security questionnaire
SOC 2 Type II or equivalent review
Data Processing Agreement (DPA) execution
Privacy Shield or SCCs for international transfers

**Minimum Security Requirements:**

Encryption at rest and in transit
Access controls and MFA
Incident response capabilities
Annual penetration testing
Business continuity plan

7.2 Data Processing Agreements

All processors must sign DPA containing:

Processing instructions and limitations
Subprocessor authorization and notification
Security measures and audits
Breach notification (24-48 hours)
Data subject rights assistance
Return/destruction of data upon termination
Audit rights

7.3 Ongoing Monitoring

**Annual Review:**

Security certification renewal
Incident history review
Compliance attestation
Contract compliance verification

**Continuous Monitoring:**

Threat intelligence on processors
News and breach monitoring
Performance and availability

---

8. International Data Transfers

8.1 Transfer Mechanisms

**From EU/EEA:**

Standard Contractual Clauses (SCCs) - mandatory
Adequacy decisions (UK, limited others)
Binding Corporate Rules (if applicable)

**From UK:**

UK Addendum to SCCs
UK adequacy regulations

**From Other Jurisdictions:**

Local law compliance
Contractual safeguards
Data localization requirements

8.2 Transfer Impact Assessment (TIA)

Required before international transfers:

1. Document laws in destination country

2. Assess impact on data subject rights

3. Identify supplementary measures if needed

4. Implement additional safeguards

5. Periodic re-assessment

8.3 Supplementary Measures

When destination laws may impede data subject rights:

Enhanced encryption (data encrypted with keys held in origin country)
Pseudonymization before transfer
Strict purpose limitation
Enhanced monitoring

---

9. Compliance and Governance

9.1 Privacy by Design

All new projects and systems must undergo:

**Privacy Impact Assessment (PIA) for:**

New data collections
New processing activities
Significant system changes
New vendor relationships

**Data Protection Impact Assessment (DPIA) for:**

Systematic monitoring
Large-scale special category processing
Automated decision-making with significant effects
New technologies (AI, biometrics)

9.2 Training and Awareness

| Audience | Training | Frequency |

|----------|----------|-----------|

| All Staff | General security and privacy awareness | Annually |

| Developers | Secure coding, privacy engineering | Annually |

| Managers | Data handling, incident reporting | Annually |

| New Hires | Security and privacy basics | Within 30 days |

| High-Risk Roles | Specialized training | Semi-annually |

9.3 Audits and Assessments

**Annual Activities:**

Security risk assessment
Privacy compliance audit
Penetration testing
Vulnerability scanning
Third-party security reviews

**Quarterly Activities:**

Access reviews
Policy compliance spot checks
Incident metrics review
Security metrics review

9.4 Record Keeping

Maintain for compliance:

Processing activities records (ROPA)
Consent records
Data subject request logs
DPIAs and PIAs
Security assessments
Incident reports
Training records
Processor agreements

Retention: Duration of processing plus [NUMBER] years

---

10. Implementation Notes

10.1 Immediate Actions (0-30 Days)

[ ] Appoint Data Protection Officer / Privacy Officer
[ ] Inventory all data processing activities (ROPA)
[ ] Map all data flows and international transfers
[ ] Review and update privacy notices
[ ] Implement consent management platform
[ ] Establish data subject request intake process

10.2 Short-Term Actions (30-90 Days)

[ ] Complete DPIAs for high-risk processing
[ ] Audit third-party processors for DPA compliance
[ ] Deploy data subject rights request management system
[ ] Conduct security risk assessment
[ ] Implement security monitoring and alerting
[ ] Develop incident response playbooks

10.3 Ongoing Actions

[ ] Monthly security metrics review
[ ] Quarterly access reviews
[ ] Quarterly privacy compliance checks
[ ] Annual penetration testing
[ ] Annual policy and training refresh
[ ] Annual ROPA update
[ ] Continuous consent and preference management

10.4 Key Contacts

| Role | Name/Email | Responsibilities |

|------|------------|-----------------|

| Data Protection Officer | [EMAIL] | GDPR compliance, data subject rights |

| Security Officer | [EMAIL] | Security program, incident response |

| Privacy Counsel | [EMAIL] | Legal compliance, regulatory matters |

| IT Security Lead | [EMAIL] | Technical security implementation |

---

11. Regulatory Compliance Summary

11.1 GDPR (General Data Protection Regulation)

**Applicability:** Processing personal data of EU residents

**Key Requirements:**

Lawful basis for processing
Data subject rights
Privacy by design
Breach notification (72 hours)
DPO (if required by scale/sensitivity)
Records of processing activities

11.2 CCPA/CPRA (California)

**Applicability:** For-profit or non-profit with >$25M revenue or >100K CA residents' data

**Key Requirements:**

Privacy notice at collection
Right to know, delete, opt-out
Do not sell/share (opt-out link)
Service provider contracts
Consumer request fulfillment

11.3 Other State Laws

Monitor compliance requirements for:

Virginia CDPA
Colorado CPA
Connecticut CTDPA
Utah UCPA
Emerging state privacy laws

11.4 Industry-Specific

**If Applicable:**

HIPAA (health information)
FERPA (educational records)
GLBA (financial information)
COPPA (children's online privacy)

---

Document Control

|---------|------|--------|---------|

---

**Acknowledgment**

I have received, read, and understood the Data, Privacy & Security Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________________________

Signature: _________________________

Date: _________________________

Layer 3 — Download

Download PDF Download DOCX

Board Member Agreement

DRAFT

Layer 1 — At a glance

The individual commitment document signed by each director at seating. Covers fiduciary duties, governance alignment, participation expectations, conflict of interest obligations, confidentiality, and conduct standards. Supports both standard 3-year terms and provisional 12-month appointments.

