The Data Classification Policy is the canonical scheme for how botBrains classifies, labels, and handles information by sensitivity. It assigns every piece of data to one of four levels so that each receives a proportionate level of protection across its lifecycle, from creation to deletion.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to all information that botBrains creates, receives, stores, or transmits in any form (electronic or physical), and to every system that processes it. A system inherits the classification of the highest-sensitivity data it holds.

Classification levels

botBrains uses four levels. When the level isn’t obvious, choose the higher one.
| Level | Definition | Examples |
| --- | --- | --- |
| Public | Approved for release to anyone. No damage from disclosure. | Marketing material, product documentation, published trust pages, release notes. |
| Internal | Owned by botBrains, shared only among personnel with a business need. Moderate impact if disclosed. This is the default for any data not explicitly classified otherwise. | Internal notes, meeting records, draft plans, non-sensitive operational data. |
| Confidential | Highly sensitive business or security data. Significant impact if disclosed. | Source code, secrets and private keys, authentication credentials, account and billing data, financial records, security and incident reports, contracts. |
| Customer Data | Personal and conversation data that customers send to the botBrains platform, processed under the Data Processing Agreement. botBrains is the processor; the customer is the controller. Highest protection. | End-user messages and conversation transcripts, knowledge-base content, model inputs and outputs, anything a customer uploads. |

Labeling

Repository and platform context establishes the level for most data: GitHub private repositories hold Confidential source code, the production multi-tenant database and object storage hold Customer Data, and the shared password manager holds Confidential secrets. Personnel apply an explicit “Confidential” label only when a document leaves its default context, for example a security report shared outside the platform.

Handling rules

Handling requirements increase with sensitivity. The Cryptography Policy defines encryption standards once; retention periods and secure deletion live in the Data Retention Policy.
| Control | Public | Internal | Confidential | Customer Data |
| --- | --- | --- | --- | --- |
| Access | Unrestricted | Personnel with a business need | Specific roles with explicit need-to-know | Logical tenant isolation; no direct database access for users; personnel access only for support, operations, or recovery |
| Storage | Any approved system | Approved company systems | Encrypted at rest on company-approved systems only | Encrypted at rest in the EU production environment only |
| Encryption in transit | Recommended | Required over public networks | Required (TLS 1.3, min 1.2) | Required (TLS 1.3, min 1.2) |
| Non-production use | Allowed | Allowed | Avoid; never store real secrets in test systems | Prohibited in local, staging, or test environments, except temporarily to remediate a specific production issue, then removed |
| External transfer | Free | Business need only | Only under a contract or NDA with CISO approval | Only as instructed by the controller and the DPA; no third-country transfer |
| Devices | No special control | Full-disk-encrypted laptops | Full-disk-encrypted laptops; never on personal devices or removable media | Not stored on endpoints; resides in EU cloud only |
| Disposal | None | Standard deletion | Secure deletion when no longer needed | Secure deletion per the Data Retention Policy |

botBrains processes Customer Data only within the EU, using the subprocessors listed at Subprocessors, with no transfer to a third country.

Exceptions and enforcement

The CISO approves any exception to this policy and records it in the risk register. Personnel report suspected mishandling to the CISO. Violations can lead to revoked access and disciplinary action under the Code of Conduct.

ISO 27001 mapping

This policy supports Annex A 5.12 (classification of information), 5.13 (labelling of information), 5.14 (information transfer), 8.10 (information deletion), 8.11 (data masking), and 8.12 (data leakage prevention).

Review

The CISO owns this policy and reviews it at least annually and on any material change.