For procurement evaluators
A direct map from Policy Window's shipped artefacts to a typical institutional-procurement checklist. UK CCS, EU eForms, US GSA, foundation grants — the questions are similar. Each row below names a typical requirement, the shipped / partial / roadmap / absent status, and a link to the evidence.
Honest summary: 9 shipped / 3 partial / 3 roadmap / 7 absent across 22 typical requirements. Policy Window is not currently procurement-ready for most public-sector frameworks (legal entity + SOC 2 + insurance + reference customers all missing). It is a credible early-stage candidate for a paid pilot or foundation grant with a 6-18 month maturation runway.
Organisational structure
- Roadmap
P1
Registered legal entity (corporation, nonprofit, PBC)
Currently sole-trader-operated by founder Ryan Wong. UK CIC or equivalent on Q4 2026 roadmap.
Evidence: /wiki/roadmap
- Partial
P2
Named editorial board with disclosed COI
1 of 6 slots filled (founder). Recruitment open; full board target Q4 2026.
Evidence: /wiki/editorial-board
Financial transparency
- Shipped
P3
Public funding-source disclosure
Live register at /wiki/funding. Zero paying customers as of 2026-05-29. No grants. In-kind dependencies named (Fly.io, Anthropic, GitHub, Cloudflare).
Evidence: /wiki/funding
- Absent
P4
Published pricing model + tier structure
No firehose pricing published yet. Charter §4 commits to commercial firewall design but pricing TBD. Free public wiki has no charge.
Evidence: /wiki/charter#4
Legal compliance
- Shipped
P5
Privacy policy + GDPR data-controller statement
Live at /privacy with controller identity, data-residency (lhr / London region), retention policy, GDPR rights, breach-notification SLA (72h).
Evidence: /privacy
- Shipped
P6
Terms of service + acceptable-use policy
Live at /terms with acceptable use, IP licensing (CC BY 4.0 content + MIT code), liability cap, governing law (England and Wales).
Evidence: /terms
- Absent
P7
Data processing agreement (GDPR Art. 28) template
No DPA template yet. Charter §4 firehose-firewall design predates first customer contract. Expected to ship with first firehose contract.
Evidence: /wiki/roadmap
Security posture
- Shipped
P8
Vulnerability disclosure policy (security.txt or SECURITY.md)
SECURITY.md in repo root with disclosure email, response SLA (3 business days), 30-90 day embargo policy, scope.
Evidence: https://github.com/ryanwong/policy-window/blob/main/SECURITY.md
- Roadmap
P9
SOC 2 Type 2 attestation
SOC 2 Type 1 scoping target Q4 2026 per README. Type 2 attestation 12-18 months later.
Evidence: /wiki/roadmap
- Roadmap
P10
ISO 27001 alignment
On roadmap. Not yet formally aligned.
- Absent
P11
Cyber Essentials Plus (UK) or FedRAMP (US)
Neither obtained. Required for eligibility on UK Crown Commercial Service (CCS) framework catalogues.
Operational maturity
- Absent
P12
Service-level agreement (uptime + latency + support response)
Free public wiki: best-effort, no SLA. Firehose SLA: TBD with first customer contract.
- Absent
P13
Business continuity + disaster recovery plan
No BCP/DRP published. Single-region SQLite on Fly.io with a daily backup script (scripts/backup-db.sh). RTO/RPO undocumented; with daily backups the achievable RPO is no better than about 24 hours.
- Absent
P14
Insurance certificates (E&O + cyber + professional indemnity)
No insurance held while operating as sole trader. Required before any commercial firehose contract.
Editorial governance
- Shipped
P15
Code of conduct + governance documentation
CODE_OF_CONDUCT.md (Contributor Covenant 2.1) + GOVERNANCE.md + CONTRIBUTING.md in repo root.
Evidence: https://github.com/ryanwong/policy-window/blob/main/GOVERNANCE.md
- Shipped
P16
Editorial-independence statement
Charter §7.3 codifies: no funder veto, no commercial-customer cell-modification rights, no party / government / movement standing preference.
Evidence: /wiki/charter#7-3
- Partial
P17
Conflict-of-interest disclosure + recusal policy
Charter §2 and §7.3 establish the policy; per-editor disclosure forms are at /wiki/editorial-board/onboarding. Full enforcement is gated on ≥3 named editors.
Evidence: /wiki/editorial-board/onboarding
- Shipped
P18
Disagreement / appeal procedure for disputed claims
Charter §7.2 codifies: file via GitHub issue or editorial@policywindow.org → 30-day initial response → 60-day escalation review → public disagreement record if unresolved.
Evidence: /wiki/charter#7-2
Reference + adoption
- Absent
P19
Named reference customers (≥3 typical for procurement)
Zero paying customers as of 2026-05-29 per /wiki/funding §3. Open to pilots (see contact below).
Evidence: /wiki/funding
- Shipped
P20
Procurement-grade machine-readable catalog access
/wiki/catalog/json (CORS-open) + /wiki/catalog/csv + /wiki/catalog/csv-schema (CSVW) + /wiki/catalog/jsonld-context (JSON-LD) + /api/openapi (OpenAPI 3.1) + RSS feed with ETag.
Evidence: /api/openapi
Compliance + accessibility
- Partial
P21
WCAG 2.2 AA conformance + accessibility statement
Accessibility statement at /wiki/accessibility discloses substantial-conformance + known gaps. Formal AA audit on roadmap.
Evidence: /wiki/accessibility
- Shipped
P22
Audit logs + append-only correction history
ArticleRevision table + ?asOf= snapshot pinning + /wiki/changelog (RSS feed). Append-only AuditLog at app layer (per README §Trust & Compliance). Note that append-only is enforced in application code, not at the database or storage layer, so it does not by itself protect against modification by an operator with direct database access.
Evidence: /wiki/changelog
What we can do now (paid pilot or foundation grant)
Until the items above are checked off, Policy Window is best engaged as a:
- Free reference source: cite the catalog via ?asOf=YYYY-MM-DD permanent URLs (see /wiki/persistent-id).
- Paid pilot ($20-50k, 6 months): beta firehose with structured-delta access, custom topic request, and editorial board co-design. Pilot completion unblocks the reference-customer requirement (P19) for both parties.
- Foundation tech-infrastructure grant ($50-250k): underwrites the 8-12 weeks of ops-hardening work (CI hardening, dependency security, SOC 2 scoping, BCP/DRP) needed to move from "substantive coverage" to "procurement-grade infrastructure."
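The ?asOf= snapshot pinning under P22 and the permanent-URL citation above rest on one mechanism: a revision history that is only ever appended to, answered by point-in-time lookup. The Python below is an added illustration of that mechanism written for this page; it is not code from the Policy Window repository. The Revision fields, the RevisionStore class, parse_as_of and the sample history are all assumptions, and the project's real ArticleRevision table and AuditLog may be shaped differently.

```python
"""Point-in-time (?asOf=) resolution over an append-only revision history.

Illustrative only: the schema and class names here are assumptions, not the
Policy Window project's own ArticleRevision / AuditLog implementation.
"""
from __future__ import annotations

from bisect import bisect_right
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Revision:
    """One immutable row of a revision table (hypothetical schema)."""
    article_id: str
    effective: date   # date from which this revision is the current text
    body: str
    note: str         # why it was appended, e.g. "initial", "correction"


class RevisionStore:
    """Append-only revision history with point-in-time lookup.

    A correction is recorded by appending a new Revision. There is deliberately
    no update or delete operation, so a citation pinned with ?asOf= keeps
    resolving to the same text after later corrections.
    """

    def __init__(self) -> None:
        self._revs: dict[str, list[Revision]] = {}

    def append(self, rev: Revision) -> int:
        revs = self._revs.setdefault(rev.article_id, [])
        if revs and rev.effective < revs[-1].effective:
            # Backdating would silently change already-issued ?asOf= views.
            raise ValueError("revisions must be appended in chronological order")
        revs.append(rev)
        return len(revs)  # 1-based revision number

    def resolve(self, article_id: str, as_of: date) -> Optional[Revision]:
        """Return the revision in force on as_of: the latest with effective <= as_of."""
        revs = self._revs.get(article_id, [])
        idx = bisect_right([r.effective for r in revs], as_of)
        return revs[idx - 1] if idx else None  # None: article did not exist yet

    def history(self, article_id: str) -> tuple[Revision, ...]:
        return tuple(self._revs.get(article_id, ()))


def parse_as_of(raw: str) -> date:
    """Validate a ?asOf=YYYY-MM-DD query value and reject any other spelling."""
    if len(raw) != 10:  # date.fromisoformat also accepts other forms; pin the documented one
        raise ValueError(f"asOf must be YYYY-MM-DD, got {raw!r}")
    return date.fromisoformat(raw)


def demo() -> dict:
    """Constructed sample history: an initial text, then a correction.

    The article id and bodies are made up for this example.
    """
    store = RevisionStore()
    store.append(Revision("example-topic", date(2026, 3, 1), "Original text.", "initial"))
    store.append(Revision("example-topic", date(2026, 5, 20), "Corrected text.", "correction"))

    # A backdated "correction" must be refused, or pinned citations would drift.
    try:
        store.append(Revision("example-topic", date(2026, 4, 1), "Rewritten past.", "bad"))
        backdating_rejected = False
    except ValueError:
        backdating_rejected = True

    return {
        "before_correction": store.resolve("example-topic", parse_as_of("2026-05-10")).body,
        "after_correction": store.resolve("example-topic", parse_as_of("2026-05-29")).body,
        "before_creation": store.resolve("example-topic", parse_as_of("2026-01-01")),
        "revision_count": len(store.history("example-topic")),
        "backdating_rejected": backdating_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property an evaluator cares about is the first two lines of the demo output: a citation issued on 2026-05-10 still resolves to the original text after the 2026-05-20 correction, while an undated request gets the current text. The chronological-order check in append is what makes that guarantee hold; an append-only table without it can still be quietly rewritten by inserting a backdated row.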
Contact: procurement@policywindow.org (routed to founder Ryan Wong; response target 5 business days for procurement enquiries).