Information Classification Policy

Last updated: January 15, 2026

Information Classification Policy

Document owner: Chief Information Security Officer (CISO), with Legal Counsel as co-owner Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Annual review; updates for regulatory or business changes Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

Definitions and Key Terms

Term	Definition
Information Asset	Any data, document, system, or resource that has value to Acme Cloud or its customers
Classification	The process of categorizing information based on its sensitivity and value
Classification Level	A designation indicating the sensitivity and required protection for information
Data Owner	The individual or role accountable for the classification and protection of specific data
Data Custodian	The individual or role responsible for implementing technical controls for classified data
Data Steward	The individual responsible for data quality and appropriate use within their domain
Confidential	Information that, if disclosed, could cause significant harm to the organization or individuals
Internal	Information intended only for internal use within Acme Cloud
Public	Information approved for external distribution without restriction
Restricted	Highly sensitive information requiring the strictest protection controls
Personal Data	Information relating to an identified or identifiable natural person (PII/PI)
Sensitive Personal Data	Personal data requiring additional protection (health, financial, biometric, etc.)
Business Critical	Information essential to core business operations and competitive advantage
Intellectual Property	Patents, trade secrets, proprietary algorithms, and confidential business methods
Customer Data	Any data belonging to or provided by customers of Acme Cloud
Regulated Data	Data subject to specific legal, regulatory, or contractual requirements
Labeling	The act of marking or tagging information with its classification level
Handling	The processes and procedures for working with classified information
Declassification	The process of reducing the classification level of information
Retention	The period for which classified information must be preserved
Disposal	The secure destruction or deletion of classified information
Need-to-Know	Access limited to individuals who require the information to perform their duties
Minimum Necessary	Limiting access to the minimum amount of information required for the purpose
Aggregation	The combination of unclassified data that may require higher classification when combined

Scope and Purpose

This Information Classification Policy establishes Acme Cloud, Inc.'s framework for categorizing, labeling, handling, and protecting information assets based on their sensitivity, value, and regulatory requirements. The policy applies to all information created, processed, stored, transmitted, or disposed of by Acme Cloud, regardless of format (digital, paper, verbal) or location (on-premises, cloud, mobile). The purpose is to ensure appropriate protection levels, regulatory compliance, and risk-based security controls for all organizational and customer information.

Classification Objectives

Objective	Description	Benefit
Risk-Based Protection	Apply controls proportional to information sensitivity	Efficient resource allocation
Regulatory Compliance	Meet legal and contractual data protection requirements	Compliance assurance
Business Protection	Safeguard competitive advantage and operations	Business continuity
Privacy Preservation	Protect personal data of customers and employees	Trust maintenance
Operational Efficiency	Enable appropriate information sharing for business	Productivity support
Incident Preparedness	Support incident response and forensic capability	Rapid response

Scope Applicability

Information Category	In Scope	Primary Classification	Examples
Customer Data	Yes	Confidential or Restricted	Account data, usage data, stored content
Personal Data (PII)	Yes	Confidential or Restricted	Names, emails, addresses, identifiers
Financial Data	Yes	Restricted	Payment data, billing records, pricing
Health Data (PHI)	Yes	Restricted	HIPAA-protected health information
Authentication Data	Yes	Restricted	Passwords, tokens, keys, certificates
Source Code	Yes	Confidential	Application code, infrastructure as code
Business Data	Yes	Internal or Confidential	Contracts, strategies, financials
Public Materials	Yes	Public	Marketing content, public documentation
Employee Data	Yes	Confidential or Restricted	HR records, compensation, performance
Third-Party Data	Yes	Per agreement	Vendor data, partner data

Classification Levels

Level Definitions

Level	Label	Description	Disclosure Impact
Restricted	🔴 RESTRICTED	Most sensitive information requiring maximum protection	Severe harm to organization, customers, or individuals; regulatory penalties; legal liability
Confidential	🟠 CONFIDENTIAL	Sensitive business or personal information for authorized use only	Significant harm to business operations, competitive position, or individual privacy
Internal	🟡 INTERNAL	Non-public information for internal business use	Limited harm; potential operational inefficiency or embarrassment
Public	🟢 PUBLIC	Information approved for unrestricted external distribution	No harm; information is or will be publicly available

