CivicOS Governance — Master Compilation

Generated: 2026-02-28 13:46 EST

This file consolidates governance documents, policies, and governance-related site articles into one markdown source.

Included Documents

1. governance/README.md
2. governance/Articles_of_Incorporation_Florida.md
3. governance/01_Bylaws.md
4. governance/02_Conflict_of_Interest_Policy.md
5. governance/03_Delegation_of_Authority_Matrix.md
6. governance/04_Document_Retention_Policy.md
7. governance/05_IP_Licensing_Policy.md
8. governance/06_Data_Security_Policy.md
9. governance/DATA_BOUNDARY_POLICY.md
10. governance/WORKFLOW_CONTROL_PLANES.md
11. tmp/civicos-site/governance.md
12. tmp/civicos-site/governance/articles-of-incorporation.md
13. tmp/civicos-site/governance/board-recruitment.md
14. tmp/civicos-site/governance/bylaws.md
15. tmp/civicos-site/governance/conflict-of-interest-policy.md
16. tmp/civicos-site/governance/data-privacy-security-policy.md
17. tmp/civicos-site/governance/delegation-of-authority.md
18. tmp/civicos-site/governance/document-retention-policy.md
19. tmp/civicos-site/governance/ip-licensing-policy.md

Source: governance/README.md

CIVICOS INSTITUTE

COMPLETE GOVERNANCE DOCUMENTATION PACKAGE

Overview

This package contains comprehensive governance documents for CivicOS Institute, a 501(c)(3) nonprofit organization in formation focused on civic R&D and platform development.

Documents Included

Document Summaries

1. Bylaws

The foundational governance document establishing:

• Organization purpose and limitations
• Board composition (3-9 Directors), election, and terms
• Officer roles (Chair, Secretary, Treasurer)
• Meeting procedures and voting
• Amendment and dissolution procedures

Key Customizations Needed:

• [STATE OF INCORPORATION]
• Board size preferences
• Term lengths (currently 3 years, 2-term limit)
• Meeting frequency (currently 4x/year minimum)

2. Conflict of Interest Policy

IRS-compliant policy ensuring decisions are made in the Organization’s best interest:

• Annual disclosure requirements
• Transactional disclosure obligations
• Recusal procedures
• Investigation and enforcement

Key Customizations Needed:

• Thresholds for gift disclosure (currently $75)
• Key employee compensation threshold (currently $100,000)

3. Delegation of Authority Matrix

Clear authority framework for operational decisions:

• Contract signing authority by amount and type
• Spending approval thresholds
• Hiring and termination authority
• Emergency expenditure authority

Key Customizations Needed:

• Financial thresholds (currently $1K/$10K/$50K/$100K)
• Bank account signatory details
• Specific role titles

4. Document Retention and Records Policy

Systematic records management ensuring legal compliance:

• Retention schedules by record type
• Electronic records handling
• Secure destruction procedures
• Litigation hold protocols

Key Customizations Needed:

• Specific state retention requirements
• Cloud storage vendor details
• Records custodian assignments

5. IP / Licensing Policy

Framework for managing intellectual property:

• Open source first philosophy (MIT License default)
• Contributor License Agreements
• Trademark protection
• Third-party license compliance

Key Customizations Needed:

• Default license selection (currently MIT)
• Patent strategy (currently minimal/defensive)
• Commercial licensing approach

6. Data Protection, Privacy, and Security Policy

Comprehensive data protection framework:

• Privacy by design principles
• Data Subject rights procedures
• Security controls and requirements
• Breach response protocols

Key Customizations Needed:

• Applicable privacy laws (CCPA, GDPR, state)
• Specific contact information
• Security tool specifications

Implementation Checklist

Phase 1: Legal Review (Weeks 1-2)

• Retain nonprofit attorney familiar with [STATE] law
• Review Bylaws against state nonprofit corporation statute
• Review all policies for legal compliance
• Obtain legal sign-off on final versions

Phase 2: Board Adoption (Week 3)

• Draft Board resolution adopting all policies
• Schedule Board meeting for adoption
• Present policies to Board with implementation plan
• Obtain Board votes and signatures
• Record adoption in Board minutes

Phase 3: IRS Filing (Week 4)

• Include Bylaws and Conflict of Interest Policy with Form 1023
• Ensure consistency across all submitted documents
• File Form 1023 or 1023-EZ

Phase 4: Operational Implementation (Weeks 5-8)

• Train Board on governance responsibilities
• Train staff on policies relevant to their roles
• Implement document retention procedures
• Set up secure storage for confidential records
• Establish privacy and security controls
• Configure CLA process for open source contributions
• Publish privacy notice on website

Phase 5: Ongoing Compliance (Ongoing)

• Annual Conflict of Interest disclosures
• Annual policy review
• Regular security assessments
• Quarterly authority matrix review
• Maintain Records of Processing Activities

Key Bracketed Placeholders to Complete

All documents contain [BRACKETED] placeholders that must be customized:

Organization Information

• [CIVICOS INSTITUTE] - Confirm official legal name
• [STATE OF INCORPORATION] - State of incorporation
• [DATE] - Adoption/effective dates

Financial Thresholds

• [$1,000] / [$10,000] / [$50,000] / [$100,000] - Adjust based on budget
• [$75] - Gift disclosure threshold
• [$100,000] - Key employee threshold

Roles and Contacts

• [privacy@civicos.org] - Privacy contact email
• [ORGANIZATION ADDRESS] - Mailing address
• [PHONE NUMBER] - Contact number

Numerical Values

• Board size: [3] minimum, [9] maximum
• Term lengths: [3] years
• Term limits: [2] consecutive terms
• Meeting frequency: [4] per year minimum
• Retention periods: [7] years standard

Governance Best Practices

Board Composition

• Aim for diverse expertise: technology, finance, law, nonprofit management
• Include at least one independent Director with no financial relationship
• Consider staggered terms for continuity
• Establish committee structure: Finance, Governance, Program

Conflict of Interest

• Conduct annual training on disclosure requirements
• Document all conflicts in meeting minutes
• Review related-party transactions annually
• Maintain signed annual statements for all covered persons

Financial Oversight

• Require dual signatures for checks over $10,000
• Review financial statements at every Board meeting
• Conduct annual independent audit
• Establish reserve fund policy (3-6 months operating expenses)

Open Source Governance

• Designate an Open Source Program Office (OSPO) or lead
• Implement automated license scanning
• Maintain clear contribution guidelines
• Build community around key projects

Data Protection

• Conduct Privacy Impact Assessments for new systems
• Maintain cyber liability insurance
• Test incident response plan annually
• Stay current on evolving privacy regulations

Document Relationships

┌─────────────────────────────────────────┐
│           ARTICLES OF INCORPORATION     │
│              (Highest Authority)        │
└─────────────────┬───────────────────────┘
                  │
┌─────────────────▼───────────────────────┐
│                BYLAWS                   │
│    (Board structure, procedures)        │
└─────────────────┬───────────────────────┘
                  │
    ┌─────────────┼─────────────┬─────────────┐
    │             │             │             │
    ▼             ▼             ▼             ▼
┌────────┐   ┌────────┐   ┌────────┐   ┌────────┐
│Conflict│   │Delegation│  │Document│   │  IP/   │
│Interest│   │Authority │  │Retention│   │Licensing│
│ Policy │   │ Matrix  │  │ Policy │   │ Policy │
└────────┘   └────────┘   └────────┘   └────────┘
                                              │
                                       ┌──────┘
                                       ▼
                              ┌────────────────┐
                              │Data/Privacy/   │
                              │Security Policy │
                              └────────────────┘

Next Steps for Director

1. Review all six documents for alignment with vision and values
2. Engage legal counsel for state-specific review
3. Customize bracketed placeholders with organization-specific details
4. Present to founding Board for discussion and adoption
5. File with IRS as part of 501(c)(3) application
6. Implement operational procedures to support policy compliance
7. Schedule annual reviews to keep policies current

Questions for Legal Counsel

Bylaws

1. Do these Bylaws comply with [STATE] nonprofit corporation law?
2. Should we include any specific provisions for virtual meetings?
3. Are the indemnification provisions compliant with state law?

Conflict of Interest

1. Are the disclosure thresholds appropriate for our organization size?
2. Do we need any specific provisions for family members of Directors?
3. How should we handle conflicts involving institutional funders?

Delegation of Authority

1. Are the signing authority limits appropriate for banking relationships?
2. Do we need any specific provisions for grant-funded projects?
3. How should we handle international contracts?

Document Retention

1. Are there any state-specific retention requirements we should add?
2. Do our cloud storage arrangements create any residency issues?
3. Are there specific requirements for grant-funded records?

IP/Licensing

1. Should we pursue any patent protection strategy?
2. How do we handle pre-existing IP from contractors?
3. Are there any conflicts between our open source goals and grant requirements?

Data/Privacy

1. Which privacy laws apply to our operations (CCPA, GDPR, state laws)?
2. Do we need a Data Protection Officer?
3. Are our security controls sufficient for our data types?

Document Version Control

Contact

For questions about this governance package, contact: [Secretary or Executive Director] [EMAIL] [PHONE]

Prepared for CivicOS Institute Draft Date: February 14, 2026 Status: READY FOR LEGAL REVIEW

Source: governance/Articles_of_Incorporation_Florida.md

ARTICLES OF INCORPORATION OF CIVICOS INSTITUTE

ARTICLE I: NAME

The name of the corporation is CivicOS Institute.

ARTICLE II: DURATION

The period of duration is perpetual.

ARTICLE III: PURPOSE

The corporation is organized exclusively for charitable, educational, and scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, or the corresponding section of any future federal tax code. The specific purposes for which the corporation is organized include:

(a) Conducting research and development in civic technology, open data systems, and digital public infrastructure; (b) Developing and maintaining open-source software platforms for civic engagement and governance; (c) Educating the public, policymakers, and technologists on best practices in civic technology; (d) Promoting transparency, accountability, and accessibility in democratic institutions; (e) Collaborating with public sector entities, academic institutions, and civil society organizations to improve civic systems; (f) Building and supporting communities of practice around civic technology and open government; (g) Publishing research, documentation, and educational materials related to civic technology; (h) Hosting conferences, workshops, and educational events related to civic technology and governance; (i) Providing technical assistance and consulting services to government entities and nonprofit organizations working in the public interest; (j) Any other lawful activities consistent with the foregoing purposes that are appropriate for a corporation exempt from federal income tax under Section 501(c)(3).

ARTICLE IV: PROHIBITED ACTIVITIES

Notwithstanding any other provision of these Articles, the corporation shall not:

(a) Engage in activities that do not further its exempt purposes; (b) Carry on propaganda or otherwise attempt to influence legislation, except as permitted by Section 501(h) of the Internal Revenue Code; (c) Participate in or intervene in any political campaign on behalf of or in opposition to any candidate for public office; (d) Allow any part of its net earnings to inure to the benefit of any private shareholder or individual; (e) Operate for the benefit of private interests, except as incidental to its exempt purposes; (f) Discriminate on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, age, or disability.

ARTICLE V: DISSOLUTION

Upon dissolution or winding up of the corporation, after paying or adequately providing for debts and obligations, the remaining assets shall be distributed to one or more qualifying exempt organizations:

(a) Organized and operated exclusively for charitable, educational, or scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code; (b) Qualified as exempt under Section 501(c)(3) of the Internal Revenue Code (or corresponding provisions of future law); (c) Selected by the Board of Directors at or before dissolution.

Under no circumstances shall any assets be distributed to private individuals or for private benefit.

ARTICLE VI: INITIAL REGISTERED AGENT AND OFFICE

The street address of the initial registered office is:

4884 Beresford Circle West Palm Beach, Florida 33417

The name of the initial registered agent at that address is:

Nicholas A. Cerbone

The registered agent has signed below indicating acceptance of this appointment.

ARTICLE VII: INITIAL BOARD OF DIRECTORS

The number of directors constituting the initial Board of Directors is 1. The names and addresses of the initial directors are:

1. Nicholas A. Cerbone 4884 Beresford Circle West Palm Beach, Florida 33417

ARTICLE VIII: INCORPORATOR

The name and address of the incorporator is:

Nicholas A. Cerbone 4884 Beresford Circle West Palm Beach, Florida 33417

ARTICLE IX: MEMBERSHIP

The corporation shall have no members. All governance authority is vested in the Board of Directors.

ARTICLE X: LIABILITY LIMITATION

To the fullest extent permitted by Florida law, no director or officer of the corporation shall be personally liable to the corporation or its members for monetary damages for breach of fiduciary duty as a director or officer, except for liability:

(a) For any breach of the director’s or officer’s duty of loyalty to the corporation; (b) For acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law; (c) Under Section 617.0834, Florida Statutes; or (d) For any transaction from which the director or officer derived an improper personal benefit.

ARTICLE XI: INDEMNIFICATION

The corporation shall indemnify any person who was or is a party or is threatened to be made a party to any threatened, pending, or completed action, suit, or proceeding by reason of the fact that such person is or was a director, officer, employee, or agent of the corporation, to the fullest extent permitted by Florida law.

ARTICLE XII: ADDITIONAL PROVISIONS

1. The corporation shall keep correct and complete books and records of account and shall keep minutes of the proceedings of its Board of Directors and any committees.

2. The corporation shall have a seal, which may be altered at the pleasure of the Board of Directors.

3. These Articles may be amended by the affirmative vote of two-thirds (2/3) of the directors then in office at any duly convened meeting, subject to approval by the appropriate state authority.

4. All references to sections of the Internal Revenue Code shall be to the Internal Revenue Code of 1986, as amended, or to corresponding provisions of subsequent federal tax laws.

5. If any provision of these Articles is held invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions, and these Articles shall be construed as if such invalid provision had never been contained herein.

CERTIFICATION

The undersigned incorporator certifies that he/she has executed these Articles of Incorporation on behalf of the corporation and that the statements contained herein are true and correct.

Nicholas A. Cerbone, Incorporator

Date: ___________

ACCEPTANCE OF APPOINTMENT AS REGISTERED AGENT

I, Nicholas A. Cerbone, hereby accept appointment as Registered Agent for CivicOS Institute and agree to serve as such in accordance with Florida Statutes.

Nicholas A. Cerbone, Registered Agent

Date: ___________

FILING CHECKLIST FOR FLORIDA

Before filing, ensure you have:

□ Completed all [BRACKETED] placeholders □ Registered Agent signature (required in Florida) □ Incorporator signature □ $70 filing fee (online or check/money order if mailing) □ Optional: $35 for name reservation (if you want to secure the name first) □ Optional: $30 for expedited processing (24 hours)

Filing Options:

1. ONLINE (Recommended): https://efile.sunbiz.org
   • Fastest processing (5-10 business days)
   • Immediate confirmation
   • Pay by credit card
2. BY MAIL:
   • Send to: New Filing Section, Division of Corporations, P.O. Box 6327, Tallahassee, FL 32314
   • Include check or money order payable to “Florida Department of State”
   • Processing: 10-15 business days
3. IN PERSON:
   • Clifton Building, 2661 Executive Center Circle, Tallahassee, FL
   • Same day processing available

After Filing: □ Download Certificate of Incorporation from Sunbiz □ Apply for EIN (if not already obtained) at irs.gov □ Open bank account □ File IRS Form 1023 or 1023-EZ for 501(c)(3) status

501(c)(3) COMPLIANCE NOTES

These Articles include all required provisions for 501(c)(3) status:

✓ Specific 501(c)(3) purpose language (Article III) ✓ Prohibition on private inurement (Article IV) ✓ Dissolution clause requiring assets go to other 501(c)(3)s (Article V) ✓ Limitation on legislative activities (Article IV(b)) ✓ Prohibition on political campaign activities (Article IV(c))

These provisions satisfy IRS requirements for tax-exempt status under Section 501(c)(3).

Source: governance/01_Bylaws.md

CIVICOS INSTITUTE BYLAWS

ARTICLE I: NAME AND PURPOSE

Section 1.01: Name

The name of this organization is [CIVICOS INSTITUTE], hereinafter referred to as the “Organization.”

Section 1.02: Existence

The Organization is a nonprofit corporation incorporated under the laws of [STATE OF INCORPORATION]. These Bylaws constitute the code of rules adopted by the Organization for the regulation and management of its affairs.

Section 1.03: Purpose

The Organization is organized exclusively for charitable, educational, and scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, or the corresponding section of any future federal tax code, including:

(a) Conducting research and development in civic technology, open data systems, and digital public infrastructure; (b) Developing and maintaining open-source software platforms for civic engagement and governance; (c) Educating the public, policymakers, and technologists on best practices in civic technology; (d) Promoting transparency, accountability, and accessibility in democratic institutions; (e) Collaborating with public sector entities, academic institutions, and civil society organizations to improve civic systems; (f) Any other lawful activities consistent with the foregoing purposes that are appropriate for a corporation exempt from federal income tax under Section 501(c)(3).

Section 1.04: Limitations

Notwithstanding any other provision of these Bylaws, the Organization shall not:

(a) Engage in activities that do not further its exempt purposes; (b) Carry on propaganda or otherwise attempt to influence legislation, except as permitted by Section 501(h) of the Internal Revenue Code; (c) Participate in or intervene in any political campaign on behalf of or in opposition to any candidate for public office; (d) Allow any part of its net earnings to inure to the benefit of any private shareholder or individual; (e) Operate for the benefit of private interests, except as incidental to its exempt purposes.

Upon dissolution of the Organization, all remaining assets shall be distributed to one or more qualifying exempt organizations selected by the Board of Directors, in accordance with Article XII of these Bylaws.

ARTICLE II: MEMBERSHIP

Section 2.01: Membership Structure

The Organization shall have no voting members. All governance authority is vested in the Board of Directors as described in Article III.

Section 2.02: Non-Voting Affiliates

The Board may establish categories of non-voting affiliates, advisors, or fellows who may participate in Organization activities and provide input to the Board, but who shall have no voting rights in Board matters. The rights, responsibilities, and qualifications of such affiliates shall be determined by Board policy.

ARTICLE III: BOARD OF DIRECTORS

Section 3.01: General Powers

All corporate powers shall be exercised by or under the authority of the Board of Directors. The Board shall oversee the affairs of the Organization, establish strategic direction, approve major policies, and ensure the Organization operates in accordance with its mission and applicable law.

Section 3.02: Number and Composition

The Board of Directors shall consist of no fewer than [THREE (3)] and no more than [NINE (9)] Directors. Within these limits, the Board may fix the exact number of Directors by resolution. The Board shall strive to maintain diverse representation across relevant expertise areas including: technology, civic/government affairs, nonprofit governance, finance, and community organizing.

Section 3.03: Qualifications

Directors must: (a) Be individuals at least eighteen (18) years of age; (b) Demonstrate commitment to the Organization’s mission; (c) Satisfy any additional qualifications established by Board policy; (d) Not be employees of the Organization (with the exception of the Executive Director, who may serve as an ex-officio, non-voting Director if the Board so determines).

Section 3.04: Election and Terms

(a) Initial Directors: The incorporator(s) shall appoint the initial Board of Directors, who shall serve until the first annual meeting or until their successors are elected.

(b) Subsequent Elections: Directors shall be elected by majority vote of the Directors then in office at any duly convened meeting of the Board. The Board shall establish a Nominating Committee responsible for identifying and vetting candidates.

(c) Terms: Each Director shall serve a term of [THREE (3)] years, or until their successor is elected and qualified. Directors may serve up to [TWO (2)] consecutive full terms, after which they must rotate off the Board for at least [ONE (1)] year before becoming eligible for re-election.

(d) Staggered Terms: To ensure continuity, Directors shall be divided into classes with staggered terms as nearly equal in number as possible.

Section 3.05: Resignation and Removal

(a) Resignation: Any Director may resign at any time by delivering written notice to the Chair of the Board, the Secretary, or the Board. Such resignation shall take effect at the time specified therein or, if no time is specified, upon receipt.

(b) Removal: Any Director may be removed, with or without cause, by a two-thirds (2/3) vote of the Directors then in office at a duly convened meeting. A Director who fails to attend [THREE (3)] consecutive regular Board meetings without excuse acceptable to the Board may be deemed to have resigned.

Section 3.06: Vacancies

Any vacancy occurring on the Board by reason of resignation, removal, death, or otherwise may be filled by majority vote of the remaining Directors, even if less than a quorum. A Director elected to fill a vacancy shall serve the unexpired term of their predecessor.

Section 3.07: Regular Meetings

The Board shall hold at least [FOUR (4)] regular meetings per year. The time and place of regular meetings shall be determined by the Board or the Chair. Notice of regular meetings shall be given at least [FIFTEEN (15)] days in advance, unless waived by all Directors.

Section 3.08: Special Meetings

Special meetings of the Board may be called by the Chair, the Executive Director, or by any [TWO (2)] Directors. Notice of special meetings, stating the date, time, place, and purpose, shall be given at least [SEVEN (7)] days in advance, unless waived by all Directors.

