Data Management

your organization is primarily a Cloud Computing company and the digital information it possesses from operations, internal infrastructure, and customers are hosted on Cloud Computing infrastructure and storage.

your organization uses different stages for :

• Development
• Testing
• Production

In all stages, Digital Information (Data) will be stored, retrieved, archived, or deleted regularly, depending on the operations required to make use of it.

your organization operates under the principle of "C, I, A – Confidentiality, Integrity, and Availability" of the data, a principle that applies to all handled digital information as well.

All digital information and associated operations available for it are governed by the rules outlined in the Data Handling Procedure and at no time a single entity is granted full access and rights to it.

For all the following processes your organization has implemented controls, guidelines, and worksheets to keep track of access times, categorize the collected digital information and log all performed actions.

This procedure is intended to help your organization employees and 3rd Parties classify data to determine its need for protection, handling, and determining applicable policies and laws.

Depending on the regulatory compliance Standards your organization has to comply with, the following levels of data classification are defined:

• Protected Data
• Confidential Data
• Internal Data
• Public Data

Protected Data

Protected data refers to any information protected by federal, state, or local laws and regulations or industry standards, such as HIPAA, HITECH, GDPR, the New York State Information Security Breach and Notification Act, similar state laws, and PCI-DSS.

Unauthorized disclosure of Protected data will cause major problems to business operations, generate a significant cost, damage the company's reputation, and can result in legal prosecution for your organization.

Protected data requires privacy and security protections. Special authorization is required for use and collection, and the disclosure of this class of data is prohibited without prior approval.

Characteristics of Protected Data

• Protected Data cannot be stored outside properly protected and labeled environments.
• Protected Data must be encrypted at all times, both at rest and in transit.
• CISO Approval: when a business need arises, the CISO must authorize all storing, processing, and transmitting of Protected Data.
• Compliance Risk: Protection of information is mandated by law (HIPAA, GDPR, GLBA, CCPA) or required by private contract (PCI DSS).
• Reputation Risk: Loss of confidentiality or integrity will cause significant damage to your organization's reputation.
• Other Risks: Loss of the confidentiality or integrity of the information that could cause harm to individuals and cause the company to incur significant costs in response.

Examples of Protected Data

• PII, such as Social Security Numbers (SSN) or last four numbers of an individual's SSN
• Personal Data for an EU Citizen - governed under GDPR
• PHI (Protected health information) or ePHI - governed under HIPAA/HITECH
• CHD (Payment card cardholder data) - governed under PCI-DSS/PA-DSS
• Credit/debit card numbers, bank account, financial information
• Production Secrets, Passwords, and Encryption keys

Confidential Data

This type of data is restricted information that is required to be maintained in a highly confidential manner as directed by your organization's Privacy Officer, applicable law or regulation, contractual obligation, or subject to any applicable legal privilege or protection.

Unauthorized disclosure of Confidential data will cause business operations problems and some financial loss.

Characteristics of Protected Data

• Access to Confidential Data is limited to your organization employees and 3rd Parties operating under an executed non-disclosure agreement. This information should never be stored on a computing device or electronic storage media that is personally owned unless expressly permitted.
• Protected Data must be encrypted at all times, both at rest and in transit.
• Compliance Risk: Protection of data is mandated by law (e.g. FERPA) or required by private contract (e.g. non-disclosure agreements).
• Reputation Risk: Loss of confidentiality or integrity will cause significant damage to your organization's reputation. For example, loss of social security numbers or defacement of the your organization website would likely be a news item that would appear in the media.
• Other Risks: Loss of confidentiality that could cause harm to individuals such as your organization personnel, and partners. Loss of confidentiality or integrity would cause your organization to incur significant costs in response.
• Treatment in Open Records Requests: Sensitive information is typically redacted from open records disclosures.

Examples of Confidential Data

• Business-critical intellectual property, proprietary data, and/or trade secrets, business plans
• IP-rich Source Code, Business Application Source Code
• HR records (e.g., background check reports, salary, DoB, employment records, etc.)
• Non-public tax and accounting data
• Non-production Secrets, Passwords, and Encryption keys
• Network and infrastructure designs
• Customer lists and contacts
• Security, system, and application audit logs
• Internal information security protocols, plans, and processes

Internal Data

Any information that is proprietary or produced only for internal use in your organization.

Unauthorized disclosure of Protected data may result in major disruption to business operations, significant cost, irreparable reputation damage, and/or legal prosecution for your organization.

Protected data requires privacy and security protections. Special authorization is required for use and collection, and the disclosure of this class of data is prohibited without prior approval.

Examples of Internal Data

• Application data that does not fall into Protected or Confidential levels
• Product details and roadmaps, which will be made public at some point
• Internal operating procedures and operational manuals, security policies and procedures
• Internal memoranda, emails, reports, communications (e.g., Teams, Slack, Zoom), and other documents
• IP addresses, system names, account names
• Source code that is not business critical or contains little or no IP

Public Data

This type of information can be disclosed without any restriction at any given time and by any your organization employee or 3rd Party. This type of data has no legal restrictions on its access or use.

Examples of Public Data

• Any information made available on the company's website and subdomains such as support, help, blog, etc.
• Financial statements and other reports filed for tax purposes and generally available to the public
• Marketing information that is part of materials or posted on Social media

Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies, and destruction methods, among others.

In general, controls assigned by Data Asset Owners will deal with the confidentiality category of the data. The categories representing Integrity and Availability will be used to guide your organization to protect against the loss or corruption of the data.

| Data | Retention¹| Labeling | Non-prod storage | Encrypt (rest, transit) | Access Control²| Backup | |-----------------|-----------|----------|------------------|-------------------------|----------------|------------| | Protected | 5 yrs | Yes | No | Yes, Yes | Yes | Required | | Confidential| 3 yrs | Yes | Yes | Yes, Yes | Yes | Required | | Internal | Optional | Yes | Yes | No, Yes | No | Optional | | Public | Optional | Optional | Yes | No, No | Now | Optional |

¹There are situations when data retention may differ, depending on business needs and regulatory requirements.

²The need-to-know requires that Data Assets should only be available to those who need to use or access the Data Asset to do their work.

There are times when digital information must be destroyed entirely for several reasons:

• your organization stores digital information for 3 years either in the original form or archived; After this period and if no further contractual obligations have to be met, data will be destroyed by deletion; As your organization is using Cloud Storage, it initiates the procedure of deletion based on the instructions from the Cloud Provider and logs the operations for later reference;
• If a customer is requesting deletion of data, this must be carried out by following GDPR, CCPA or HIPAA, and performed in a timely interval. your organization will delete data requested by customers in 90 days from the request being formally sent;
• Personal data was unlawfully processed;
• Data is no longer relevant or provides no meaningful insights;
• Data has expired in the lifecycle based on an agreement;
• Regulatory compliance – where applicable;

Active customers' data is preserved for as long as the customer is active. Unless otherwise stated or data belonging to inactive customers is not part of an investigation, the inactive account will have its data automatically removed within 30 days.

Free or Trial customers that wish to voluntarily close their account should download their data manually or via the API before closing their account. After the trial period has expired, customers in this category will have their data deleted automatically from the systems within 7 days.

All company-owned devices are subject to a complete data wipe. In the event of the device being lost or stolen, the owner must inform the IT Team as soon as possible, giving details of the circumstances of the loss and the sensitivity of the business information stored on it. your organization reserves the right to remote wipe the device where possible as a security precaution. This may involve the deletion of non-business data belonging to the device owner.