Classification Criteria

Criterion	Restricted	Confidential	Internal	Public
Regulatory Requirement	Yes (PHI, PCI, etc.)	Possible (GDPR, etc.)	No	No
Contractual Obligation	Strict confidentiality	Standard NDA	Internal only clause	None
Financial Impact if Disclosed	>$1M or material	$100K-$1M	<$100K	None
Reputational Impact	Severe	Significant	Minor	None
Competitive Advantage	Critical	Important	Moderate	None
Personal Data Sensitivity	Special categories	Standard PII	Aggregated/anonymized	None
Recovery Difficulty	Irreplaceable	Difficult	Manageable	Public record

Data Type Classification Matrix

Data Type	Default Classification	Rationale	Override Conditions
Customer PII	Confidential	Privacy protection	Restricted if sensitive categories
Customer PHI	Restricted	HIPAA requirements	N/A — always Restricted
Customer Content	Confidential	Customer trust	Per customer contract
Payment Card Data	Restricted	PCI DSS	N/A — always Restricted
Authentication Secrets	Restricted	Security critical	N/A — always Restricted
Employee PII	Confidential	Employment privacy	Restricted if medical/financial
Source Code	Confidential	IP protection	Restricted for core algorithms
Infrastructure Config	Confidential	Security	Restricted if contains secrets
Security Logs	Confidential	Investigation support	Restricted during incidents
Financial Statements	Confidential	Business sensitive	Public after publication
Marketing Materials	Internal → Public	Review workflow	Public after approval
API Documentation	Internal	Development support	Public if published externally
Legal Contracts	Confidential	Contractual obligations	Per agreement terms
Board Materials	Restricted	Governance sensitivity	N/A — always Restricted
Research Data	Confidential	IP protection	Public after publication

Roles and Responsibilities

Data Governance Roles

Role	Primary Responsibilities	Authority	Accountability
Data Owner	Classify data; approve access; define retention	Classification decisions	Information protection
Data Custodian	Implement technical controls; manage storage	Technical implementation	Control effectiveness
Data Steward	Ensure data quality; manage metadata	Data standards	Data accuracy
Security Team	Define control requirements; monitor compliance	Security standards	Policy enforcement
Legal/Compliance	Regulatory interpretation; legal requirements	Legal guidance	Compliance
All Employees	Handle data per classification; report incidents	Personal compliance	Own actions

Classification Authority Matrix

Classification Level	Who Can Classify	Who Can Downgrade	Who Can Upgrade
Restricted	Director+ or designated owner	VP+ with Security approval	Data Owner
Confidential	Manager+ or Data Owner	Director+ or Data Owner	Data Owner
Internal	Any employee (default)	Data Owner	Data Owner
Public	Marketing/Legal approval required	N/A (already public)	N/A

Escalation Path

Scenario	First Contact	Escalation	Resolution Authority
Classification dispute	Data Owner	Security Team	CISO
Access request denial	Data Owner	Manager chain	VP or Data Owner
Suspected data leak	Security Team	CISO	Incident Response Team
Regulatory interpretation	Legal/Compliance	General Counsel	Legal decision
Policy exception	Security Team	CISO	CISO or delegate

Labeling Requirements

Labeling Standards

Classification	Digital Label	Document Header/Footer	Email Subject	Verbal Announcement
Restricted	[RESTRICTED]	"RESTRICTED — Authorized Recipients Only"	[RESTRICTED] prefix	"This is restricted information"
Confidential	[CONFIDENTIAL]	"Acme Cloud Confidential"	[CONFIDENTIAL] prefix	"This is confidential"
Internal	[INTERNAL]	"Acme Cloud Internal"	Optional	Not required
Public	None required	None required	None	None

Labeling Implementation

Asset Type	Labeling Method	Automation	Verification
Documents	Header/footer; metadata	DLP tagging	Periodic audit
Emails	Subject prefix; classification header	Email gateway	Automated scan
Databases	Schema metadata; column tags	Discovery tools	Data catalog
Files	Filename suffix; metadata	Automated tagging	File scan
Cloud Storage	Object tags; bucket policies	Cloud-native tagging	Policy audit
APIs	Response headers; documentation	API gateway	Automated testing
Code	README; comment headers	Repository policies	Code review
Physical	Stamps; cover sheets	Manual process	Physical audit