Section 3.09: Meeting Participation

Directors may participate in and act at any meeting through the use of conference telephone, video conference, or similar communications equipment by means of which all persons participating in the meeting can hear each other. Participation in such manner shall constitute presence in person at the meeting.

Section 3.10: Quorum

A majority of the number of Directors fixed by these Bylaws or Board resolution shall constitute a quorum for the transaction of business. If a quorum is not present at any meeting, a majority of the Directors present may adjourn the meeting to a future date.

Section 3.11: Voting

(a) Each Director shall have one vote. (b) The affirmative vote of a majority of Directors present at a meeting at which a quorum is present shall be the act of the Board, unless these Bylaws or applicable law require a greater vote. (c) Action may be taken by the Board without a meeting if all Directors consent in writing or by electronic transmission. Such consent shall have the same effect as a unanimous vote at a meeting.

Section 3.12: Compensation

Directors shall not receive compensation for their services as Directors. Directors may be reimbursed for reasonable expenses incurred in the performance of their duties, provided such reimbursement is approved in accordance with Organization policy.

Section 3.13: Committees of the Board

(a) Executive Committee: The Board may designate an Executive Committee consisting of at least three (3) Directors, including the Chair, Treasurer, and Secretary. The Executive Committee may exercise such powers as delegated by the Board, except those reserved to the full Board by law or these Bylaws. All actions of the Executive Committee shall be reported to the full Board at the next meeting.

(b) Other Committees: The Board may establish such other standing or special committees as it deems necessary or appropriate. Committee members need not be Directors, but any committee exercising Board authority must consist solely of Directors.

(c) Committee Charters: Each committee shall operate under a written charter approved by the Board, which shall specify the committee’s purpose, composition, authority, and reporting requirements.

ARTICLE IV: OFFICERS

Section 4.01: Officers

The officers of the Organization shall be: (a) Chair of the Board (may also be titled “President”); (b) Secretary; (c) Treasurer; (d) Such other officers as the Board may from time to time determine.

No individual may hold more than one of the offices of Chair, Secretary, and Treasurer simultaneously.

Section 4.02: Election and Terms

Officers shall be elected annually by the Board from among the Directors at the first regular meeting following the annual meeting of the Board. Each officer shall serve a one-year term or until their successor is elected and qualified. Officers may be re-elected for successive terms without limit.

Section 4.03: Removal and Vacancies

Any officer may be removed, with or without cause, by majority vote of the Directors then in office. Any vacancy in any office may be filled by the Board for the unexpired portion of the term.

Section 4.04: Chair of the Board

The Chair of the Board shall: (a) Preside at all meetings of the Board and Executive Committee; (b) Serve as the principal volunteer leader of the Organization; (c) Serve as an ex-officio member of all committees, unless otherwise provided; (d) In coordination with the Executive Director, set agendas for Board meetings; (e) Perform such other duties as may be prescribed by the Board.

Section 4.05: Secretary

The Secretary shall: (a) Ensure that accurate minutes are kept of all Board and Executive Committee meetings; (b) Ensure that all notices are duly given in accordance with these Bylaws; (c) Be custodian of the corporate records and the seal of the Organization, if any; (d) Maintain a current roster of Directors and officers; (e) Perform such other duties as may be prescribed by the Board or Chair.

Section 4.06: Treasurer

The Treasurer shall: (a) Serve as Chair of the Finance Committee, if any; (b) Oversee the management and investment of Organization funds; (c) Ensure that accurate financial records are maintained; (d) Present financial reports to the Board at each regular meeting; (e) Ensure that an annual audit or review is conducted by an independent accountant; (f) Perform such other duties as may be prescribed by the Board or Chair.

The Board may appoint an Assistant Treasurer or delegate day-to-day financial management to the Executive Director or staff, but ultimate oversight responsibility remains with the Treasurer.

Section 4.07: Other Officers

Other officers shall perform such duties as prescribed by the Board or by the officer’s job description.

ARTICLE V: EXECUTIVE DIRECTOR

Section 5.01: Appointment

The Board shall appoint an Executive Director who shall serve as the chief executive officer of the Organization. The Executive Director need not be a Director, but may serve as an ex-officio, non-voting Director if the Board so determines.

Section 5.02: Responsibilities

The Executive Director shall: (a) Serve as the chief executive officer responsible for day-to-day operations; (b) Implement policies and programs established by the Board; (c) Hire, supervise, and terminate staff and contractors, subject to the Delegation of Authority Matrix; (d) Manage the Organization’s budget and resources; (e) Report regularly to the Board on operations, finances, and strategic matters; (f) Serve as the primary spokesperson for the Organization; (g) Execute contracts and agreements within delegated authority limits; (h) Ensure compliance with all applicable laws and regulations; (i) Perform such other duties as may be prescribed by the Board.

Section 5.03: Evaluation

The Board shall conduct an annual performance evaluation of the Executive Director. The evaluation shall be conducted by the Chair or a designated committee and shall include review of progress toward organizational goals.

Section 5.04: Removal

The Executive Director may be removed by majority vote of the Directors then in office. The Executive Director shall be given [THIRTY (30)] days’ written notice of any proposed removal, unless the Board determines that immediate removal is necessary to protect the Organization’s interests.

ARTICLE VI: FINANCIAL ADMINISTRATION

Section 6.01: Fiscal Year

The fiscal year of the Organization shall be [JANUARY 1 – DECEMBER 31] unless otherwise determined by the Board.

Section 6.02: Annual Budget

The Executive Director shall prepare and submit to the Board for approval an annual operating budget before the beginning of each fiscal year. The Board may modify the budget as it deems appropriate.

Section 6.03: Budget Administration

The Executive Director is authorized to make expenditures within the approved budget. Expenditures exceeding budget line items by more than [TEN PERCENT (10%)] or [TEN THOUSAND DOLLARS ($10,000)], whichever is less, require prior Board approval.

Section 6.04: Audit

The Board shall cause an annual audit of the Organization’s financial statements to be conducted by an independent certified public accountant. The Treasurer shall present the audited financial statements to the Board for approval.

Section 6.05: Financial Controls

The Organization shall maintain adequate internal controls over financial transactions, including: (a) Segregation of duties among staff handling financial transactions; (b) Dual authorization for expenditures above specified thresholds; (c) Regular reconciliation of bank accounts; (d) Protection of assets through appropriate insurance coverage.

ARTICLE VII: MEETINGS AND VOTING PROCEDURES

Section 7.01: Notice

(a) Written or electronic notice of all meetings shall be given to each Director at their address or email as shown on Organization records. (b) Notice shall state the date, time, place (or electronic access information), and, for special meetings, the purpose. (c) A Director’s attendance at a meeting constitutes waiver of notice unless the Director attends solely to object to the transaction of business due to lack of notice.

Section 7.02: Waiver of Notice

(a) Any Director may waive notice of any meeting before or after the meeting. (b) Such waiver must be in writing or electronic form, signed by the Director entitled to notice, and filed with the minutes or corporate records.

Section 7.03: Quorum

(a) A quorum at any Board meeting shall be a majority of the Directors then in office. (b) Once a quorum is established, it shall not be broken by the withdrawal of Directors.

Section 7.04: Voting

(a) Each Director shall be entitled to one vote on each matter submitted to a vote. (b) Voting by proxy is not permitted. (c) Unless otherwise specified, matters shall be decided by majority vote of Directors present at a meeting at which a quorum exists. (d) The Chair shall vote only to break a tie, unless otherwise required by law.

Section 7.05: Action Without Meeting

Any action required or permitted to be taken at a meeting may be taken without a meeting if all Directors consent in writing or by electronic transmission. Such consent shall be filed with the minutes and have the same effect as a unanimous vote.

Section 7.06: Minutes

Minutes shall be kept of all Board and committee meetings and shall include: (a) Date, time, and place of the meeting; (b) Directors present and absent; (c) Principal matters discussed and decisions made; (d) Records of all votes taken; (e) Any conflicts of interest disclosed and how they were handled.

ARTICLE VIII: CONFLICTS OF INTEREST

Section 8.01: Policy Adoption

The Organization shall adopt and maintain a Conflict of Interest Policy consistent with the requirements of the Internal Revenue Service for 501(c)(3) organizations. The current version of such policy is incorporated by reference as if fully set forth herein.

Section 8.02: Duty to Disclose

Each Director, officer, and key employee has a duty to: (a) Disclose any actual, potential, or apparent conflict of interest; (b) Abstain from voting on any matter in which they have a conflict; (c) Recuse themselves from discussion of such matters unless specifically requested to provide information.

Section 8.03: Annual Statements

All Directors, officers, and key employees shall complete and sign an annual conflict of interest disclosure statement.

ARTICLE IX: INDEMNIFICATION

Section 9.01: General

The Organization shall indemnify any person who was or is a party or is threatened to be made a party to any threatened, pending, or completed action, suit, or proceeding by reason of the fact that such person is or was a Director, officer, employee, or agent of the Organization, to the fullest extent permitted by applicable law.

Section 9.02: Insurance

The Organization may purchase and maintain insurance on behalf of any person who is or was a Director, officer, employee, or agent of the Organization against any liability asserted against such person, whether or not the Organization would have the power to indemnify such person.

ARTICLE X: DOCUMENT RETENTION

Section 10.01: Policy Adoption

The Organization shall adopt and maintain a Document Retention and Destruction Policy consistent with applicable legal requirements. The current version of such policy is incorporated by reference.

ARTICLE XI: AMENDMENT

Section 11.01: Amendment of Bylaws

These Bylaws may be amended or repealed, and new Bylaws may be adopted, by a two-thirds (2/3) vote of the Directors then in office at any duly convened meeting, provided that notice of the proposed amendment shall have been included in the notice of such meeting or given to all Directors at least [SEVEN (7)] days prior to the meeting.

Section 11.02: Amendment of Articles of Incorporation

The Articles of Incorporation may be amended only by the affirmative vote of at least two-thirds (2/3) of the Directors then in office, subject to approval by the appropriate state authority.

ARTICLE XII: DISSOLUTION

Section 12.01: Voluntary Dissolution

The Organization may be dissolved only by a three-fourths (3/4) vote of the Directors then in office at a duly convened meeting called for that purpose.

Section 12.02: Distribution of Assets

Upon dissolution or winding up of the Organization, after paying or adequately providing for debts and obligations, the remaining assets shall be distributed to one or more exempt organizations: (a) Organized and operated exclusively for charitable, educational, or scientific purposes; (b) Qualified as exempt under Section 501(c)(3) of the Internal Revenue Code (or corresponding provisions of future law); (c) Selected by the Board of Directors at or before dissolution.

Under no circumstances shall any assets be distributed to private individuals or for private benefit.

Section 12.03: Compliance with Law

All dissolution proceedings shall be conducted in accordance with the laws of [STATE OF INCORPORATION] and the Internal Revenue Code.

ARTICLE XIII: MISCELLANEOUS

Section 13.01: Corporate Seal

The Organization may, but need not, adopt a corporate seal. If adopted, the seal shall be in such form as the Board may determine.

Section 13.02: Execution of Instruments

Contracts, deeds, and other instruments may be executed on behalf of the Organization by the Executive Director or such other officers or agents as the Board may designate. The Board may authorize the use of facsimile signatures.

Section 13.03: Construction

These Bylaws shall be construed in accordance with the laws of [STATE OF INCORPORATION].

Section 13.04: Severability

If any provision of these Bylaws is held invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions, and these Bylaws shall be construed as if such invalid provision had never been contained herein.

CERTIFICATION

These Bylaws were adopted by the Board of Directors of [CIVICOS INSTITUTE] on [DATE], and amended on the dates noted below:

Adopted: _________ [DATE]

Amended: _________ [DATE]

Amended: _________ [DATE]

Amended: _________ [DATE]

[NAME] Secretary

IMPLEMENTATION NOTES

1. Filling in Brackets: Replace all [BRACKETED] placeholders with organization-specific information before adoption.

2. State Law Compliance: Have an attorney review these Bylaws against the specific nonprofit corporation statutes of your state of incorporation. State law may require modifications.

3. IRS Filing: Submit these Bylaws with your Form 1023 or 1023-EZ application for 501(c)(3) status.

4. Regular Review: Schedule a review of these Bylaws every three (3) years or whenever there is a significant change in operations or law.

5. Committee Charters: Develop detailed charters for each Board committee referenced in Article III, Section 3.13.

6. Policies: Develop supporting policies referenced herein (Conflict of Interest, Document Retention, Delegation of Authority, etc.) concurrently with Bylaws adoption.

Source: governance/02_Conflict_of_Interest_Policy.md

CIVICOS INSTITUTE

CONFLICT OF INTEREST POLICY

PURPOSE

This Conflict of Interest Policy (“Policy”) is designed to ensure that the interests of CivicOS Institute (the “Organization”) are protected and advanced at all times, and that decisions made by Directors, officers, and key employees are made in the best interest of the Organization, free from any personal, financial, or other conflicting interests.

This Policy is adopted in compliance with the requirements of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, and the regulations promulgated thereunder. Compliance with this Policy is a condition of service as a Director, officer, or key employee of the Organization.

SECTION 1: DEFINITIONS

1.1 Conflict of Interest

A “Conflict of Interest” exists when a person’s personal, financial, professional, or other interests conflict—or appear to conflict—with the interests of the Organization. Conflicts may be:

(a) Actual: A direct conflict between personal interests and organizational interests; (b) Potential: A situation that could develop into an actual conflict; (c) Apparent: A situation that would appear to a reasonable observer to create a conflict, whether or not an actual conflict exists.

1.2 Interested Person

An “Interested Person” is any Director, officer, or key employee of the Organization who has a direct or indirect financial interest, as defined below, or any other interest that could conflict with the interests of the Organization.

1.3 Financial Interest

A person has a “Financial Interest” if they have, directly or indirectly, through business, investment, or family:

(a) An ownership or investment interest in any entity with which the Organization has a transaction or arrangement; (b) A compensation arrangement with the Organization or with any entity with which the Organization has a transaction or arrangement; (c) A potential ownership or investment interest in, or compensation arrangement with, any entity with which the Organization is negotiating a transaction or arrangement; (d) A family member who has any of the interests described above. “Family member” includes a spouse, domestic partner, parent, child, sibling, or any relative sharing the same household.

1.4 Key Employee

“Key Employee” means any employee or contractor who: (a) Has responsibilities that allow them to exercise substantial influence over the Organization’s affairs; (b) Receives total compensation exceeding [ONE HUNDRED THOUSAND DOLLARS ($100,000)] annually; (c) Is designated as a key employee by the Board of Directors.

1.5 Non-Financial Interest

A “Non-Financial Interest” includes personal relationships, organizational affiliations, or other interests that could influence or appear to influence a person’s objectivity, even if no money is involved.

SECTION 2: DUTY OF LOYALTY

2.1 Fiduciary Duty

Directors, officers, and key employees owe a fiduciary duty of loyalty to the Organization. This duty requires that they:

(a) Act in good faith and in the best interests of the Organization; (b) Place the interests of the Organization above personal interests; (c) Exercise independent judgment free from outside influence; (d) Avoid situations that create actual, potential, or apparent conflicts of interest.

2.2 Duty of Care

Directors, officers, and key employees shall exercise the care an ordinarily prudent person would exercise in similar circumstances, including:

(a) Being informed about matters before the Board or relevant to their responsibilities; (b) Participating actively in deliberations; (c) Seeking independent advice when appropriate; (d) Making decisions based on all relevant information reasonably available.

2.3 Duty of Obedience

Directors, officers, and key employees shall ensure the Organization operates within its mission and in compliance with all applicable laws and regulations.

SECTION 3: DISCLOSURE REQUIREMENTS

3.1 Annual Disclosure

Each Director, officer, and key employee shall complete and sign the Organization’s Annual Conflict of Interest Disclosure Statement within thirty (30) days of: (a) Beginning service with the Organization; (b) The start of each fiscal year thereafter; (c) Whenever their circumstances change materially.

3.2 Contents of Annual Statement

The Annual Disclosure Statement shall require disclosure of:

(a) All entities in which the person has an ownership or investment interest of more than [FIVE PERCENT (5%)]; (b) All compensation arrangements with the Organization; (c) All business relationships with entities that do business with or compete with the Organization; (d) All family members’ interests as defined in Section 1.3(d); (e) Any other facts or circumstances that could create a conflict of interest; (f) Any positions held with other organizations that might create conflicts.

3.3 Transactional Disclosure

In addition to annual disclosure, each Director, officer, and key employee must disclose any actual or potential conflict of interest:

(a) Immediately upon becoming aware of the conflict; (b) Before participating in any discussion or vote related to the matter; (c) In writing or verbally at the beginning of the relevant meeting, to be recorded in the minutes.

3.4 Gifts and Gratuities

Directors, officers, and key employees must disclose:

(a) Any gifts or gratuities received from vendors, contractors, donors, or others doing business with the Organization valued at more than [SEVENTY-FIVE DOLLARS ($75)]; (b) Any entertainment or hospitality that is excessive or could reasonably be perceived as intended to influence official action; (c) Gifts or benefits provided to family members as described above.

SECTION 4: PROCEDURES FOR ADDRESSING CONFLICTS

4.1 Identification of Conflict

When a potential conflict is disclosed or identified:

(a) The Interested Person shall disclose all material facts; (b) The Board or relevant committee shall determine whether a conflict exists; (c) The determination shall be documented in the meeting minutes.

4.2 Recusal Requirements

When a Director, officer, or key employee has a conflict of interest with respect to a matter:

(a) They shall leave the meeting during discussion of the matter, unless specifically requested to provide information; (b) They shall not vote on the matter; (c) They shall not attempt to influence the vote outside the meeting; (d) They shall not be counted for quorum purposes for that matter; (e) Their absence and recusal shall be recorded in the minutes.

4.3 Independent Review

Before approving any transaction involving a conflict of interest:

(a) The disinterested Directors shall review the material facts; (b) Appropriate due diligence shall be conducted; (c) Comparable market data shall be obtained when relevant; (d) The transaction shall be determined to be fair and reasonable to the Organization; (e) The transaction shall be determined to be in the best interests of the Organization.

4.4 Documentation

All proceedings related to conflicts of interest shall be documented in the minutes, including:

(a) The nature of the disclosed conflict; (b) The name of the Interested Person; (c) The determination that a conflict exists; (d) The individuals present during discussion; (e) The content of the discussion; (f) Any comparisons to market rates or other due diligence; (g) The vote taken and the result; (h) The determination that the transaction is fair and reasonable.

4.5 Arm’s Length Terms

Any transaction with an Interested Person shall be conducted on arm’s length terms no less favorable to the Organization than would be available from an unrelated party. The Board must specifically approve any compensation or contractual terms.

SECTION 5: PROHIBITED TRANSACTIONS

5.1 Prohibited Arrangements

The following are prohibited without prior approval by the Board after full disclosure:

(a) Loans to Directors, officers, or key employees; (b) Guarantees of personal obligations of Directors, officers, or key employees; (c) Sale, lease, or exchange of Organization property to an Interested Person; (d) Purchase of property from an Interested Person; (e) Compensation arrangements with family members of Directors or officers, unless following an open competitive process; (f) Any other transaction that would result in private inurement or excess benefit.

5.2 Excess Benefit Transactions

No Director, officer, or key employee shall receive any benefit from the Organization that is excessive or unreasonable compared to benefits provided by similar organizations for similar services or property.

5.3 Political Activities

No Organization resources shall be used to support or oppose any candidate for public office or any political party, and no Director, officer, or key employee shall use their position to engage in partisan political activities.

SECTION 6: COMMON CONFLICT SCENARIOS

6.1 Compensation Decisions

When determining compensation for an Interested Person:

(a) The person shall recuse themselves from discussion and voting; (b) The Board shall use appropriate comparability data; (c) The decision shall be documented; (d) Independent Directors shall approve the compensation.

6.2 Business Relationships

If an Interested Person or their business has a relationship with a vendor, grantee, or contractor:

(a) Full disclosure is required; (b) Competitive bidding should be used when practicable; (c) The relationship must be demonstrably fair to the Organization; (d) The Board must approve the relationship after recusal.

6.3 Board Service on Other Organizations

Service on multiple boards can create conflicts:

(a) Directors shall disclose board memberships; (b) Potential conflicts arising from dual service must be disclosed; (c) Directors shall not share confidential information between organizations; (d) Directors shall recuse themselves when organizations have competing interests.

6.4 Employment of Family Members

Employment or contracting with family members requires:

(a) Prior Board approval; (b) Disclosure of the relationship; (c) Compliance with all Organization employment policies; (d) Documentation that the arrangement is in the best interest of the Organization; (e) No reporting relationship between family members.

SECTION 7: INVESTIGATION AND ENFORCEMENT

7.1 Duty to Report

All Directors, officers, and key employees have a duty to report suspected violations of this Policy to the Chair of the Board or, if the Chair is involved, to another Director.

