...
Marketing materials
Product descriptions and documentation
Release notes
External facing policies
Labeling
Confidential data should be labeled “confidential” whenever paper copies are produced for distribution.
Data Handling
Confidential Data Handling
...
Access for non-preapproved roles requires documented approval from the data owner
Access is restricted to specific employees, roles and/or departments
Confidential systems shall not allow unauthenticated or anonymous access
Confidential Customer Data shall not be used or stored in non-production systems/environments
Confidential data shall be encrypted at rest and in transit over public networks in accordance with the Cryptography Policy
All storage devices containing or potentially containing confidential data, including laptops and mobile device hard drives, shall be encrypted
Additionally, such devices should be able to be erased remotely in the event that the device is lost or stolen.
This includes any devices used for backup.
Mobile devices storing or accessing confidential data shall be protected by a log-on password (or equivalent, such as biometric) or passcode and shall be configured to lock the screen after five (5) at most 20 minutes of non-use
Backups shall be encrypted
Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CDs, or DVDs.
Confidential data should not be stored on laptops except for short periods of time necessary to transfer data or produce analyses of data. Where possible, all uses of confidential data should be performed on approved systems without downloading.
Paper records shall be labeled “confidential” and securely stored and disposed of in a secure, approved manner in accordance with data handling and destruction policies and procedures
Hardcopy paper records shall only be created based on a business need and shall be avoided whenever possible
Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner
...
Any known violations of this policy should be reported to the Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Version | Date | Description | Author | Approved by |
1.0 | 2023-03-21 | First Version | Ryan Heathcote | Luke Rettstatt |
APPENDIX A – Internal Retention and Disposal Procedure
...
APPENDIX B – Data Retention Matrix
System or Application | Data Description | Retention Period |
CloudCard SaaS Products (AWS) | Customer Data | Up to 60 days after contract termination. Exception: anonymous photos may be stored indefinitely for AI training purposes. |
CloudCard Support | Customer instance and metadata, debugging data | Indefinite |
CloudCard Customer Sales and Support Conversations (Close.io) | Opportunity and Sales Data | Indefinite |
CloudCard Customer Support Conversations (HelpScout) | Support Email Conversations | Indefinite |
CloudCard Security Event Data (AWS) | Security and system event and log data, network data flow logs | Indefinite |
CloudCard Vulnerability Scan Data (Snyk / Amazon Inspector) | Vulnerability scan results and detection data | 6 months |
CloudCard QA and Testing Data (Trello) | QA, testing scenarios and results data | Indefinite |
Security Policies | Security Policies | 1 year after archive |
Temporary Files | AWS /tmp ephemeral storage | automatically when process finishes |
APPENDIX C – Technical Protection Mechanisms
Photos and Supporting Documents are encrypted at rest using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3). Each object is encrypted with a unique key. As an additional safeguard, the key itself is encrypted with a master key that is regularly rotated. The server-side encryption uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt all data. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).
All photo metadata stored at rest in the underlying storage is encrypted, as are all automated backups, read replicas, and snapshots, using the AES-256 encryption algorithm.
Photos, photo metadata, and supporting documents are encrypted in transit using HTTPS. Clients are required to support TLS 1.2 encryption or higher.
All data is securely deleted using the techniques detailed in or NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process. Refer to AWS Overview of Security Processes Whitepaper for additional details - available at http://aws.amazon.com/security
All CloudCard servers enable automatic minor and patch updates during weekly update windows.
All CloudCard employee laptop file systems are encrypted at rest
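The S3 statements above (SSE-S3 at rest, HTTPS with TLS 1.2 or higher in transit) can be checked against a bucket's exported configuration. The following is an added example, not CloudCard's own code; the bucket name `example-photos` and both sample documents are constructed, shaped like an S3 GetBucketEncryption response and a bucket policy.

```python
import json

# Constructed sample inputs (not CloudCard's real configuration).
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

_RES = ["arn:aws:s3:::example-photos", "arn:aws:s3:::example-photos/*"]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": _RES,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": _RES,
     "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _deny_all_conditions(policy_json):
    """Yield the Condition of each Deny statement covering all principals and S3 actions."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and set(_as_list(stmt.get("Action", []))) & {"s3:*", "*"}):
            yield stmt.get("Condition", {})


def audit_bucket(encryption, policy_json):
    """Return findings where a bucket falls short of the Appendix C statements."""
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if algos != {"AES256"}:  # "AES256" is the S3 API value for SSE-S3
        findings.append("default encryption is not SSE-S3 (AES256)")
    conds = list(_deny_all_conditions(policy_json)) if policy_json else []
    if not any(str(c.get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false"
               for c in conds):
        findings.append("plain-HTTP requests are not denied")
    if not any(float(c.get("NumericLessThan", {}).get("s3:TlsVersion", 0)) >= 1.2
               for c in conds):
        findings.append("TLS versions below 1.2 are not denied")
    return findings
```

A bucket using a different server-side encryption mode is reported as a finding here only because the appendix names SSE-S3 specifically; the check does not examine the `Resource` scope of the Deny statements.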
...