Data Classification and Security Policy
Purpose
This policy establishes a framework for classifying, managing, and protecting data within Cloud Maven’s systems. It aims to safeguard sensitive information and ensure compliance with legal, regulatory, and contractual obligations relevant to loan origination and servicing for MCA and specialty finance industries.
Scope
This policy applies to all data created, stored, processed, or transmitted by Cloud Maven, including internal employees, contractors, and third-party vendors with access to company systems and data.
1. Data Classification Levels
Data is classified based on sensitivity, regulatory requirements, and business impact:
Public: Information that is freely available, such as marketing materials and press releases. Unauthorized disclosure carries no risk.
Internal Use: Non-sensitive information intended for Cloud Maven employees and authorized partners. Unauthorized disclosure poses minimal risk.
Confidential: Sensitive information, including customer data, business strategies, and employee information. Unauthorized disclosure could lead to financial loss, reputational harm, or regulatory penalties.
Restricted: Highly sensitive information, such as financial records, loan servicing data, and credit analysis reports. Unauthorized access or disclosure could result in significant legal, financial, or operational risks.
2. Data Handling and Security Standards
2.1 Access Control
Role-Based Access: Access to data is restricted to authorized personnel based on their role and responsibilities.
Authentication: Multi-factor authentication (MFA) is required to access Confidential and Restricted data.
2.2 Data Storage and Encryption
Public and Internal Use Data: May be stored on standard shared drives or cloud storage with basic security.
Confidential and Restricted Data: Must be stored in encrypted formats using approved encryption methods (e.g., AES-256) and access-controlled systems, such as encrypted databases and secure cloud storage.
Platform-Specific Controls: Use Salesforce Shield or similar platforms for field-level encryption and compliance tagging as applicable.
2.3 Data Transmission
Secure Channels: All data classified as Confidential or Restricted must be transmitted over secure channels, such as HTTPS, TLS, or SFTP.
Email Encryption: Email communication involving Confidential or Restricted data must use secure email solutions or be encrypted.
2.4 Data Retention and Disposal
Retention Periods: Data is retained based on classification level and business needs. For example, loan servicing and compliance data are retained as per regulatory requirements.
Secure Disposal: Data that is no longer required must be securely deleted or anonymized. Physical documents should be shredded, and digital media must be wiped or degaussed according to industry standards.
2.5 Incident Response and Reporting
Breach Reporting: Suspected data breaches involving Confidential or Restricted data must be reported immediately to the Information Security team.
Incident Response: A dedicated response team will assess, mitigate, and document any data exposure or unauthorized access incidents.
3. Data Classification Implementation for Cloud Maven Services
3.1 Metadata and Tagging
Data Tagging: Data fields within Cloud Maven platforms (Salesforce, proprietary systems) should be tagged according to their classification level.
Compliance Tags: Where applicable, data should be tagged for regulatory compliance (e.g., GDPR, CCPA) to facilitate adherence to legal obligations.
3.2 Regular Data Audits
Conduct regular audits to review data classifications, ensuring accurate and updated categorization across all systems.
Confirm that access controls and encryption protocols align with classification levels.
4. Employee Responsibilities and Training
4.1 Training Requirements
All Cloud Maven employees, contractors, and third-party partners must undergo annual training on data classification, handling, and security protocols.
Specific training will be provided for handling Confidential and Restricted data, especially related to financial and regulatory information.
4.2 Policy Adherence and Violations
Employees are responsible for following this policy and immediately reporting any suspected policy violations or security concerns.
Violations may result in disciplinary actions or termination, as per Cloud Maven’s HR policies.
5. Policy Governance and Review
Review Cycle: This policy will be reviewed annually or as necessary to reflect changes in business operations, technology, or regulatory requirements.
Compliance Monitoring: The Compliance and Information Security teams are responsible for monitoring adherence to this policy and conducting periodic audits to ensure ongoing effectiveness.
This Data Classification and Security Policy ensures that Cloud Maven’s data is protected at every stage, supporting secure loan origination and servicing processes while maintaining compliance with industry standards and regulations.