7.2 Investigation

Upon receipt of a report of a potential violation:

(a) The Chair (or designated Director) shall review the allegation; (b) If warranted, an investigation shall be conducted; (c) The investigation shall be documented; (d) The results shall be reported to the Board or Executive Committee; (e) The Interested Person shall have an opportunity to respond.

7.3 Corrective Actions

If a violation of this Policy is confirmed, the Board may take appropriate corrective action, including:

(a) Requiring additional disclosure; (b) Requiring recusal from specific matters; (c) Requiring divestment of conflicting interests; (d) Suspension of the person from their position; (e) Removal from the Board or termination of employment; (f) Legal action to recover damages; (g) Reporting to appropriate authorities if laws were violated.

7.4 No Retaliation

The Organization prohibits retaliation against any person who reports a potential conflict in good faith, even if the report is later determined to be unsubstantiated.

SECTION 8: EDUCATION AND TRAINING

8.1 Orientation

All new Directors, officers, and key employees shall receive a copy of this Policy and complete an orientation on their duties and responsibilities within thirty (30) days of assuming their position.

8.2 Annual Review

All Directors, officers, and key employees shall review this Policy annually and acknowledge in writing their understanding and agreement to comply.

8.3 Ongoing Education

The Organization shall provide periodic training on conflict of interest issues, including: (a) Recognition of potential conflicts; (b) Proper disclosure procedures; (c) Recusal requirements; (d) Documentation requirements.

SECTION 9: RECORD KEEPING

9.1 Confidentiality

Disclosure statements and related documents shall be treated as confidential and shall be: (a) Maintained by the Secretary or designee; (b) Accessible only to the Board, auditors, and legal counsel; (c) Stored securely with appropriate access controls; (d) Retained for [SEVEN (7)] years after the person’s service ends.

9.2 Access

Directors may review their own disclosure statements upon request. Access to others’ statements requires a majority vote of the Board with a legitimate need to know.

SECTION 10: ANNUAL CERTIFICATION

Each Director, officer, and key employee shall annually sign and return the following certification:

ANNUAL CONFLICT OF INTEREST CERTIFICATION

I, _____________, certify that:

1. I have received and read the Conflict of Interest Policy of CivicOS Institute;
2. I understand my obligations under this Policy;
3. I have disclosed all actual and potential conflicts of interest as required;
4. I agree to comply with this Policy and promptly disclose any future conflicts;
5. I understand that failure to comply may result in removal from my position.

I have the following interests to disclose (attach additional sheets if necessary):

Signature: _________ Date: _______

Print Name: __________

Position: __________

SECTION 11: REVIEW AND AMENDMENT

This Policy shall be reviewed annually by the Board and amended as necessary to ensure compliance with applicable law and best practices. Any amendments must be approved by the Board of Directors.

SECTION 12: EFFECTIVE DATE

This Conflict of Interest Policy is effective as of [DATE] and supersedes all prior policies on this subject.

ADOPTED BY THE BOARD OF DIRECTORS:

Date: _______

[NAME], Secretary

APPENDIX A: COMMON EXAMPLES OF CONFLICTS OF INTEREST

The following are examples of situations that may create conflicts of interest. This list is illustrative, not exhaustive:

1. Compensation Arrangements
   • Voting on one’s own salary or benefits
   • Influencing the compensation of a family member
   • Receiving payments from Organization vendors
2. Business Relationships
   • Selling goods or services to the Organization
   • Purchasing goods or services from the Organization below market rates
   • Having an ownership interest in an Organization vendor or competitor
3. Governance Conflicts
   • Serving on the board of a competing organization
   • Using Organization resources for personal benefit
   • Disclosing confidential information for personal advantage
4. Gift Relationships
   • Accepting substantial gifts from vendors or grantees
   • Receiving entertainment that could influence decision-making
   • Offering preferential treatment to gift-givers
5. Employment Conflicts
   • Hiring or supervising family members
   • Influencing the hiring of friends or associates
   • Making personnel decisions affecting someone with whom one has a personal relationship

APPENDIX B: DISCLOSURE STATEMENT TEMPLATE

CONFLICT OF INTEREST DISCLOSURE STATEMENT

Personal Information Name: ____________ Position: __________ Date: ____________ Fiscal Year: ___________

Employment and Compensation

1. Do you receive compensation from the Organization? ☐ Yes ☐ No If yes, describe: _______

2. Do any family members receive compensation from the Organization? ☐ Yes ☐ No If yes, describe: _______

Business Interests

1. Do you have an ownership interest (>5%) in any entity that does business with the Organization? ☐ Yes ☐ No If yes, describe: _______

2. Do you serve on the board of or have a fiduciary duty to any organization that does business with or competes with the Organization? ☐ Yes ☐ No If yes, describe: _______

Financial Relationships

1. Do you have any financial relationship with any Organization vendor, grantee, or contractor? ☐ Yes ☐ No If yes, describe: _______

2. Are you negotiating any transaction or arrangement with the Organization? ☐ Yes ☐ No If yes, describe: _______

Gifts and Gratuities

1. Have you received any gifts or gratuities from Organization-related parties valued over $75? ☐ Yes ☐ No If yes, describe: _______

Other Potential Conflicts

1. Are you aware of any other circumstances that could create a conflict of interest? ☐ Yes ☐ No If yes, describe: _______

Certification I certify that the information provided above is true and complete to the best of my knowledge.

Signature: _________ Date: _______

IMPLEMENTATION CHECKLIST

• Board formally adopts Policy
• Policy distributed to all Directors, officers, and key employees
• Initial disclosure statements collected from all covered persons
• Orientation/training conducted
• Annual review process established
• Documentation procedures implemented
• Secure storage system established for disclosure statements
• Process for handling conflicts communicated to all stakeholders

Source: governance/03_Delegation_of_Authority_Matrix.md

CIVICOS INSTITUTE

DELEGATION OF AUTHORITY MATRIX

PURPOSE

This Delegation of Authority Matrix (“Matrix”) establishes clear boundaries for decision-making authority within CivicOS Institute (the “Organization”). It defines who has the power to:

• Sign contracts and legal documents
• Commit organizational funds
• Make binding commitments on behalf of the Organization
• Hire, manage, and terminate personnel
• Approve expenditures at various thresholds

This Matrix is a living document that shall be reviewed annually and updated as needed.

SECTION 1: DEFINITIONS

1.1 Authority Levels

1.2 Financial Thresholds

1.3 Contract Types

• Standard Contract: Routine agreements using Organization templates (e.g., standard NDAs, simple vendor agreements)
• Non-Standard Contract: Agreements with custom terms or significant liability exposure
• Strategic Contract: Multi-year agreements, partnership MOUs, major vendor relationships
• Employment Contract: Individual employment agreements
• Grant Agreement: Funding agreements with donors or recipients

SECTION 2: SIGNING AUTHORITY

2.1 Contract Signing Authority

*With specific written delegation from ED

2.2 Financial Document Signing Authority

*Primary signatory

2.3 Legal Document Signing Authority

SECTION 3: SPENDING AUTHORITY

3.1 Expenditure Approval Matrix

*New position creation requires Board notice; salary bands established by Board

3.2 Recurring vs. One-Time Expenses

3.3 Emergency Expenditure Authority

In emergency situations where delay would harm the Organization:

Emergency Expenditure Requirements:

• Must be necessary to prevent significant harm
• Must be documented within 24 hours
• Must be reported to Board at next meeting
• Retroactive Board ratification required for amounts over $[25,000]
• May not be used to circumvent normal approval processes

SECTION 4: PERSONNEL AUTHORITY

4.1 Hiring Authority

4.2 Compensation Authority

4.3 Termination Authority

SECTION 5: OPERATIONAL COMMITMENTS

5.1 Commitment Authority

5.2 Obligation Limits

No individual may commit the Organization to:

• Obligations exceeding their spending authority
• Multi-year commitments without appropriate approval
• Personal guarantees or surety obligations
• Unlimited liability or indemnification

SECTION 6: DELEGATION PROCEDURES

6.1 Formal Delegation

Authority may be formally delegated as follows:

6.2 Documentation of Delegation

All formal delegations must include:

• Scope of authority granted
• Financial limits, if applicable
• Duration of delegation
• Reporting requirements
• Conditions for revocation
• Signature of delegating authority

6.3 Revocation of Delegation

Delegation may be revoked by:

• The authority that granted it, at any time
• The Board, in its sole discretion
• Automatic revocation upon termination of employment
• Automatic revocation upon expiration of term

Revocation must be in writing and effective immediately upon notice.

SECTION 7: ACCOUNTABILITY AND REPORTING

7.1 Monthly Reporting

The Executive Director shall provide monthly reports to the Board including:

• Contracts executed (summary)
• Expenditures exceeding $[10,000]
• Personnel changes
• Emergency expenditures

7.2 Quarterly Reporting

The Treasurer shall provide quarterly reports including:

• All contracts exceeding $[25,000]
• Budget variance analysis
• Commitments and obligations outstanding
• Compliance with spending authority limits

7.3 Annual Review

The Board shall annually review:

• This Delegation Matrix
• Effectiveness of delegation structure
• Any proposed changes to authority levels
• Compliance and exceptions

7.4 Documentation Requirements

All delegations of authority must be documented:

• Contracts: Retained per Document Retention Policy
• Approvals: Evidence of approval attached to expenditure
• Delegations: Written documentation on file
• Reports: Minutes or written summaries

SECTION 8: PROHIBITED ACTIONS

The following actions are prohibited regardless of authority level:

1. Self-Dealing: No individual may approve a transaction in which they have a personal financial interest
2. Splitting Transactions: Breaking a single transaction into multiple smaller ones to circumvent authority limits
3. Retroactive Approval: Seeking approval after a commitment has been made, except in genuine emergencies
4. Conditional Commitments: Making commitments “subject to Board approval” without prior Board indication
5. Personal Liability: Committing to personal liability on behalf of the Organization
6. Gift Restrictions: Accepting gifts with conditions that violate Organization policy or law
7. Political Activity: Authorizing partisan political activities or campaign intervention

SECTION 9: EXCEPTIONS AND OVERRIDE

9.1 Board Override

The Board retains ultimate authority and may:

• Override any delegated decision
• Require additional approvals for specific matters
• Modify authority levels for specific transactions
• Suspend delegation in extraordinary circumstances

9.2 Conflict Resolution

If there is uncertainty about authority:

1. The matter shall be escalated to the next higher authority level
2. Legal counsel may be consulted
3. The conservative interpretation shall prevail pending resolution
4. The Board shall be notified of material ambiguities

SECTION 10: AMENDMENT

This Delegation of Authority Matrix may be amended by:

• Board resolution for changes to Board-level authority
• Board resolution for changes to ED-level authority
• ED with Board notice for administrative clarifications

APPENDIX A: SIGNATORY CARD TEMPLATE

BANK SIGNATORY AUTHORIZATION

Authorized Signatories for Account #[ACCOUNT NUMBER]

Dual Signature Required For: Amounts exceeding $[10,000]

APPENDIX B: DELEGATION CERTIFICATE TEMPLATE

CERTIFICATE OF DELEGATION

I, _____________, [TITLE], delegate to:

Name: ____________ Title: ____________

the following authority:

☐ Contract signing up to $_____ ☐ Expenditure approval up to $___ ☐ Hiring authority for positions up to: _______ ☐ Other: _________________

Conditions: _________________________

Duration: ☐ Ongoing ☐ Until: _______ ☐ Revocable at will

Reporting Requirements: _________________________

This delegation does not include authority to further delegate without written consent.

Delegating Authority: _________ Date: _______

Accepting Authority: __________ Date: _______

APPENDIX C: QUICK REFERENCE CHART

WHO CAN APPROVE WHAT?

IMPLEMENTATION NOTES

1. Customize Thresholds: Adjust all bracketed dollar amounts based on Organization budget size and risk tolerance
2. Bank Documentation: Provide this Matrix to all banking institutions holding Organization funds
3. Training: Train all authorized signatories on their responsibilities
4. Insurance: Ensure appropriate Directors & Officers (D&O) and fidelity bond coverage
5. Annual Review: Review and update this Matrix as part of annual governance review
6. Legal Review: Have an attorney review to ensure compliance with state law and banking requirements

Source: governance/04_Document_Retention_Policy.md

Document Retention & Records Policy

Document Number: 04
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Approved By: [BOARD/EXECUTIVE BODY]

1. Purpose and Scope

1.1 Purpose

This Document Retention & Records Policy establishes consistent guidelines for the creation, retention, storage, and destruction of organizational records for [ORGANIZATION NAME] (“Organization”). This policy ensures compliance with legal and regulatory requirements, supports operational efficiency, and protects the Organization from liability associated with improper records management.

1.2 Scope

This policy applies to:

• All Personnel: Board members, officers, employees, volunteers, contractors, and agents
• All Records: Regardless of format (paper, electronic, audio, video, photographic)
• All Locations: Physical offices, remote work environments, cloud storage, and third-party services
• All Activities: Past, present, and future organizational operations

2. Records Classification and Retention Requirements

2.1 Permanent Retention (Indefinite)

The following records must be retained permanently:

Storage: Fireproof safe or secure offsite facility with climate control. Digital copies in redundant, encrypted cloud storage with geographic distribution.

2.2 Financial Records (7 Years)

The following financial records must be retained for seven (7) years:

Storage: Secure filing system with limited access. Digital records encrypted with role-based access controls.

2.3 Operational Records (3-7 Years)

*Exception: Emails related to litigation, regulatory matters, or permanent retention categories must be retained according to those categories.

2.4 Short-Term Retention (1-3 Years)

2.5 Immediate Destruction (Upon Processing)

The following may be destroyed immediately after processing:

• Junk mail and spam
• Duplicate copies (unless serving a specific purpose)
• Transitory communications (meeting scheduling, lunch orders)
• Superseded drafts with no historical value
• Convenience copies of official records

3. Electronic Records Management

3.1 Electronic Storage Standards

Cloud Storage Requirements:

• Use Organization-approved cloud providers only: [PROVIDER NAMES]
• Minimum encryption: AES-256 at rest, TLS 1.3 in transit
• Geographic redundancy: Data replicated across minimum [NUMBER] regions
• Access logging enabled for all repositories
• Version history maintained for [DURATION]

Prohibited Storage:

• Personal cloud accounts (Dropbox personal, Google Drive personal, etc.)
• Unencrypted removable media (USB drives, external hard drives)
• Personal email accounts for Organization business
• Public file-sharing services without password protection and expiration dates

3.2 Backup Procedures

3.3 Email Retention

Automatic Archival:

• All emails retained in searchable archive for 3 years
• Litigation hold suspends automatic deletion
• Users may not manually delete emails subject to hold

Mailbox Management:

• Active mailbox size limit: [SIZE] per user
• Auto-archival to compliant storage after [TIME PERIOD]
• Personal folders must sync to approved cloud storage

4. Records Destruction Procedures

4.1 Destruction Authorization

No records may be destroyed without proper authorization:

1. Department Head Review: Identifies records eligible for destruction
2. Legal/Compliance Review: Confirms no litigation holds or regulatory requirements
3. Approval: [DESIGNATED OFFICIAL] authorizes destruction
4. Execution: Approved destruction method applied
5. Certificate of Destruction: Documentation maintained per retention schedule

4.2 Destruction Methods

4.3 Destruction Schedule

Quarterly Review:

• Records eligible for destruction identified
• Hold verification conducted
• Destruction batch approved

Annual Certification:

• Complete inventory of destroyed records
• Certificates of destruction filed
• Policy compliance attestation to Board

5. Litigation Hold Procedures

5.1 Triggering Events

A litigation hold (“legal hold”) must be implemented upon:

• Receipt of subpoena, discovery request, or other legal process
• Threatened or pending litigation (internal or external)
• Regulatory investigation or audit notice
• Internal investigation where records may be relevant
• Reasonable anticipation of legal action

5.2 Hold Implementation

Step 1: Notice (Within 24 Hours)

• DESIGNATED LEGAL COUNSEL issues litigation hold notice
• Notice distributed to all relevant personnel
• IT/Systems Administrator implements technical holds

Step 2: Identification

• Identify all custodians with potentially relevant records
• Map all relevant systems, devices, and storage locations
• Document scope of relevant time period and subject matter

Step 3: Preservation

• Suspend automatic deletion protocols
• Preserve records in native format with metadata
• Create forensic images when necessary
• Prevent custodian self-collection

Step 4: Monitoring

• Quarterly reminders to custodians
• Updated notices as litigation scope changes
• New employee onboarding to hold obligations

5.3 Hold Release

• Hold released only upon written authorization from DESIGNATED LEGAL COUNSEL
• Release documented with date, scope, and authorization
• Normal retention resumes for non-hold records
• Hold-related records retained per litigation outcome

5.4 Hold Documentation

Maintain for duration of litigation plus 7 years:

• Original hold notice and all updates
• Custodian acknowledgment receipts
• Hold compliance certifications
• Records produced in litigation

6. Roles and Responsibilities

6.1 Board of Directors

• Approve Document Retention & Records Policy
• Review annual compliance reports
• Authorize exceptions in extraordinary circumstances

6.2 Executive Director / CEO

• Overall accountability for policy implementation
• Appoint Records Management Officer
• Approve destruction of significant record categories

6.3 Records Management Officer

Designated Officer: [NAME/TITLE]

• Day-to-day administration of retention program
• Develop and maintain retention schedules
• Coordinate litigation hold implementation
• Conduct training and awareness programs
• Maintain certificates of destruction

6.4 Department Heads

• Implement department-specific retention procedures
• Identify records eligible for destruction
• Ensure staff compliance with retention requirements
• Report suspected violations

6.5 All Personnel

• Comply with all retention and destruction requirements
• Maintain records in approved systems only
• Report litigation triggers immediately
• Complete required training

6.6 IT / Systems Administrator

• Implement technical controls for retention
• Execute secure deletion procedures
• Maintain backup and archival systems
• Support litigation hold technical requirements

7. Privacy and Confidentiality

7.1 Confidential Records

Records containing the following require enhanced handling:

• Personally identifiable information (PII)
• Protected health information (PHI)
• Financial account numbers
• Social Security Numbers
• Donor financial information
• Personnel medical information
• Attorney-client privileged communications

7.2 Handling Requirements

Access Control:

• Role-based access on need-to-know basis
• Multi-factor authentication for sensitive repositories
• Access logging and quarterly review

Transmission:

• Encryption required for all external transmission
• Secure file transfer for files exceeding [SIZE]
• Password-protected documents with separate password delivery

Disposal:

• Immediate shredding for paper documents
• Cryptographic erasure for electronic files
• Certificate of destruction for bulk disposal

8. Compliance and Monitoring

8.1 Training Requirements

8.2 Audit and Review

Annual Internal Audit:

• Random sample of record categories
• Compliance with retention schedules
• Secure destruction verification
• Litigation hold compliance

Policy Review:

• Full policy review every [NUMBER] years
• Ad hoc updates for legal/regulatory changes
• Board approval for material amendments

8.3 Violations and Remedies

Policy Violations:

• Failure to follow retention schedules
• Unauthorized destruction of records
• Storage in non-approved systems
• Failure to report litigation triggers

Consequences:

• First occurrence: Remedial training
• Repeated occurrences: Disciplinary action up to and including termination
• Legal violations: Referral to legal counsel

9. Implementation Notes

9.1 Immediate Actions (0-30 Days)

• Designate Records Management Officer
• Inventory existing record categories
• Identify and contract with secure destruction vendor
• Implement litigation hold notification procedures
• Deploy records management training for all staff

9.2 Short-Term Actions (30-90 Days)

• Audit current storage systems for compliance
• Migrate non-compliant records to approved systems
• Establish backup verification procedures
• Create department-specific retention guides
• Implement access control reviews

9.3 Ongoing Actions

• Quarterly destruction batch processing
• Annual policy training refresh
• Annual compliance audit
• Regular review of retention schedules against legal requirements

9.4 Template Forms

The following supporting documents should be developed:

• Records Destruction Request Form
• Certificate of Destruction Template
• Litigation Hold Notice Template
• Hold Release Authorization Form
• Quarterly Compliance Report Template

10. Policy Exceptions

Exceptions to this policy require:

1. Written request with business justification
2. Legal counsel review and approval
3. [DESIGNATED EXECUTIVE] authorization
4. Documentation of exception and duration
5. Annual review of ongoing exceptions

No exceptions may circumvent legal or regulatory retention requirements.

Document Control

Acknowledgment

I have received, read, and understood the Document Retention & Records Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________
Signature: _________
Date: _________

Source: governance/05_IP_Licensing_Policy.md

Intellectual Property & Licensing Policy

Document Number: 05
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Approved By: [BOARD/EXECUTIVE BODY]

1. Purpose and Scope

1.1 Purpose

This Intellectual Property & Licensing Policy establishes guidelines for the creation, protection, management, and licensing of intellectual property assets for [ORGANIZATION NAME] (“Organization”). This policy ensures that IP assets are properly identified, protected, and leveraged to advance the Organization’s mission while respecting the rights of others and complying with open source community norms.

