Data Classification Standard

Purpose
DraftWise, Inc. (“DraftWise” or “we”) has developed this Data Classification Standard in order to define data categories and provide a matrix of security and privacy controls for the purpose of determining the level of protection to be applied to DraftWise data throughout its life under our responsibility.

Scope
This Standard applies to all employees, contractors, consultants, vendors and other service providers who currently work at DraftWise and who handle, manage, store or transmit DraftWise data. The company’s executive team is responsible for ensuring compliance with the Standard and for completing actions prescribed by the Standard. All employees of DraftWise are required to be aware of this Data Classification Standard, their individual responsibilities when present, and how to access the resources necessary to carry out their responsibilities.

Responsibilities

DraftWise

DraftWise employees, contractors, consultants, vendors and other service providers are required to review and understand this policy, and to handle data according to the classification levels below unless otherwise noted.

Data owners shall determine the classification of data under their responsibility in accordance with this Standard. If you, as a data owner, cannot identify the data element or are uncertain of the risk associated with the data and how it should be classified and handled, please contact the executive team.

Customers
DraftWise customers are responsible for managing their own data as well as any data stored on their equipment or within their networks that has been designated for the use of DraftWise’s products and services. This includes identification and classification according to their internal definitions and requirements. DraftWise handles Customer Data according to our non-disclosure obligations written in active non-disclosure agreements and the controls identified in this Standard.

Definitions
Personal Data: As defined by General Data Protection Regulation (GDPR): “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Customer Data: Refers to electronic data uploaded or created by DraftWise customers and processed in DraftWise products and services and subject to legal or contractual obligations.

Data Classification Levels
DraftWise has defined the levels below as sufficient for its data classification purposes.

RED
Restricted and must remain confidential. This is DraftWise’s highest level of classification and access should be considered privileged and must be explicitly approved. Exposure of this data to unauthorized parties could cause extreme loss to DraftWise and/or its customers. In the gravest scenario, exposure of this data could trigger or cause a business extinction event.

ORANGE
Data subject to applicable laws and regulations that should not be made generally available. Unauthorized access or disclosure could cause significant or material financial loss, pose a risk of harm to DraftWise if exposed to unauthorized parties, break contractual obligations, and/or adversely impact DraftWise, its partners, employees, contractors, and customers.

YELLOW
Data and information created and used in the normal course of business that should not be made publicly available. Unauthorized access or disclosure could cause minimal risk or harm and/or adversely impact DraftWise, its partners, employees, contractors, and customers.

GREEN
Data that is publicly shareable and does not expose DraftWise or its customers to any harm or material impact.

Standards

Credentials and access tokens are classified at the same level as the data they protect.
Credentials such as passwords, personal access tokens, encryption keys, and session cookies derive their importance from the data they protect.

Combinations of data types will be classified at the highest level of their component data types.
If there is more than one data type residing in a system, the system should be classified at the highest data classification level of the data being stored, transmitted or processed on that system.
