noIM₃ Legal & Policies

Data Classification Policy

Last updated: [Date]

1. Purpose and Scope

This Data Classification Policy establishes a framework for identifying, classifying, and handling data held or processed by noIM₃ according to its sensitivity, value, and the risk associated with its exposure. Proper classification ensures appropriate protection controls are applied to each category of data.

This policy applies to all data:

  • Created, collected, stored, or processed by noIM₃
  • Belonging to or relating to noIM₃ customers, employees, or business operations
  • Held by third-party vendors on behalf of noIM₃

2. Classification Levels

Public

Information approved for public release with no restrictions. Includes published content on noIM₃.com, marketing materials, publicly available tool documentation, and blog posts.

Internal

Information intended for internal use only that is not sensitive but should not be publicly disclosed. Includes internal procedures, non-sensitive operational data, and general business communications.

Confidential

Sensitive business information where unauthorised disclosure could harm noIM₃ or its customers. Includes customer personal information, subscription and billing data, API keys and credentials, business strategy documents, and financial information.

Restricted

Highly sensitive information where unauthorised disclosure could cause severe harm, legal liability, or regulatory breach. Includes authentication credentials, encryption keys, database access credentials, and payment card data (if applicable).

[Adjust classification levels and definitions to reflect the actual data types your platform handles.]

3. Data Handling Requirements

Public data

  • No special handling requirements
  • May be freely shared and published

Internal data

  • Accessible only to noIM₃ team members with a legitimate need
  • Not to be shared with external parties without authorisation
  • Standard access controls apply

Confidential data

  • Encrypted in transit (TLS) and at rest
  • Access restricted to personnel with explicit authorisation
  • Must not be transmitted via unencrypted channels
  • Vendor access requires a signed Data Processing Agreement
  • Disposal requires secure deletion or certified destruction

Restricted data

  • All Confidential controls apply, plus:
  • Access limited to the minimum number of individuals required
  • Multi-factor authentication required for access
  • Access logged and reviewed regularly
  • Never stored in plain text under any circumstances
  • Immediate incident response if exposure is suspected

4. Data Labelling

Where practical, data should be labelled with its classification level in document headers, file naming conventions, or system metadata. Electronic systems should apply classification tags where supported.

[Describe your specific labelling approach if you have one, e.g. document header templates, folder naming conventions.]

5. Data Inventory

noIM₃ maintains a data inventory (register of data assets) identifying the classification, location, owner, and retention period for significant data categories. The inventory is reviewed annually.

[Link to or describe your data inventory process here.]

6. Responsibilities

  • Data Owner: Accountable for the classification and protection of specific data assets.
  • All team members: Responsible for handling data in accordance with its classification.
  • Vendors: Required to apply equivalent or greater protection controls under contractual obligation.

7. Policy Review

This policy is reviewed annually or following any material change to data types processed, a data breach incident, or relevant regulatory updates.

Questions about this policy? Contact us and we'll respond within 2 business days.