CorpSE

Appearance

Technical Compliance, Privacy & Security

1. Overview & Mandate

Business Unit Purpose Technical Compliance, Privacy & Security is responsible for defining, maintaining, and governing MorgueBoard®’s technical security posture and compliance readiness. This business unit ensures that the platform meets enterprise healthcare expectations for data protection, risk management, and auditability while enabling—not blocking—product development and delivery.

Mandate Statement Technical Compliance, Privacy & Security exists to protect customer data, reduce organizational risk, and maintain regulatory and contractual trust through clear standards, proactive risk management, and continuous compliance readiness.

Primary Accountability Owner

  • Primary: Technical Compliance & Security Owner
  • Supporting: Engineering, Operations, Legal
  • Fractional / External: Security & Compliance Advisory Partners (e.g., SOC 2 / audit support)

2. Core Functions & Responsibilities

Core Functions

  • Security architecture and control definition
  • HIPAA technical safeguards governance
  • SOC 2 readiness, maintenance, and evidence oversight
  • Vulnerability management and penetration testing coordination
  • Incident response planning and coordination
  • Technical vendor risk assessment
  • Security policy and standards management

Explicit Responsibilities

  • Define technical security and privacy standards for the platform
  • Own scope, posture, and readiness for SOC 2 and similar audits
  • Establish vulnerability management and remediation expectations
  • Coordinate and document penetration testing and security assessments
  • Oversee incident response processes and post-incident reviews
  • Partner with Engineering to embed security-by-design practices
  • Maintain security documentation and audit evidence

Explicit Non-Responsibilities

  • Engineering implementation or delivery execution
  • Product roadmap ownership or prioritization
  • Clinical or operational compliance interpretation
  • Contract negotiation or legal interpretation

3. Fractional & Embedded Capability Partners

This section documents ongoing fractional or embedded partners that function as extensions of this business unit. These partners provide executional capability for defined scopes while internal ownership and accountability remain with MorgueBoard LLC.

PartnerCapability ProvidedEngagement TypeAccountability BoundaryPrimary Engagement ContactNotes
Genius GRCSOC 2 program execution, audit readiness support, evidence management, and compliance advisoryFractional / EmbeddedExecution support only; compliance accountability retained internallyEric Shoemaker, CISSP — Advisory CISO / OwnerOngoing, annual engagement required to maintain SOC 2 posture
Advantage PartnersIndependent SOC 2 audit execution and attestationIndependent Audit PartnerIndependent assurance only; no execution or advisory authoritySOC 2 Engagement Lead (per audit engagement)Annual SOC 2 Type II audits; recurring audit partner

4. Decision Rights & Authority Boundaries

Important Context The decision rights outlined in this section are intentionally high-level and directional. Formal, binding authority, escalation paths, and governance mechanisms are defined in the company’s Decision Rights & Governance Policy and supporting compliance documentation. In the event of conflict, formal policy prevails.

Technical Compliance, Privacy & Security Owns Decisions Regarding:

  • Security and privacy standards applicable to the platform
  • Compliance scope, audit posture, and risk acceptance (technical)
  • Required remediation for identified security risks
  • Incident classification and response requirements

Does Not Own:

  • Technical implementation approaches (Engineering)
  • Feature scope or prioritization (Product Management)
  • Customer deployment timelines (Implementation)
  • Budget approval authority (Executive Leadership / Finance)

Escalation Triggers:

  • Security risks that materially impact customer trust or contractual obligations
  • Conflicts between delivery timelines and security requirements
  • Material audit findings or unresolved control gaps

5. Key Interfaces & Dependencies

InterfaceNature of Interaction
Engineering / R&DSecurity controls, remediation guidance, secure design alignment
Product ManagementEarly identification of compliance-impacting features
OperationsPolicy management, tooling, and internal process alignment
Legal & Contract ManagementContractual security obligations and risk interpretation
Customer Success / SalesSecurity questionnaires, trust enablement, escalations

6. Budget Ownership & Cost Structure

Compliance & Security Budget Scope

  • Security and compliance tooling
  • Audit and assessment costs (e.g., SOC 2)
  • Penetration testing and vulnerability scanning
  • Fractional or advisory security resources
  • Training related to security and compliance

Budget Ownership Model

  • Technical Compliance manages spend within an approved budget
  • Executive Leadership and Finance approve annual budgets and material increases
  • Spend must be justified by risk reduction, audit readiness, or contractual necessity

7. General KPIs & Performance Metrics

Security Posture

  • Number of open vs. remediated vulnerabilities
  • Time to remediate critical findings
  • Frequency and severity of security incidents

Compliance Readiness

  • Audit findings by severity
  • Time to close audit remediation items
  • Completeness and freshness of audit evidence

Operational Enablement

  • Responsiveness to security questionnaires
  • Reduction in security-related delivery blockers

8. Maturity Roadmap

Current State Founder-led security and compliance oversight with reliance on periodic assessments and limited continuous monitoring.

Next State Defined security standards, continuous vulnerability management, and predictable audit readiness supported by fractional expertise.

Future State Proactive, continuously monitored security and compliance program with minimal founder dependency and strong enterprise credibility.

9. Document Revision History

VersionDateDescription of ChangeAuthorApproved ByApproval Date
1.02026-01-04Document CreationNic Bavetta