Wiki source code of Transparency Policy

Last modified by Robert Schaub on 2025/12/17 18:07

= Transparency Policy =

== 1. Purpose and Scope ==

This Transparency Policy defines FactHarbor's commitment to openness in all aspects of operations, governance, and finances. It establishes what information is public by default, what may be kept private, and the processes for requesting information.

**This policy applies to:**
* FactHarbor Organisation (legal entity)
* All FactHarbor projects and services
* Board, staff, and contractors
* All decision-making processes

== 2. Core Principle: Default to Public ==

**Default Rule:** All organisational information is public unless it meets a specific exception.

This principle reflects FactHarbor's mission: a project claiming to support well-grounded, manipulation-resistant judgments must itself be transparent and accountable.

== 3. What Must Be Public ==

=== 3.1 Financial Information ===

Published annually (within 6 months of fiscal year end):

* **Complete financial statements** (audited where possible)
* **Tax filings** (Swiss tax filings per cantonal requirements)
* **Income statement** showing:
  * Grants and donations (aggregate)
  * Sponsorships and contracts (aggregate)
  * Other revenue sources
* **Expense statement** showing:
  * Program expenses by category
  * Administrative costs
  * Fundraising costs
* **Compensation ranges** by role (not individual salaries)
* **Major funding relationships** (>$50,000 per year or >10% of budget)

=== 3.2 Governance Information ===

Published continuously (within 30 days of changes):

* **Governance documents**:
  * Verein statutes (bylaws)
  * Operating procedures
  * Decision-making authority matrix
  * Conflict of interest policy
* **Board information**:
  * Current board composition
  * Board member bios and affiliations
  * Meeting schedules
  * Board meeting minutes (with limited exceptions - see section 4)
  * Board decisions and resolutions
* **Policy changes**:
  * All policy updates with rationale
  * Effective dates
  * Community input periods
* **Organisational structure**:
  * Reporting relationships
  * Key staff roles (not individual names unless they choose)
  * Advisory bodies and committees

=== 3.3 Operational Information ===

Published regularly:

* **Transparency Reports** (twice yearly):
  * Government requests for user data
  * Content moderation statistics
  * Takedown requests (DMCA, legal)
  * Policy violation reports
  * Security incident disclosures (after resolution)
* **Technical Performance**:
  * AKEL performance metrics
  * Quality gate pass rates
  * Risk tier distribution statistics
  * System uptime and availability
* **Content Statistics**:
  * Number of claims, scenarios, verdicts
  * Publication mode distribution
  * Review and audit rates
* **Partnership Information**:
  * Major partnerships and collaborations
  * Funding relationships
  * Technical dependencies

=== 3.4 Source Code and Technical Specifications ===

Published continuously:

* All source code per open source licenses (MIT, AGPL, CC BY-SA)
* Technical architecture documentation
* Protocol and data model specifications
* API documentation
* Quality gate algorithms and parameters
* Risk tier assignment criteria

== 4. What May Be Private ==

Information may be withheld ONLY when one of the following exceptions applies:

=== 4.1 Individual Privacy (Highest Priority) ===

Private:
* User personal data (emails, IP addresses, phone numbers)
* Contributor real names (if pseudonymous)
* Personnel files and reviews
* Individual salaries (publish ranges only)
* Medical or family information
* Background checks

=== 4.2 Security ===

Temporarily private (with time limits):
* Unpatched security vulnerabilities (public after patch + 30-90 days)
* Active security incidents (public after resolution)
* Penetration test results (sanitized version public after fixes)
* Authentication credentials and API keys
* Infrastructure-specific security configurations

=== 4.3 Legal ===

Private while active:
* Ongoing litigation details (summary public, details after resolution)
* Attorney-client privileged communications
* Settlement negotiations
* Subpoenas with gag orders (challenge orders exceeding 1 year)
* Whistleblower identity (protected permanently unless they consent)

=== 4.4 Operational ===

Private with conditions:
* Donor information (unless donor consents to publication)
* Abuse investigation details (protect victims)
* Board discussions on personnel matters (outcomes public)
* Strategic plans that would create competitive disadvantage (time-limited: public after 12 months or execution)

== 5. Time Limits on Privacy ==

All private information has an expiration date:

* **Security vulnerabilities**: Public 30-90 days after patch
* **Security incidents**: Public immediately after resolution (sanitized)
* **Board personnel discussions**: Outcomes public, process private for 1 year then reviewed
* **Strategic plans**: Public after execution or 12 months, whichever comes first
* **Legal matters**: Public after resolution
* **Donor information**: May be withheld permanently only with donor objection

**Annual Review:** All information marked "private" is reviewed annually. If the exception no longer applies, the information becomes public.