Labeling Exceptions

Scenario	Handling	Approval Required	Documentation
Legacy unlabeled data	Apply classification at next access	No (apply default)	Classification log
Third-party materials	Honor source classification or apply internal	Data Owner	Agreement review
Aggregated data	Assess combined sensitivity	If higher classification	Aggregation assessment
Temporary working copies	Inherit source classification	No	None

Handling Requirements

Handling Controls by Classification

Control Area	Restricted	Confidential	Internal	Public
Storage Encryption	Required (AES-256)	Required (AES-256)	Required	Not required
Transit Encryption	Required (TLS 1.3)	Required (TLS 1.2+)	Required	Recommended
Access Control	Named individuals; MFA	Role-based; MFA	Role-based	Open
Access Logging	Full audit trail	Audit trail	Standard logging	None required
Sharing Approval	Explicit per-recipient	Manager/owner approval	Within organization	Unrestricted
External Sharing	Prohibited without VP approval	With NDA/DPA	Generally prohibited	Unrestricted
Printing	Prohibited unless essential	Secure print only	Standard	Standard
Mobile Access	Approved MDM devices only	Approved devices	Standard devices	Any device
Cloud Storage	Approved services only	Approved services	Approved services	Any
Backup	Encrypted; restricted access	Encrypted	Standard backup	Standard
Disposal	Crypto-shred; destruction certificate	Crypto-shred	Secure delete	Standard delete

Handling Procedures

Activity	Restricted	Confidential	Internal	Public
Creating	Log creation; apply label; set permissions	Apply label; set permissions	Apply label	None special
Accessing	Verify authorization; log access	Verify role; log access	Standard auth	None
Copying	Approval required; log copy	Minimize copies	Standard	Standard
Modifying	Change control; log changes	Log changes	Standard	Standard
Transmitting	Encrypted channel; verify recipient	Encrypted channel	Encrypted	Standard
Storing	Designated secure systems only	Approved systems	Approved systems	Any
Archiving	Encrypted archive; access control	Standard archive	Standard archive	Standard
Disposing	Destruction with certificate	Secure destruction	Secure delete	Standard

Incident Handling

Incident Type	Restricted	Confidential	Internal	Public
Unauthorized Access	Critical incident; immediate escalation	High incident; 4-hour escalation	Medium incident	N/A
Data Loss	Critical incident; breach assessment	High incident; impact assessment	Medium incident	Low impact
Mislabeling	Immediate correction; access review	Prompt correction	Correction	N/A
Improper Disposal	Critical incident; recovery attempt	High incident; log review	Correction	N/A

Storage and Transmission

Approved Storage Locations

Classification	Approved Storage	Prohibited Storage	Encryption Requirement
Restricted	Designated secure systems; HSM for keys	Personal devices; unapproved cloud; email attachments	AES-256 at rest; TLS 1.3 in transit
Confidential	Company systems; approved SaaS	Personal cloud; public shares	AES-256 at rest; TLS 1.2+ in transit
Internal	Company systems; approved SaaS	Public shares	AES-256 at rest; TLS 1.2 in transit
Public	Any business system	N/A	Not required

Transmission Requirements

Method	Restricted	Confidential	Internal	Public
Email	Prohibited (use secure portal)	Encrypted; approved recipients	Standard email	Standard
File Transfer	SFTP/SCP; end-to-end encryption	SFTP or approved services	Approved services	Any
API	mTLS; additional encryption	TLS 1.2+ required	TLS required	TLS recommended
Physical Media	Encrypted; courier with chain of custody	Encrypted	Standard	Standard
Video Conference	Approved platforms; waiting room	Approved platforms	Approved platforms	Any
Chat/Messaging	Prohibited	Approved platforms only	Approved platforms	Any

Cross-Border Transfer

Transfer Scenario	Requirements	Additional Controls	Documentation
EU → US (Customer Data)	Standard Contractual Clauses	Transfer Impact Assessment	DPA addendum
Any → Third Country	Legal basis assessment	Enhanced security	Transfer record
Cloud Processing	Data residency compliance	Regional encryption keys	Processing record
Support Access	Access controls; no data export	Audit logging	Access log