Signed individually by each director at seatingCovers: Standard (3-year) and Provisional (12-month) service typesAttendance commitment: Minimum 3 of 4 annual meetingsConfidentiality survives board service

Last reviewed: Not yet reviewed

Layer 2 — Full text

Board Member Agreement (Doc 07)

Purpose

This agreement is signed by each director at seating and records fiduciary, governance, participation, confidentiality, and conduct commitments.

Service Type

Standard Term — 3 years per Bylaws Article III Section 3.03
Provisional Term — 12 months per Bylaws Article III Section 3.04

Core Commitments

Duty of care, loyalty, and obedience
Governance policy alignment across AOI + Docs 01–09
Attendance floor: at least 3 of 4 required annual meetings
COI disclosure and recusal compliance
Confidentiality survives service, subject to whistleblower protections and legally compelled disclosure

Provisional Service Conditions

If provisional service is selected:

term max is 12 months
conversion to standard term requires majority board vote
if not converted by term end, service concludes without further action

Internal Use Checklist

Orientation completed
COI disclosure received
Security/privacy onboarding completed
Agreement filed
Term end date calendared with Board Secretary
Service type marked (Standard/Provisional)
If provisional: conversion vote calendared (Yes/No/N/A)

Layer 3 — Download

Download PDF Download DOCX

Whistleblower Policy

DRAFT

Layer 1 — At a glance

Protects individuals who report suspected misconduct in good faith from retaliation. Establishes clear reporting channels including an anonymous option, defines investigation timelines, and ensures Board-level oversight. Required for IRS Form 990 governance disclosures.

Anonymous reporting: whistleblower@civicos-institute.orgNon-retaliation: Strictly enforced; violations treated as separate offenseInvestigation target: 30 days; hard limit: 90 daysBoard oversight: Annual reporting at fiscal year-end meeting

Last reviewed: Not yet reviewed

Layer 2 — Full text

Whistleblower Policy (Doc 08)

Purpose

Protect good-faith reporting of suspected misconduct and prohibit retaliation.

Reporting Channels

Executive Director
Board Chair
Designated board committee/independent director
Anonymous channel: whistleblower@civicos-institute.org (routed to Board Chair + one designated independent director)

Non-Retaliation

Retaliation against good-faith reporting is prohibited and treated as a separate violation.

Intake + Investigation Timelines

intake acknowledgment target: 5 business days where contact is available
anonymous reports are logged and reviewed but may not receive acknowledgment
investigation target: 30 calendar days
hard limit: no investigation exceeds 90 calendar days without written Board Chair notification and revised completion date

Oversight

Board oversight reporting occurs no less than annually, at or before the fiscal year-end board meeting.

Board Member Misconduct Track

If substantiated against a sitting board member, corrective action follows Bylaws Article III Section 3.05 with mandatory recusal of subject director.

Layer 3 — Download

Download PDF Download DOCX

Compensation Review Policy

DRAFT

Layer 1 — At a glance

Establishes the formal process for determining and documenting compensation for the Executive Director, officers, and key employees. Follows IRS rebuttable presumption procedures — independent approval, comparable market data, contemporaneous documentation — to ensure compensation is reasonable and defensible.

Standard: IRS rebuttable presumption of reasonablenessRequires: Independent approval, comparability data, written documentationAnnual review: Required; aligned to budget and fiscal year cycleED self-review: Must be initiated in writing to Board Chair

Last reviewed: Not yet reviewed

Layer 2 — Full text

Compensation Review Policy (Doc 09)

Purpose

Define compensation governance for Executive Director, officers, and key employees using IRS rebuttable presumption controls.

Required Elements

1. Independent authorized approval body

2. Appropriate comparability data

3. Contemporaneous written documentation

Annual + Mid-Cycle Reviews

annual review required and aligned to budget/fiscal cycle
mid-cycle adjustments allowed with full controls
ED self-initiated review request must be submitted in writing to Board Chair, who convenes independent review

Excess Benefit Prevention

Potential excess benefit cases are escalated for corrective action and counsel review.

Note for legal review: Excess benefit transactions under IRC 4958 may carry excise tax exposure on the disqualified person. Counsel should determine whether explicit statutory citation should remain in-policy or in separate legal guidance.

Board Member Compensation

Any board-member compensation action requires disinterested review and documented reasonableness determination.

Note for legal review: Confirm whether Florida nonprofit law imposes additional constraints on director compensation beyond bylaws provisions.

Layer 3 — Download

Download PDF Download DOCX

Transparency Statement

CivicOS Institute is committed to proactive transparency in governance, finances, operations, and program delivery. These documents are not compliance artifacts — they are the operating commitments of an organization that teaches civic literacy and must model it. All governance documents are publicly accessible in full. Authenticated stakeholder dashboards provide real-time visibility into organizational performance.

Downloads

Open downloads center