Article 15. Data, Security & Privacy

Last modified: September 5, 2025

(Swiss Verein; Zug register; principal base Geneva. This Article sets GRF’s standards, governance and controls for data, models, cybersecurity and privacy. It binds all bodies and programs (Arts. 6, 10) and operates through the Council System of Record (Art. 13) with CB Clearance for material processing and cross-border flows (Arts. 9, 12). EN controls; FR/DE companions provided operationally. Related annexes: L (Identity & InfoSec), T (Data/Model Governance & Licenses), W (Records Schedule), Z (Continuity & DR), AA (Digital Assets/Carbon), AB (Open Contracting & Integrity).)


15.1 Standards Alignment (ISO/IEC/OGC/WMO/IEEE)

15.1.1 Governing Baselines

(a) Information Security: ISO/IEC 27001 ISMS with ISO/IEC 27002 controls; cloud controls aligned to ISO/IEC 27017/27018 and CSA STAR.
(b) Privacy & AI Risk: ISO/IEC 27701 (PIMS), ISO/IEC 23894 (AI risk mgmt), NIST AI RMF; EU AI Act readiness (non-binding, forward-compatible).
(c) Software & Supply Chain: Secure SDLC practices; SBOM per SPDX; build integrity per SLSA L2+; code signing and artifact verification.
(d) Geospatial & EO: OGC API standards (Features, Tiles, Coverages), STAC catalogues, CF conventions/NetCDF, sensor lineage; WMO data exchange where applicable.
(e) Telemetry & Reliability: IEEE 1588 (time sync) where required; IEC/IEEE for grid/critical-infra interfaces; ITU-T X-series (security) as informative references.

15.1.2 Internal Policies & Certification

(a) The EM maintains an ISMS and PIMS mapped to the baselines above; the CB audits alignment annually.
(b) External certifications (e.g., ISO/IEC 27001/27701) may be pursued by Board decision; surveillance audits are recorded in the Council Register and gazetted where material.


15.2 Data & Model Governance (Cards; Validation; Provenance)

15.2.1 Scope & Roles

(a) Scope: all datasets, models, code, and decision aids used in DRR/DRF/DRI Programs and Tracks (Art. 10).
(b) Roles: Data Steward (EM) maintains policy; Model Steward (SLB/EM) manages model lifecycle; CB enforces materiality gates and provenance; Chairs ensure sprint-level compliance.

15.2.2 Classification & Lifecycle

(a) Classification: Public / Internal / Restricted / Secret; default to minimization and need-to-know.
(b) Lifecycle: collection → ingestion → storage → processing → sharing/publication → archival/deletion; each stage must carry purpose, legal basis, retention, security controls, and ownership metadata in the CSR (Art. 13).

15.2.3 Data Cards (per Release) (Annex T templates)

Mandatory fields: sources (EO/in-situ; admin/regulatory; alt/OSINT), licenses, sampling/coverage bias, preprocessing, validation methods, uncertainty ranges, limitations, known harms, QA/QC results, retention, and provenance hash.

15.2.4 Model Cards (per Algorithm) (Annex T templates)

Mandatory fields: intended use & boundaries; inputs/features; training/validation sets; performance (incl. calibration & error bars); fairness & drift checks; explainability notes; adversarial/robustness tests; update cadence; failure modes; safeguards; license; provenance hash.

15.2.5 Validation, Red-Team & Acceptance

(a) Validation: statistical and out-of-sample tests; uncertainty disclosure; posterior predictive checks for Bayesian models.
(b) Red-Team: cadence based on risk; challenge assumptions, data lineage, and decision thresholds; findings tracked to closure.
(c) Acceptance gates: TRL/PRL/CRL/DRL criteria (Annex V, referenced in Art. 10) with Clearance ID for high-stakes deployment.

15.2.6 Provenance & Integrity

(a) Every material dataset/model carries a CSR URI and a cryptographic hash of its canonical content; supersessions are append-only (a new version records the URI and hash of the version it replaces; earlier entries are never rewritten in place).
(b) Content authenticity (where feasible) uses open provenance frameworks (e.g., C2PA content credentials: signed manifests, optionally bound to the media by watermark-based soft bindings) without reliance on proprietary lock-in.
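The following is an added illustration of the provenance mechanics in 15.2.3 (provenance hash on a Data Card) and 15.2.6(a) (CSR URI plus hash, append-only supersession). It is not GRF's own tooling: the `csr://` URI form, the JSON record layout, the hash-chaining of log entries and the choice of SHA-256 are assumptions made here, and the sample dataset rows are constructed. Each register entry binds a CSR URI to the hash of the artifact and the hash of its card, links to the previous entry, and may name the URI it supersedes; `verify()` recomputes every hash and link, so an in-place rewrite of an earlier entry is detected.

```python
import hashlib
import json
from typing import Optional


def canonical_bytes(obj) -> bytes:
    """Canonical JSON (sorted keys, no whitespace): identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sha256_tag(data: bytes) -> str:
    """Self-describing 'sha256:<hex>' form so the algorithm can be rotated later without ambiguity."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class ProvenanceLog:
    """Append-only register keyed by (assumed) csr:// URIs; hash-chained so history cannot be edited."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, csr_uri: str, artifact: bytes, card: dict, supersedes: Optional[str] = None) -> dict:
        if any(e["csr_uri"] == csr_uri for e in self.entries):
            raise ValueError(f"CSR URI already registered: {csr_uri}")
        if supersedes is not None and not any(e["csr_uri"] == supersedes for e in self.entries):
            raise ValueError(f"supersedes unknown CSR URI: {supersedes}")
        body = {
            "seq": len(self.entries),
            "csr_uri": csr_uri,
            "artifact_hash": sha256_tag(artifact),            # hash of the dataset/model bytes
            "card_hash": sha256_tag(canonical_bytes(card)),   # the card's provenance hash (15.2.3)
            "supersedes": supersedes,                         # earlier URI this version replaces
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else None,
        }
        entry = dict(body, entry_hash=sha256_tag(canonical_bytes(body)))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every entry hash and chain link; any edit, reordering or dangling supersession fails."""
        prev = None
        seen = set()
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if sha256_tag(canonical_bytes(body)) != e["entry_hash"]:
                return False
            if e["csr_uri"] in seen or (e["supersedes"] is not None and e["supersedes"] not in seen):
                return False
            seen.add(e["csr_uri"])
            prev = e["entry_hash"]
        return True

    def current(self, csr_uri: str) -> Optional[dict]:
        """Follow supersession links forward to the latest registered version of an artifact."""
        forward = {e["supersedes"]: e["csr_uri"] for e in self.entries if e["supersedes"]}
        while csr_uri in forward:          # terminates: each link points to a later entry
            csr_uri = forward[csr_uri]
        return next((e for e in self.entries if e["csr_uri"] == csr_uri), None)


def demo() -> dict:
    """Constructed walk-through: register v1, supersede it with v2, then simulate a forbidden rewrite."""
    log = ProvenanceLog()
    v1 = b"admin_unit,exposed_pop\nGE-01,12000\nGE-02,4500\n"   # constructed sample rows
    card = {"sources": ["EO", "admin"], "license": "CC-BY-4.0", "uncertainty": "±8%"}
    log.append("csr://datasets/flood-exposure/v1", v1, card)
    log.append("csr://datasets/flood-exposure/v2", v1 + b"GE-03,3100\n",
               dict(card, uncertainty="±6%"), supersedes="csr://datasets/flood-exposure/v1")
    ok_before = log.verify()
    latest = log.current("csr://datasets/flood-exposure/v1")["csr_uri"]
    log.entries[0]["artifact_hash"] = sha256_tag(b"rewritten history")   # in-place edit of a past entry
    return {"ok_before": ok_before, "latest": latest, "ok_after": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The chain link (`prev_entry_hash`) is what makes the register append-only in practice: a supersession adds a new entry pointing back at the old one, and silently rewriting the old one invalidates every later hash. Anchoring the latest `entry_hash` somewhere the Council System of Record's operators cannot alter (a signed periodic digest, for instance) is the step that turns tamper-evidence into tamper-resistance.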

15.2.7 Access, Licensing & Open-by-Default

(a) Open by default for methods and non-identifying aggregates; exceptions require CB-cleared necessity and expiry.
(b) Licenses are non-exclusive/FRAND or open; core marks and identity are never co-branded (Art. 3).

15.2.8 PETs & Sensitive Processing

Use privacy-enhancing technologies where proportionate (pseudonymization, anonymization with re-id testing, differential privacy, secure enclaves, federated learning, MPC). PET selection and parameters are recorded in the Data/Model Card.

15.2.9 High-Risk Triggers (CB Clearance)

CB Pre-Clearance is mandatory for: (i) cross-border transfers of Restricted/Secret data, (ii) linkage of personal/sensitive data with EO/admin sources, (iii) deployment of decision aids in public/critical services, (iv) any donor-conditioned data/model work (normally prohibited under Art. 3).


15.3 Cybersecurity (IR; DR/BCP; Testing; Vendor Security)

15.3.1 Governance & Architecture

(a) CISO (EM) owns cyber program; CB verifies material controls via Clearances and audits.
(b) Identity-first architecture: single sign-on, MFA mandatory, RBAC/ABAC with just-in-time provisioning; PAM for privileged operations; session recording for admin actions.
(c) Crypto: TLS (1.2 or later) in transit; AES-256 at rest; HSM-backed key custody with dual control and scheduled rotation; roadmap to post-quantum suites (Annex Z).

15.3.2 Monitoring & Logging

Centralized logging/SIEM; write-once, tamper-evident logs for admin and signatory actions; time sync per IEEE 1588/NTP. Log retention follows Annex W; alert thresholds are calibrated and tested.

15.3.3 Vulnerability & Patch Management

(a) Asset inventory and SBOM maintained; remediation SLAs by CVSS severity: Critical ≤ 7 days, High ≤ 14, Medium ≤ 30, Low within the regular patch cycle.
(b) Emergency patching under RAP permitted with post-change review.

15.3.4 Testing & Assurance

(a) Annual independent penetration tests; quarterly vulnerability scans; purple-team exercises for high-stakes systems.
(b) Table-top and live incident response drills semi-annually; lessons learned filed in the CSR.

15.3.5 Incident Response (IR)

(a) Severity tiers with runbooks; breach desk staffed 24/7 during RAP.
(b) Initial containment within 24 hours; forensic triage ≤72 hours; Board/CB informed per Art. 13; stakeholder comms plan aligns with privacy breach notifications (15.4.9).

15.3.6 Continuity, Backup & DR (Annex Z)

(a) Tier-1 processes: CSR, identity, treasury, early-warning platforms.
(b) RTO/RPO targets defined; encrypted, geo-redundant backups; quarterly restore tests; failover runbooks.

15.3.7 Vendor & Supply-Chain Security

(a) Security due diligence for processors: ISO 27001/SOC 2 or equivalent evidence; CSA CAIQ where relevant; DPA with audit and breach-notice clauses.
(b) Software supply-chain controls: SBOM, dependency pinning, code signing, verified builds, vulnerability disclosure policy, and optional bug bounty.

15.3.8 Secure Development & Deployment

Secure SDLC with threat modeling, mandatory code review, static/dynamic analysis, secrets hygiene; infrastructure-as-code with policy guardrails; environment segregation (dev/test/stage/prod).


15.4 Privacy Compliance (Swiss FADP; GDPR/UK GDPR; DPO; ROPA; DPIA; EU/UK Reps; Cross-Border; DSARs)

15.4.1 Principles & Legal Bases

(a) Lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
(b) Processing bases include consent, contract, legal obligation, vital/public interest, or legitimate interests (with balancing test). Bases recorded per activity in the ROPA.

15.4.2 Governance & Roles

(a) Data Protection Officer (DPO) appointed by the Board; independence assured; reports to Trustees/Audit & Risk.
(b) Privacy Steering Group (EM, CB, legal, security) meets at least quarterly.
(c) Regional privacy leads may be designated where required by host law.

15.4.3 Records of Processing (ROPA)

A living register of processing activities (purposes, categories, legal bases, recipients, retention, security measures, transfers, PETs) maintained by EM; reviewed by DPO; excerpt filed in the CSR annually.

15.4.4 DPIA / PIA & High-Risk Processing

(a) Mandatory DPIA/PIA for high-risk use (large-scale sensitive data, systematic monitoring, children, automated decisions with legal/similar effects).
(b) DPIA outputs (risks, mitigations, residual risk) are CB-cleared for Material deployments and referenced in Data/Model Cards.

15.4.5 Representatives & Local Law

(a) Where GDPR/UK GDPR apply without establishment, appoint EU/UK Representatives.
(b) Local registrations or notifications (where required) are maintained by EM with CB oversight.

15.4.6 Cross-Border Transfers

(a) Use adequacy mechanisms where available; otherwise Swiss/EU SCCs (with Swiss Addendum) and UK IDTA/Addendum as applicable.
(b) TIA (transfer impact assessment) documented; supplemental technical/organizational measures applied where risk warrants.
(c) Data localization honored where legally required or risk-justified; mapping recorded in the CSR.

15.4.7 Data Subject Rights & Requests (DSARs)

(a) Rights: access, rectification, erasure, restriction, portability, objection, and rights related to automated decisions.
(b) SLA: acknowledge within 7 days, fulfill within 30 days (extendable by law); identity verification required; responses logged in the CSR.
(c) Exemptions (e.g., public-interest archiving, legal privilege) are documented with reasons.

15.4.8 Special Categories & Children

(a) Process special categories only with an appropriate legal basis and safeguards (PETs, access limits, audit).
(b) Children’s data requires age-appropriate notices and verifiable consent where required.

15.4.9 Breach Notification

(a) FADP: notify FDPIC and affected individuals without undue delay where high risk; internal target ≤72 hours.
(b) GDPR/UK GDPR: notify authority within 72 hours where required, and affected individuals when high risk.
(c) Notifications coordinated with CB/Board communications; entries in Incident Register and Gazette per Art. 13 (lawful redactions).

15.4.10 Processors & Sub-Processors

(a) Written DPA required (purpose, instructions, confidentiality, security, sub-processor approval, assistance, deletion/return, audits).
(b) Sub-processor list published; changes notified with opt-out/cure windows; cross-border terms aligned with §15.4.6.

15.4.11 Anonymization & Research

Anonymization must be robust and documented (adversarial re-id testing); research exemptions (where applicable) require ethics review and CB opinion; publication favors aggregates with statistical disclosure controls.


15.5 Compliance, Audits & Updates

15.5.1 Assurance & Metrics

(a) Quarterly privacy/security dashboards to Trustees (incidents, DPIAs, DSARs, transfer maps, testing coverage).
(b) Annual internal audit of ISMS/PIMS; external audits/certifications as approved.

15.5.2 Non-Compliance & Remedies

Processing in breach of this Article or without required CB Clearance is voidable; corrective actions, suspensions, or decommissioning may be ordered; repeated breaches trigger disciplinary processes (Art. 8.5) and Gazette notice where material.

15.5.3 Updates & Transitional

(a) EM proposes and CB vets updates to Annexes L, T, W, Z at least annually or upon material risk change; Board approval as required.
(b) Within 60 days of adoption: publish (i) the Data/Model Card Catalog, (ii) the Transfer Map (restricted), (iii) the Testing & Drill Calendar.


Design result: Evidence and models that drive decisions are traceable, validated, and honest; systems are secure by design; privacy is built-in and provable; and all high-risk actions are cleared, recorded, and gazetted—so GRF can operate at global scale with Swiss-grade trust in the multipolar, polycrisis era.
