Legal, Risk & Compliance
The formal policies that keep TechAbout and its people protected — confidentiality, intellectual property, anti-bribery, whistleblowing, data privacy, and responsible use of AI.
Governance, Risk & Compliance Framework
This is the foundational document for TechAbout's Legal, Risk & Compliance book. It explains how we govern the company, manage risk, and stay compliant with the law and our own standards — and what all of that means for you, whatever your role. It is written for every employee, and it is public, so clients and candidates are welcome to read it too.
What governance, risk and compliance mean here
These three words sound formal, but the ideas are simple and they protect everyone at TechAbout.
- Governance is how decisions get made and who is accountable for them. Clear ownership means a problem has an owner instead of falling through the cracks.
- Risk is anything that could harm our people, our clients, our data, or the company — a security breach, a legal exposure, a broken commitment. Managing risk means seeing it early and deciding what to do on purpose, not by accident.
- Compliance is doing what the law and our own policies require. For a Pakistan-based technology company serving international clients, that spans local law and the standards our clients expect.
Good governance, risk and compliance (GRC) is not bureaucracy for its own sake. It is what lets a small, fast-moving team take on serious work, hold sensitive client data, and grow without breaking things that are expensive — or impossible — to fix later.
How we manage risk: the three lines of defence
TechAbout uses a simple, widely-used model so that risk is actually owned rather than assumed to be someone else's job. It has three layers, each with a distinct role.
- First line — the teams that do the work. Whoever builds a website, runs an SEO campaign, processes a payroll, or manages a domain owns the risk of that work. You are closest to it, so you spot it first and control it best.
- Second line — oversight and policy. Functions such as People, Security, and Legal/Compliance set the policies, provide the tools and training, and monitor how well the first line is managing risk. This book is largely their output.
- Third line — independent assurance. Leadership provides independent review of the company's overall control environment and confirms that the first two lines are working.
Because our team is small and scaling, one person may currently hold a role in more than one line until the team grows. That makes separation of duties something we practise deliberately, and it is exactly why written policy matters.
How this book relates to the Employee Handbook
The two books work together and do not repeat each other.
- The Employee Handbook covers everyday conduct — how we treat each other and how we work day to day. Start there for the human, practical view, including the Code of Conduct.
- This book, Legal, Risk & Compliance, is the formal, legally-protective policy layer. It exists to protect the company and its people if something goes wrong.
Where the handbook already covers a topic for employees — such as conflict of interest, grievance escalation, or device and password security — this book cross-links it rather than restating it.
The policies in this book
This book contains TechAbout's formal policies, covering, among others:
- Governance and delegation of authority
- Enterprise risk management
- Data protection, privacy, and information security
- Information classification and handling
- Incident response and breach notification
- Business continuity and disaster recovery
- Intellectual property ownership
- Anti-bribery, ethics, and whistleblowing
Individual policies reference relevant frameworks — such as the Prevention of Electronic Crimes Act 2016 and the Companies Act 2017, and, for international-client work, standards like GDPR and ISO/IEC 27001 — as general context only. Pakistan's personal-data-protection framework is still developing, and we track it as it matures. Any specific legal question is subject to review by qualified local counsel and current law; nothing here is legal advice.
Your three duties
Everyone at TechAbout, at every level, has the same three duties. They are short on purpose, so they are easy to remember.
Comply. Ask when unsure. Report concerns without fear.
- Comply with the law and with these policies. "I didn't know" is a reason to read; it is not a defence.
- Ask when unsure. A question asked early is cheap; a mistake discovered late is not. Nobody is expected to have every answer memorised — you are expected to ask.
- Report concerns without fear. If something looks wrong, say so. TechAbout does not tolerate retaliation against anyone who raises a concern in good faith.
Questions? Contact ethics@techabout.com.
Have a compliance question?
When in doubt, ask before you act. Email ethics@techabout.com for anything sensitive.