Document ID: SOC2-DCP-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: CISO / Data Protection Officer
Purpose
This policy establishes how [Organisation Name] classifies, handles, and protects information assets based on sensitivity. It implements C1.1 (identify and maintain confidential information) and C1.2 (dispose of confidential information) of the SOC 2 Confidentiality Trust Services Category.
1. Data Classification Tiers
| Tier | Definition | Examples |
|---|---|---|
| Public | Approved for unrestricted external disclosure | Marketing materials, public documentation, job listings |
| Internal | For employee use only; not for external disclosure | Internal policies, meeting notes, employee directories |
| Confidential | Sensitive business or customer information; restricted to authorised individuals | Customer data, contracts, financial records, source code, security configurations |
| Restricted | Highest sensitivity; very limited access; breach could cause severe damage | Encryption keys, access credentials, penetration test reports, personal health/financial data |
2. Handling Requirements by Tier
| Requirement | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Encryption at rest | Not required | Recommended | ✓ Required | ✓ Required |
| Encryption in transit | Not required | ✓ TLS 1.2+ | ✓ TLS 1.3 | ✓ TLS 1.3 + additional controls |
| Access control | Open | Employee SSO | Role-based; need-to-know | Named individuals; CISO approval |
| Logging of access | Not required | Recommended | ✓ Required | ✓ Required + alerting |
| Sharing externally | ✓ Permitted | Not permitted without approval | NDA required; DPA for customer data | Not permitted without CISO sign-off |
| Third-party processing | ✓ | With standard contract | DPA required; Tier 1/2 vendor only | Prohibited without explicit CISO approval |
| Backup | Not required | Standard | ✓ Encrypted backup | ✓ Encrypted + offsite + access-controlled |
| Retention | N/A | Per retention schedule | Per retention schedule + contract | Per retention schedule; minimum retention enforced |
| Disposal | Standard deletion | Secure deletion | Certified secure deletion | Certified secure deletion + destruction log |
3. Customer Data Handling
All customer data is classified as Confidential at minimum. Customer data that includes personally identifiable information (PII) is classified as Restricted.
Customer data must:
- Never be used in development or test environments without anonymisation
- Never be accessed by employees for purposes other than providing the contracted service
- Never be shared with third parties without a DPA and CISO approval
- Be deleted within 30 days of contract termination (or per contractual terms)
- Be subject to data subject rights procedures (access, deletion, portability) where applicable
4. Labelling Requirements
All documents and data stores containing Confidential or Restricted data must be labelled:
- Electronic documents: classification header or footer on each page
- Data stores: tagged in cloud console with data classification and data owner
- Emails containing Confidential data: subject line prefix [CONFIDENTIAL]
- Restricted data transfers: encrypted container with access log
5. Data Disposal
| Method | Applicable To |
|---|---|
| Standard deletion | Public / Internal digital files |
| Secure overwrite (DoD 5220.22-M or equivalent) | Confidential digital files; disk drives before repurposing |
| Certified destruction (shredding / degaussing) | Restricted data; hardware containing customer data |
| Certificate of destruction | Required for all hardware disposal; retained for 7 years |
6. Review
This policy is reviewed annually or when significant changes to data processing activities occur.
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [Author] | Initial issue |