1.2 Scope

This policy applies to:

• All Personnel: Board members, officers, employees, volunteers, contractors, interns, and contributors
• All IP Types: Copyrights, trademarks, patents, trade secrets, and proprietary information
• All Activities: Research, development, content creation, software development, and collaboration
• All Works: Created during organizational activities, using organizational resources, or within scope of engagement

2. IP Ownership Framework

2.1 Work-for-Hire and Assignment

Employee-Created IP: All intellectual property created by employees within the scope of their employment is the exclusive property of the Organization. This includes, but is not limited to:

• Software code and documentation
• Research findings and publications
• Educational materials and curricula
• Designs, graphics, and multimedia content
• Processes, methodologies, and know-how
• Data sets and databases

Contractor-Created IP: All contractor engagements must include explicit IP assignment clauses ensuring Organization ownership of deliverables. Standard contract language requires:

• Assignment of all IP rights in deliverables
• License to underlying pre-existing IP incorporated into deliverables
• Waiver of moral rights where applicable
• Cooperation in registration and enforcement

Volunteer and Contributor IP: Volunteers and external contributors must execute a Contributor License Agreement (CLA) or equivalent assignment before contributions are accepted. See Section 6 for CLA requirements.

2.2 Pre-Existing IP

Personnel retain ownership of IP developed:

• Prior to engagement with Organization
• Outside scope of employment/engagement
• Without use of organizational resources
• Unrelated to organizational mission or activities

Personnel must disclose pre-existing IP that may relate to organizational work to avoid conflicts.

2.3 Joint Development

When IP is developed jointly with third parties:

• Execute joint development agreement before work commences
• Define ownership splits, licensing rights, and commercialization
• Establish decision-making authority for enforcement and licensing
• Document each party’s contributions

3. Open Source Licensing Policy

3.1 Philosophy and Preferences

The Organization is committed to open source principles and supports broad access to its innovations. Our licensing philosophy prioritizes:

1. Mission advancement over commercial restrictions
2. Adoption and impact through permissive terms
3. Community collaboration through standard licenses
4. Attribution to recognize contributions

3.2 License Selection Framework

Tier 1: Preferred Licenses (Default)

Tier 2: Acceptable with Justification

Tier 3: Prohibited or Restricted

3.3 License Selection Process

Default Path (No Legal Review Required):

1. Evaluate whether Tier 1 license meets needs
2. If yes, apply MIT (software) or CC BY 4.0 (content)
3. Document license choice in project README

Escalation Path (Requires Legal Review):

1. Tier 2 license under consideration
2. Multiple license types in single project
3. Mixed proprietary/open source components
4. Third-party code with conflicting licenses

Approval Authority:

• Board of Directors: Tier 3 licenses or exceptions

3.4 Dual Licensing

Dual licensing (offering same code under multiple licenses) requires:

• Legal counsel review of compatibility
• Board approval for commercial licensing track
• Clear documentation of terms for each license
• Contributor consent for dual-licensed contributions

3.5 License Application Requirements

Every open source release must include:

1. LICENSE file with full license text
2. Copyright notice in README and source headers
3. NOTICE file for Apache 2.0 or attribution-required licenses
4. CONTRIBUTING.md with CLA requirements
5. Code of Conduct reference

Standard Copyright Header:

Copyright [YEAR] [ORGANIZATION NAME]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

4. Proprietary IP Protection

4.1 Trademark Policy

Trademark Portfolio: The Organization protects its brand through trademark registration and proper use guidelines.

Permitted Use (by Others):

• Reference to Organization in factual, non-trademark manner
• Nominative fair use in comparative or descriptive contexts
• Use under express license or partnership agreement

Prohibited Use:

• Use likely to cause confusion with Organization
• Use implying endorsement not granted
• Use in domain names without authorization
• Use of confusingly similar marks

Trademark Licensing:

• License agreements required for trademark use
• Quality control provisions required
• Termination for breach or brand harm
• Geographic and scope limitations

4.2 Patent Policy

Patent Strategy: The Organization generally avoids patenting innovations, preferring publication and open source release to establish prior art. Patent applications require Board approval and are only pursued when:

• Significant defensive value against patent trolls
• Strategic partnership requires patent protection
• Commercial licensing strategy approved

Patent Pledge: Any Organization patents are licensed royalty-free for:

• Open source implementations
• Non-commercial research and education
• Products furthering Organization mission

Invention Disclosure: Personnel must disclose potentially patentable inventions to [DESIGNATED IP OFFICER] within 30 days of conception.

4.3 Trade Secret Protection

Protected Information:

• Donor lists and contact information
• Fundraising strategies and donor research
• Unpublished research findings
• Proprietary methodologies (if not open sourced)
• Financial projections and strategic plans
• Personnel records

Protection Measures:

• Marking: “CONFIDENTIAL - [ORGANIZATION NAME]”
• Access controls: Role-based, need-to-know
• NDAs required for external disclosure
• Secure storage and transmission
• Annual trade secret inventory

Duration: Trade secrets protected indefinitely while maintaining confidentiality. Upon public disclosure, protection terminates.

5. Commercial Use Guidelines

5.1 Philosophy

The Organization encourages commercial use of its open source outputs to maximize mission impact. Commercial users are welcome and supported.

5.2 Permitted Commercial Use

Without restriction, commercial entities may:

• Use Organization software in commercial products
• Integrate Organization content into commercial offerings
• Modify and redistribute under applicable license terms
• Build consulting or support businesses around Organization projects
• Create proprietary derivative works (under permissive licenses)

5.3 Commercial Use with Attribution Requirements

Commercial users must:

• Provide attribution as required by license
• Not remove copyright notices
• Include license text in distributions
• Not use Organization trademarks without authorization
• Comply with notice requirements (Apache 2.0)

5.4 Prohibited Commercial Activities

Commercial entities may NOT:

• Use Organization trademarks as their own
• Imply Organization endorsement without written consent
• Remove or alter attribution requirements
• Violate terms of copyleft licenses (GPL family)
• Use Organization content in ways violating moral rights

5.5 Commercial Partnership Framework

Organizations seeking deeper collaboration may:

• Sponsor specific projects or features
• Enter trademark license agreements
• Participate in advisory councils
• Jointly develop under partnership agreements

Contact: [PARTNERSHIP EMAIL]

6. Contributor License Agreements

6.1 CLA Requirement

All substantial contributions to Organization projects require a signed Contributor License Agreement. “Substantial” means:

• Code contributions exceeding [NUMBER] lines
• Documentation contributions exceeding [NUMBER] words
• Design or creative contributions
• Any contribution not clearly de minimis

Exceptions:

• De minimis contributions (typo fixes, minor corrections)
• Contributions from employees (covered by employment agreement)
• Contributions under existing partnership agreements

6.2 CLA Types

Individual CLA (ICLA):

• For individual contributors
• Grants license and patent rights to Organization
• Warranties contribution is original and rights held
• Covers all contributions to all Organization projects

Corporate CLA (CCLA):

• For employees contributing on behalf of employer
• Employer grants license and patent rights
• Lists authorized contributors
• Covers contributions during employment

6.3 CLA Content Requirements

CLA must include:

• Grant of copyright license (perpetual, worldwide, royalty-free)
• Grant of patent license (if applicable)
• Representation of authority to grant
• Warranty of originality
• Acknowledgment no compensation expected
• Agreement to follow project Code of Conduct

6.4 CLA Administration

Process:

1. CLA sent to prospective contributor
2. Signed CLA returned (electronic signature acceptable)
3. CLA recorded in [DESIGNATED SYSTEM]
4. Contributor added to authorized contributors list
5. CLA verification automated in CI/CD pipeline

Records:

• CLAs retained for duration of copyright plus [NUMBER] years
• Annual audit of CLA compliance
• Quarterly reconciliation with project contributors

7. Third-Party Code Usage

7.1 Policy Principles

• Respect open source licenses
• Comply with all license obligations
• Maintain accurate inventory of third-party code
• Prohibit use of code with incompatible licenses
• Document all third-party dependencies

7.2 Approved License Categories

7.3 License Compliance Requirements

For All Third-Party Code:

1. Inventory: Maintain Software Bill of Materials (SBOM)
2. Verification: Confirm license compatibility with project license
3. Documentation: Include in NOTICES or LICENSE file
4. Attribution: Preserve all copyright notices
5. Source: Make source available when required by copyleft

Apache 2.0 Compliance:

• Include NOTICE file if provided
• State modifications made
• Preserve patent grant

GPL Compliance:

• Source code offer for distributed binaries
• License text inclusion
• Written offer valid for 3 years

7.4 Prohibited Code

Do NOT use code with:

• Unknown or unclear licenses
• “Research only” or “non-commercial” restrictions
• GPL-incompatible licenses in GPL projects
• Proprietary licenses without express authorization
• Copyleft code in proprietary products (without compliance)

7.5 Security Considerations

Third-party code must also meet:

• Security review for critical dependencies
• Maintenance status verification (not abandoned)
• Vulnerability scanning in CI/CD
• Approved source only (no unverified packages)

8. Attribution Requirements

8.1 Internal Attribution

Organization projects must properly attribute:

• Individual contributors (in CONTRIBUTORS file)
• Funding sources (in ACKNOWLEDGMENTS)
• Partner organizations
• Third-party code (in NOTICES)

8.2 External Attribution

Users of Organization IP must provide:

Software:

This product includes software developed by [ORGANIZATION NAME].
[License text or reference]

Content:

[Title] by [ORGANIZATION NAME] is licensed under CC BY 4.0
[Link to original]

8.3 Moral Rights

The Organization respects moral rights of creators where applicable:

• Right of attribution (paternity)
• Right of integrity (no derogatory treatment)
• Right to anonymity (if requested)

9. IP Enforcement

9.1 Infringement Monitoring

The Organization monitors for:

• Unauthorized trademark use
• License violations (failure to attribute, etc.)
• Plagiarism of content
• Patent infringement claims against Organization

9.2 Enforcement Priorities

High Priority:

• Trademark confusion harming Organization reputation
• Willful license violations
• Commercial exploitation without attribution

Medium Priority:

• Innocent attribution failures (educational response)
• Non-commercial violations

Low Priority:

• Technical violations with no harm
• De minimis uses

9.3 Enforcement Process

1. Documentation: Gather evidence of violation
2. Evaluation: Assess priority and best resolution
3. Contact: Initial outreach seeking compliance
4. Escalation: Formal notice if needed
5. Resolution: Compliance or legal action

Preferred Resolution:

• Always prefer education over enforcement
• Seek compliance, not damages
• Preserve relationships where possible

9.4 Defensive Response

If Organization accused of infringement:

1. Immediate legal counsel consultation
2. Document review and analysis
3. Good faith investigation
4. Remediation if substantiated
5. Defense if unsubstantiated

10. Education and Compliance

10.1 Training Requirements

10.2 Resources

Internal Resources:

• IP policy portal: [URL]
• License decision tree: [URL]
• Approved vendor list: [URL]
• CLA submission system: [URL]

External Resources:

• Open Source Initiative: https://opensource.org/licenses
• Choose a License: https://choosealicense.com
• Creative Commons: https://creativecommons.org/choose

10.3 Compliance Review

Quarterly:

• CLA compliance check
• Trademark usage audit
• Third-party code inventory update

Annually:

• Full IP policy review
• Training completion verification
• External IP landscape assessment

11. Implementation Notes

11.1 Immediate Actions (0-30 Days)

• Inventory existing IP assets
• Register core trademarks
• Implement CLA collection system
• Create license decision tree for developers
• Audit third-party dependencies in all projects

11.2 Short-Term Actions (30-90 Days)

• Standardize licenses on existing projects
• Create SBOM for all active projects
• Develop trademark usage guidelines
• Establish IP enforcement procedures
• Deploy training program

11.3 Ongoing Actions

• Quarterly IP audits
• Annual policy review
• Continuous CLA processing
• Trademark monitoring
• License compliance in CI/CD

11.4 Key Contacts

Document Control

Acknowledgment

I have received, read, and understood the Intellectual Property & Licensing Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________
Signature: _________
Date: _________

Source: governance/06_Data_Security_Policy.md

Data, Privacy & Security Policy

Document Number: 06
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Approved By: [BOARD/EXECUTIVE BODY]

1. Purpose and Scope

1.1 Purpose

This Data, Privacy & Security Policy establishes comprehensive standards for the collection, processing, storage, and protection of data by [ORGANIZATION NAME] (“Organization”). This policy reflects our commitment to respecting individual privacy, maintaining data security, and complying with applicable privacy regulations including GDPR, CCPA, and other relevant frameworks.

1.2 Scope

This policy applies to:

• All Personnel: Board members, officers, employees, volunteers, contractors, and agents
• All Data: Personal data, organizational data, and third-party data in our custody
• All Systems: Information technology systems, cloud services, and third-party processors
• All Activities: Data collection, processing, storage, transmission, and destruction
• All Locations: Physical offices, remote work, cloud environments, and partner systems

1.3 Policy Principles

1. Data Minimization: Collect only what is necessary
2. Purpose Limitation: Use data only for stated purposes
3. Privacy by Design: Build privacy into systems and processes
4. Security First: Protect data with appropriate safeguards
5. Transparency: Be clear about data practices
6. Individual Rights: Respect and enable data subject rights

2. Data Collection Principles

2.1 Lawful Basis for Processing

All data collection must have a lawful basis under applicable privacy law:

2.2 Data Minimization

Principle: Collect only data that is directly necessary for the specific purpose identified.

Requirements:

• Document the specific purpose for each data element collected
• Review collections annually for continued necessity
• Delete data when purpose is fulfilled (unless retention required)
• Do not collect “nice to have” data without explicit justification

Examples:

2.3 Purpose Limitation

Principle: Use data only for the purpose for which it was collected, unless compatible additional purpose or new consent obtained.

Compatible Purposes (generally permitted):

• Archiving in public interest
• Scientific or historical research
• Statistical analysis (anonymized)
• Internal operational improvements

Incompatible Purposes (require new basis):

• Marketing to non-consented individuals
• Selling or sharing with third parties
• Uses materially different from original purpose
• New data controller relationship

2.4 Collection Methods

Direct Collection:

• Web forms with clear privacy notices
• In-person with informed consent
• Phone with verbal privacy notice

Automated Collection:

• Website analytics (cookie consent required)
• System logs (anonymized where possible)
• Public sources (disclosed in privacy notice)

Third-Party Collection:

• Processor agreements required
• Verify third-party compliance
• Disclose source in privacy notice

3. Privacy Commitments

3.1 Core Privacy Pledge

The Organization commits to:

We Will NOT:

• Sell personal data to third parties
• Share data with third parties for their marketing
• Use data for purposes beyond those disclosed
• Retain data longer than necessary
• Collect data from children under 13 without parental consent
• Discriminate against individuals exercising privacy rights

We Will:

• Be transparent about data practices
• Provide meaningful privacy choices
• Protect data with appropriate security
• Honor data subject rights promptly
• Notify of breaches as required by law
• Regularly review and improve privacy practices

3.2 Privacy Notice Requirements

All collection points must include a privacy notice containing:

1. Identity: Who is collecting the data
2. Contact: Data protection officer contact
3. Purpose: Why data is being collected
4. Legal Basis: Lawful basis for processing
5. Recipients: Who data will be shared with
6. Transfers: International transfer safeguards
7. Retention: How long data will be kept
8. Rights: Data subject rights and how to exercise
9. Complaints: How to lodge complaints with authorities
10. Automated Decisions: Existence of profiling (if any)

3.3 Special Categories of Data

The following “special category” data receives enhanced protection:

Collection of special category data requires:

• Data Protection Impact Assessment (DPIA)
• Enhanced security measures
• Explicit opt-in consent (if consent basis)
• Documentation of lawful basis
• Limited access and strict need-to-know

3.4 Children’s Data

COPPA/GDPR Requirements:

• No collection from children under 13 without verifiable parental consent
• For 13-16: Informational notice sufficient (opt-out)
• Clear age gating on websites and services
• No behavioral advertising to children
• Enhanced security for children’s data

Verifiable Consent Methods:

• Credit card verification
• Signed consent form
• Video conference with parent
• Phone call with trained staff

4. Data Subject Rights

4.1 Rights Overview

Data subjects have the following rights:

4.2 Request Handling Procedures

Receipt:

• Acknowledge request within 72 hours
• Verify identity of requestor
• Log request in tracking system

Processing:

• Gather relevant data across systems
• Review for legal exemptions (e.g., legal obligation to retain)
• Prepare response in accessible format
• Quality assurance review

Response:

• Provide data or explanation of action taken
• Explain any exemptions applied
• Include information on appeal process
• Document completion

Extensions:

• Complex requests: May extend to 60 days with notification
• High volume: May extend with notification
• Must explain basis for extension

4.3 Exemptions and Limitations

Requests May Be Denied When:

Partial Response: When portions must be withheld, provide:

• Redacted version with explanation
• Basis for withholding (legal citation)
• Appeal rights

5. Security Baseline

5.1 Security Governance

Security Officer: [NAME/TITLE]
Responsibilities:

• Security policy development and enforcement
• Risk assessment and management
• Incident response coordination
• Security awareness training
• Vendor security evaluation

Security Committee:

• Cross-functional representation (IT, Legal, Operations)
• Monthly security reviews
• Incident post-mortems
• Policy approval authority

5.2 Access Controls

Principle of Least Privilege:

• Access granted on need-to-know basis
• Role-based access control (RBAC)
• Regular access reviews (quarterly)
• Immediate revocation upon termination

Authentication Requirements:

Password Policy:

• Minimum 12 characters
• Complexity required (upper, lower, number, special)
• No dictionary words or personal info
• Changed immediately if suspected compromise
• Password manager required

5.3 Encryption Standards

Data at Rest:

• Full disk encryption on all devices
• Database encryption (AES-256)
• Encrypted backups
• Secure key management (HSM or KMS)

Data in Transit:

• TLS 1.3 minimum for web traffic
• VPN for remote access
• SFTP/FTPS for file transfers
• Encrypted email for sensitive data

Key Management:

• Keys stored in hardware security module or cloud KMS
• Key rotation annually or on compromise
• Separation of duties for key access
• Key escrow for business continuity

5.4 Network Security

Perimeter Protection:

• Next-generation firewall with IDS/IPS
• DDoS protection
• Web application firewall (WAF)
• Regular penetration testing (annual)

Network Segmentation:

• VLAN separation by function
• Critical systems isolated
• Guest network separate from production
• Zero-trust architecture for remote access

Monitoring:

• 24/7 security monitoring
• SIEM for log aggregation and analysis
• Anomaly detection
• Threat intelligence feeds

5.5 Endpoint Security

Device Requirements:

• Organization-approved devices for work data
• MDM enrollment for all mobile devices
• EDR (Endpoint Detection and Response) on all endpoints
• Automatic updates and patching

Prohibited:

• Personal email for work data
• Unapproved cloud storage
• Unencrypted removable media
• Jailbroken/rooted devices

Remote Work:

• VPN required for system access
• Home network security recommendations
• Dedicated workspace guidance
• No work in public spaces with visible screens

5.6 Application Security

Development:

• Secure coding standards
• Code review requirements
• Dependency vulnerability scanning
• Static and dynamic security testing (SAST/DAST)

Production:

• Regular vulnerability scanning
• Patch management (critical: 24 hours, high: 7 days)
• Change management process
• Segregated production access

Third-Party:

• Security assessment before procurement
• Annual security review
• Right to audit clauses
• Incident notification requirements

5.7 Physical Security

Office Security:

• Badge access control
• Visitor escort required
• Clean desk policy
• Secure disposal (shredding)

Data Center / Server Room:

• Multi-factor physical access
• Environmental controls
• CCTV monitoring
• Fire suppression systems

Remote Work:

• Secure home office setup
• Privacy screens for laptops
• Safe storage of devices
• No unattended devices in public

6. Incident Response

6.1 Incident Classification

6.2 Incident Response Team

Core Team:

• Security Officer (Incident Commander)
• IT/Systems Administrator
• Legal Counsel
• Communications Lead
• Executive Sponsor

Extended Team (as needed):

• HR (personnel incidents)
• External forensics
• Law enforcement liaison
• Insurance carrier
• Affected system owners

6.3 Response Procedures

Phase 1: Detection and Analysis (0-1 hour)

1. Identify and confirm incident
2. Assign severity classification
3. Activate response team
4. Preserve evidence
5. Document timeline

Phase 2: Containment (1-4 hours)

1. Isolate affected systems
2. Block attack vectors
3. Prevent data exfiltration
4. Maintain business continuity where safe

Phase 3: Eradication (4-24 hours)

1. Remove attacker access
2. Patch vulnerabilities
3. Clean compromised systems
4. Verify integrity

Phase 4: Recovery (24-72 hours)

