1. Purpose
This policy assigns every piece of data SlashLogixx holds to one of four classification tiers, so that handling, storage, transmission, and disposal can be governed consistently across teams and systems.
2. Classification Tiers
| Tier | Definition | Examples |
|---|---|---|
| Public | Information intended for public consumption. Disclosure causes no harm. | Marketing pages, published policies, open-source contributions. |
| Internal | Day-to-day operational information not intended for the public. Disclosure causes low harm. | Internal wiki, non-sensitive product roadmaps, employee directory. |
| Confidential | Information whose disclosure would harm SlashLogixx, a customer, an employee, or a partner. | Customer business data, financial records, contract terms, source code, internal AI prompts and tool configurations. |
| Restricted | The most sensitive category. Disclosure causes severe regulatory, financial, or reputational harm. | Authentication credentials, API keys, encryption keys, personal data (PII), payment card data (PCI), protected health information (PHI), customer audit logs. |
3. Handling Requirements
| Tier | Storage | Transmission | Access | Disposal |
|---|---|---|---|---|
| Public | Any approved system | Any channel | Anyone | Standard deletion |
| Internal | SlashLogixx-managed systems | Authenticated channels | Employees, contractors with NDA | Standard deletion when no longer needed |
| Confidential | Encrypted at rest; access-logged | TLS 1.2+ only | Need-to-know, MFA required | Cryptographic erasure; logged |
| Restricted | Encrypted at rest with KMS-managed keys; access-logged and reviewed | TLS 1.3 preferred; never email or chat | Smallest possible group, MFA + audit; never on personal devices | Cryptographic erasure; verified; logged |
4. Customer Data
- By default, all customer data SlashLogixx processes on the Spark platform is treated as Confidential at minimum.
- Customer data that includes authentication credentials, PII, PCI, or PHI is treated as Restricted.
- Customers may instruct SlashLogixx in writing to treat a specific data set at a higher classification than the default; SlashLogixx will not treat customer data at a lower classification than the default.
5. AI Inputs and Outputs
Data that flows into or out of the platform's AI agents inherits the classification of the underlying source data. Confidential or Restricted inputs are not used to train shared models. Outputs that may reveal a customer's underlying data are tagged with the source classification.
6. Labeling
Confidential and Restricted data carry an explicit label in storage where the system supports it (object metadata, database column annotations, repository topic). Where labeling is infeasible, the system defaults to the most restrictive classification of any data it may contain.
7. Retention & Disposal
- Customer data is retained for the term of the subscription and for thirty (30) days after termination, after which it is cryptographically erased unless a longer retention is required by law or contract.
- Backup copies of Restricted data follow the same disposal schedule as primary copies, accounting for backup-retention windows.
8. Exceptions
Exceptions to handling requirements require a written request, business justification, stated expiration date, and Security owner approval. Open exceptions are reviewed quarterly.