== 6. Transparency Reports ==

Published **twice yearly** (January and July):

=== 6.1 Government Requests ===

* Number of requests for user data (by type)
* Number of requests complied with
* Number of requests challenged
* Number of users affected
* Types of data requested

=== 6.2 Content Moderation ===

* Total moderation actions by category
* Publication mode changes (Mode 1 → 2, etc.)
* Quality gate failures by gate
* Community flags and expert reviews
* Takedown requests and responses

=== 6.3 Security ===

* Security incidents (after resolution)
* Vulnerability reports received
* Bounties paid
* Patches deployed
* Audit findings (sanitized)

=== 6.4 Performance ===

* AKEL performance metrics
* User growth and engagement
* Content growth
* Community contributions
* System availability

== 7. Information Request Process ==

=== 7.1 Submitting a Request ===

Anyone may request organisational information:

1. **Email**: [Transparency contact to be established]
2. **Include**:
   * Specific information requested
   * Rationale for request
   * Preferred format (if applicable)
3. **Expect**: Initial response within 14 business days

=== 7.2 Request Evaluation ===

Requests are evaluated against:

* Is the information already public? (link provided)
* Does an exception in Section 4 apply?
* Can the information be disclosed with redactions?
* Has the time limit on privacy expired?

=== 7.3 Response Types ===

* **Granted**: Information provided within 30 days
* **Partially Granted**: Information with redactions provided, explanation of redactions
* **Denied**: Written explanation of which exception applies
* **Deferred**: If time-limited exception, date when information will become public

== 8. Appeals Process ==

If a request is denied:

=== 8.1 First Appeal ===

1. Submit appeal to **Transparency Committee** (if established) or Board
2. Include:
   * Original request
   * Denial reason
   * Additional context or rationale
3. Decision within 30 days

=== 8.2 Final Appeal ===

1. Appeal to **Full Board** of Directors
2. Board reviews at next scheduled meeting
3. Board decision is final
4. Rationale published (unless it would disclose the private information)

== 9. Community Input ==

=== 9.1 Policy Changes ===

Before making material changes to transparency commitments:

1. **Proposal published** with rationale
2. **Public comment period** (minimum 30 days)
3. **Community input** considered
4. **Decision rationale** published with final policy

=== 9.2 Ongoing Input ===

Community may:
* Request additional transparency commitments
* Suggest improvements to reporting
* Identify information that should be public
* Challenge exceptions

Submit suggestions to: [Transparency contact to be established]

== 10. Compliance and Oversight ==

=== 10.1 Internal Oversight ===

* **Transparency Officer** (staff or board designee):
  * Reviews all privacy classifications
  * Manages information requests
  * Prepares transparency reports
* **Annual Transparency Audit**:
  * Reviews all "private" classifications
  * Checks compliance with publication schedules
  * Assesses process effectiveness

=== 10.2 Public Reporting ===

Annual transparency compliance report includes:

* Number of information requests received
* Request grant/deny statistics
* Exception usage (how often each applied)
* Privacy expiration reviews
* Improvements made to process

=== 10.3 Independent Audit ===

When feasible (budget permitting):

* Independent third-party transparency audit
* Results published
* Recommendations implemented or explanations provided

== 11. Enforcement ==

=== 11.1 Violations ===

Violation of this policy includes:

* Withholding information that should be public
* Failing to publish required reports on schedule
* Misclassifying public information as private
* Extending privacy beyond time limits without review

=== 11.2 Consequences ===

* Internal violations: Performance review, retraining, or disciplinary action
* Board violations: Board review, potential removal
* Persistent violations: Independent investigation

=== 11.3 Whistleblower Protection ===

Anyone may report transparency violations to:
* [Transparency contact to be established]
* Any board member directly
* External parties (regulators, media)

Whistleblowers are protected from retaliation. Reports may be anonymous.

== 12. Updates to This Policy ==

Changes to this Transparency Policy:

* Require Board approval
* Must include 30-day public comment period
* Are published with rationale
* Take effect 30 days after final publication

**Version History:**

* 0.9.28 (2025-12-17): Initial policy based on best practices from Wikimedia Foundation and Mozilla Foundation

== 13. Contact ==

**Transparency Requests**: [Transparency contact to be established]

**Appeals**: [Board contact to be established]

**Whistleblower Reports**: [To be established - secure channel]

== 14. Related Policies ==

* [[Open Source Model and Licensing>>FactHarbor.Organisation.Open Source Model and Licensing]]
* [[Privacy Policy>>FactHarbor.Organisation.Privacy-Policy]]
* [[Governance>>FactHarbor.Organisation.Governance.WebHome]]
* [[Finance & Compliance>>FactHarbor.Organisation.Finance-Compliance]]