Data Handling Policy¶
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Review cycle: Annual; interim revision upon material change to data categories, customer contracts, or law
Document control¶
| Role | Name |
|---|---|
| Prepared by | Management / Security Owner (Cloudnaut) |
| Reviewed by | Nidhi Jain (third-party reviewer) |
| Approved by | Sandeep AC |
Revision history¶
| Version | Date | Summary | Reviewed by | Approved by |
|---|---|---|---|---|
| 0.9 | 2021-03-14 | Draft for third-party review prior to first effective release. | Nidhi Jain (third party) | — |
| 1.0 | 2021-06-18 | Initial effective release. | Nidhi Jain (third party) | Sandeep AC |
| 1.0 | 2024-03-11 | Scheduled annual review; clarifications and cross-references (retained at version 1.0). | Nidhi Jain (third party) | Sandeep AC |
Purpose¶
This policy defines how Cloudnaut handles customer confidential, sensitive, and regulated categories of data.
Scope¶
This policy applies to personal, health, financial, educational, proprietary, confidential, and other regulated or contractually protected data encountered during customer engagements.
Policy¶
Personnel access customer regulated or confidential data only when explicitly authorized by the customer, required for the engagement, and approved through the engagement’s governance path. Access follows need-to-know and least privilege.
Personnel use customer-approved accounts, repositories, environments, and transfer mechanisms. Customer data is not copied to personal equipment, unmanaged storage, or repositories outside the engagement boundary.
Awareness¶
Personnel complete security training that covers identification of sensitive data, avoidance of unnecessary access, and escalation when work may exceed agreed data scope.
Handling rules¶
- Store and transfer data only on customer-approved systems.
- Do not commit customer data, secrets, or credentials to source control.
- Segregate customer work using organization, group, project, repository, and access boundaries as defined for each customer.
- Report suspected unauthorized access, loss, or disclosure without delay per incident procedures.
Records¶
Typical evidence includes training records, access approvals, repository membership, customer correspondence authorizing access, and incident records where relevant.