Data Classification Policy
Last updated: March 11, 2025
Purpose
ItemIQ ("we," "our," or "us") maintains this Data Classification Policy to ensure consistent handling, protection, and encryption of data based on its sensitivity. This policy defines data classification levels and mandates encryption for sensitive data both in-transit and at-rest.
Data Classification Levels
Confidential (Sensitive/Personal Data)
- Personally identifiable information (PII): names, email addresses, account credentials
- User-uploaded content (photos, product images)
- Payment and billing information
- Authentication tokens and session data
Handling: Must be encrypted in-transit and at-rest. Access restricted per Access Control Policy.
Internal
- Internal business documents, project plans
- Non-customer analytics and operational data
Handling: Encrypted at-rest. Access limited to employees with need-to-know.
Public
- Marketing materials, public website content
- Published documentation intended for external use
Handling: No encryption required; standard access controls apply.
Encryption Requirements
Encryption In-Transit
- All sensitive data transmitted over networks uses TLS 1.2 or higher
- API communications, web traffic, and mobile app data transfer are encrypted
- Third-party integrations handling personal data require encrypted connections
Encryption At-Rest
- Databases storing personal or sensitive data use encryption at-rest (e.g., AES-256)
- Cloud storage (Firebase, object storage) uses provider-managed encryption at-rest
- Backups of sensitive data are encrypted
Data Handling by Classification
- Data is classified at creation or receipt
- Classification labels are applied where supported by systems
- Reclassification occurs when data sensitivity changes
Retention and Disposal
Sensitive data is retained only as long as necessary for business or legal purposes. Secure deletion procedures are followed when data is no longer needed.
Related Documents
Contact