Data Classification and Handling Policy
Simple guide to classifying and handling data based on sensitivity.
Data Classification and Handling
| Field | Value |
|---|---|
| Document ID | POL-009 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
This policy helps you understand how to handle different types of data at Wealthy. The goal is simple: protect sensitive stuff, don’t over-complicate the rest.
Classification Levels
All data falls into one of four levels:
| Level | What it means | Examples |
|---|---|---|
| Public | Anyone can see it. No restrictions. | Marketing content, blog posts, public website. |
| Internal | For employees only. Low risk if leaked. | Internal docs, Slack chats, meeting notes. |
| Confidential | Sensitive business info. Needs protection. | Customer lists, financial reports, support tickets. |
| Restricted | Highly sensitive. Strictest controls. | PII (PAN, Aadhaar, bank details), KYC docs, API keys, credentials. |
What Goes Where
Quick reference for common data types:
| Data Type | Classification |
|---|---|
| Customer PII (name, email, phone, PAN, Aadhaar, bank account) | Restricted |
| KYC Documents (ID proofs, address proofs) | Restricted |
| Financial Transactions (orders, trades, payments) | Restricted |
| Auth Data (passwords, PINs, OTPs, tokens) | Restricted |
| API Keys & Secrets | Restricted |
| Customer Portfolio & Holdings | Confidential |
| Business Metrics & Revenue | Confidential |
| Partner Data & Contracts | Confidential |
| Support Tickets | Confidential |
| Internal Docs & Policies | Internal |
| Slack, Email, Meeting Notes | Internal |
| Public Website & Marketing | Public |
Handling Requirements
| Requirement | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Storage | Anywhere | Standard systems | Approved systems only | Approved systems only |
| Transmission | Any channel | Internal preferred | Secure channels | Secure channels only |
| Access | Open | Employees only | Role-based | Need-to-know only |
| Sharing externally | Freely | Don’t | NDA required | CTO approval required |
| Disposal | Normal delete | Normal delete | Secure delete | Secure delete |
Labeling
Keep it simple:
- Documents: Add classification in header/footer — e.g., `CONFIDENTIAL — Internal Use Only`
- Emails: For sensitive content, add to subject — e.g., `[CONFIDENTIAL] Q4 Revenue`
- Code: Never commit secrets. Use AWS Secrets Manager.
Quick Rules
Storage
- Restricted/Confidential data goes in approved systems only (GCP, AWS)
- No Restricted data on personal devices or USB drives
- Laptops need full-disk protection enabled
Transmission
- Never send Restricted data via email or Slack
- When in doubt, use the most secure option available
Access
- Least privilege — only request access you actually need
- Privileged access (admin, prod) needs extra approval
Third-Party Sharing
- Vendor security assessment required first
- Restricted data needs CTO sign-off
Remote Work
- Use VPN when accessing sensitive data remotely
- Avoid public Wi-Fi for Restricted data
Roles
- Data Owners (Product/Business leads): Decide classification, approve access
- Data Custodians (Engineering/DevOps): Implement technical controls
- Data Users (Everyone): Follow the rules, report issues
- Security Team: Audits, guidance, policy updates
If Something Goes Wrong
Report immediately to security@wealthy.in. Don’t cover it up — quick reporting minimizes damage.
See Data Breach Response Policy (POL-008) for details.