1. Restore from clean backups
2. Verify system integrity
3. Return to normal operations
4. Enhanced monitoring

Phase 5: Post-Incident (1-4 weeks)

1. Complete forensic analysis
2. Document lessons learned
3. Update security controls
4. Conduct post-mortem

6.4 Breach Notification

Legal Notification Requirements:

Internal Notification:

• Board Chair: Within 4 hours for Critical/High
• Full Board: Within 24 hours
• Insurance carrier: Within policy timeframe

External Communication:

• Draft by Legal and Communications
• Board approval required
• Transparent but legally protective
• Offer credit monitoring if SSN/financial involved

6.5 Documentation Requirements

Maintain for duration of litigation plus 7 years:

• Incident timeline
• All communications
• Forensic analysis
• Response actions taken
• Notification records
• Post-incident report
• Lessons learned

7. Third-Party Processors

7.1 Due Diligence

Before Engagement:

• Security questionnaire
• SOC 2 Type II or equivalent review
• Data Processing Agreement (DPA) execution
• Privacy Shield or SCCs for international transfers

Minimum Security Requirements:

• Encryption at rest and in transit
• Access controls and MFA
• Incident response capabilities
• Annual penetration testing
• Business continuity plan

7.2 Data Processing Agreements

All processors must sign DPA containing:

• Processing instructions and limitations
• Subprocessor authorization and notification
• Security measures and audits
• Breach notification (24-48 hours)
• Data subject rights assistance
• Return/destruction of data upon termination
• Audit rights

7.3 Ongoing Monitoring

Annual Review:

• Security certification renewal
• Incident history review
• Compliance attestation
• Contract compliance verification

Continuous Monitoring:

• Threat intelligence on processors
• News and breach monitoring
• Performance and availability

8. International Data Transfers

8.1 Transfer Mechanisms

From EU/EEA:

• Standard Contractual Clauses (SCCs) - mandatory
• Adequacy decisions (UK, limited others)
• Binding Corporate Rules (if applicable)

From UK:

• UK Addendum to SCCs
• UK adequacy regulations

From Other Jurisdictions:

• Local law compliance
• Contractual safeguards
• Data localization requirements

8.2 Transfer Impact Assessment (TIA)

Required before international transfers:

1. Document laws in destination country
2. Assess impact on data subject rights
3. Identify supplementary measures if needed
4. Implement additional safeguards
5. Periodic re-assessment

8.3 Supplementary Measures

When destination laws may impede data subject rights:

• Enhanced encryption (data encrypted with keys held in origin country)
• Pseudonymization before transfer
• Strict purpose limitation
• Enhanced monitoring

9. Compliance and Governance

9.1 Privacy by Design

All new projects and systems must undergo:

Privacy Impact Assessment (PIA) for:

• New data collections
• New processing activities
• Significant system changes
• New vendor relationships

Data Protection Impact Assessment (DPIA) for:

• Systematic monitoring
• Large-scale special category processing
• Automated decision-making with significant effects
• New technologies (AI, biometrics)

9.2 Training and Awareness

9.3 Audits and Assessments

Annual Activities:

• Security risk assessment
• Privacy compliance audit
• Penetration testing
• Vulnerability scanning
• Third-party security reviews

Quarterly Activities:

• Access reviews
• Policy compliance spot checks
• Incident metrics review
• Security metrics review

9.4 Record Keeping

Maintain for compliance:

• Processing activities records (ROPA)
• Consent records
• Data subject request logs
• DPIAs and PIAs
• Security assessments
• Incident reports
• Training records
• Processor agreements

Retention: Duration of processing plus [NUMBER] years

10. Implementation Notes

10.1 Immediate Actions (0-30 Days)

• Appoint Data Protection Officer / Privacy Officer
• Inventory all data processing activities (ROPA)
• Map all data flows and international transfers
• Review and update privacy notices
• Implement consent management platform
• Establish data subject request intake process

10.2 Short-Term Actions (30-90 Days)

• Complete DPIAs for high-risk processing
• Audit third-party processors for DPA compliance
• Deploy data subject rights request management system
• Conduct security risk assessment
• Implement security monitoring and alerting
• Develop incident response playbooks

10.3 Ongoing Actions

• Monthly security metrics review
• Quarterly access reviews
• Quarterly privacy compliance checks
• Annual penetration testing
• Annual policy and training refresh
• Annual ROPA update
• Continuous consent and preference management

10.4 Key Contacts

11. Regulatory Compliance Summary

11.1 GDPR (General Data Protection Regulation)

Applicability: Processing personal data of EU residents
Key Requirements:

• Lawful basis for processing
• Data subject rights
• Privacy by design
• Breach notification (72 hours)
• DPO (if required by scale/sensitivity)
• Records of processing activities

11.2 CCPA/CPRA (California)

Applicability: For-profit or non-profit with >$25M revenue or >100K CA residents’ data
Key Requirements:

• Privacy notice at collection
• Right to know, delete, opt-out
• Do not sell/share (opt-out link)
• Service provider contracts
• Consumer request fulfillment

11.3 Other State Laws

Monitor compliance requirements for:

• Virginia CDPA
• Colorado CPA
• Connecticut CTDPA
• Utah UCPA
• Emerging state privacy laws

11.4 Industry-Specific

If Applicable:

• HIPAA (health information)
• FERPA (educational records)
• GLBA (financial information)
• COPPA (children’s online privacy)

Document Control

Acknowledgment

I have received, read, and understood the Data, Privacy & Security Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________
Signature: _________
Date: _________

Source: governance/DATA_BOUNDARY_POLICY.md

Data Boundary Policy (Personal vs Org)

Status: Active Date: 2026-02-26

Classification tags (mandatory)

• org-only: CivicOS institutional operations.
• personal-only: personal/private workflows.
• mixed-prohibited: workflows must not blend both without explicit approval.

Rules

1. Production workflows in this repo default to org-only.
2. personal-only data cannot be used in org-only prompts/reports.
3. Any cross-boundary transfer requires explicit Director approval and audit note.
4. Logs/artifacts must include classification when practical.

Enforcement guidance

• Include data_boundary field in workflow outputs where feasible.
• Treat unknown boundary as mixed-prohibited until classified.

Source: governance/WORKFLOW_CONTROL_PLANES.md

Workflow Control Planes

Status: Active Date: 2026-02-26

Each production workflow must have a control plane entry.

1) grant_daily_local_scan

• Owner: Grants Ops
• Lane: prod-critical
• Inputs: web source snapshots
• Output: generated/grants/grant-scan-*.md
• Idempotency: timestamped outputs + atomic latest pointer
• Retry/Fallback: local queue -> API fallback
• Escalation: queue failures >1 day => architecture alert

2) donor_stewardship_runner

• Owner: Donor Ops
• Lane: prod-critical
• Inputs: CRM/mock donor data
• Output: generated JSON + queue markdown artifacts
• Idempotency: deterministic IDs by donor/date
• Retry/Fallback: safe-mode dry-run by default
• Escalation: unresolved donor queue >24h

3) ops_morning_brief

• Owner: Ops
• Lane: prod-critical
• Inputs: task DB + automation health + social queue
• Output: generated/ops_morning_brief_*.md
• Idempotency: daily timestamp + atomic latest pointer
• Retry/Fallback: N/A (non-model)
• Escalation: missing output by 07:00 local

4) local_model_toolcall_probe

• Owner: Platform Ops
• Lane: prod-critical
• Inputs: model route list
• Output: probe JSON latest
• Idempotency: timestamped outputs + latest pointer
• Retry/Fallback: local queue -> API fallback
• Escalation: schema pass <95%

5) workflow_slo_rollup / workflow_slo_alert / weekly_digest

• Owner: Platform Ops
• Lane: prod-critical
• Inputs: queue logs + generated artifacts
• Output: SLO reports + alerts
• Idempotency: timestamped outputs + latest pointers
• Retry/Fallback: best-effort (non-model)
• Escalation: two consecutive days target fail

Source: tmp/civicos-site/governance.md

layout: default title: Governance permalink: /governance/ —

Governance & Transparency

CivicOS Institute is committed to transparent, accountable governance. As a nonprofit organization in formation, we believe that how we operate is as important as what we build. Our governance documents are publicly available to demonstrate our commitment to ethical operation and public accountability.

Founding Documents

Articles of Incorporation

The legal document establishing CivicOS Institute as a Florida nonprofit corporation, filed with the Florida Department of State on February 10, 2026.

View Articles of Incorporation

Status: Filed and active
State: Florida
Registered Agent: Nicholas A. Cerbone
Principal Address: 4884 Beresford Circle, West Palm Beach, FL 33417

Bylaws

Our bylaws establish the rules for how CivicOS Institute governs itself, including Board structure, officer roles, meeting procedures, and decision-making processes.

View Bylaws

Key Provisions:

• Board of 3-9 Directors
• No voting members (governance by Board only)
• Annual Board elections
• 501(c)(3) compliance requirements
• Conflict of interest protocols

Policies

Conflict of Interest Policy

Establishes procedures for identifying, disclosing, and managing conflicts of interest to ensure decisions are made in the organization’s best interest, not for private benefit.

View Conflict of Interest Policy

Key Elements:

• Annual disclosure requirements
• Recusal procedures
• Documented abstentions
• Review and enforcement mechanisms

Delegation of Authority Matrix

Defines who has authority to make various types of decisions and commitments on behalf of CivicOS Institute, from routine operations to major strategic commitments.

View Delegation of Authority

Document Retention Policy

Establishes how long different types of organizational records must be kept and procedures for secure destruction when retention periods expire.

View Document Retention Policy

Intellectual Property & Licensing Policy

Governs how CivicOS Institute manages intellectual property, including open-source licensing requirements, copyright, and trademark protections.

View IP & Licensing Policy

Key Principles:

• Open-source by default
• Public benefit licensing
• Contributor license agreements
• Trademark protection

Data Privacy & Security Policy

Establishes how CivicOS Institute protects sensitive data, ensures privacy compliance, and maintains information security.

View Data Privacy & Security Policy

Current Governance Package (Desktop Source Alignment)

The website governance set mirrors the current governance package maintained in our working folders:

• Articles of Incorporation
• Bylaws
• Delegation of Authority Matrix
• Conflict of Interest Policy
• Document Retention Policy
• IP & Licensing Policy
• Data Privacy & Security Policy

Board of Directors

Current Board Members

Nicholas A. Cerbone
President & Founder
Contact

Additional founding board seats are currently being filled.

Board Composition Timeline:

• February 2026: Incorporation complete; board recruitment initiated
• May 2026: Target: Add first independent Director
• December 2027: Target: Expand to 5-member Board with independent majority

View Board Recruitment Process

Transparency Commitments

What We Publish

• ✅ Governance documents (this page)
• ✅ Research and publications
• ✅ Open-source code repositories
• ✅ Annual reports (once operational)
• ✅ Form 990 filings (once 501(c)(3) approved)

What We’re Building

• Real-time project tracker (public visibility into our work)
• Open budget (transparency in how we use resources)
• Public roadmap (what we’re working on and why)

501(c)(3) Status

Current Status: Application pending with IRS
Incorporation: Florida nonprofit (February 2026)
Tax Exemption: Application submitted (pending 8-12 month IRS review)
Effective Date: Will apply retroactively to incorporation date upon approval

What This Means:

• We are a legal Florida nonprofit corporation
• We cannot yet offer tax-deductible donations
• We are operating as a 501(c)(3) applicant
• Upon approval, tax exemption applies retroactively

Accountability

Reporting Concerns

If you have concerns about governance, ethics, or compliance at CivicOS Institute, you may contact:

Board of Directors
board@civicos-institute.org

All reports will be reviewed by the Board and handled confidentially to the extent permitted by law.

Annual Review

These governance documents are reviewed annually by the Board of Directors and updated as needed to reflect organizational growth and legal requirements.

Last Review: February 2026 (founding)
Next Review: February 2027

Questions?

For questions about CivicOS Institute governance, please contact us.

CivicOS Institute is a Florida nonprofit corporation in formation. These documents represent our current governance structure and will evolve as the organization grows.

Source: tmp/civicos-site/governance/articles-of-incorporation.md

layout: default title: Articles of Incorporation permalink: /governance/articles-of-incorporation/ —

ARTICLES OF INCORPORATION OF CIVICOS INSTITUTE

ARTICLE I: NAME

The name of the corporation is CivicOS Institute.

ARTICLE II: DURATION

The period of duration is perpetual.

ARTICLE III: PURPOSE

The corporation is organized exclusively for charitable, educational, and scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, or the corresponding section of any future federal tax code. The specific purposes for which the corporation is organized include:

(a) Conducting research and development in civic technology, open data systems, and digital public infrastructure; (b) Developing and maintaining open-source software platforms for civic engagement and governance; (c) Educating the public, policymakers, and technologists on best practices in civic technology; (d) Promoting transparency, accountability, and accessibility in democratic institutions; (e) Collaborating with public sector entities, academic institutions, and civil society organizations to improve civic systems; (f) Building and supporting communities of practice around civic technology and open government; (g) Publishing research, documentation, and educational materials related to civic technology; (h) Hosting conferences, workshops, and educational events related to civic technology and governance; (i) Providing technical assistance and consulting services to government entities and nonprofit organizations working in the public interest; (j) Any other lawful activities consistent with the foregoing purposes that are appropriate for a corporation exempt from federal income tax under Section 501(c)(3).

ARTICLE IV: PROHIBITED ACTIVITIES

Notwithstanding any other provision of these Articles, the corporation shall not:

(a) Engage in activities that do not further its exempt purposes; (b) Carry on propaganda or otherwise attempt to influence legislation, except as permitted by Section 501(h) of the Internal Revenue Code; (c) Participate in or intervene in any political campaign on behalf of or in opposition to any candidate for public office; (d) Allow any part of its net earnings to inure to the benefit of any private shareholder or individual; (e) Operate for the benefit of private interests, except as incidental to its exempt purposes; (f) Discriminate on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, age, or disability.

ARTICLE V: DISSOLUTION

Upon dissolution or winding up of the corporation, after paying or adequately providing for debts and obligations, the remaining assets shall be distributed to one or more qualifying exempt organizations:

(a) Organized and operated exclusively for charitable, educational, or scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code; (b) Qualified as exempt under Section 501(c)(3) of the Internal Revenue Code (or corresponding provisions of future law); (c) Selected by the Board of Directors at or before dissolution.

Under no circumstances shall any assets be distributed to private individuals or for private benefit.

ARTICLE VI: INITIAL REGISTERED AGENT AND OFFICE

The street address of the initial registered office is:

4884 Beresford Circle West Palm Beach, Florida 33417

The name of the initial registered agent at that address is:

Nicholas A. Cerbone

The registered agent has signed below indicating acceptance of this appointment.

ARTICLE VII: INITIAL BOARD OF DIRECTORS

The number of directors constituting the initial Board of Directors is 1. The names and addresses of the initial directors are:

1. Nicholas A. Cerbone 4884 Beresford Circle West Palm Beach, Florida 33417

ARTICLE VIII: INCORPORATOR

The name and address of the incorporator is:

Nicholas A. Cerbone 4884 Beresford Circle West Palm Beach, Florida 33417

ARTICLE IX: MEMBERSHIP

The corporation shall have no members. All governance authority is vested in the Board of Directors.

ARTICLE X: LIABILITY LIMITATION

To the fullest extent permitted by Florida law, no director or officer of the corporation shall be personally liable to the corporation or its members for monetary damages for breach of fiduciary duty as a director or officer, except for liability:

(a) For any breach of the director’s or officer’s duty of loyalty to the corporation; (b) For acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law; (c) Under Section 617.0834, Florida Statutes; or (d) For any transaction from which the director or officer derived an improper personal benefit.

ARTICLE XI: INDEMNIFICATION

The corporation shall indemnify any person who was or is a party or is threatened to be made a party to any threatened, pending, or completed action, suit, or proceeding by reason of the fact that such person is or was a director, officer, employee, or agent of the corporation, to the fullest extent permitted by Florida law.

ARTICLE XII: ADDITIONAL PROVISIONS

1. The corporation shall keep correct and complete books and records of account and shall keep minutes of the proceedings of its Board of Directors and any committees.

2. The corporation shall have a seal, which may be altered at the pleasure of the Board of Directors.

3. These Articles may be amended by the affirmative vote of two-thirds (2/3) of the directors then in office at any duly convened meeting, subject to approval by the appropriate state authority.

4. All references to sections of the Internal Revenue Code shall be to the Internal Revenue Code of 1986, as amended, or to corresponding provisions of subsequent federal tax laws.

5. If any provision of these Articles is held invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions, and these Articles shall be construed as if such invalid provision had never been contained herein.

CERTIFICATION

The undersigned incorporator certifies that he/she has executed these Articles of Incorporation on behalf of the corporation and that the statements contained herein are true and correct.

Nicholas A. Cerbone, Incorporator

Date: ___________

ACCEPTANCE OF APPOINTMENT AS REGISTERED AGENT

I, Nicholas A. Cerbone, hereby accept appointment as Registered Agent for CivicOS Institute and agree to serve as such in accordance with Florida Statutes.

Nicholas A. Cerbone, Registered Agent

Date: ___________

FILING CHECKLIST FOR FLORIDA

Before filing, ensure you have:

□ Completed all [BRACKETED] placeholders □ Registered Agent signature (required in Florida) □ Incorporator signature □ $70 filing fee (online or check/money order if mailing) □ Optional: $35 for name reservation (if you want to secure the name first) □ Optional: $30 for expedited processing (24 hours)

Filing Options:

1. ONLINE (Recommended): https://efile.sunbiz.org
   • Fastest processing (5-10 business days)
   • Immediate confirmation
   • Pay by credit card
2. BY MAIL:
   • Send to: New Filing Section, Division of Corporations, P.O. Box 6327, Tallahassee, FL 32314
   • Include check or money order payable to “Florida Department of State”
   • Processing: 10-15 business days
3. IN PERSON:
   • Clifton Building, 2661 Executive Center Circle, Tallahassee, FL
   • Same day processing available

After Filing: □ Download Certificate of Incorporation from Sunbiz □ Apply for EIN (if not already obtained) at irs.gov □ Open bank account □ File IRS Form 1023 or 1023-EZ for 501(c)(3) status

501(c)(3) COMPLIANCE NOTES

These Articles include all required provisions for 501(c)(3) status:

✓ Specific 501(c)(3) purpose language (Article III) ✓ Prohibition on private inurement (Article IV) ✓ Dissolution clause requiring assets go to other 501(c)(3)s (Article V) ✓ Limitation on legislative activities (Article IV(b)) ✓ Prohibition on political campaign activities (Article IV(c))

These provisions satisfy IRS requirements for tax-exempt status under Section 501(c)(3).

Source: tmp/civicos-site/governance/board-recruitment.md

layout: default title: Board Recruitment Process permalink: /governance/board-recruitment/ —

Board Recruitment Process

CivicOS Institute is actively seeking independent directors to join our founding Board. This page outlines our recruitment process and timeline.

Current Board Composition

• Nicholas A. Cerbone - President & Founder
• [Seeking 2 additional founding members]
• [Seeking independent directors]

Recruitment Timeline

Ideal Candidate Profile

We seek directors with expertise in:

• Civic technology and open government
• Nonprofit governance and 501(c)(3) compliance
• Academic research and public policy
• Government administration (federal, state, or local)
• Technology and AI ethics

How to Express Interest

Interested candidates should contact:

Nicholas A. Cerbone
President & Founder
NCerbone@civicos-institute.org

Please include a brief statement of interest and relevant background.

Last updated: February 2026

Source: tmp/civicos-site/governance/bylaws.md

layout: default title: Bylaws permalink: /governance/bylaws/ —

CIVICOS INSTITUTE BYLAWS

ARTICLE I: NAME AND PURPOSE

Section 1.01: Name

The name of this organization is [CIVICOS INSTITUTE], hereinafter referred to as the “Organization.”

Section 1.02: Existence

The Organization is a nonprofit corporation incorporated under the laws of [STATE OF INCORPORATION]. These Bylaws constitute the code of rules adopted by the Organization for the regulation and management of its affairs.

Section 1.03: Purpose

The Organization is organized exclusively for charitable, educational, and scientific purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, or the corresponding section of any future federal tax code, including:

(a) Conducting research and development in civic technology, open data systems, and digital public infrastructure; (b) Developing and maintaining open-source software platforms for civic engagement and governance; (c) Educating the public, policymakers, and technologists on best practices in civic technology; (d) Promoting transparency, accountability, and accessibility in democratic institutions; (e) Collaborating with public sector entities, academic institutions, and civil society organizations to improve civic systems; (f) Any other lawful activities consistent with the foregoing purposes that are appropriate for a corporation exempt from federal income tax under Section 501(c)(3).

