1. Purpose and Scope
The purpose of this Data Classification Policy is to establish a framework for categorizing Speak Ai Inc.'s ("Speak Ai") data based on its sensitivity and value to the organization. This classification guides the application of appropriate security controls to protect data according to its level of sensitivity. This policy applies to all employees, contractors, and third parties who handle Speak Ai's data.
2. Policy Statement
Speak Ai is committed to ensuring the confidentiality, integrity, and availability of its data by implementing a formal data classification policy. This policy categorizes data to apply suitable security measures, ensuring that sensitive data is adequately protected against unauthorized access, disclosure, alteration, and destruction.
3. Data Classification Framework
Public: Data that can be made publicly available without any restrictions. Examples include marketing materials and publicly released white papers.
Internal Use Only: Data that is sensitive to the company but not classified as confidential. This may include internal emails, internal project documents, and non-sensitive business operations data.
Confidential: Data that, if disclosed, could potentially harm the company or its clients. Examples include business contracts, client information, and proprietary business processes.
Restricted: The most sensitive data that requires the highest level of security. This category includes data such as personal identification information (PII) and financial records. We ensure that such data is managed in compliance with applicable privacy standards and organizational policies.
4. Implementation of Security Controls
Public Data:
No specific security controls are required beyond general access management practices.
Internal Use Only Data:
Protected with access controls to ensure only authorized personnel can access this data.
Confidential Data:
Encrypted at rest.
Access controlled through role-based access controls (RBAC).
Audit logs maintained for all access and processing activities.
Restricted Data:
Strong encryption measures applied both at rest.
Strict access controls with multi-factor authentication (MFA).
Comprehensive audit logs and real-time monitoring.
Regular security assessments and compliance checks.
5. Regular Review and Updating
The data classification policy is reviewed at least annually or more frequently if significant changes occur in our business environment or in relevant laws and regulations. This ensures that the policy remains effective and relevant to current conditions.
6. Training and Awareness
All employees receive training on the data classification policy as part of their onboarding process, with regular refresher courses annually or whenever significant updates to the policy are made. This training ensures that employees understand the importance of data classification and know how to handle data appropriately.
7. Compliance and Enforcement
Compliance with the data classification policy is mandatory for all employees. Our compliance team conducts regular audits to ensure that the policy is properly enforced and that data is handled according to its classification.
8. Documentation and Accessibility
The data classification policy is well-documented and readily accessible to all employees. Documentation includes detailed guidelines on how to classify data and the specific security controls that must be applied to each classification level.
9. Roles and Responsibilities
IT Team: Responsible for implementing and maintaining security controls based on data classification levels.
Department Managers: Responsible for ensuring that data within their departments is classified appropriately and that employees adhere to the policy.
All Employees: Responsible for understanding and applying the data classification policy to their daily activities, ensuring data is handled according to its classification.
10. Policy Review
This policy will be reviewed annually or as needed to ensure its relevance and effectiveness. Changes to the policy will be communicated to all employees.
11. Contact Information
For any inquiries or issues related to this Data Classification Policy, please contact the IT Team at [email protected].