Access Control

Access Principles

Principle	Definition	Implementation
Need-to-Know	Access only when required for job function	Role-based access; approval workflows
Minimum Necessary	Limit access to minimum required data	Data minimization; field-level access
Least Privilege	Minimum permissions required	RBAC; permission boundaries
Segregation of Duties	Separate conflicting responsibilities	Role separation; dual control
Defense in Depth	Multiple layers of access control	Technical + administrative controls

Access Requirements by Classification

Requirement	Restricted	Confidential	Internal	Public
Access Request	Formal request; Data Owner approval	Manager approval	Standard provisioning	Self-service
Access Review	Quarterly	Semi-annual	Annual	None
MFA Required	Yes (hardware key)	Yes	Yes	No
Session Controls	Short timeout; no concurrent	Standard timeout	Standard	None
Access Logging	Full audit; real-time alerts	Full audit	Standard logging	None
Background Check	Enhanced (where permitted)	Standard	Standard	None

Access Revocation

Trigger	Restricted	Confidential	Internal	Public
Role Change	Immediate	Within 24 hours	Within 24 hours	N/A
Termination	Immediate (pre-termination)	Immediate	Same day	N/A
Leave of Absence	Immediate suspension	Suspension	Per policy	N/A
Security Incident	Immediate	Immediate	As warranted	N/A
Access Review Finding	Immediate	Within 24 hours	Within 48 hours	N/A

Retention and Disposal

Retention Periods

Data Category	Minimum Retention	Maximum Retention	Legal Basis
Customer Account Data	Contract term + 3 years	Contract term + 7 years	Contractual; regulatory
Customer Content	Per customer instruction	Per customer instruction	DPA; customer rights
Transaction Records	7 years	10 years	Financial regulations
Employment Records	7 years post-employment	10 years post-employment	Employment law
Security Logs	1 year	3 years	Compliance; forensics
Access Logs	1 year	3 years	Audit requirements
Contracts	Life + 7 years	Life + 10 years	Statute of limitations
Marketing Data	Active + 2 years	Active + 3 years	Consent validity

Disposal Requirements

Classification	Disposal Method	Verification	Documentation
Restricted	Cryptographic erasure + physical destruction	Destruction certificate; witness	Disposal log; certificate
Confidential	Cryptographic erasure	Automated verification	Disposal log
Internal	Secure deletion	Standard verification	System logs
Public	Standard deletion	None required	None

Disposal Procedures

Media Type	Restricted/Confidential	Internal/Public
Digital Storage (SSD/HDD)	Crypto-shred + physical destruction	Crypto-shred or secure wipe
Cloud Data	Deletion + key destruction	Standard deletion
Paper Documents	Cross-cut shredding (DIN 66399 P-4+)	Shredding
Optical Media	Physical destruction	Physical destruction
Backup Media	Encryption key destruction	Standard deletion
Mobile Devices	Factory reset + MDM wipe verification	Factory reset

Numbered Policy Statements

Classification Requirement: All information assets must be classified according to this policy before creation, storage, or transmission.
Default Classification: Information without explicit classification must be treated as Internal until properly classified by the Data Owner.
Labeling Obligation: Confidential and Restricted information must be clearly labeled using the standards defined in this policy.
Handling Compliance: All personnel must handle information according to the controls specified for its classification level.
Need-to-Know Enforcement: Access to Confidential and Restricted information must be limited to individuals with a documented need-to-know.
Access Logging: All access to Restricted information and security-relevant access to Confidential information must be logged and monitored.
External Sharing Restriction: Restricted information may not be shared externally without VP-level approval and appropriate contractual protections.
Encryption Mandate: Confidential and Restricted information must be encrypted at rest and in transit using approved algorithms.
Approved Systems Only: Restricted and Confidential information may only be stored on approved, managed systems with appropriate security controls.
Mobile Device Restrictions: Restricted information may only be accessed from approved, managed mobile devices with full-disk encryption and remote wipe capability.
Disposal Verification: Disposal of Restricted information requires documented verification and destruction certificates.
Incident Reporting: Any suspected unauthorized access, disclosure, or loss of classified information must be reported immediately to Security.
Training Requirement: All personnel handling Confidential or Restricted information must complete information classification training annually.
Third-Party Obligations: Third parties receiving classified information must agree to equivalent protection requirements via contract.
Classification Review: Classification levels must be reviewed at least annually and updated when circumstances change.
Aggregation Assessment: When combining information from multiple sources, the combined classification must be assessed and may be higher than individual components.