Section 1.04: Limitations

Notwithstanding any other provision of these Bylaws, the Organization shall not:

(a) Engage in activities that do not further its exempt purposes; (b) Carry on propaganda or otherwise attempt to influence legislation, except as permitted by Section 501(h) of the Internal Revenue Code; (c) Participate in or intervene in any political campaign on behalf of or in opposition to any candidate for public office; (d) Allow any part of its net earnings to inure to the benefit of any private shareholder or individual; (e) Operate for the benefit of private interests, except as incidental to its exempt purposes.

Upon dissolution of the Organization, all remaining assets shall be distributed to one or more qualifying exempt organizations selected by the Board of Directors, in accordance with Article XII of these Bylaws.

ARTICLE II: MEMBERSHIP

Section 2.01: Membership Structure

The Organization shall have no voting members. All governance authority is vested in the Board of Directors as described in Article III.

Section 2.02: Non-Voting Affiliates

The Board may establish categories of non-voting affiliates, advisors, or fellows who may participate in Organization activities and provide input to the Board, but who shall have no voting rights in Board matters. The rights, responsibilities, and qualifications of such affiliates shall be determined by Board policy.

ARTICLE III: BOARD OF DIRECTORS

Section 3.01: General Powers

All corporate powers shall be exercised by or under the authority of the Board of Directors. The Board shall oversee the affairs of the Organization, establish strategic direction, approve major policies, and ensure the Organization operates in accordance with its mission and applicable law.

Section 3.02: Number and Composition

The Board of Directors shall consist of no fewer than [THREE (3)] and no more than [NINE (9)] Directors. Within these limits, the Board may fix the exact number of Directors by resolution. The Board shall strive to maintain diverse representation across relevant expertise areas including: technology, civic/government affairs, nonprofit governance, finance, and community organizing.

Section 3.03: Qualifications

Directors must: (a) Be individuals at least eighteen (18) years of age; (b) Demonstrate commitment to the Organization’s mission; (c) Satisfy any additional qualifications established by Board policy; (d) Not be employees of the Organization (with the exception of the Executive Director, who may serve as an ex-officio, non-voting Director if the Board so determines).

Section 3.04: Election and Terms

(a) Initial Directors: The incorporator(s) shall appoint the initial Board of Directors, who shall serve until the first annual meeting or until their successors are elected.

(b) Subsequent Elections: Directors shall be elected by majority vote of the Directors then in office at any duly convened meeting of the Board. The Board shall establish a Nominating Committee responsible for identifying and vetting candidates.

(c) Terms: Each Director shall serve a term of [THREE (3)] years, or until their successor is elected and qualified. Directors may serve up to [TWO (2)] consecutive full terms, after which they must rotate off the Board for at least [ONE (1)] year before becoming eligible for re-election.

(d) Staggered Terms: To ensure continuity, Directors shall be divided into classes with staggered terms as nearly equal in number as possible.

Section 3.05: Resignation and Removal

(a) Resignation: Any Director may resign at any time by delivering written notice to the Chair of the Board, the Secretary, or the Board. Such resignation shall take effect at the time specified therein or, if no time is specified, upon receipt.

(b) Removal: Any Director may be removed, with or without cause, by a two-thirds (2/3) vote of the Directors then in office at a duly convened meeting. A Director who fails to attend [THREE (3)] consecutive regular Board meetings without excuse acceptable to the Board may be deemed to have resigned.

Section 3.06: Vacancies

Any vacancy occurring on the Board by reason of resignation, removal, death, or otherwise may be filled by majority vote of the remaining Directors, even if less than a quorum. A Director elected to fill a vacancy shall serve the unexpired term of their predecessor.

Section 3.07: Regular Meetings

The Board shall hold at least [FOUR (4)] regular meetings per year. The time and place of regular meetings shall be determined by the Board or the Chair. Notice of regular meetings shall be given at least [FIFTEEN (15)] days in advance, unless waived by all Directors.

Section 3.08: Special Meetings

Special meetings of the Board may be called by the Chair, the Executive Director, or by any [TWO (2)] Directors. Notice of special meetings, stating the date, time, place, and purpose, shall be given at least [SEVEN (7)] days in advance, unless waived by all Directors.

Section 3.09: Meeting Participation

Directors may participate in and act at any meeting through the use of conference telephone, video conference, or similar communications equipment by means of which all persons participating in the meeting can hear each other. Participation in such manner shall constitute presence in person at the meeting.

Section 3.10: Quorum

A majority of the number of Directors fixed by these Bylaws or Board resolution shall constitute a quorum for the transaction of business. If a quorum is not present at any meeting, a majority of the Directors present may adjourn the meeting to a future date.

Section 3.11: Voting

(a) Each Director shall have one vote. (b) The affirmative vote of a majority of Directors present at a meeting at which a quorum is present shall be the act of the Board, unless these Bylaws or applicable law require a greater vote. (c) Action may be taken by the Board without a meeting if all Directors consent in writing or by electronic transmission. Such consent shall have the same effect as a unanimous vote at a meeting.

Section 3.12: Compensation

Directors shall not receive compensation for their services as Directors. Directors may be reimbursed for reasonable expenses incurred in the performance of their duties, provided such reimbursement is approved in accordance with Organization policy.

Section 3.13: Committees of the Board

(a) Executive Committee: The Board may designate an Executive Committee consisting of at least three (3) Directors, including the Chair, Treasurer, and Secretary. The Executive Committee may exercise such powers as delegated by the Board, except those reserved to the full Board by law or these Bylaws. All actions of the Executive Committee shall be reported to the full Board at the next meeting.

(b) Other Committees: The Board may establish such other standing or special committees as it deems necessary or appropriate. Committee members need not be Directors, but any committee exercising Board authority must consist solely of Directors.

(c) Committee Charters: Each committee shall operate under a written charter approved by the Board, which shall specify the committee’s purpose, composition, authority, and reporting requirements.

ARTICLE IV: OFFICERS

Section 4.01: Officers

The officers of the Organization shall be: (a) Chair of the Board (may also be titled “President”); (b) Secretary; (c) Treasurer; (d) Such other officers as the Board may from time to time determine.

No individual may hold more than one of the offices of Chair, Secretary, and Treasurer simultaneously.

Section 4.02: Election and Terms

Officers shall be elected annually by the Board from among the Directors at the first regular meeting following the annual meeting of the Board. Each officer shall serve a one-year term or until their successor is elected and qualified. Officers may be re-elected for successive terms without limit.

Section 4.03: Removal and Vacancies

Any officer may be removed, with or without cause, by majority vote of the Directors then in office. Any vacancy in any office may be filled by the Board for the unexpired portion of the term.

Section 4.04: Chair of the Board

The Chair of the Board shall: (a) Preside at all meetings of the Board and Executive Committee; (b) Serve as the principal volunteer leader of the Organization; (c) Serve as an ex-officio member of all committees, unless otherwise provided; (d) In coordination with the Executive Director, set agendas for Board meetings; (e) Perform such other duties as may be prescribed by the Board.

Section 4.05: Secretary

The Secretary shall: (a) Ensure that accurate minutes are kept of all Board and Executive Committee meetings; (b) Ensure that all notices are duly given in accordance with these Bylaws; (c) Be custodian of the corporate records and the seal of the Organization, if any; (d) Maintain a current roster of Directors and officers; (e) Perform such other duties as may be prescribed by the Board or Chair.

Section 4.06: Treasurer

The Treasurer shall: (a) Serve as Chair of the Finance Committee, if any; (b) Oversee the management and investment of Organization funds; (c) Ensure that accurate financial records are maintained; (d) Present financial reports to the Board at each regular meeting; (e) Ensure that an annual audit or review is conducted by an independent accountant; (f) Perform such other duties as may be prescribed by the Board or Chair.

The Board may appoint an Assistant Treasurer or delegate day-to-day financial management to the Executive Director or staff, but ultimate oversight responsibility remains with the Treasurer.

Section 4.07: Other Officers

Other officers shall perform such duties as prescribed by the Board or by the officer’s job description.

ARTICLE V: EXECUTIVE DIRECTOR

Section 5.01: Appointment

The Board shall appoint an Executive Director who shall serve as the chief executive officer of the Organization. The Executive Director need not be a Director, but may serve as an ex-officio, non-voting Director if the Board so determines.

Section 5.02: Responsibilities

The Executive Director shall: (a) Serve as the chief executive officer responsible for day-to-day operations; (b) Implement policies and programs established by the Board; (c) Hire, supervise, and terminate staff and contractors, subject to the Delegation of Authority Matrix; (d) Manage the Organization’s budget and resources; (e) Report regularly to the Board on operations, finances, and strategic matters; (f) Serve as the primary spokesperson for the Organization; (g) Execute contracts and agreements within delegated authority limits; (h) Ensure compliance with all applicable laws and regulations; (i) Perform such other duties as may be prescribed by the Board.

Section 5.03: Evaluation

The Board shall conduct an annual performance evaluation of the Executive Director. The evaluation shall be conducted by the Chair or a designated committee and shall include review of progress toward organizational goals.

Section 5.04: Removal

The Executive Director may be removed by majority vote of the Directors then in office. The Executive Director shall be given [THIRTY (30)] days’ written notice of any proposed removal, unless the Board determines that immediate removal is necessary to protect the Organization’s interests.

ARTICLE VI: FINANCIAL ADMINISTRATION

Section 6.01: Fiscal Year

The fiscal year of the Organization shall be [JANUARY 1 – DECEMBER 31] unless otherwise determined by the Board.

Section 6.02: Annual Budget

The Executive Director shall prepare and submit to the Board for approval an annual operating budget before the beginning of each fiscal year. The Board may modify the budget as it deems appropriate.

Section 6.03: Budget Administration

The Executive Director is authorized to make expenditures within the approved budget. Expenditures exceeding budget line items by more than [TEN PERCENT (10%)] or [TEN THOUSAND DOLLARS ($10,000)], whichever is less, require prior Board approval.

Section 6.04: Audit

The Board shall cause an annual audit of the Organization’s financial statements to be conducted by an independent certified public accountant. The Treasurer shall present the audited financial statements to the Board for approval.

Section 6.05: Financial Controls

The Organization shall maintain adequate internal controls over financial transactions, including: (a) Segregation of duties among staff handling financial transactions; (b) Dual authorization for expenditures above specified thresholds; (c) Regular reconciliation of bank accounts; (d) Protection of assets through appropriate insurance coverage.

ARTICLE VII: MEETINGS AND VOTING PROCEDURES

Section 7.01: Notice

(a) Written or electronic notice of all meetings shall be given to each Director at their address or email as shown on Organization records. (b) Notice shall state the date, time, place (or electronic access information), and, for special meetings, the purpose. (c) A Director’s attendance at a meeting constitutes waiver of notice unless the Director attends solely to object to the transaction of business due to lack of notice.

Section 7.02: Waiver of Notice

(a) Any Director may waive notice of any meeting before or after the meeting. (b) Such waiver must be in writing or electronic form, signed by the Director entitled to notice, and filed with the minutes or corporate records.

Section 7.03: Quorum

(a) A quorum at any Board meeting shall be a majority of the Directors then in office. (b) Once a quorum is established, it shall not be broken by the withdrawal of Directors.

Section 7.04: Voting

(a) Each Director shall be entitled to one vote on each matter submitted to a vote. (b) Voting by proxy is not permitted. (c) Unless otherwise specified, matters shall be decided by majority vote of Directors present at a meeting at which a quorum exists. (d) The Chair shall vote only to break a tie, unless otherwise required by law.

Section 7.05: Action Without Meeting

Any action required or permitted to be taken at a meeting may be taken without a meeting if all Directors consent in writing or by electronic transmission. Such consent shall be filed with the minutes and have the same effect as a unanimous vote.

Section 7.06: Minutes

Minutes shall be kept of all Board and committee meetings and shall include: (a) Date, time, and place of the meeting; (b) Directors present and absent; (c) Principal matters discussed and decisions made; (d) Records of all votes taken; (e) Any conflicts of interest disclosed and how they were handled.

ARTICLE VIII: CONFLICTS OF INTEREST

Section 8.01: Policy Adoption

The Organization shall adopt and maintain a Conflict of Interest Policy consistent with the requirements of the Internal Revenue Service for 501(c)(3) organizations. The current version of such policy is incorporated by reference as if fully set forth herein.

Section 8.02: Duty to Disclose

Each Director, officer, and key employee has a duty to: (a) Disclose any actual, potential, or apparent conflict of interest; (b) Abstain from voting on any matter in which they have a conflict; (c) Recuse themselves from discussion of such matters unless specifically requested to provide information.

Section 8.03: Annual Statements

All Directors, officers, and key employees shall complete and sign an annual conflict of interest disclosure statement.

ARTICLE IX: INDEMNIFICATION

Section 9.01: General

The Organization shall indemnify any person who was or is a party or is threatened to be made a party to any threatened, pending, or completed action, suit, or proceeding by reason of the fact that such person is or was a Director, officer, employee, or agent of the Organization, to the fullest extent permitted by applicable law.

Section 9.02: Insurance

The Organization may purchase and maintain insurance on behalf of any person who is or was a Director, officer, employee, or agent of the Organization against any liability asserted against such person, whether or not the Organization would have the power to indemnify such person.

ARTICLE X: DOCUMENT RETENTION

Section 10.01: Policy Adoption

The Organization shall adopt and maintain a Document Retention and Destruction Policy consistent with applicable legal requirements. The current version of such policy is incorporated by reference.

ARTICLE XI: AMENDMENT

Section 11.01: Amendment of Bylaws

These Bylaws may be amended or repealed, and new Bylaws may be adopted, by a two-thirds (2/3) vote of the Directors then in office at any duly convened meeting, provided that notice of the proposed amendment shall have been included in the notice of such meeting or given to all Directors at least [SEVEN (7)] days prior to the meeting.

Section 11.02: Amendment of Articles of Incorporation

The Articles of Incorporation may be amended only by the affirmative vote of at least two-thirds (2/3) of the Directors then in office, subject to approval by the appropriate state authority.

ARTICLE XII: DISSOLUTION

Section 12.01: Voluntary Dissolution

The Organization may be dissolved only by a three-fourths (3/4) vote of the Directors then in office at a duly convened meeting called for that purpose.

Section 12.02: Distribution of Assets

Upon dissolution or winding up of the Organization, after paying or adequately providing for debts and obligations, the remaining assets shall be distributed to one or more exempt organizations: (a) Organized and operated exclusively for charitable, educational, or scientific purposes; (b) Qualified as exempt under Section 501(c)(3) of the Internal Revenue Code (or corresponding provisions of future law); (c) Selected by the Board of Directors at or before dissolution.

Under no circumstances shall any assets be distributed to private individuals or for private benefit.

Section 12.03: Compliance with Law

All dissolution proceedings shall be conducted in accordance with the laws of [STATE OF INCORPORATION] and the Internal Revenue Code.

ARTICLE XIII: MISCELLANEOUS

Section 13.01: Corporate Seal

The Organization may, but need not, adopt a corporate seal. If adopted, the seal shall be in such form as the Board may determine.

Section 13.02: Execution of Instruments

Contracts, deeds, and other instruments may be executed on behalf of the Organization by the Executive Director or such other officers or agents as the Board may designate. The Board may authorize the use of facsimile signatures.

Section 13.03: Construction

These Bylaws shall be construed in accordance with the laws of [STATE OF INCORPORATION].

Section 13.04: Severability

If any provision of these Bylaws is held invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions, and these Bylaws shall be construed as if such invalid provision had never been contained herein.

CERTIFICATION

These Bylaws were adopted by the Board of Directors of [CIVICOS INSTITUTE] on [DATE], and amended on the dates noted below:

Adopted: _________ [DATE]

Amended: _________ [DATE]

Amended: _________ [DATE]

Amended: _________ [DATE]

[NAME] Secretary

IMPLEMENTATION NOTES

1. Filling in Brackets: Replace all [BRACKETED] placeholders with organization-specific information before adoption.

2. State Law Compliance: Have an attorney review these Bylaws against the specific nonprofit corporation statutes of your state of incorporation. State law may require modifications.

3. IRS Filing: Submit these Bylaws with your Form 1023 or 1023-EZ application for 501(c)(3) status.

4. Regular Review: Schedule a review of these Bylaws every three (3) years or whenever there is a significant change in operations or law.

5. Committee Charters: Develop detailed charters for each Board committee referenced in Article III, Section 3.13.

6. Policies: Develop supporting policies referenced herein (Conflict of Interest, Document Retention, Delegation of Authority, etc.) concurrently with Bylaws adoption.

Source: tmp/civicos-site/governance/conflict-of-interest-policy.md

layout: default title: Conflict of Interest Policy permalink: /governance/conflict-of-interest-policy/ —

CIVICOS INSTITUTE

CONFLICT OF INTEREST POLICY

PURPOSE

This Conflict of Interest Policy (“Policy”) is designed to ensure that the interests of CivicOS Institute (the “Organization”) are protected and advanced at all times, and that decisions made by Directors, officers, and key employees are made in the best interest of the Organization, free from any personal, financial, or other conflicting interests.

This Policy is adopted in compliance with the requirements of Section 501(c)(3) of the Internal Revenue Code of 1986, as amended, and the regulations promulgated thereunder. Compliance with this Policy is a condition of service as a Director, officer, or key employee of the Organization.

SECTION 1: DEFINITIONS

1.1 Conflict of Interest

A “Conflict of Interest” exists when a person’s personal, financial, professional, or other interests conflict—or appear to conflict—with the interests of the Organization. Conflicts may be:

(a) Actual: A direct conflict between personal interests and organizational interests; (b) Potential: A situation that could develop into an actual conflict; (c) Apparent: A situation that would appear to a reasonable observer to create a conflict, whether or not an actual conflict exists.

1.2 Interested Person

An “Interested Person” is any Director, officer, or key employee of the Organization who has a direct or indirect financial interest, as defined below, or any other interest that could conflict with the interests of the Organization.

1.3 Financial Interest

A person has a “Financial Interest” if they have, directly or indirectly, through business, investment, or family:

(a) An ownership or investment interest in any entity with which the Organization has a transaction or arrangement; (b) A compensation arrangement with the Organization or with any entity with which the Organization has a transaction or arrangement; (c) A potential ownership or investment interest in, or compensation arrangement with, any entity with which the Organization is negotiating a transaction or arrangement; (d) A family member who has any of the interests described above. “Family member” includes a spouse, domestic partner, parent, child, sibling, or any relative sharing the same household.

1.4 Key Employee

“Key Employee” means any employee or contractor who: (a) Has responsibilities that allow them to exercise substantial influence over the Organization’s affairs; (b) Receives total compensation exceeding [ONE HUNDRED THOUSAND DOLLARS ($100,000)] annually; (c) Is designated as a key employee by the Board of Directors.

1.5 Non-Financial Interest

A “Non-Financial Interest” includes personal relationships, organizational affiliations, or other interests that could influence or appear to influence a person’s objectivity, even if no money is involved.

SECTION 2: DUTY OF LOYALTY

2.1 Fiduciary Duty

Directors, officers, and key employees owe a fiduciary duty of loyalty to the Organization. This duty requires that they:

(a) Act in good faith and in the best interests of the Organization; (b) Place the interests of the Organization above personal interests; (c) Exercise independent judgment free from outside influence; (d) Avoid situations that create actual, potential, or apparent conflicts of interest.

2.2 Duty of Care

Directors, officers, and key employees shall exercise the care an ordinarily prudent person would exercise in similar circumstances, including:

(a) Being informed about matters before the Board or relevant to their responsibilities; (b) Participating actively in deliberations; (c) Seeking independent advice when appropriate; (d) Making decisions based on all relevant information reasonably available.

2.3 Duty of Obedience

Directors, officers, and key employees shall ensure the Organization operates within its mission and in compliance with all applicable laws and regulations.

SECTION 3: DISCLOSURE REQUIREMENTS

3.1 Annual Disclosure

Each Director, officer, and key employee shall complete and sign the Organization’s Annual Conflict of Interest Disclosure Statement within thirty (30) days of: (a) Beginning service with the Organization; (b) The start of each fiscal year thereafter; (c) Whenever their circumstances change materially.

3.2 Contents of Annual Statement

The Annual Disclosure Statement shall require disclosure of:

(a) All entities in which the person has an ownership or investment interest of more than [FIVE PERCENT (5%)]; (b) All compensation arrangements with the Organization; (c) All business relationships with entities that do business with or compete with the Organization; (d) All family members’ interests as defined in Section 1.3(d); (e) Any other facts or circumstances that could create a conflict of interest; (f) Any positions held with other organizations that might create conflicts.

3.3 Transactional Disclosure

In addition to annual disclosure, each Director, officer, and key employee must disclose any actual or potential conflict of interest:

(a) Immediately upon becoming aware of the conflict; (b) Before participating in any discussion or vote related to the matter; (c) In writing or verbally at the beginning of the relevant meeting, to be recorded in the minutes.

