Enterprise Data Classification Policy

Last updated: 28th June, 2024

Introduction

At Simreka, we recognize the importance of properly classifying and managing data to ensure its confidentiality, integrity, and availability. As a leading Deep Tech AI company focused on accelerating the development of sustainable products, we handle various types of data that require distinct levels of protection. This policy outlines our data classification framework and the associated handling requirements.

Purpose

1. The purpose of this policy is to:
2. Define the different classifications of data within Simreka (Devtaar GmbH)
3. Establish guidelines for handling, storing, and transmitting data based on its classification.
4. Ensure compliance with legal, regulatory, and contractual obligations.
5. Protect sensitive and proprietary information from unauthorized access and disclosure.

Scope

This policy applies to all employees, contractors, and third-party partners who access, handle, or manage Simreka (Devtaar GmbH) data. It covers all forms of data, including digital, printed, and verbal communications.

Data Classification Levels

Data at Simreka (Devtaar GmbH) is classified into four categories based on its sensitivity and the potential impact of unauthorized disclosure or misuse:

Public Data

Description: Information intended for public dissemination.
Examples: Marketing materials, press releases, public reports.
Handling Requirements: May be freely distributed without restrictions.

Internal Data

Description: Information intended for internal use within Simreka (Devtaar GmbH).
Examples: Internal communications, internal process documentation, internal policies.
Handling Requirements: Access restricted to employees and authorized contractors. Should not be shared outside the organization without permission.

Confidential Data

Description: Information that, if disclosed, could harm Simreka (Devtaar GmbH) or its clients.
Examples: Client data, project plans, financial information, intellectual property.
Handling Requirements: Access limited to employees and contractors with a legitimate need to know. Must be stored in secure locations and transmitted using encryption.

Restricted Data

Description: Highly sensitive information that, if disclosed, could cause significant harm to Simreka (Devtaar GmbH), its clients, or partners.
Examples: Proprietary AI algorithms, strategic business plans, undisclosed R&D data, personal data protected under privacy laws.
Handling Requirements: Access restricted to a limited number of authorized individuals. Must be stored in highly secure environments and transmitted using strong encryption. Regular audits and monitoring required.
Data Handling Guidelines

Storage

Public Data: Can be stored on public websites and shared drives with no restrictions.
Internal Data: Should be stored on internal networks or secured cloud services with access controls.
Confidential Data: Must be stored in encrypted formats on secure servers or encrypted cloud storage.
Restricted Data: Should be stored in highly secure environments with encryption and multi-factor authentication (MFA).

Transmission

Public Data: Can be transmitted through any means, including email and public websites.
Internal Data: Should be transmitted over secure, internal networks or through encrypted email.
Confidential Data: Must be transmitted using encryption protocols (e.g., TLS) and secure file transfer methods.
Restricted Data: Should be transmitted only through highly secure channels with end-to-end encryption and recipient authentication.

Access Control

1. Access to Internal, Confidential, and Restricted Data must be controlled based on the principle of least privilege.
2. Role-based access control (RBAC) and multi-factor authentication (MFA) should be implemented for accessing sensitive data.
3. Regular access reviews should be conducted to ensure appropriate access levels.

Disposal

1. Data must be disposed of securely based on its classification.
   Public Data: Can be discarded in regular trash or deleted from public websites.
2. Internal Data: Should be shredded or securely deleted.
3. Confidential and Restricted Data: Must be shredded, securely deleted, or destroyed using methods that ensure data cannot be recovered.
   Responsibilities
   Employees and Contractors: Responsible for understanding and adhering to this policy and reporting any security incidents or policy violations.
4. Managers: Ensure their teams comply with the data classification policy and provide necessary training.
5. IT Department: Implement and maintain technical controls to enforce the policy, conduct regular security audits, and assist with incident response.
   Security Officer: Oversee the data classification policy, conduct regular reviews, and update the policy as needed.
   Policy Review and Updates

This policy will be reviewed annually or as needed to ensure its relevance and effectiveness. Changes to this policy will be communicated to all employees and contractors.

Proper data classification is essential to protecting Simreka’s valuable information assets. By following this policy, we ensure the security of our data, compliance with regulations, and the continued trust of our clients and partners.

For questions or additional information, please contact us at hello[at]simreka.com