Framework Appendix

Compliance Mapping

Requirement	SOC 2 Criteria	ISO 27001 Control	GDPR Article	Implementation
Information classification	CC6.1	A.8.2.1	Art. 5(1)(f)	This policy
Asset labeling	CC6.1	A.8.2.2	Art. 5(1)(f)	Labeling requirements
Asset handling	CC6.1	A.8.2.3	Art. 32	Handling requirements
Information transfer	CC6.7	A.13.2.1	Art. 32	Transmission requirements
Disposal of media	CC6.5	A.8.3.2	Art. 17	Disposal requirements
Access control policy	CC6.1	A.9.1.1	Art. 25	Access control section

NIST CSF Mapping

CSF Category	Subcategory	Policy Implementation
ID.AM-1	Physical devices inventoried	Asset classification
ID.AM-2	Software platforms inventoried	System classification
ID.AM-5	Resources prioritized	Classification levels
PR.DS-1	Data at rest protected	Storage controls
PR.DS-2	Data in transit protected	Transmission controls
PR.DS-5	Protections against data leaks	Handling controls
PR.IP-6	Data destroyed per policy	Disposal requirements

HIPAA Security Rule Mapping

HIPAA Requirement	Provision	Policy Implementation
Data classification	§164.312(c)(1)	Classification framework
Access controls	§164.312(a)(1)	Access control matrix
Encryption	§164.312(a)(2)(iv)	Encryption requirements
Media disposal	§164.310(d)(2)(i)	Disposal procedures
Transmission security	§164.312(e)(1)	Transmission requirements

Document revision history

Version	Date	Author	Summary of changes
1.0	2024-06-01	Legal & Compliance	Initial Trust Center publication
2.0	2025-03-15	GRC Program	SOC 2 Type II alignment refresh; expanded subprocessors
2.5	2025-09-01	Security Engineering	Encryption standards update; ISO 27001 mapping
3.0	2026-01-15	Trust Center Program	Full procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

Channel	Email	Use case
Trust & procurement	trust@acmecloud.com	Security questionnaires, trust reviews
Security	security@acmecloud.com	Incidents, vulnerabilities, control questions
Privacy	privacy@acmecloud.com	DSRs, privacy assessments
Legal	legal@acmecloud.com	Contractual, DPA, legal notices

Classification Support Contacts

Contact	Role	Use Case
security@acmecloud.com	Security Team	Classification questions; incident reporting
data-governance@acmecloud.com	Data Governance	Data owner assignment; policy interpretation
privacy@acmecloud.com	Privacy Team	Personal data classification; regulatory questions
legal@acmecloud.com	Legal	Contractual classification; legal hold

Appendix: Quick Reference Classification Guide

If the data includes...	Likely Classification	Verify With
Passwords, API keys, secrets	Restricted	Security Team
Payment card numbers	Restricted	Security Team
Health information (PHI)	Restricted	Privacy Team
Social Security numbers	Restricted	Privacy Team
Customer personal data	Confidential	Privacy Team
Employee personal data	Confidential	HR
Source code	Confidential	Engineering
Contracts, legal documents	Confidential	Legal
Internal communications	Internal	Data Owner
Published marketing	Public	Marketing

Document Version: 3.0 Last Updated: January 15, 2026

Information Classification Policy

Definitions and Key Terms

Scope and Purpose

Classification Objectives

Scope Applicability

Classification Levels

Level Definitions

Classification Criteria

Data Type Classification Matrix

Roles and Responsibilities

Data Governance Roles

Classification Authority Matrix

Escalation Path

Labeling Requirements

Labeling Standards

Labeling Implementation

Labeling Exceptions

Handling Requirements

Handling Controls by Classification

Handling Procedures

Incident Handling

Storage and Transmission

Approved Storage Locations

Transmission Requirements

Cross-Border Transfer

Access Control

Access Principles

Access Requirements by Classification

Access Revocation

Retention and Disposal

Retention Periods

Disposal Requirements

Disposal Procedures

Numbered Policy Statements

Framework Appendix

Compliance Mapping

NIST CSF Mapping

HIPAA Security Rule Mapping

Related Trust Center documents

Document revision history

Contact

Classification Support Contacts

Appendix: Quick Reference Classification Guide