3.4 Gifts and Gratuities

Directors, officers, and key employees must disclose:

(a) Any gifts or gratuities received from vendors, contractors, donors, or others doing business with the Organization valued at more than [SEVENTY-FIVE DOLLARS ($75)]; (b) Any entertainment or hospitality that is excessive or could reasonably be perceived as intended to influence official action; (c) Gifts or benefits provided to family members as described above.

SECTION 4: PROCEDURES FOR ADDRESSING CONFLICTS

4.1 Identification of Conflict

When a potential conflict is disclosed or identified:

(a) The Interested Person shall disclose all material facts; (b) The Board or relevant committee shall determine whether a conflict exists; (c) The determination shall be documented in the meeting minutes.

4.2 Recusal Requirements

When a Director, officer, or key employee has a conflict of interest with respect to a matter:

(a) They shall leave the meeting during discussion of the matter, unless specifically requested to provide information; (b) They shall not vote on the matter; (c) They shall not attempt to influence the vote outside the meeting; (d) They shall not be counted for quorum purposes for that matter; (e) Their absence and recusal shall be recorded in the minutes.

4.3 Independent Review

Before approving any transaction involving a conflict of interest:

(a) The disinterested Directors shall review the material facts; (b) Appropriate due diligence shall be conducted; (c) Comparable market data shall be obtained when relevant; (d) The transaction shall be determined to be fair and reasonable to the Organization; (e) The transaction shall be determined to be in the best interests of the Organization.

4.4 Documentation

All proceedings related to conflicts of interest shall be documented in the minutes, including:

(a) The nature of the disclosed conflict; (b) The name of the Interested Person; (c) The determination that a conflict exists; (d) The individuals present during discussion; (e) The content of the discussion; (f) Any comparisons to market rates or other due diligence; (g) The vote taken and the result; (h) The determination that the transaction is fair and reasonable.

4.5 Arm’s Length Terms

Any transaction with an Interested Person shall be conducted on arm’s length terms no less favorable to the Organization than would be available from an unrelated party. The Board must specifically approve any compensation or contractual terms.

SECTION 5: PROHIBITED TRANSACTIONS

5.1 Prohibited Arrangements

The following are prohibited without prior approval by the Board after full disclosure:

(a) Loans to Directors, officers, or key employees; (b) Guarantees of personal obligations of Directors, officers, or key employees; (c) Sale, lease, or exchange of Organization property to an Interested Person; (d) Purchase of property from an Interested Person; (e) Compensation arrangements with family members of Directors or officers, unless following an open competitive process; (f) Any other transaction that would result in private inurement or excess benefit.

5.2 Excess Benefit Transactions

No Director, officer, or key employee shall receive any benefit from the Organization that is excessive or unreasonable compared to benefits provided by similar organizations for similar services or property.

5.3 Political Activities

No Organization resources shall be used to support or oppose any candidate for public office or any political party, and no Director, officer, or key employee shall use their position to engage in partisan political activities.

SECTION 6: COMMON CONFLICT SCENARIOS

6.1 Compensation Decisions

When determining compensation for an Interested Person:

(a) The person shall recuse themselves from discussion and voting; (b) The Board shall use appropriate comparability data; (c) The decision shall be documented; (d) Independent Directors shall approve the compensation.

6.2 Business Relationships

If an Interested Person or their business has a relationship with a vendor, grantee, or contractor:

(a) Full disclosure is required; (b) Competitive bidding should be used when practicable; (c) The relationship must be demonstrably fair to the Organization; (d) The Board must approve the relationship after recusal.

6.3 Board Service on Other Organizations

Service on multiple boards can create conflicts:

(a) Directors shall disclose board memberships; (b) Potential conflicts arising from dual service must be disclosed; (c) Directors shall not share confidential information between organizations; (d) Directors shall recuse themselves when organizations have competing interests.

6.4 Employment of Family Members

Employment or contracting with family members requires:

(a) Prior Board approval; (b) Disclosure of the relationship; (c) Compliance with all Organization employment policies; (d) Documentation that the arrangement is in the best interest of the Organization; (e) No reporting relationship between family members.

SECTION 7: INVESTIGATION AND ENFORCEMENT

7.1 Duty to Report

All Directors, officers, and key employees have a duty to report suspected violations of this Policy to the Chair of the Board or, if the Chair is involved, to another Director.

7.2 Investigation

Upon receipt of a report of a potential violation:

(a) The Chair (or designated Director) shall review the allegation; (b) If warranted, an investigation shall be conducted; (c) The investigation shall be documented; (d) The results shall be reported to the Board or Executive Committee; (e) The Interested Person shall have an opportunity to respond.

7.3 Corrective Actions

If a violation of this Policy is confirmed, the Board may take appropriate corrective action, including:

(a) Requiring additional disclosure; (b) Requiring recusal from specific matters; (c) Requiring divestment of conflicting interests; (d) Suspension of the person from their position; (e) Removal from the Board or termination of employment; (f) Legal action to recover damages; (g) Reporting to appropriate authorities if laws were violated.

7.4 No Retaliation

The Organization prohibits retaliation against any person who reports a potential conflict in good faith, even if the report is later determined to be unsubstantiated.

SECTION 8: EDUCATION AND TRAINING

8.1 Orientation

All new Directors, officers, and key employees shall receive a copy of this Policy and complete an orientation on their duties and responsibilities within thirty (30) days of assuming their position.

8.2 Annual Review

All Directors, officers, and key employees shall review this Policy annually and acknowledge in writing their understanding and agreement to comply.

8.3 Ongoing Education

The Organization shall provide periodic training on conflict of interest issues, including: (a) Recognition of potential conflicts; (b) Proper disclosure procedures; (c) Recusal requirements; (d) Documentation requirements.

SECTION 9: RECORD KEEPING

9.1 Confidentiality

Disclosure statements and related documents shall be treated as confidential and shall be: (a) Maintained by the Secretary or designee; (b) Accessible only to the Board, auditors, and legal counsel; (c) Stored securely with appropriate access controls; (d) Retained for [SEVEN (7)] years after the person’s service ends.

9.2 Access

Directors may review their own disclosure statements upon request. Access to others’ statements requires a majority vote of the Board with a legitimate need to know.

SECTION 10: ANNUAL CERTIFICATION

Each Director, officer, and key employee shall annually sign and return the following certification:

ANNUAL CONFLICT OF INTEREST CERTIFICATION

I, _____________, certify that:

1. I have received and read the Conflict of Interest Policy of CivicOS Institute;
2. I understand my obligations under this Policy;
3. I have disclosed all actual and potential conflicts of interest as required;
4. I agree to comply with this Policy and promptly disclose any future conflicts;
5. I understand that failure to comply may result in removal from my position.

I have the following interests to disclose (attach additional sheets if necessary):

Signature: _________ Date: _______

Print Name: __________

Position: __________

SECTION 11: REVIEW AND AMENDMENT

This Policy shall be reviewed annually by the Board and amended as necessary to ensure compliance with applicable law and best practices. Any amendments must be approved by the Board of Directors.

SECTION 12: EFFECTIVE DATE

This Conflict of Interest Policy is effective as of [DATE] and supersedes all prior policies on this subject.

ADOPTED BY THE BOARD OF DIRECTORS:

Date: _______

[NAME], Secretary

APPENDIX A: COMMON EXAMPLES OF CONFLICTS OF INTEREST

The following are examples of situations that may create conflicts of interest. This list is illustrative, not exhaustive:

1. Compensation Arrangements
   • Voting on one’s own salary or benefits
   • Influencing the compensation of a family member
   • Receiving payments from Organization vendors
2. Business Relationships
   • Selling goods or services to the Organization
   • Purchasing goods or services from the Organization below market rates
   • Having an ownership interest in an Organization vendor or competitor
3. Governance Conflicts
   • Serving on the board of a competing organization
   • Using Organization resources for personal benefit
   • Disclosing confidential information for personal advantage
4. Gift Relationships
   • Accepting substantial gifts from vendors or grantees
   • Receiving entertainment that could influence decision-making
   • Offering preferential treatment to gift-givers
5. Employment Conflicts
   • Hiring or supervising family members
   • Influencing the hiring of friends or associates
   • Making personnel decisions affecting someone with whom one has a personal relationship

APPENDIX B: DISCLOSURE STATEMENT TEMPLATE

CONFLICT OF INTEREST DISCLOSURE STATEMENT

Personal Information Name: ____________ Position: __________ Date: ____________ Fiscal Year: ___________

Employment and Compensation

1. Do you receive compensation from the Organization? ☐ Yes ☐ No If yes, describe: _______

2. Do any family members receive compensation from the Organization? ☐ Yes ☐ No If yes, describe: _______

Business Interests

1. Do you have an ownership interest (>5%) in any entity that does business with the Organization? ☐ Yes ☐ No If yes, describe: _______

2. Do you serve on the board of or have a fiduciary duty to any organization that does business with or competes with the Organization? ☐ Yes ☐ No If yes, describe: _______

Financial Relationships

1. Do you have any financial relationship with any Organization vendor, grantee, or contractor? ☐ Yes ☐ No If yes, describe: _______

2. Are you negotiating any transaction or arrangement with the Organization? ☐ Yes ☐ No If yes, describe: _______

Gifts and Gratuities

1. Have you received any gifts or gratuities from Organization-related parties valued over $75? ☐ Yes ☐ No If yes, describe: _______

Other Potential Conflicts

1. Are you aware of any other circumstances that could create a conflict of interest? ☐ Yes ☐ No If yes, describe: _______

Certification I certify that the information provided above is true and complete to the best of my knowledge.

Signature: _________ Date: _______

IMPLEMENTATION CHECKLIST

• Board formally adopts Policy
• Policy distributed to all Directors, officers, and key employees
• Initial disclosure statements collected from all covered persons
• Orientation/training conducted
• Annual review process established
• Documentation procedures implemented
• Secure storage system established for disclosure statements
• Process for handling conflicts communicated to all stakeholders

Source: tmp/civicos-site/governance/data-privacy-security-policy.md

layout: default title: Data Privacy & Security Policy permalink: /governance/data-privacy-security-policy/ —

Data, Privacy & Security Policy

Document Number: 06
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Approved By: [BOARD/EXECUTIVE BODY]

1. Purpose and Scope

1.1 Purpose

This Data, Privacy & Security Policy establishes comprehensive standards for the collection, processing, storage, and protection of data by [ORGANIZATION NAME] (“Organization”). This policy reflects our commitment to respecting individual privacy, maintaining data security, and complying with applicable privacy regulations including GDPR, CCPA, and other relevant frameworks.

1.2 Scope

This policy applies to:

• All Personnel: Board members, officers, employees, volunteers, contractors, and agents
• All Data: Personal data, organizational data, and third-party data in our custody
• All Systems: Information technology systems, cloud services, and third-party processors
• All Activities: Data collection, processing, storage, transmission, and destruction
• All Locations: Physical offices, remote work, cloud environments, and partner systems

1.3 Policy Principles

1. Data Minimization: Collect only what is necessary
2. Purpose Limitation: Use data only for stated purposes
3. Privacy by Design: Build privacy into systems and processes
4. Security First: Protect data with appropriate safeguards
5. Transparency: Be clear about data practices
6. Individual Rights: Respect and enable data subject rights

2. Data Collection Principles

2.1 Lawful Basis for Processing

All data collection must have a lawful basis under applicable privacy law:

2.2 Data Minimization

Principle: Collect only data that is directly necessary for the specific purpose identified.

Requirements:

• Document the specific purpose for each data element collected
• Review collections annually for continued necessity
• Delete data when purpose is fulfilled (unless retention required)
• Do not collect “nice to have” data without explicit justification

Examples:

2.3 Purpose Limitation

Principle: Use data only for the purpose for which it was collected, unless compatible additional purpose or new consent obtained.

Compatible Purposes (generally permitted):

• Archiving in public interest
• Scientific or historical research
• Statistical analysis (anonymized)
• Internal operational improvements

Incompatible Purposes (require new basis):

• Marketing to non-consented individuals
• Selling or sharing with third parties
• Uses materially different from original purpose
• New data controller relationship

2.4 Collection Methods

Direct Collection:

• Web forms with clear privacy notices
• In-person with informed consent
• Phone with verbal privacy notice

Automated Collection:

• Website analytics (cookie consent required)
• System logs (anonymized where possible)
• Public sources (disclosed in privacy notice)

Third-Party Collection:

• Processor agreements required
• Verify third-party compliance
• Disclose source in privacy notice

3. Privacy Commitments

3.1 Core Privacy Pledge

The Organization commits to:

We Will NOT:

• Sell personal data to third parties
• Share data with third parties for their marketing
• Use data for purposes beyond those disclosed
• Retain data longer than necessary
• Collect data from children under 13 without parental consent
• Discriminate against individuals exercising privacy rights

We Will:

• Be transparent about data practices
• Provide meaningful privacy choices
• Protect data with appropriate security
• Honor data subject rights promptly
• Notify of breaches as required by law
• Regularly review and improve privacy practices

3.2 Privacy Notice Requirements

All collection points must include a privacy notice containing:

1. Identity: Who is collecting the data
2. Contact: Data protection officer contact
3. Purpose: Why data is being collected
4. Legal Basis: Lawful basis for processing
5. Recipients: Who data will be shared with
6. Transfers: International transfer safeguards
7. Retention: How long data will be kept
8. Rights: Data subject rights and how to exercise
9. Complaints: How to lodge complaints with authorities
10. Automated Decisions: Existence of profiling (if any)

3.3 Special Categories of Data

The following “special category” data receives enhanced protection:

Collection of special category data requires:

• Data Protection Impact Assessment (DPIA)
• Enhanced security measures
• Explicit opt-in consent (if consent basis)
• Documentation of lawful basis
• Limited access and strict need-to-know

3.4 Children’s Data

COPPA/GDPR Requirements:

• No collection from children under 13 without verifiable parental consent
• For 13-16: Informational notice sufficient (opt-out)
• Clear age gating on websites and services
• No behavioral advertising to children
• Enhanced security for children’s data

Verifiable Consent Methods:

• Credit card verification
• Signed consent form
• Video conference with parent
• Phone call with trained staff

4. Data Subject Rights

4.1 Rights Overview

Data subjects have the following rights:

4.2 Request Handling Procedures

Receipt:

• Acknowledge request within 72 hours
• Verify identity of requestor
• Log request in tracking system

Processing:

• Gather relevant data across systems
• Review for legal exemptions (e.g., legal obligation to retain)
• Prepare response in accessible format
• Quality assurance review

Response:

• Provide data or explanation of action taken
• Explain any exemptions applied
• Include information on appeal process
• Document completion

Extensions:

• Complex requests: May extend to 60 days with notification
• High volume: May extend with notification
• Must explain basis for extension

4.3 Exemptions and Limitations

Requests May Be Denied When:

Partial Response: When portions must be withheld, provide:

• Redacted version with explanation
• Basis for withholding (legal citation)
• Appeal rights

5. Security Baseline

5.1 Security Governance

Security Officer: [NAME/TITLE]
Responsibilities:

• Security policy development and enforcement
• Risk assessment and management
• Incident response coordination
• Security awareness training
• Vendor security evaluation

Security Committee:

• Cross-functional representation (IT, Legal, Operations)
• Monthly security reviews
• Incident post-mortems
• Policy approval authority

5.2 Access Controls

Principle of Least Privilege:

• Access granted on need-to-know basis
• Role-based access control (RBAC)
• Regular access reviews (quarterly)
• Immediate revocation upon termination

Authentication Requirements:

Password Policy:

• Minimum 12 characters
• Complexity required (upper, lower, number, special)
• No dictionary words or personal info
• Changed immediately if suspected compromise
• Password manager required

5.3 Encryption Standards

Data at Rest:

• Full disk encryption on all devices
• Database encryption (AES-256)
• Encrypted backups
• Secure key management (HSM or KMS)

Data in Transit:

• TLS 1.3 minimum for web traffic
• VPN for remote access
• SFTP/FTPS for file transfers
• Encrypted email for sensitive data

Key Management:

• Keys stored in hardware security module or cloud KMS
• Key rotation annually or on compromise
• Separation of duties for key access
• Key escrow for business continuity

5.4 Network Security

Perimeter Protection:

• Next-generation firewall with IDS/IPS
• DDoS protection
• Web application firewall (WAF)
• Regular penetration testing (annual)

Network Segmentation:

• VLAN separation by function
• Critical systems isolated
• Guest network separate from production
• Zero-trust architecture for remote access

Monitoring:

• 24/7 security monitoring
• SIEM for log aggregation and analysis
• Anomaly detection
• Threat intelligence feeds

5.5 Endpoint Security

Device Requirements:

• Organization-approved devices for work data
• MDM enrollment for all mobile devices
• EDR (Endpoint Detection and Response) on all endpoints
• Automatic updates and patching

Prohibited:

• Personal email for work data
• Unapproved cloud storage
• Unencrypted removable media
• Jailbroken/rooted devices

Remote Work:

• VPN required for system access
• Home network security recommendations
• Dedicated workspace guidance
• No work in public spaces with visible screens

5.6 Application Security

Development:

• Secure coding standards
• Code review requirements
• Dependency vulnerability scanning
• Static and dynamic security testing (SAST/DAST)

Production:

• Regular vulnerability scanning
• Patch management (critical: 24 hours, high: 7 days)
• Change management process
• Segregated production access

Third-Party:

• Security assessment before procurement
• Annual security review
• Right to audit clauses
• Incident notification requirements

5.7 Physical Security

Office Security:

• Badge access control
• Visitor escort required
• Clean desk policy
• Secure disposal (shredding)

Data Center / Server Room:

• Multi-factor physical access
• Environmental controls
• CCTV monitoring
• Fire suppression systems

Remote Work:

• Secure home office setup
• Privacy screens for laptops
• Safe storage of devices
• No unattended devices in public

6. Incident Response

6.1 Incident Classification

6.2 Incident Response Team

Core Team:

• Security Officer (Incident Commander)
• IT/Systems Administrator
• Legal Counsel
• Communications Lead
• Executive Sponsor

Extended Team (as needed):

• HR (personnel incidents)
• External forensics
• Law enforcement liaison
• Insurance carrier
• Affected system owners

6.3 Response Procedures

Phase 1: Detection and Analysis (0-1 hour)

1. Identify and confirm incident
2. Assign severity classification
3. Activate response team
4. Preserve evidence
5. Document timeline

Phase 2: Containment (1-4 hours)

1. Isolate affected systems
2. Block attack vectors
3. Prevent data exfiltration
4. Maintain business continuity where safe

Phase 3: Eradication (4-24 hours)

1. Remove attacker access
2. Patch vulnerabilities
3. Clean compromised systems
4. Verify integrity

Phase 4: Recovery (24-72 hours)

1. Restore from clean backups
2. Verify system integrity
3. Return to normal operations
4. Enhanced monitoring

Phase 5: Post-Incident (1-4 weeks)

1. Complete forensic analysis
2. Document lessons learned
3. Update security controls
4. Conduct post-mortem

6.4 Breach Notification

Legal Notification Requirements:

Internal Notification:

• Board Chair: Within 4 hours for Critical/High
• Full Board: Within 24 hours
• Insurance carrier: Within policy timeframe

External Communication:

• Draft by Legal and Communications
• Board approval required
• Transparent but legally protective
• Offer credit monitoring if SSN/financial involved

6.5 Documentation Requirements

Maintain for duration of litigation plus 7 years:

• Incident timeline
• All communications
• Forensic analysis
• Response actions taken
• Notification records
• Post-incident report
• Lessons learned

7. Third-Party Processors

7.1 Due Diligence

Before Engagement:

• Security questionnaire
• SOC 2 Type II or equivalent review
• Data Processing Agreement (DPA) execution
• Privacy Shield or SCCs for international transfers

Minimum Security Requirements:

• Encryption at rest and in transit
• Access controls and MFA
• Incident response capabilities
• Annual penetration testing
• Business continuity plan

7.2 Data Processing Agreements

All processors must sign DPA containing:

• Processing instructions and limitations
• Subprocessor authorization and notification
• Security measures and audits
• Breach notification (24-48 hours)
• Data subject rights assistance
• Return/destruction of data upon termination
• Audit rights

7.3 Ongoing Monitoring

Annual Review:

• Security certification renewal
• Incident history review
• Compliance attestation
• Contract compliance verification

Continuous Monitoring:

• Threat intelligence on processors
• News and breach monitoring
• Performance and availability

8. International Data Transfers

8.1 Transfer Mechanisms

From EU/EEA:

• Standard Contractual Clauses (SCCs) - mandatory
• Adequacy decisions (UK, limited others)
• Binding Corporate Rules (if applicable)

From UK:

• UK Addendum to SCCs
• UK adequacy regulations

From Other Jurisdictions:

• Local law compliance
• Contractual safeguards
• Data localization requirements

8.2 Transfer Impact Assessment (TIA)

Required before international transfers:

1. Document laws in destination country
2. Assess impact on data subject rights
3. Identify supplementary measures if needed
4. Implement additional safeguards
5. Periodic re-assessment

