ISO 32001 — Document Management

1. Document Management Commitment

TOV «Sinaptic AI» (“Sinaptic”) recognizes that effective document management is essential to operational efficiency, regulatory compliance, knowledge preservation, and the delivery of high-quality AI products and services. As an AI company operating in regulated markets, we manage extensive documentation spanning technical specifications, policy documents, contractual agreements, compliance records, and operational procedures.

Sinaptic is committed to establishing and maintaining a document management framework aligned with the principles of ISO 32001, ensuring that documents and records are created, organized, stored, maintained, accessed, and disposed of in a controlled, consistent, and auditable manner throughout their lifecycle.

This commitment is driven by our understanding that in a highly regulated environment — where compliance with the GDPR, EU AI Act, ISO 27001, and other standards is paramount — robust document governance is not an administrative overhead but a strategic capability that supports accountability, transparency, and trust.

2. Governance of Documents and Records

Sinaptic’s document governance framework establishes clear structures for the management of all organizational documents and records:

2.1 Document Classification

All documents within Sinaptic are classified according to the following taxonomy:

• Policy Documents: High-level statements of organizational intent and direction, approved by senior leadership. This includes the Privacy Policy, AI Ethics Policy, Information Security Policy, and other governance documents.
• Procedural Documents: Step-by-step instructions for carrying out specific processes, including standard operating procedures, work instructions, and runbooks.
• Technical Documentation: System architecture documents, API specifications, model cards, deployment guides, and configuration references for Browser DLP, Sinaptic AI Intent Firewall®, and Sinaptic® DROID+.
• Contractual Documents: Client agreements, Data Processing Agreements, vendor contracts, NDAs, and partnership agreements.
• Compliance Records: Audit reports, risk assessments, incident records, data protection impact assessments, training records, and certification documentation.
• Operational Records: Meeting minutes, decision logs, project documentation, and communication records.

2.2 Document Lifecycle Management

Each document follows a defined lifecycle managed through our document management system:

1. Creation: Documents are created using approved templates that include metadata fields (author, date, version, classification, owner, review date). All documents are assigned a unique identifier.
2. Review and Approval: Documents undergo peer review and approval by designated authorities before publication. Technical documents are reviewed by subject matter experts. Policy documents require senior leadership approval.
3. Publication and Distribution: Approved documents are published through controlled channels, ensuring that authorized personnel have access to current versions. Distribution lists are maintained for documents requiring proactive dissemination.
4. Version Control: All documents are version-controlled with clear version numbering, change histories, and identification of the nature of changes between versions. Only the current approved version is accessible for operational use; previous versions are archived.
5. Periodic Review: Documents are reviewed at defined intervals (typically annually for policy documents, quarterly for operational procedures, or upon significant change in context). Reviews assess continued accuracy, relevance, and compliance.
6. Revision: When updates are necessary, documents go through the full review and approval cycle before the revised version is published.
7. Archival: Superseded documents are archived with appropriate retention metadata, clearly marked as non-current, and stored in a manner that supports retrieval for historical reference or legal purposes.
8. Disposal: Documents that have exceeded their retention period and are no longer required for legal, regulatory, or business purposes are securely disposed of in accordance with our information security and data protection policies.

2.3 Access Control

Access to documents is controlled based on the principle of need-to-know and aligned with information security classification:

• Public: Documents intended for external audiences (this policy, published product documentation).
• Internal: Documents accessible to all Sinaptic employees (internal procedures, organizational announcements).
• Confidential: Documents accessible only to specific teams or roles (financial records, strategic plans, individual performance records).
• Restricted: Documents accessible only to named individuals (board materials, certain contractual documents, security incident details).

2.4 Records Management

Records — documents that serve as evidence of activities performed or results achieved — are subject to additional governance:

• Records are immutable once finalized; modifications are not permitted without creating a new record version with documented justification.
• Retention periods are defined for each record type, based on legal requirements, contractual obligations, and business needs.
• Records related to GDPR compliance (processing activity records, consent records, breach records, DPIA records) are retained in accordance with regulatory requirements and supervisory authority guidance.
• Records supporting ISO certifications are retained for at least one full certification cycle beyond the period they cover.
• Audit trails track all access to, and modifications of, records in the document management system.

3. Scope

This document management framework applies to:

• All documents and records created, received, or maintained by Sinaptic in the course of business operations.
• All formats, including electronic documents, digital records, paper documents (where applicable), and structured data stored in databases and information systems.
• All Sinaptic personnel, including employees, contractors, and third parties who create, handle, or access Sinaptic documents.
• All organizational functions, including product development, service delivery, compliance, human resources, finance, and corporate governance.

Customer data processed through Sinaptic products is governed separately by the applicable Data Processing Agreement and Privacy Policy, though documents and records generated by Sinaptic in relation to such processing (e.g., processing logs, compliance records) fall within the scope of this framework.

4. Roles and Responsibilities

• Senior Leadership: Approves the document management policy, allocates resources, and ensures organizational commitment to effective document governance.
• Document Owners: Designated individuals responsible for the accuracy, currency, and appropriateness of specific documents. Document owners initiate reviews and approve revisions.
• Compliance Team: Oversees adherence to the document management framework, conducts periodic audits of document control practices, and manages regulatory records.
• IT/Infrastructure Team: Maintains the document management system infrastructure, including access controls, backup, and security measures.
• All Personnel: Responsible for creating, handling, and storing documents in accordance with this framework, using approved templates and systems, and reporting any document management issues.

5. Technology and Tools

Sinaptic utilizes purpose-built document management tools that provide:

• Centralized, searchable document repositories with metadata-driven organization.
• Automated version control with change tracking and comparison capabilities.
• Workflow automation for review, approval, and publication processes.
• Role-based access controls integrated with our identity and access management systems.
• Audit logging of all document access, creation, modification, and deletion events.
• Automated retention management with alerts for approaching review dates and expiring retention periods.
• Integration with other business systems (project management, compliance tracking, customer relationship management).

6. Compliance Integration

Our document management framework is integrated with our broader compliance program:

• GDPR: Records of processing activities (Article 30), breach records (Article 33), and DPIA documentation (Article 35) are managed within this framework.
• EU AI Act: Technical documentation (Article 11, Annex IV), conformity assessment records, and post-market monitoring documentation are governed by these procedures.
• ISO 27001: ISMS documentation, risk registers, audit reports, and control evidence are maintained in accordance with both ISO 27001 and this document management framework.
• ISO 9001: QMS documentation, quality records, and corrective action records are integrated into this governance structure.

7. Continuous Improvement

The document management framework is subject to periodic review and continuous improvement. Internal audits assess compliance with document management procedures, and findings are tracked through the corrective action process. User feedback on document management tools and processes is collected and incorporated into improvement plans. Key performance indicators — including document review completion rates, average time to publication, and audit finding trends — are monitored and reported to management.