When enterprise customers run SOC 2 or ISO 27001 due diligence on your SaaS company, one of the first questions is: "Do you have a documented IT acceptable use and BYOD policy?" The answer tells them whether production systems reached from personal devices are a managed risk or an unmanaged one.
This guide covers what your Internal IT and BYOD Policy needs to include, how to handle personal devices without creating an adversarial relationship with your team, and how the policy maps to SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS.
Why You Need an IT & BYOD Policy
Four compliance drivers make this policy non-optional once you're at Series A or entering enterprise sales:
| Framework | Requirement | What auditors check |
|---|---|---|
| SOC 2 CC6.7 | Restrict the transmission, movement and removal of information to authorised users and processes, and protect it in transit (points of focus include mobile devices and removable media) | Device management policy, MDM enrollment for corporate devices, disk encryption evidence |
| SOC 2 CC1.4 | Communicate security responsibilities to personnel | Signed acknowledgement of AUP/IT policy |
| ISO 27001 A.6.2 (2013 Annex A; A.6.7 and A.8.1 in the 2022 edition) | Mobile device policy (A.6.2.1) and teleworking policy (A.6.2.2) | Documented policy, management approval, controls for mobile access |
| ISO 27001 A.8 (2013 Annex A; A.5.9 and A.5.10 in the 2022 edition) | Asset management, including acceptable use of assets (A.8.1.3) | Asset register, clear acceptable use rules |
| GDPR Art. 32 | Appropriate technical and organisational measures | Endpoint controls, MFA, encryption, monitoring (with GDPR Art. 6 legal basis) |
| HIPAA §164.310(b) | Workstation use | Policies for workstations that access ePHI, physical safeguards |
| PCI DSS Req. 12 | Maintain policies that address information security for all personnel | Documented AUP, employee acknowledgement |
BYOD vs Corporate-Owned Devices: The Policy Choice
Before writing the policy, decide your approach:
| Approach | Pros | Cons | Best for |
|---|---|---|---|
| BYOD allowed | No device cost; employee preference | Harder to enforce controls; separation of personal/work data; liability on loss/theft | Early-stage, remote-first teams |
| BYOD with MDM | Controls without buying hardware; can remote-wipe work profile | Privacy concerns; employee resistance to MDM on personal device | Growing teams, pre-SOC 2 |
| Corporate devices only | Full control; clear ownership; easier compliance | Hardware cost; procurement overhead | Enterprise-selling SaaS, HIPAA/PCI environments |
| COPE (Corporate-Owned, Personally Enabled) | Control + flexibility; company owns device, employee uses it personally | Privacy policy complexity; personal data on company device | Mid-size teams with compliance requirements |
For most SaaS startups, BYOD with MDM for production access is the practical sweet spot: free choice of device, but MDM enrollment required before accessing production systems or customer data.
What Your IT & BYOD Policy Must Cover
1. Scope and Device Classification
Define which devices the policy covers (company-owned laptops, personal devices used for work, mobile phones, tablets) and which systems require which level of device security. Not all systems need the same controls: a marketing tool accessed on a personal device is a different risk from production database access, so define access tiers and attach device requirements to each tier.
2. Required Device Security Controls
For any device accessing production systems or customer data:
- Full-disk encryption: macOS FileVault / Windows BitLocker / iOS and Android encryption enabled
- Screen lock: Auto-lock after at most 5-10 minutes of inactivity; PIN, password or biometric to unlock
- OS and security updates: Latest OS within [30/60] days of release; no devices more than [1/2] major versions behind
- Antivirus/EDR: Approved endpoint security tool installed and running (CrowdStrike, SentinelOne, Malwarebytes, or equivalent)
- Approved password manager: Company-provisioned (1Password, Bitwarden Teams); no browser-stored passwords for work accounts
3. Network Access Controls
- Production system access requires VPN or Zero Trust Network Access (ZTNA)
- No production access from public/unsecured WiFi without VPN
- Home network requirements (WPA2/3, default router credentials changed)
- DNS filtering or web proxy for corporate devices
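The controls in sections 1 to 3 only bite if something evaluates them per request. The following is an added example, not code from the page or any MDM/ZTNA vendor: a device posture gate of the kind a ZTNA broker or MDM compliance rule implements. The endpoint agent's report, the tier names, the thresholds (10-minute lock, 30-day update grace, one major version behind), the approved EDR names, the "latest release" table and the sample devices are all constructed for illustration. It fails closed on unknown platforms and treats a lock timeout of 0 as "never locks".

```python
"""Device posture gate for tiered access (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy parameters (the bracketed choices in the policy text).
MAX_LOCK_TIMEOUT_S = 600            # auto-lock within 10 minutes
UPDATE_GRACE_DAYS = 30              # latest OS within 30 days of release
MAX_MAJOR_VERSIONS_BEHIND = 1       # no device more than 1 major version behind
APPROVED_EDR = {"crowdstrike-falcon", "sentinelone"}

# Constructed "latest release" table; in practice fed from the MDM or OS vendor.
LATEST_OS = {
    "macos": ("14.4", date(2024, 3, 7)),
    "ios": ("17.4", date(2024, 3, 5)),
}

# Controls each access tier requires (section 1). Unknown tiers are rejected.
TIER_CONTROLS = {
    "saas-low": {"encryption", "screen_lock"},
    "production": {"encryption", "screen_lock", "os_current", "edr", "mdm"},
}


@dataclass(frozen=True)
class DeviceReport:
    """What the endpoint agent reports about one device."""
    device_id: str
    platform: str
    os_version: str
    disk_encrypted: bool
    screen_lock_timeout_s: int      # 0 means the screen never locks
    lock_requires_auth: bool
    edr_agent: Optional[str]
    edr_running: bool
    mdm_enrolled: bool


@dataclass(frozen=True)
class Failure:
    code: str
    detail: str


def parse_version(v: str) -> tuple:
    """'14.10' -> (14, 10); tuples compare correctly where strings do not."""
    return tuple(int(p) for p in v.split("."))


def check_device(report: DeviceReport, today: date, tier: str) -> list:
    """Return the controls the device fails for the given tier (empty = allow)."""
    if tier not in TIER_CONTROLS:
        raise ValueError(f"unknown access tier: {tier}")
    required = TIER_CONTROLS[tier]
    failures = []

    if "encryption" in required and not report.disk_encrypted:
        failures.append(Failure("disk_not_encrypted", "full-disk encryption is off"))

    if "screen_lock" in required:
        t = report.screen_lock_timeout_s
        if t <= 0 or t > MAX_LOCK_TIMEOUT_S or not report.lock_requires_auth:
            failures.append(Failure("screen_lock", f"timeout={t}s auth={report.lock_requires_auth}"))

    if "os_current" in required:
        if report.platform not in LATEST_OS:        # fail closed on the unknown
            failures.append(Failure("os_unknown_platform", report.platform))
        else:
            latest, released = LATEST_OS[report.platform]
            dev, lat = parse_version(report.os_version), parse_version(latest)
            if dev[0] < lat[0] - MAX_MAJOR_VERSIONS_BEHIND:
                failures.append(Failure("os_too_old", f"{report.os_version} vs latest {latest}"))
            elif dev < lat and (today - released).days > UPDATE_GRACE_DAYS:
                failures.append(Failure("os_update_overdue",
                                        f"{latest} released {released}, device on {report.os_version}"))

    if "edr" in required:
        if report.edr_agent not in APPROVED_EDR:
            failures.append(Failure("edr_missing", f"agent={report.edr_agent}"))
        elif not report.edr_running:
            failures.append(Failure("edr_not_running", report.edr_agent))

    if "mdm" in required and not report.mdm_enrolled:
        failures.append(Failure("mdm_not_enrolled", "enrol before production access"))

    return failures


def access_allowed(report: DeviceReport, today: date, tier: str) -> bool:
    return not check_device(report, today, tier)


# Constructed sample devices and evaluation date.
EVAL_DATE = date(2024, 4, 15)
COMPLIANT = DeviceReport("mbp-001", "macos", "14.4", True, 300, True, "crowdstrike-falcon", True, True)
PERSONAL = DeviceReport("byod-042", "macos", "13.6", True, 300, True, None, False, False)
ANCIENT = DeviceReport("byod-007", "macos", "12.7", False, 0, True, None, False, False)

if __name__ == "__main__":
    for dev in (COMPLIANT, PERSONAL, ANCIENT):
        for tier in TIER_CONTROLS:
            fails = check_device(dev, EVAL_DATE, tier)
            print(f"{dev.device_id:9} {tier:11} {'DENY' if fails else 'ALLOW'}",
                  "; ".join(f"{f.code} ({f.detail})" for f in fails))
```

Running it shows the tiering in action: the un-enrolled personal laptop on macOS 13.6 is allowed into the low-risk SaaS tier but denied production for three separate reasons, so the user gets a specific remediation list rather than a bare "access denied". Returning every failure, not just the first, is what makes the gate usable as a self-service enrollment prompt.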
4. Cloud and SaaS Application Controls
- Approved cloud applications list (shadow IT policy)
- No customer data in unapproved cloud storage (personal Dropbox, Google Drive personal, etc.)
- MFA required for all work accounts (email, GitHub, cloud providers, HR systems)
- Unique passwords for every work account — no reuse across services
- SSO via the company identity provider (Google Workspace, Okta, Azure AD, now Microsoft Entra ID) wherever the application supports it
5. Acceptable Use Rules
Be specific. Vague "use good judgment" policies fail audits. Define explicitly:
- What is permitted: work tasks, reasonable personal use during breaks
- What is prohibited: cryptocurrency mining, pirated software, storing customer data locally beyond what's needed, sharing work credentials
- Content restrictions: no accessing illegal content, no storing personal media on work devices
- AI tool usage: which AI tools are approved; prohibition on inputting customer personal data into unapproved AI tools (GDPR Art. 28 sub-processor issue)
6. Data Handling Requirements
- No customer data on local devices unless encrypted and work-purposed
- No sharing customer personal data via unapproved channels (personal email, WhatsApp, etc.)
- Printer and screen privacy in shared spaces
- Secure deletion of customer data from personal devices on role change or offboarding
7. Remote Work Security
- Physical security of workspace (screen not visible to others in public locations)
- No leaving devices unattended and unlocked
- Immediate reporting of lost or stolen device (with timeline: within [2/4/24] hours)
- Remote wipe capability: employee acknowledges company has right to remotely wipe work profile on loss/theft
8. Monitoring Disclosure (Critical: GDPR Art. 6)
This is the section most policies get wrong. Under GDPR Art. 6(1)(f) (legitimate interests), employers can monitor use of work systems, but the monitoring must be proportionate and must be disclosed to employees (the transparency duties in Art. 13/14). For BYOD devices this is particularly sensitive: the employer may monitor only the work profile and work-related activity, never the employee's personal activity on the same device.
Your policy must state clearly:
- What is monitored (MDM enrollment data, company-managed applications, VPN connection logs, corporate email)
- What is NOT monitored (personal applications, personal browsing on personal browser profile, non-work data)
- Why monitoring occurs (security purposes, compliance, incident investigation)
- Who can access monitoring data and under what circumstances
- GDPR Art. 6(1)(f) legitimate interests as the legal basis, balanced against employee privacy rights
In Germany (BDSG §26), France (CNIL guidance on employee monitoring), and the Netherlands, workplace monitoring has additional requirements. If you have employees in these jurisdictions, seek local employment law advice.
9. Enforcement and Consequences
Policies without enforcement are decorative. Document:
- Graduated consequences (warning → performance management → termination)
- Immediate consequences for severe violations (deliberate data exfiltration, sharing credentials)
- Incident reporting process (how to report lost device, suspected breach)
10. Policy Acknowledgement
For SOC 2 CC1.4 and ISO 27001 A.6.3 (security awareness), auditors want evidence that employees have read and acknowledged the policy. Implement:
- Digital acknowledgement at onboarding (HR system or email with read confirmation)
- Annual re-acknowledgement on policy updates
- Audit trail of who acknowledged what version when
BYOD and GDPR: The Employer's Privacy Obligations
When employees use personal devices for work (BYOD), the employer is processing employee personal data: MDM software reads device identifiers, installed-application inventories and compliance state, and the work profile sits beside the employee's own data on the same hardware. This triggers GDPR Art. 13/14 transparency obligations:
- Employee Privacy Notice must disclose the MDM/monitoring, the legal basis, what data is collected, retention period, and employee rights
- Data minimisation (Art. 5(1)(c)): MDM should access only what's needed for work purposes — work apps, device compliance status, not personal app data
- Purpose limitation: Monitoring data collected for security cannot be used for performance management without separate disclosure
- Right to erasure / offboarding: On departure, work profile wiped; personal data not retained
Implementation Checklist
| # | Action | Priority |
|---|---|---|
| 1 | Choose BYOD / MDM / corporate device strategy | Immediate |
| 2 | Draft policy covering all 10 sections above | Immediate |
| 3 | Update Employee Privacy Notice to disclose monitoring | Before MDM deployment |
| 4 | Deploy password manager (1Password Teams / Bitwarden) company-wide | This week |
| 5 | Enroll all devices in MDM (Jamf for Mac, Microsoft Intune, or Google MDM) | 30 days |
| 6 | Collect signed acknowledgement from all employees | On policy release |
| 7 | Schedule annual policy review and re-acknowledgement | Ongoing |
| 8 | Test remote wipe capability on a test device | Before SOC 2 audit |
Related guides
- GDPR Article 32: TOMs for SaaS Founders
- Security Awareness Training for SaaS Teams
- SOC 2 Gap Analysis Before Your Audit
- ISO 27001 Gap Assessment
- Employee Privacy Notice GDPR Guide
Generate your IT & BYOD Policy → /generate/it-byod-policy | InfoSec Policy → /generate/information-security-policy | Employee Privacy Notice → /generate/employee-privacy-notice
⚠️ This guide is for informational purposes only and does not constitute legal advice. Employment law and monitoring requirements vary by jurisdiction. Engage qualified employment and data protection counsel before implementing employee monitoring.