Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Current »

Policy Owner: Managing Director

Effective Date: 2023-05-01

Purpose

To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.

Scope

All CloudCard data, information and information systems.

Policy

CloudCard classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.

Information systems and applications shall be classified according to the highest classification of data that they store or process.

Data Classification

To help CloudCard and its employees easily understand requirements associated with different kinds of information, the company has created three classes of data.

Confidential

Highly sensitive data requiring the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner, or a company executive. Example include:

  • Customer Data

  • Personally identifiable information (PII)

  • Company financial and banking data

  • Salary, compensation and payroll information

  • Strategic plans

  • Incident reports

  • Risk assessment reports

  • Technical vulnerability reports

  • Authentication credentials

  • Secrets and private keys

  • Source code

  • Litigation data

Restricted

CloudCard proprietary information requiring thorough protection; access is restricted to employees with a “need-to-know” based on business requirements. This data can only be distributed outside the company with approval. This is default for all company information unless stated otherwise. Examples include:

  • Internal policies

  • Legal documents

  • Meeting minutes and internal presentations

  • Contracts

  • Internal reports

  • Instant messages

  • Email

Public

Documents intended for public consumption which can be freely distributed outside CloudCard. Examples include:

  • Marketing materials

  • Product descriptions and documentation

  • Release notes

  • External facing policies

Data Handling

Confidential Data Handling

Confidential data is subject to the following protection and handling requirements:

  • Access for non-preapproved roles requires documented approval from the data owner

  • Access is restricted to specific employees, roles and/or departments

  • Confidential systems shall not allow unauthenticated or anonymous access

  • Confidential Customer Data shall not be used or stored in non-production systems/environments

  • Confidential data shall be encrypted at rest and in transit over public networks in accordance with the Cryptography Policy

  • All storage devices containing or potentially containing confidential data, including laptops, shall be encrypted

    • Additionally, such devices should be able to be erased remotely in the event that the device is lost or stolen.

    • This includes any devices used for backup.

  • Mobile devices storing or accessing confidential data shall be protected by a log-on password (or equivalent, such as biometric) or passcode and shall be configured to lock the screen after at most 20 minutes of non-use

  • Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CD’s, or DVD’s.

    • Confidential data should not be stored on laptops except for short periods of time necessary to transfer data or produce analyses of data. Where possible, all uses of confidential data should be performed on approved systems without downloading.

  • Paper records shall be labeled “confidential” and securely stored and disposed of in a secure, approved manner in accordance with data handling and destruction policies and procedures

  • Hardcopy paper records shall only be created based on a business need and shall be avoided whenever possible

  • Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed

  • Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner

Restricted Data Handling

Restricted data is subject to the following protection and handling requirements:

  • Access is restricted to users with a need-to-know based on business requirements

  • Restricted systems shall not allow unauthenticated or anonymous access

  • Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner

  • Paper records shall be securely stored and disposed of in a secure, approved manner in accordance with data handling and destruction policies and procedures

  • Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed

Public Data Handling

No special protection or handling controls are required for public data. Public data may be freely distributed.

Data Retention

CloudCard shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.

Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.

Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.

Data & Device Disposal

Data classified as restricted or confidential shall be securely deleted when no longer needed. CloudCard shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet CloudCard requirements for secure data disposal shall be used for storage and processing of restricted or confidential data.

CloudCard shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of, disposal.

Confidential and Restricted hardcopy materials shall be shredded or otherwise disposed of using a secure method.

Personally identifiable information (PII) shall be collected, used and retained only for as long as the company has a legitimate business purpose. PII shall be securely deleted and disposed of following contract termination in accordance with company policy, contractual commitments and all relevant laws and regulations. PII shall also be deleted in response to a verified request from a consumer or data subject, where the company does not have a legitimate business interest or other legal obligation to retain the data.

Annual Data Review

Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.

Legal Requirements

Under certain circumstances, CloudCard may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by CloudCard legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with CloudCard’s legal counsel to evaluate continuing requirements and scope.

Policy Compliance

CloudCard will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.

Exceptions

Requests for an exception to this policy must be submitted to the Managing Director for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Version

Date

Description

Author

Approved by

1.0

2023-03-21

First Version

Ryan Heathcote

Luke Rettstatt

APPENDIX A – Internal Retention and Disposal Procedure

CloudCard’s Principal Engineer is responsible for setting and enforcing the data retention and disposal procedures for CloudCard managed accounts and devices.

Customer Accounts:

Customer accounts and data shall be deleted within sixty (60) days of contract termination through manual data deletion processes.

Devices:

  1. Employee devices will be collected promptly upon an employee’s termination. Remote employees will be sent a shipping label and the return of their device shall be monitored.

  2. Collected devices will be cleared to be re-provisioned—or removed from inventory. CloudCard will securely erase the device when reprovisioning.

  3. Device images may be retained at the discretion of management for business purposes

Destroying devices or electronic media

In cases where a device is damaged in a way that CloudCard cannot access the Recovery Partition to erase the drive, CloudCard may optionally decide to use an E-Waste service that includes data destruction with a certificate. CloudCard will keep certificates of destruction on record for one year. Physical destruction can be optional if it is verified that the device is encrypted with Full Disk Encryption, which would negate the risk of data recovery.

Management will review this procedure at least annually.

APPENDIX B – Data Retention Matrix

System or Application

Data Description

Retention Period

CloudCard SaaS Products (AWS)

Customer Data

Up to 60 days after contract termination.

Exception: anonymous photos may be stored indefinitely for AI training purposes.

CloudCard Support

Customer instance and metadata, debugging data

Indefinite

CloudCard Customer Sales and Support Conversations (Close.io)

Opportunity and Sales Data

Indefinite

CloudCard Customer Support Conversations (HelpScout)

Support Email Conversations

Indefinite

CloudCard Security Event Data (AWS)

Security and system event and log data, network data flow logs

Indefinite

CloudCard Vulnerability Scan Data (Snyk / Amazon Inspector)

Vulnerability scan results and detection data

6 months

CloudCard QA and Testing Data (Trello)

QA, testing scenarios and results data

Indefinite

Security Policies

Security Policies

1 year after archive

Temporary Files

AWS /tmp ephemeral storage

automatically when process finishes

Appendix C: Technical Protection Mechanisms

  • Photos and Supporting Documents are encrypted at rest using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. As an additional safeguard, the key itself is encrypted with a master key that is regularly rotated. The server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt all data. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

  • All photo metadata stored at rest in the underlying storage is encrypted, as are all automated backups, read replicas, and snapshots using AES-256 encryption algorithm.

  • Photos, photo metadata, and supporting documents are encrypted in transit using HTTPS. Clients are required to support TLS 1.2 encryption or higher.

  • All data is securely deleted using the techniques detailed in or NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process. Refer to AWS Overview of Security Processes Whitepaper for additional details - available at http://aws.amazon.com/security

  • All CloudCard servers enable automatic minor and patch updates during weekly update windows.

  • All CloudCard employee laptop file systems are encrypted at rest 

  • No labels