8.3 Supplementary Measures

When destination laws may impede data subject rights:

• Enhanced encryption (data encrypted with keys held in origin country)
• Pseudonymization before transfer
• Strict purpose limitation
• Enhanced monitoring

9. Compliance and Governance

9.1 Privacy by Design

All new projects and systems must undergo:

Privacy Impact Assessment (PIA) for:

• New data collections
• New processing activities
• Significant system changes
• New vendor relationships

Data Protection Impact Assessment (DPIA) for:

• Systematic monitoring
• Large-scale special category processing
• Automated decision-making with significant effects
• New technologies (AI, biometrics)

9.2 Training and Awareness

9.3 Audits and Assessments

Annual Activities:

• Security risk assessment
• Privacy compliance audit
• Penetration testing
• Vulnerability scanning
• Third-party security reviews

Quarterly Activities:

• Access reviews
• Policy compliance spot checks
• Incident metrics review
• Security metrics review

9.4 Record Keeping

Maintain for compliance:

• Processing activities records (ROPA)
• Consent records
• Data subject request logs
• DPIAs and PIAs
• Security assessments
• Incident reports
• Training records
• Processor agreements

Retention: Duration of processing plus [NUMBER] years

10. Implementation Notes

10.1 Immediate Actions (0-30 Days)

• Appoint Data Protection Officer / Privacy Officer
• Inventory all data processing activities (ROPA)
• Map all data flows and international transfers
• Review and update privacy notices
• Implement consent management platform
• Establish data subject request intake process

10.2 Short-Term Actions (30-90 Days)

• Complete DPIAs for high-risk processing
• Audit third-party processors for DPA compliance
• Deploy data subject rights request management system
• Conduct security risk assessment
• Implement security monitoring and alerting
• Develop incident response playbooks

10.3 Ongoing Actions

• Monthly security metrics review
• Quarterly access reviews
• Quarterly privacy compliance checks
• Annual penetration testing
• Annual policy and training refresh
• Annual ROPA update
• Continuous consent and preference management

10.4 Key Contacts

11. Regulatory Compliance Summary

11.1 GDPR (General Data Protection Regulation)

Applicability: Processing personal data of EU residents
Key Requirements:

• Lawful basis for processing
• Data subject rights
• Privacy by design
• Breach notification (72 hours)
• DPO (if required by scale/sensitivity)
• Records of processing activities

11.2 CCPA/CPRA (California)

Applicability: For-profit or non-profit with >$25M revenue or >100K CA residents’ data
Key Requirements:

• Privacy notice at collection
• Right to know, delete, opt-out
• Do not sell/share (opt-out link)
• Service provider contracts
• Consumer request fulfillment

11.3 Other State Laws

Monitor compliance requirements for:

• Virginia CDPA
• Colorado CPA
• Connecticut CTDPA
• Utah UCPA
• Emerging state privacy laws

11.4 Industry-Specific

If Applicable:

• HIPAA (health information)
• FERPA (educational records)
• GLBA (financial information)
• COPPA (children’s online privacy)

Document Control

Acknowledgment

I have received, read, and understood the Data, Privacy & Security Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________
Signature: _________
Date: _________

Source: tmp/civicos-site/governance/delegation-of-authority.md

layout: default title: Delegation of Authority permalink: /governance/delegation-of-authority/ —

CIVICOS INSTITUTE

DELEGATION OF AUTHORITY MATRIX

PURPOSE

This Delegation of Authority Matrix (“Matrix”) establishes clear boundaries for decision-making authority within CivicOS Institute (the “Organization”). It defines who has the power to:

• Sign contracts and legal documents
• Commit organizational funds
• Make binding commitments on behalf of the Organization
• Hire, manage, and terminate personnel
• Approve expenditures at various thresholds

This Matrix is a living document that shall be reviewed annually and updated as needed.

SECTION 1: DEFINITIONS

1.1 Authority Levels

1.2 Financial Thresholds

1.3 Contract Types

• Standard Contract: Routine agreements using Organization templates (e.g., standard NDAs, simple vendor agreements)
• Non-Standard Contract: Agreements with custom terms or significant liability exposure
• Strategic Contract: Multi-year agreements, partnership MOUs, major vendor relationships
• Employment Contract: Individual employment agreements
• Grant Agreement: Funding agreements with donors or recipients

SECTION 2: SIGNING AUTHORITY

2.1 Contract Signing Authority

*With specific written delegation from ED

2.2 Financial Document Signing Authority

*Primary signatory

2.3 Legal Document Signing Authority

SECTION 3: SPENDING AUTHORITY

3.1 Expenditure Approval Matrix

*New position creation requires Board notice; salary bands established by Board

3.2 Recurring vs. One-Time Expenses

3.3 Emergency Expenditure Authority

In emergency situations where delay would harm the Organization:

Emergency Expenditure Requirements:

• Must be necessary to prevent significant harm
• Must be documented within 24 hours
• Must be reported to Board at next meeting
• Retroactive Board ratification required for amounts over $[25,000]
• May not be used to circumvent normal approval processes

SECTION 4: PERSONNEL AUTHORITY

4.1 Hiring Authority

4.2 Compensation Authority

4.3 Termination Authority

SECTION 5: OPERATIONAL COMMITMENTS

5.1 Commitment Authority

5.2 Obligation Limits

No individual may commit the Organization to:

• Obligations exceeding their spending authority
• Multi-year commitments without appropriate approval
• Personal guarantees or surety obligations
• Unlimited liability or indemnification

SECTION 6: DELEGATION PROCEDURES

6.1 Formal Delegation

Authority may be formally delegated as follows:

6.2 Documentation of Delegation

All formal delegations must include:

• Scope of authority granted
• Financial limits, if applicable
• Duration of delegation
• Reporting requirements
• Conditions for revocation
• Signature of delegating authority

6.3 Revocation of Delegation

Delegation may be revoked by:

• The authority that granted it, at any time
• The Board, in its sole discretion
• Automatic revocation upon termination of employment
• Automatic revocation upon expiration of term

Revocation must be in writing and effective immediately upon notice.

SECTION 7: ACCOUNTABILITY AND REPORTING

7.1 Monthly Reporting

The Executive Director shall provide monthly reports to the Board including:

• Contracts executed (summary)
• Expenditures exceeding $[10,000]
• Personnel changes
• Emergency expenditures

7.2 Quarterly Reporting

The Treasurer shall provide quarterly reports including:

• All contracts exceeding $[25,000]
• Budget variance analysis
• Commitments and obligations outstanding
• Compliance with spending authority limits

7.3 Annual Review

The Board shall annually review:

• This Delegation Matrix
• Effectiveness of delegation structure
• Any proposed changes to authority levels
• Compliance and exceptions

7.4 Documentation Requirements

All delegations of authority must be documented:

• Contracts: Retained per Document Retention Policy
• Approvals: Evidence of approval attached to expenditure
• Delegations: Written documentation on file
• Reports: Minutes or written summaries

SECTION 8: PROHIBITED ACTIONS

The following actions are prohibited regardless of authority level:

1. Self-Dealing: No individual may approve a transaction in which they have a personal financial interest
2. Splitting Transactions: Breaking a single transaction into multiple smaller ones to circumvent authority limits
3. Retroactive Approval: Seeking approval after a commitment has been made, except in genuine emergencies
4. Conditional Commitments: Making commitments “subject to Board approval” without prior Board indication
5. Personal Liability: Committing to personal liability on behalf of the Organization
6. Gift Restrictions: Accepting gifts with conditions that violate Organization policy or law
7. Political Activity: Authorizing partisan political activities or campaign intervention

SECTION 9: EXCEPTIONS AND OVERRIDE

9.1 Board Override

The Board retains ultimate authority and may:

• Override any delegated decision
• Require additional approvals for specific matters
• Modify authority levels for specific transactions
• Suspend delegation in extraordinary circumstances

9.2 Conflict Resolution

If there is uncertainty about authority:

1. The matter shall be escalated to the next higher authority level
2. Legal counsel may be consulted
3. The conservative interpretation shall prevail pending resolution
4. The Board shall be notified of material ambiguities

SECTION 10: AMENDMENT

This Delegation of Authority Matrix may be amended by:

• Board resolution for changes to Board-level authority
• Board resolution for changes to ED-level authority
• ED with Board notice for administrative clarifications

APPENDIX A: SIGNATORY CARD TEMPLATE

BANK SIGNATORY AUTHORIZATION

Authorized Signatories for Account #[ACCOUNT NUMBER]

Dual Signature Required For: Amounts exceeding $[10,000]

APPENDIX B: DELEGATION CERTIFICATE TEMPLATE

CERTIFICATE OF DELEGATION

I, _____________, [TITLE], delegate to:

Name: ____________ Title: ____________

the following authority:

☐ Contract signing up to $_____ ☐ Expenditure approval up to $___ ☐ Hiring authority for positions up to: _______ ☐ Other: _________________

Conditions: _________________________

Duration: ☐ Ongoing ☐ Until: _______ ☐ Revocable at will

Reporting Requirements: _________________________

This delegation does not include authority to further delegate without written consent.

Delegating Authority: _________ Date: _______

Accepting Authority: __________ Date: _______

APPENDIX C: QUICK REFERENCE CHART

WHO CAN APPROVE WHAT?

IMPLEMENTATION NOTES

1. Customize Thresholds: Adjust all bracketed dollar amounts based on Organization budget size and risk tolerance
2. Bank Documentation: Provide this Matrix to all banking institutions holding Organization funds
3. Training: Train all authorized signatories on their responsibilities
4. Insurance: Ensure appropriate Directors & Officers (D&O) and fidelity bond coverage
5. Annual Review: Review and update this Matrix as part of annual governance review
6. Legal Review: Have an attorney review to ensure compliance with state law and banking requirements

Source: tmp/civicos-site/governance/document-retention-policy.md

layout: default title: Document Retention Policy permalink: /governance/document-retention-policy/ —

Document Retention & Records Policy

Document Number: 04
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Approved By: [BOARD/EXECUTIVE BODY]

1. Purpose and Scope

1.1 Purpose

This Document Retention & Records Policy establishes consistent guidelines for the creation, retention, storage, and destruction of organizational records for [ORGANIZATION NAME] (“Organization”). This policy ensures compliance with legal and regulatory requirements, supports operational efficiency, and protects the Organization from liability associated with improper records management.

1.2 Scope

This policy applies to:

• All Personnel: Board members, officers, employees, volunteers, contractors, and agents
• All Records: Regardless of format (paper, electronic, audio, video, photographic)
• All Locations: Physical offices, remote work environments, cloud storage, and third-party services
• All Activities: Past, present, and future organizational operations

2. Records Classification and Retention Requirements

2.1 Permanent Retention (Indefinite)

The following records must be retained permanently:

Storage: Fireproof safe or secure offsite facility with climate control. Digital copies in redundant, encrypted cloud storage with geographic distribution.

2.2 Financial Records (7 Years)

The following financial records must be retained for seven (7) years:

Storage: Secure filing system with limited access. Digital records encrypted with role-based access controls.

2.3 Operational Records (3-7 Years)

*Exception: Emails related to litigation, regulatory matters, or permanent retention categories must be retained according to those categories.

2.4 Short-Term Retention (1-3 Years)

2.5 Immediate Destruction (Upon Processing)

The following may be destroyed immediately after processing:

• Junk mail and spam
• Duplicate copies (unless serving a specific purpose)
• Transitory communications (meeting scheduling, lunch orders)
• Superseded drafts with no historical value
• Convenience copies of official records

3. Electronic Records Management

3.1 Electronic Storage Standards

Cloud Storage Requirements:

• Use Organization-approved cloud providers only: [PROVIDER NAMES]
• Minimum encryption: AES-256 at rest, TLS 1.3 in transit
• Geographic redundancy: Data replicated across minimum [NUMBER] regions
• Access logging enabled for all repositories
• Version history maintained for [DURATION]

Prohibited Storage:

• Personal cloud accounts (Dropbox personal, Google Drive personal, etc.)
• Unencrypted removable media (USB drives, external hard drives)
• Personal email accounts for Organization business
• Public file-sharing services without password protection and expiration dates

3.2 Backup Procedures

3.3 Email Retention

Automatic Archival:

• All emails retained in searchable archive for 3 years
• Litigation hold suspends automatic deletion
• Users may not manually delete emails subject to hold

Mailbox Management:

• Active mailbox size limit: [SIZE] per user
• Auto-archival to compliant storage after [TIME PERIOD]
• Personal folders must sync to approved cloud storage

4. Records Destruction Procedures

4.1 Destruction Authorization

No records may be destroyed without proper authorization:

1. Department Head Review: Identifies records eligible for destruction
2. Legal/Compliance Review: Confirms no litigation holds or regulatory requirements
3. Approval: [DESIGNATED OFFICIAL] authorizes destruction
4. Execution: Approved destruction method applied
5. Certificate of Destruction: Documentation maintained per retention schedule

4.2 Destruction Methods

4.3 Destruction Schedule

Quarterly Review:

• Records eligible for destruction identified
• Hold verification conducted
• Destruction batch approved

Annual Certification:

• Complete inventory of destroyed records
• Certificates of destruction filed
• Policy compliance attestation to Board

5. Litigation Hold Procedures

5.1 Triggering Events

A litigation hold (“legal hold”) must be implemented upon:

• Receipt of subpoena, discovery request, or other legal process
• Threatened or pending litigation (internal or external)
• Regulatory investigation or audit notice
• Internal investigation where records may be relevant
• Reasonable anticipation of legal action

5.2 Hold Implementation

Step 1: Notice (Within 24 Hours)

• DESIGNATED LEGAL COUNSEL issues litigation hold notice
• Notice distributed to all relevant personnel
• IT/Systems Administrator implements technical holds

Step 2: Identification

• Identify all custodians with potentially relevant records
• Map all relevant systems, devices, and storage locations
• Document scope of relevant time period and subject matter

Step 3: Preservation

• Suspend automatic deletion protocols
• Preserve records in native format with metadata
• Create forensic images when necessary
• Prevent custodian self-collection

Step 4: Monitoring

• Quarterly reminders to custodians
• Updated notices as litigation scope changes
• New employee onboarding to hold obligations

5.3 Hold Release

• Hold released only upon written authorization from DESIGNATED LEGAL COUNSEL
• Release documented with date, scope, and authorization
• Normal retention resumes for non-hold records
• Hold-related records retained per litigation outcome

5.4 Hold Documentation

Maintain for duration of litigation plus 7 years:

• Original hold notice and all updates
• Custodian acknowledgment receipts
• Hold compliance certifications
• Records produced in litigation

6. Roles and Responsibilities

6.1 Board of Directors

• Approve Document Retention & Records Policy
• Review annual compliance reports
• Authorize exceptions in extraordinary circumstances

6.2 Executive Director / CEO

• Overall accountability for policy implementation
• Appoint Records Management Officer
• Approve destruction of significant record categories

6.3 Records Management Officer

Designated Officer: [NAME/TITLE]

• Day-to-day administration of retention program
• Develop and maintain retention schedules
• Coordinate litigation hold implementation
• Conduct training and awareness programs
• Maintain certificates of destruction

6.4 Department Heads

• Implement department-specific retention procedures
• Identify records eligible for destruction
• Ensure staff compliance with retention requirements
• Report suspected violations

6.5 All Personnel

• Comply with all retention and destruction requirements
• Maintain records in approved systems only
• Report litigation triggers immediately
• Complete required training

6.6 IT / Systems Administrator

• Implement technical controls for retention
• Execute secure deletion procedures
• Maintain backup and archival systems
• Support litigation hold technical requirements

7. Privacy and Confidentiality

7.1 Confidential Records

Records containing the following require enhanced handling:

• Personally identifiable information (PII)
• Protected health information (PHI)
• Financial account numbers
• Social Security Numbers
• Donor financial information
• Personnel medical information
• Attorney-client privileged communications

7.2 Handling Requirements

Access Control:

• Role-based access on need-to-know basis
• Multi-factor authentication for sensitive repositories
• Access logging and quarterly review

Transmission:

• Encryption required for all external transmission
• Secure file transfer for files exceeding [SIZE]
• Password-protected documents with separate password delivery

Disposal:

• Immediate shredding for paper documents
• Cryptographic erasure for electronic files
• Certificate of destruction for bulk disposal

8. Compliance and Monitoring

8.1 Training Requirements

8.2 Audit and Review

Annual Internal Audit:

• Random sample of record categories
• Compliance with retention schedules
• Secure destruction verification
• Litigation hold compliance

Policy Review:

• Full policy review every [NUMBER] years
• Ad hoc updates for legal/regulatory changes
• Board approval for material amendments

8.3 Violations and Remedies

Policy Violations:

• Failure to follow retention schedules
• Unauthorized destruction of records
• Storage in non-approved systems
• Failure to report litigation triggers

Consequences:

• First occurrence: Remedial training
• Repeated occurrences: Disciplinary action up to and including termination
• Legal violations: Referral to legal counsel

9. Implementation Notes

9.1 Immediate Actions (0-30 Days)

• Designate Records Management Officer
• Inventory existing record categories
• Identify and contract with secure destruction vendor
• Implement litigation hold notification procedures
• Deploy records management training for all staff

9.2 Short-Term Actions (30-90 Days)

• Audit current storage systems for compliance
• Migrate non-compliant records to approved systems
• Establish backup verification procedures
• Create department-specific retention guides
• Implement access control reviews

9.3 Ongoing Actions

• Quarterly destruction batch processing
• Annual policy training refresh
• Annual compliance audit
• Regular review of retention schedules against legal requirements

9.4 Template Forms

The following supporting documents should be developed:

• Records Destruction Request Form
• Certificate of Destruction Template
• Litigation Hold Notice Template
• Hold Release Authorization Form
• Quarterly Compliance Report Template

10. Policy Exceptions

Exceptions to this policy require:

1. Written request with business justification
2. Legal counsel review and approval
3. [DESIGNATED EXECUTIVE] authorization
4. Documentation of exception and duration
5. Annual review of ongoing exceptions

No exceptions may circumvent legal or regulatory retention requirements.

Document Control

Acknowledgment

I have received, read, and understood the Document Retention & Records Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.

Employee Name: _________
Signature: _________
Date: _________

Source: tmp/civicos-site/governance/ip-licensing-policy.md

layout: default title: IP & Licensing Policy permalink: /governance/ip-licensing-policy/ —

Intellectual Property & Licensing Policy

Document Number: 05
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Approved By: [BOARD/EXECUTIVE BODY]

1. Purpose and Scope

1.1 Purpose

This Intellectual Property & Licensing Policy establishes guidelines for the creation, protection, management, and licensing of intellectual property assets for [ORGANIZATION NAME] (“Organization”). This policy ensures that IP assets are properly identified, protected, and leveraged to advance the Organization’s mission while respecting the rights of others and complying with open source community norms.

1.2 Scope

This policy applies to:

• All Personnel: Board members, officers, employees, volunteers, contractors, interns, and contributors
• All IP Types: Copyrights, trademarks, patents, trade secrets, and proprietary information
• All Activities: Research, development, content creation, software development, and collaboration
• All Works: Created during organizational activities, using organizational resources, or within scope of engagement

2. IP Ownership Framework

2.1 Work-for-Hire and Assignment

Employee-Created IP: All intellectual property created by employees within the scope of their employment is the exclusive property of the Organization. This includes, but is not limited to:

• Software code and documentation
• Research findings and publications
• Educational materials and curricula
• Designs, graphics, and multimedia content
• Processes, methodologies, and know-how
• Data sets and databases

Contractor-Created IP: All contractor engagements must include explicit IP assignment clauses ensuring Organization ownership of deliverables. Standard contract language requires:

• Assignment of all IP rights in deliverables
• License to underlying pre-existing IP incorporated into deliverables
• Waiver of moral rights where applicable
• Cooperation in registration and enforcement

Volunteer and Contributor IP: Volunteers and external contributors must execute a Contributor License Agreement (CLA) or equivalent assignment before contributions are accepted. See Section 6 for CLA requirements.

2.2 Pre-Existing IP

Personnel retain ownership of IP developed:

• Prior to engagement with Organization
• Outside scope of employment/engagement
• Without use of organizational resources
• Unrelated to organizational mission or activities

Personnel must disclose pre-existing IP that may relate to organizational work to avoid conflicts.

2.3 Joint Development

When IP is developed jointly with third parties:

• Execute joint development agreement before work commences
• Define ownership splits, licensing rights, and commercialization
• Establish decision-making authority for enforcement and licensing
• Document each party’s contributions

3. Open Source Licensing Policy

3.1 Philosophy and Preferences

The Organization is committed to open source principles and supports broad access to its innovations. Our licensing philosophy prioritizes:

1. Mission advancement over commercial restrictions
2. Adoption and impact through permissive terms
3. Community collaboration through standard licenses
4. Attribution to recognize contributions

3.2 License Selection Framework

Tier 1: Preferred Licenses (Default)