Data Management Policy
Purpose
To ensure that information is classified, protected, retained and securely disposed of in accordance with its
importance to the organization.
Scope
All Puppeteer AI data, information and information systems.
Policy
Puppeteer AI classifies data and information systems in accordance with legal requirements, sensitivity, and
business criticality in order to ensure that information is given the appropriate level of protection. Data
owners are responsible for identifying any additional requirements for specific data or exceptions to
standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that
they store or process.
Data Classification
To help Puppeteer AI and its employees easily understand requirements associated with different kinds of
information, the company has created three classes of data.
Confidential
Highly sensitive data requiring the highest levels of protection; access is restricted to specific employees or
departments, and these records can only be passed to others with approval from the data owner, or a
company executive. Example include:
- Customer Data
- Personally identifiable information (PII)
- Company financial and banking data
- Salary, compensation and payroll information
- Strategic plans
- Incident reports
- Risk assessment reports
- Technical vulnerability reports
- Authentication credentials
- Secrets and private keys
- Source code
- Litigation data
Restricted
Puppeteer AI proprietary information requiring thorough protection; access is restricted to employees with a
"need-to-know" based on business requirements. This data can only be distributed outside the company
with approval. This is default for all company information unless stated otherwise. Examples include:
- Internal policies
- Legal documents
- Meeting minutes and internal presentations
- Contracts
- Internal reports
- Slack messages
- Email
Public
Documents intended for public consumption which can be freely distributed outside Puppeteer AI. Examples
include:
- Marketing materials
- Product descriptions
- Release notes
- External facing policies
Labeling
Confidential data should be labeled "confidential" whenever paper copies are produced for distribution.
Data Handling
Confidential Data Handling
Confidential data is subject to the following protection and handling requirements:
- Access for non-preapproved roles requires documented approval from the data owner
- Access is restricted to specific employees, roles and/or departments
- Confidential systems shall not allow unauthenticated or anonymous access
- Confidential Customer Data shall not be used or stored in non-production systems/environments
- Confidential data shall be encrypted at rest and in transit over public networks in accordance with the
- Cryptography Policy
- Mobile device hard drives containing confidential data, including laptops, shall be encrypted
- Mobile devices storing or accessing confidential data shall be protected by a log-on password (or
equivalent, such as biometric) or passcode and shall be configured to lock the screen after five (5)
minutes of non-use
- Backups shall be encrypted
- Confidential data shall not be stored on personal phones or devices or removable media including
- USB drives, CD's, or DVD's
- Paper records shall be labeled "confidential" and securely stored and disposed of in a secure,
approved manner in accordance with data handling and destruction policies and procedures
- Hardcopy paper records shall only be created based on a business need and shall be avoided
whenever possible
- Hard drives and mobile devices used to store confidential information must be securely wiped prior to
disposal or physically destroyed
- Transfer of confidential data to people or entities outside the company shall only be done in
accordance with a legal contract or arrangement, and the explicit written permission of management
or the data owner
Restricted Data Handling
Restricted data is subject to the following protection and handling requirements:
- Access is restricted to users with a need-to-know based on business requirements
- Restricted systems shall not allow unauthenticated or anonymous access
- Transfer of restricted data to people or entities outside the company or authorized users shall require
management approval and shall only be done in accordance with a legal contract or arrangement, or
the permission of the data owner
- Paper records shall be securely stored and disposed of in a secure, approved manner in accordance
with data handling and destruction policies and procedures
- Hard drives and mobile devices used to store restricted information must be securely wiped prior to
disposal or physically destroyed
Public Data Handling
No special protection or handling controls are required for public data. Public data may be freely distributed.
Data Retention
Puppeteer AI shall retain data as long as the company has a need for its use, or to meet regulatory or
contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data
owners, in consultation with legal counsel, may determine retention periods for their data.
Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a
business use.
Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.
Data & Device Disposal
Data classified as restricted or confidential shall be securely deleted when no longer needed. Puppeteer AI
shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party
Management Policy. Only third-parties who meet Puppeteer AI requirements for secure data disposal shall
be used for storage and processing of restricted or confidential data.
Puppeteer AI shall ensure that all restricted and confidential data is securely deleted from company devices
prior to, or at the time of, disposal.
Confidential and Restricted hardcopy materials shall be shredded or otherwise disposed of using a secure
method.
Personally identifiable information (PII) shall be collected, used and retained only for as long as the
company has a legitimate business purpose. PII shall be securely deleted and disposed of following
contract termination in accordance with company policy, contractual commitments and all relevant laws and
regulations. PII shall also be deleted in response to a verified request from a consumer or data subject,
where the company does not have a legitimate business interest or other legal obligation to retain the data.
Annual Data Review
DManagement shall review data retention requirements during the annual review of this policy. Data shall be
disposed of in accordance with this policy.
Legal Requirements
Under certain circumstances, Puppeteer AI may become subject to legal proceedings requiring retention of
data associated with legal holds, lawsuits, or other matters as stipulated by Puppeteer AI legal counsel.
Such records and information are exempt from any other requirements specified within this Data
Management Policy and are to be retained in accordance with requirements identified by the Legal
department. All such holds and special retention requirements are subject to annual review with Puppeteer
AI's legal counsel to evaluate continuing requirements and scope.
Policy Compliance
Puppeteer AI will measure and verify compliance to this policy through various methods, including but not
limited to, business tool reports, and both internal and external audits.
Exceptions
Requests for an exception to this policy must be submitted to the CTO for approval.
Violations & Enforcement
Any known violations of this policy should be reported to the CTO. Violations of this policy can result in
immediate withdrawal or suspension of system and network privileges and/or disciplinary action in
accordance with company procedures up to and including termination of employment.
Web Analytics:
We use Google Analytics to collect data about your activities on our site. This data helps us understand how visitors engage with our content and improve the user experience. Google Analytics collects data such as the pages you visit, the time spent on each page, and the type of device you're using. All data collected is anonymous and does not personally identify you.
Puppeteer
hello@getpuppeteer.ai
Backed by
