Data Handling Policy

Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to data categories, customer contracts, or law


Purpose

This policy defines how Cloudnaut handles confidential, sensitive, and regulated categories of customer data.

Scope

This policy applies to personal, health, financial, educational, proprietary, confidential, and other regulated or contractually protected data encountered during customer engagements.

Policy

Personnel access customer regulated or confidential data only when explicitly authorized by the customer, required for the engagement, and approved through the engagement’s governance path. Access follows need-to-know and least privilege.

Personnel use customer-approved accounts, repositories, environments, and transfer mechanisms. Customer data is not copied to personal equipment, unmanaged storage, or repositories outside the engagement boundary.

Awareness

Personnel complete security training that covers identification of sensitive data, avoidance of unnecessary access, and escalation when work may exceed agreed data scope.

Handling rules

  • Store and transfer data only on customer-approved systems.
  • Do not commit customer data, secrets, or credentials to source control.
  • Segregate customer work using organization, group, project, repository, and access boundaries as defined for each customer.
  • Report suspected unauthorized access, loss, or disclosure without delay per incident procedures.

Records

Typical evidence includes training records, access approvals, repository membership, customer correspondence authorizing access, and incident records where relevant.