Run: Data Classification and Handling Policy

This Data Classification and Handling Policy template sets the rules for classifying, labeling, storing, transmitting, retaining, and disposing of company da...

Purpose

This policy establishes a consistent framework for classifying and handling company data based on sensitivity, legal requirements, and business impact. It is intended to reduce unauthorized access, prevent accidental disclosure, support lawful retention and disposal, and ensure employees use approved controls when creating, storing, transmitting, or destroying data.

Scope

This policy applies to all employees, contractors, temporary workers, interns, consultants, and third parties who create, access, process, store, transmit, or dispose of company data on company systems or on behalf of the company.

**Jurisdiction-specific carve-outs:**

- **California employees:** Personal information must be handled in accordance with the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) where applicable.
- **EU/EEA personnel or data subjects:** Personal data must be handled in accordance with the General Data Protection Regulation (GDPR) where applicable.
- **United States employment records:** Employee records must be retained and handled in a manner consistent with applicable federal and state employment laws, including the FLSA recordkeeping requirements and EEOC-related documentation practices.

Data Classification Standards

All company data must be assigned a classification level at the time it is created, received, or materially changed. The default classification should be the least restrictive level that accurately reflects the data's sensitivity and business impact.

**Classification levels:**

1. **Public** — Approved for external release with no expected harm if disclosed.
2. **Internal** — For routine business use; not intended for public distribution.
3. **Confidential** — Sensitive business, employee, customer, or operational information that requires limited access.
4. **Restricted** — Highly sensitive information requiring the strongest access controls and handling restrictions.

Data owners must review classification when data is combined with other information, shared externally, or subject to new legal or contractual obligations.

Labeling, Storage, Transmission, Retention, and Disposal Requirements

**Labeling**

- Mark documents, files, and records with the correct classification label when practical and supported by the system.
- Do not remove or alter a classification label without approval from the data owner.

**Storage**

- Store data only in company-approved systems and repositories.
- Confidential and Restricted data must be protected with access controls based on least privilege.
- Restricted data must be encrypted at rest where technically feasible and required by policy.

**Transmission**

- Use approved secure methods for sharing data externally or internally, such as encrypted email, secure file transfer, or approved collaboration tools.
- Do not transmit Restricted data through unapproved messaging apps, personal email accounts, or public links.

**Retention**

- Retain records only as long as needed for business, legal, tax, audit, or regulatory purposes.
- Follow the applicable retention schedule for employee records, payroll records, customer records, and operational records.
- Do not keep data longer than required unless a documented legal hold or business justification applies.

**Disposal**

- Dispose of data using approved secure disposal methods appropriate to the medium and classification level.
- Paper records containing Confidential or Restricted data must be shredded or otherwise destroyed securely.
- Electronic records must be securely deleted or wiped using approved methods before device reuse, transfer, or retirement.

Roles & Responsibilities

**Policy holder**

- Owns the policy, approves updates, and ensures periodic review.

**Managers**

- Ensure team members complete required training and follow classification and handling rules.
- Escalate suspected mishandling of data to HR, Legal, Security, or Compliance as appropriate.

**Data owners**

- Assign and confirm classification levels for the data they own.
- Approve exceptions, access requests, and retention changes where permitted.

**Employees and contractors**

- Classify and handle data according to this policy and related procedures.
- Report suspected loss, unauthorized access, or improper disclosure immediately.

**Security / IT**

- Maintain approved systems, access controls, encryption standards, logging, and secure disposal processes.

**Legal / Compliance**

- Maintain retention guidance, legal hold procedures, and jurisdiction-specific requirements.

Compliance, Exceptions, and Discipline

Violations of this policy may result in access removal, corrective action, retraining, written warning, a documented warning, a PIP where performance issues are involved, contract termination, or other discipline up to and including termination of employment, subject to applicable law and any collective bargaining obligations. Exceptions must be approved in writing by the policy holder or designated authority, must state the business justification, and must include compensating controls and an expiration date. Nothing in this policy is intended to interfere with employees' rights under the NLRA to engage in protected concerted activity, or with rights under applicable wage-and-hour, leave, accommodation, or anti-discrimination laws.

Review & Revision

This policy will be reviewed at least annually and updated as needed to reflect changes in business practices, technology, retention requirements, privacy obligations, and applicable law. Revisions must be approved by the policy holder and communicated to affected employees and contractors.

Generated with MangoApps Templates — browse 240+ free