Data Classification Policy (A.5.12)
Document ID: data-classification-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Classification levels
| Level | Description | Examples | Handling |
|---|---|---|---|
| Public | Intentionally published | Documentation, marketing, open-source rules hub | No restrictions |
| Internal | Business operations | Governance configuration, non-sensitive audit logs | Access via SSO; no external sharing without approval |
| Confidential | Sensitive business or customer data | API keys, customer governance configs, evidence blobs | Encrypted at rest and in transit; access logged |
| Restricted | Highest-sensitivity | Ed25519 private signing key, GITHUB_APP_PRIVATE_KEY, STRIPE_API_KEY | Stored in Cloudflare Secrets Store; never logged; rotation ≤ 90 days |
Data inventory
Principal data categories and their classification:
| Data | Classification | Storage | Retention |
|---|---|---|---|
| Customer governance rule files | Confidential | R2 (encrypted) | Duration of subscription |
| Compliance evidence blobs | Confidential | R2 Object Lock (90 days immutable) | 90 days guaranteed; longer preserved |
| Signed manifests / audit packages | Confidential | R2 + AUDIT_PACKAGES | 3 years |
| SSO session tokens | Restricted | KV (TTL 8h) | 8 hours |
| Signing private keys | Restricted | Secrets Store | Current key + 1 rotation overlap |
| Incident records | Internal | D1 | Indefinite |
| Vendor DDQs | Confidential | R2 | 7 years |
Handling requirements
- Confidential and Restricted data must not appear in commit messages, log entries, or error responses returned to clients.
- Production data must not be used in test environments. Test fixtures use synthetic data only (enforced by
prod-data-masking-auditcollector). - Retention sweeper removes evidence older than the Object Lock window on a monthly cadence.
Labelling
Data classification is enforced through system boundaries (access controls, encryption) rather than manual labelling, consistent with a cloud-native model.
Evidence
| Collector | Cadence | Control |
|---|---|---|
data-classification-audit | Weekly | A.5.12, A.5.13, A.8.11 |
prod-data-masking-audit | Weekly | A.8.11, A.8.12 |
retention-sweeper | Monthly | A.5.33, A.8.10, A.8.12 |
r2-object-lock-verify | Weekly | A.5.33, A.8.10, A.8.13 |