Skip to content

Data Handling Policy

Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Review cycle: Annual; interim revision upon material change to data categories, customer contracts, or law


Document control

Role Name
Prepared by Management / Security Owner (Cloudnaut)
Reviewed by Nidhi Jain (third-party reviewer)
Approved by Sandeep AC

Revision history

Version Date Summary Reviewed by Approved by
0.9 2021-03-14 Draft for third-party review prior to first effective release. Nidhi Jain (third party)
1.0 2021-06-18 Initial effective release. Nidhi Jain (third party) Sandeep AC
1.0 2024-03-11 Scheduled annual review; clarifications and cross-references (retained at version 1.0). Nidhi Jain (third party) Sandeep AC

Purpose

This policy defines how Cloudnaut handles customer confidential, sensitive, and regulated categories of data.

Scope

This policy applies to personal, health, financial, educational, proprietary, confidential, and other regulated or contractually protected data encountered during customer engagements.

Policy

Personnel access customer regulated or confidential data only when explicitly authorized by the customer, required for the engagement, and approved through the engagement’s governance path. Access follows need-to-know and least privilege.

Personnel use customer-approved accounts, repositories, environments, and transfer mechanisms. Customer data is not copied to personal equipment, unmanaged storage, or repositories outside the engagement boundary.

Awareness

Personnel complete security training that covers identification of sensitive data, avoidance of unnecessary access, and escalation when work may exceed agreed data scope.

Handling rules

  • Store and transfer data only on customer-approved systems.
  • Do not commit customer data, secrets, or credentials to source control.
  • Segregate customer work using organization, group, project, repository, and access boundaries as defined for each customer.
  • Report suspected unauthorized access, loss, or disclosure without delay per incident procedures.

Records

Typical evidence includes training records, access approvals, repository membership, customer correspondence authorizing access, and incident records where relevant.