diff --git a/.github/workflows/spdx-header-check.yml b/.github/workflows/spdx-header-check.yml
new file mode 100644
index 0000000000..82266bf270
--- /dev/null
+++ b/.github/workflows/spdx-header-check.yml
@@ -0,0 +1,112 @@ +name: SPDX License Header Check + +on: + pull_request: + branches: [main] + push: + branches: [main] + +jobs: + spdx-check: + name: Check SPDX License Headers + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Check LICENSE file + run: | + if [ ! -f LICENSE ]; then + echo "::error::LICENSE file is missing" + exit 1 + fi + if ! grep -q "Hippocratic License Version 3.0" LICENSE; then + echo "::error::LICENSE does not contain Hippocratic License 3.0" + exit 1 + fi + echo "LICENSE file OK (Hippocratic License 3.0)" + + - name: Check SPDX headers in source files + run: | + HEADER_FILES=$(git ls-files \ + '*.py' '*.js' '*.ts' '*.tsx' '*.rs' '*.go' '*.java' '*.rb' \ + '*.sh' '*.bash' '*.yml' '*.yaml' '*.css' '*.scss' \ + '*.html' '*.sql' '*.tf' 'Dockerfile*' \ + 2>/dev/null || true) + + if [ -z "$HEADER_FILES" ]; then + echo "No source files found to check." + exit 0 + fi + + MISSING=0 + TOTAL=0 + while IFS= read -r file; do + TOTAL=$((TOTAL + 1)) + if head -20 "$file" 2>/dev/null | grep -qi "SPDX-License-Identifier"; then + continue + else + echo "::warning title=Missing SPDX header::$file" + MISSING=$((MISSING + 1)) + fi + done <<< "$HEADER_FILES" + + echo "---" + echo "Files checked: $TOTAL" + echo "Files with SPDX header: $((TOTAL - MISSING))" + echo "Files missing SPDX header: $MISSING" + + if [ "$MISSING" -gt 0 ]; then + echo "::warning:: $MISSING source files are missing SPDX license headers" + fi + echo "SPDX header scan complete." + + - name: Verify SPDX identifier is Hippocratic-3.0 + run: | + IDENTIFIER_FILES=$(git ls-files \ + '*.py' '*.js' '*.ts' '*.tsx' '*.rs' '*.go' '*.java' '*.rb' \ + '*.sh' '*.bash' '*.yml' '*.yaml' '*.css' '*.scss' \ + '*.html' '*.sql' '*.tf' 'Dockerfile*' \ + 2>/dev/null || true) + + if [ -z "$IDENTIFIER_FILES" ]; then + echo "No source files to verify SPDX identifier against." 
+ exit 0 + fi + + MISMATCH=0 + TOTAL=0 + while IFS= read -r file; do + LINE=$(head -20 "$file" 2>/dev/null | grep -i "SPDX-License-Identifier" | head -1 || true) + if [ -n "$LINE" ]; then + TOTAL=$((TOTAL + 1)) + if ! echo "$LINE" | grep -qi "Hippocratic-3.0"; then + echo "::warning title=Non-HL3 SPDX identifier::$file" + echo " Found: $(echo "$LINE" | sed 's/^[[:space:]]*//')" + MISMATCH=$((MISMATCH + 1)) + fi + fi + done <<< "$IDENTIFIER_FILES" + + echo "---" + echo "Files with SPDX identifiers checked: $TOTAL" + echo "Non-HL3 identifiers found: $MISMATCH" + if [ "$MISMATCH" -gt 0 ]; then + echo "::warning:: $MISMATCH file(s) use a non-Hippocratic-3.0 SPDX identifier" + fi + + - name: Verify governance files exist + run: | + MISSING_GOV=0 + for f in SECURITY.md CONTRIBUTING.md CODE_OF_CONDUCT.md; do + if [ ! -f "$f" ]; then + echo "::warning::$f is missing" + MISSING_GOV=$((MISSING_GOV + 1)) + else + echo "$f present" + fi + done + if [ "$MISSING_GOV" -gt 0 ]; then + echo "::warning:: $MISSING_GOV governance file(s) missing" + fi diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..d6b61ba5a2 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
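Review bot: The workflow declares no `permissions:` block, so on the `push` to `main` trigger the job's GITHUB_TOKEN receives the repository's default token scope, which may include write access, even though every step here only reads the checkout; add `permissions:` / `  contents: read` at the top level of the workflow (pull_request runs from forks are already read-only, but the push path is not). A second point: only the "Check LICENSE file" step exits non-zero, while the SPDX-header and identifier steps emit `::warning` annotations and always succeed, so a file with no header or a non-HL3 identifier never fails the check — either make a non-zero `MISSING`/`MISMATCH` count exit 1, or state in a comment next to the job name that those two steps are advisory, so the workflow name does not overstate what it gates. Minor: `fetch-depth: 0` is not needed because `git ls-files` only reads the checked-out tree, and `git ls-files -z` with `read -r -d ''` would avoid git's quoted output for paths with special characters, which `head "$file"` then cannot open and which are currently counted as missing silently because of `2>/dev/null`.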
@@ -0,0 +1,41 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience +- Focusing on what is best not just for us as individuals, but for the overall community + +Examples of unacceptable behavior: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. 
+ +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at **conduct@jawafdehi.org**. All complaints will be reviewed and investigated promptly and fairly. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000000..0fb55f9d36 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,39 @@ +# Contributing to Jawafdehi + +Thank you for your interest in contributing. Jawafdehi.org builds civic-accountability infrastructure for Nepal — we welcome contributions that further that mission. + +## Before you start + +1. **Read our [Code of Conduct](./CODE_OF_CONDUCT.md).** +2. **Check existing issues** — someone may already be working on what you have in mind. +3. **Open a discussion issue first** for anything larger than a typo fix, especially new features. + +## Development setup + +Each repository has its own setup instructions in its README. Pick the repo that matches your contribution: + +- **Frontend / accountability cases:** [Jawafdehi](https://github.com/Jawafdehi/Jawafdehi) +- **Backend API:** [JawafdehiAPI](https://github.com/Jawafdehi/JawafdehiAPI) +- **Entity registry:** [NepalEntityService](https://github.com/Jawafdehi/NepalEntityService) +- **Judicial data:** [ngm](https://github.com/Jawafdehi/ngm) / [ngm-frontend](https://github.com/Jawafdehi/ngm-frontend) +- **MCP server:** [jawafdehi-mcp](https://github.com/Jawafdehi/jawafdehi-mcp) + +Cross-repo orchestration lives in [jawafdehi-meta](https://github.com/Jawafdehi/jawafdehi-meta). + +## Pull request workflow + +1. Fork the repository. +2. Create a feature branch from `main`. +3. Make your changes, following existing code style. +4. Run tests if the repo has them. +5. Open a pull request with a clear description. + +## Style guides + +- Follow existing code style in the relevant language (Python PEP 8, TypeScript Prettier, etc.). +- Write clear commit messages in English. +- Add or update tests when modifying behavior. + +## License + +By contributing, you agree that your contributions will be licensed under the [Hippocratic License 3.0](./LICENSE). diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000000..f60f6aa802 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,24 @@ +Hippocratic License Version 3.0 + +Licensor: Jawafdehi.org +Project: Nepal Entity Service Database + +Rights Granted + +Subject to the terms and conditions of this License, Licensor hereby grants to any person obtaining a copy of this software and associated documentation files (the "Software"), a worldwide, royalty-free, non-exclusive, perpetual license to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +1. The above copyright notice and this License or a subsequent version published on the Hippocratic License Website (https://firstdonoharm.dev/) shall be included in all copies or substantial portions of the Software. Licensee has the option of following the terms and conditions either of the above numbered version of this License or of any subsequent version published on the Hippocratic License Website. + +2. Compliance with Human Rights Laws and Human Rights Principles: + + a. Human Rights Laws. The Software shall not be used by any person or entity for any systems, activities, or other uses that violate any applicable laws, regulations, or rules that protect human, civil, labor, privacy, political, environmental, security, economic, due process, or similar rights (collectively, "Human Rights Laws"). Where the Human Rights Laws of more than one jurisdiction are applicable to the use of the Software, the Software shall not be used in any manner that violates any of the Human Rights Laws. + + b. Human Rights Principles. 
Licensee is advised to consult the articles of the United Nations Universal Declaration of Human Rights (https://www.un.org/en/universal-declaration-human-rights/) and the United Nations Global Compact (https://www.unglobalcompact.org/what-is-gc/mission/principles) that define recognized principles of international human rights (collectively, "Human Rights Principles"). It is Licensor's express intent that all use of the Software be consistent with Human Rights Principles. If Licensor receives notification or otherwise learns of an alleged violation of any Human Rights Principles relating to Licensee's use of the Software, Licensor may in its discretion and without obligation (i) (a) notify Licensee of such allegation and (b) allow Licensee 90 days from notification under (i)(a) to investigate and respond to Licensor regarding the allegation and (ii) (a) after the earlier of 90 days from notification under (i)(a), or Licensee's response under (i)(b), notify Licensee of License termination and (b) allow Licensee an additional 90 days from notification under (ii)(a) to cease use of the Software. + + c. Indemnity. Licensee shall hold harmless and indemnify Licensor against all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including Licensor's reasonable attorneys' fees, arising out of or relating to Licensee's non-compliance with this License or use of the Software in violation of Human Rights Laws or Human Rights Principles. + +3. Enforceability: If any portion or provision of this License is determined to be invalid, illegal, or unenforceable by a court of competent jurisdiction, then such invalidity, illegality, or unenforceability shall not affect any other term or provision of this License or invalidate or render unenforceable such term or provision in any other jurisdiction. 
Upon a determination that any term or provision is invalid, illegal, or unenforceable, to the extent permitted by applicable law, the court may modify this License to affect the original intent of the parties as closely as possible. The section headings are for convenience only and are not intended to affect the construction or interpretation of this License. Any rule of construction to the effect that ambiguities are to be resolved against the drafting party shall not apply in interpreting this License. The language in this License shall be interpreted as to its fair meaning and not strictly for or against any party. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +The Hippocratic License is an Ethical Source license (https://ethicalsource.dev). diff --git a/LICENSING.md b/LICENSING.md new file mode 100644 index 0000000000..fc54c776dc --- /dev/null +++ b/LICENSING.md 
@@ -0,0 +1,17 @@ +# Licensing + +This project is licensed under the [Hippocratic License Version 3.0](./LICENSE) (HL3). + +## Why HL3 + +Jawafdehi.org builds civic-accountability infrastructure for Nepal. We chose the Hippocratic License to align our software with our mission: technology should serve human dignity and justice, never undermine it. + +The Hippocratic License is an [Ethical Source](https://ethicalsource.dev) license. It requires that the software not be used to violate human rights laws or the principles in the UN Universal Declaration of Human Rights and UN Global Compact. + +## Reporting misuse + +If you believe this software is being used in violation of the license, contact the licensor at [info@jawafdehi.org](mailto:info@jawafdehi.org). + +## Third-party code + +Dependencies and third-party code remain under their original licenses. diff --git a/README.md b/README.md index ee51265d25..951d75b940 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,7 @@ # NepalEntityService-database + A file-based database that powers the NepalEntityService API. + +## License + +This project is licensed under the [Hippocratic License Version 3.0](./LICENSE) — see [LICENSING.md](./LICENSING.md) for details. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..e176db42a5 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,23 @@ +# Security Policy + +## Reporting a Vulnerability + +Jawafdehi.org takes security seriously. If you discover a security vulnerability in any Jawafdehi project, please report it responsibly. + +**Do not open a public issue.** Instead, please email: + +**security@jawafdehi.org** + +We will acknowledge your report within 72 hours and provide an estimated timeline for a fix. + +## Scope + +This policy covers all repositories under the [Jawafdehi GitHub organization](https://github.com/Jawafdehi). + +## Disclosure + +We follow coordinated disclosure. Once a fix is available, we will publish a security advisory and credit the reporter (unless anonymity is requested). + +## Supported Versions + +Only the latest release or the `main` branch is actively supported with security patches.