Data Classification & Handling Policy
| Field | Value |
|---|---|
| Document ID | DCP-001 |
| Version | 1.0 |
| Classification | Internal |
| Owner | Lauren ten Hoor (Director) |
| Effective date | 2026-04-30 |
| Next review | 2027-04-30 |
| Parent policy | Information Security Policy (ISP-001) |
1. Purpose
To define how information processed by the Company is classified, labelled, stored, transmitted, shared, and disposed of, in proportion to its sensitivity. Consistent classification is the foundation of every other security control: encryption, access control, retention, and disclosure.
2. Scope
All information assets handled by the Company, regardless of format (electronic, paper, verbal) or storage location (production systems, source code, email, the founder's workstation, third-party SaaS).
3. Classification levels
The Company uses four classification levels. Every information asset is classified at the most sensitive level any portion of it warrants.
3.1 Public
Information approved for unrestricted disclosure.
Examples: content of the marketing site (cadences.work), the trust page, the public sub-processor list. Note: this policy itself is Internal and is released to customers only under NDA; the sub-processor list is Public.
Handling: no special restrictions. Verify approval before publication.
3.2 Internal
Routine operational information. Disclosure outside the Company would be undesirable but not catastrophic.
Examples: internal documentation, draft policies, build logs, technical metrics, financial planning models.
Handling: stored on Company-controlled systems (Google Drive, Notion, GitLab private repo) with access limited to personnel and authorised contractors. Not posted to public channels.
3.3 Confidential
Information whose unauthorised disclosure would cause harm: contractual breach, competitive disadvantage, reputational damage, or moderate regulatory liability.
Examples: signed customer contracts, sub-processor agreements, internal financials, investor materials, the full Technical and Organisational Measures (TOMs) documentation, full incident post-mortems, the Risk Register, Vendor Risk Assessment results.
Handling:
- Stored only on Company-controlled systems with access restricted by role and need-to-know.
- Encrypted at rest (provider default) and in transit (TLS 1.2+).
- Shared with third parties only under a written confidentiality agreement (NDA, DPA, contract).
- Not transmitted by personal email, consumer messaging apps (WhatsApp without end-to-end-encrypted business mode), or unencrypted channels.
- Disposed of by secure deletion (system-level shred for files; account deletion for cloud assets).
3.4 Restricted
Information whose unauthorised disclosure would cause severe harm or significant regulatory liability.
Examples: Customer Personal Data of any kind (employee feedback content, time-tracking entries, identifying information of customer employees), authentication credentials, encryption keys, Stripe keys / payment tokens, OpenAI / Postmark / Vercel / Supabase API keys, individual incident details before sanitised disclosure, Customer financial data.
Handling:
- Stored only in production systems (Supabase EU, Vercel) and in the Company password manager (for keys/secrets) with MFA enforced.
- Encrypted at rest and in transit at all times.
- Access logged to the application audit log.
- Never transmitted by email, chat, screenshots, or shared documents.
- Never copied to local workstations except through ephemeral, authenticated sessions; no persistent local copies.
- Never used in development or testing environments — production data must not be cloned to non-production. Test data shall be synthetic.
- Disposed of by:
  - Deletion in the application via the customer's self-service tools, or
  - Cryptographic erasure for Customer-Managed Keys (when offered),
  - and confirmation in writing on customer request, per the Data Processing Agreement §11.
4. Customer Personal Data — special handling
All Customer Personal Data is Restricted by default.
4.1 In production
- Resident in Supabase Ireland (eu-west-1).
- Encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access by Cadences personnel logged in the application audit log.
- Access requires a documented support purpose recorded in the audit-log entry.
4.2 In transit to sub-processors
- OpenAI: only the relevant feedback text needed for the requested AI operation. No identifiers added by Cadences. Customer can disable AI features.
- Postmark: recipient email plus message body content (which may contain employee names and feedback context). Email links are short-lived and require authentication to Cadences before the linked content is shown.
- Vercel: data in transit through edge functions; no persistent storage.
- Other sub-processors: per the Sub-processors list.
4.3 In logs and analytics
- Application logs do not record full user records. Authentication tokens and password hashes are never logged.
- Vercel and Supabase platform logs record metadata (request IDs, IP, status) but not request bodies. Reviewed only during incidents.
- Google Analytics 4 receives anonymised IP and pseudonymous identifiers — no Customer Personal Data fields.
4.4 In backups
- Backups are encrypted at rest with provider-managed keys.
- Backup retention: 30 days; see the Business Continuity & Disaster Recovery Plan.
- Restored data inherits the original classification.
5. Labelling
Documents at the Confidential or Restricted level shall include a classification label in the header (e.g. "Classification: Restricted"). Public and Internal documents are not required to carry a label, but unlabelled documents are presumed Internal.
6. Cross-border transfer
Restricted data subject to GDPR shall not be transferred outside the EEA except under the safeguards documented in the Sub-processors list, the Data Processing Agreement, and the Transfer Risk Assessments (Singapore, United States).
7. Retention
| Class | Default retention |
|---|---|
| Public | Indefinite |
| Internal | While operationally relevant; reviewed annually |
| Confidential | Per applicable contract / law (e.g. tax records: 5 years SG, 7 years NL) |
| Restricted (Customer Personal Data) | Duration of customer contract + 30 days, unless customer configures shorter retention or law requires longer |
| Restricted (credentials, keys) | Until rotated; rotated values destroyed |
Detailed per-system retention is captured in the (forthcoming) Data Retention Schedule.
8. Compliance and references
ISO/IEC 27001:2022 Annex A: A.5.12 (classification of information), A.5.13 (labelling), A.5.14 (information transfer), A.8.10 (information deletion), A.8.11 (data masking).
GDPR Articles 5(1)(c) (data minimisation), 5(1)(e) (storage limitation), 17 (right to erasure), 32 (security).
Singapore PDPA — Retention Limitation Obligation (Section 25).
9. Version history
| Version | Date | Author | Summary |
|---|---|---|---|
| 1.0 | 2026-04-30 | Lauren ten Hoor | Initial issue |