Information Classification Policy

Last reviewed and updated: Jul 15, 2023

Information Classification Policy

1. Introduction

As an AI-ML, deeptech product, and platform company, we recognize the criticality of information security and confidentiality. This Information Classification Policy outlines the framework and guidelines for classifying and safeguarding information assets within our organization. By classifying information appropriately, we ensure its proper handling, protection, and controlled access throughout its lifecycle.

2. Purpose

The purpose of this policy is to:
Define the criteria and process for classifying information according to its sensitivity, value, and potential impact if compromised.
Establish clear responsibilities for information owners, custodians, and users.
Provide guidance on the protection measures required for each classification level.
Promote consistency and uniformity in information handling across our organization.
Support compliance with legal, regulatory, and contractual obligations.

3. Information Classification Levels

Our information assets shall be classified into the following levels, based on their sensitivity:

a. Level 1: Highly Confidential
Information classified at this level involves extremely sensitive and confidential data with a severe impact if disclosed, altered, or destroyed improperly. Examples include trade secrets, financial data, personally identifiable information (PII), intellectual property, and confidential legal documents.

b. Level 2: Confidential
Information classified at this level is sensitive and requires protection from unauthorized access, disclosure, or alteration. Examples include customer data, internal business strategies, proprietary algorithms, and contract-related information.

c. Level 3: Internal Use Only
Information classified at this level is intended for internal use only and may be limited to specific user groups within our organization. Examples include internal communications, employee records, and non-sensitive business operational data.

d. Level 4: Public Information
Information classified at this level is publicly available and does not require any special protection. Examples include marketing materials, general product information, and public announcements.

4. Information Classification Process

a. Responsibilities
Information Owners: Information owners are accountable for the classification, labeling, and protection of their respective information assets. They need to ensure that information is properly classified based on its sensitivity and regularly reviewed for accuracy.
Information Custodians: Information custodians are responsible for implementing and maintaining appropriate security controls in line with the assigned classification level. They must enforce security measures to protect the identified information based on its classification.
Information Users: Information users must comply with the specified handling and protection requirements for the information assets they access. They should report any potential security incidents or breaches promptly.

b. Classification Criteria
The following criteria should be considered when classifying information:
Sensitivity: The potential impact on confidentiality, integrity, and availability if the information is compromised.
Regulatory and Legal Requirements: Compliance obligations dictated by applicable laws, regulations, and contractual agreements.
Business Impact: The potential consequences to our organization if the information is compromised or disclosed to unauthorized parties.
Value: The overall value of the information to our organization and its stakeholders.

c. Classification Labels
Information assets shall be appropriately labeled to reflect their assigned classification level. Labels should be clearly visible and accompany the information wherever it is stored, transmitted, or processed.

5. Protection Measures

The following protection measures shall be applied based on the classification levels:

Level 1 (Highly Confidential): Stringent access controls, encryption, multi-factor authentication, data loss prevention techniques, and physical security measures must be implemented. Access must be restricted to authorized individuals on a need-to-know basis.

Level 2 (Confidential): Strong access controls, encryption where appropriate, user authentication mechanisms, and secure network configurations must be in place to protect the information assets.

Level 3 (Internal Use Only): Access controls, regular user access reviews, and protection measures commensurate with internal data handling requirements must be implemented.

Level 4 (Public Information): No specific protection measures are required beyond standard security controls to ensure the integrity and availability of the information assets.

6. Training and Awareness

Regular training and awareness programs will be conducted to educate employees, contractors, and third-party partners on the importance of information classification, handling procedures, and their responsibilities for safeguarding information assets.

7. Compliance and Policy Review

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract. The policy will be reviewed periodically to ensure its effectiveness and alignment with evolving industry practices and regulatory requirements.

For any inquiries or further information regarding our Information Classification Policy, please contact our Information Security Department at