Skip to main content
Last reviewed: March 5, 2026 Owner: Security + Engineering Review cadence: Quarterly Status: In progress This policy defines data classification levels and handling requirements used across product and operations.

What this policy answers

  • Which classification levels are used
  • What baseline handling controls apply to each level
  • What is already operating versus still being formalized

Implementation status (March 5, 2026)

Classification controls are active. We are finalizing policy language and evidence mapping as part of the SOC 2 workstream.

Classification levels

Handling controls enforced today

  • Access by least privilege and role scope
  • Encryption in transit and at rest
  • Secrets in managed secret systems
  • Retention and deletion per policy expectations

In progress

  • Final policy language and control-to-evidence mapping completion target: July 2026.

Exceptions and governance

Classification exceptions require documented risk, approval, and a time-bound remediation plan. Questions: