Purpose:
To establish a data classification system that defines the levels of sensitivity for all data assets at Rundoo. This policy ensures appropriate handling, access, and protection for information based on its sensitivity, thereby supporting regulatory compliance, safeguarding intellectual property, and protecting client data.
Scope:
This policy applies to all data created, accessed, or managed by Rundoo employees, contractors, or third-party providers on behalf of Rundoo. It encompasses electronic data stored on Rundoo systems, as well as physical records containing sensitive information.
Policy:
Rundoo classifies its data into four categories, each with distinct handling, access, and security requirements:
- Confidential Data
  - Definition: Information that is highly sensitive, with disclosure likely to cause significant harm to Rundoo, its clients, or its partners. This category includes personally identifiable information (PII), client data, financial records, proprietary business information, and trade secrets.
  - Access Control: Limited strictly to employees or third parties with a legitimate need to know. Access is granted only through secure authentication mechanisms.
  - Handling Requirements:
    - Storage: Confidential data must be encrypted both at rest and in transit.
    - Transmission: Transmission of Confidential data must occur over secure, encrypted channels (e.g., HTTPS, VPN).
    - Destruction: Secure deletion and destruction methods must be used when disposing of Confidential data, such as secure file shredding or physical destruction for printed materials.
- Restricted Data
  - Definition: Information sensitive to Rundoo’s operations but less critical than Confidential data. This includes operational plans, internal project documents, and internal communications that do not contain highly sensitive details.
  - Access Control: Accessible to Rundoo employees who require access for legitimate business purposes, subject to manager approval and access logging.
  - Handling Requirements:
    - Storage: Restricted data may be stored in standard internal systems, with access control and monitoring.
    - Transmission: Restricted data should be shared internally through secure channels and externally only when necessary, using approved encryption methods.
    - Destruction: Standard digital deletion methods may be applied, and physical copies must be securely shredded when no longer required.
- Internal Use Data
  - Definition: Information intended for internal consumption that does not expose Rundoo to significant risk if disclosed. Examples include employee contact information, general operational procedures, and non-sensitive meeting notes.
  - Access Control: Accessible to all Rundoo employees and contractors for internal purposes.
  - Handling Requirements:
    - Storage: Internal use data may be stored on standard systems without encryption but must still be safeguarded from unauthorized access.
    - Transmission: May be shared within Rundoo’s network; external sharing should be limited to cases where it is necessary.
    - Destruction: Delete when no longer required; physical documents should be discarded securely.
- Public Data
  - Definition: Information intended for public distribution or already available to the public. This includes marketing materials, published blog posts, press releases, and public website content.
  - Access Control: Accessible by anyone, including external stakeholders and the general public.
  - Handling Requirements:
    - Storage: No specific storage requirements, but the data should remain accurate and up to date.
    - Transmission: Freely shareable with the public.
    - Destruction: No specific requirements, but regular review for accuracy and relevance is recommended.
- Data Classification Responsibilities:
  - Employees and Contractors: Must classify information appropriately, handle it according to its classification level, and report any incidents of mishandling or data breaches.
  - Managers: Responsible for ensuring that their team members are trained in data classification standards and for reviewing access permissions regularly.
  - IT and Security Team: Responsible for providing tools and resources to secure data, monitoring for policy adherence, and assisting in the resolution of security incidents.
Policy Review and Amendments:
Rundoo retains the right to review and amend this Data Classification Policy as needed. All employees and contractors will be notified of any material changes and are required to comply with the latest version of this policy.
Compliance:
Failure to comply with this Data Classification Policy may result in disciplinary action, up to and including termination of employment or contract.