Data Classification & Handling
Nemu Inc. - Updated 2025
1. Purpose
This document defines Nemu Inc.'s data classification framework and the handling requirements for each classification level.
Its purpose is to ensure appropriate protection of all customer and internal data.
2. Data Classification Levels
2.1 Confidential (Highest Sensitivity)
Data that requires the strongest safeguards.
Examples:
- Customer PII
- Household & estate settlement data
- Device identifiers & authentication tokens
- Internal security configurations
- Billing or financial data
Controls Required:
- Encryption at rest & in transit
- Strict RBAC
- Limited retention
- Cannot be stored in unauthorized systems
- Cannot be shared externally without authorization
2.2 Internal
Data intended for internal use by Nemu Inc.
Examples:
- Internal documentation
- Operational metrics
- Slack discussions
- Product planning documents
Controls Required:
- Store only in approved systems
- Domain-restricted sharing
- No external publishing without permission
2.3 Public
Data approved for public release.
Examples:
- Marketing content
- Public documentation
- Social media and website content
Controls Required:
- Required review before publication
3. Data Handling Requirements
3.1 Confidential Data
Permitted only in:
- Supabase (DB/Storage)
- Google Workspace
- Render-hosted services
Requirements:
- Access limited to business-need-to-know
- Encrypted exports only
- Mandatory deletion after use
- Prohibited:
  - Storing in personal cloud accounts
  - Copying to personal devices
  - Sending over personal messaging apps
3.2 Internal Data
- Stored in internal systems only
- Default domain-only sharing enforced
3.3 Public Data
- Must go through a release review
- Cannot contain Confidential or Internal data
4. Acceptable Use & Accountability
- Employees acknowledge Acceptable Use & Data Handling policies at onboarding.
- Violations can lead to disciplinary action.
- Employees must:
  - Use only company-approved systems
  - Protect all credentials
  - Report any improper data handling incidents
5. Encryption Requirements
5.1 Data in Transit
- All traffic must use TLS 1.2+
- HTTPS enforced on all systems
- Postgres connections use sslmode=require
5.2 Data at Rest
- Supabase: AES-256 encryption for DB & Storage
- Google Workspace: encrypted by default
- Render: encrypted volumes and disks
- All endpoints: full-disk encryption (FileVault, BitLocker)
6. Access Control Requirements
- Role-based access for all sensitive data
- Privileged access restricted and monitored
- Supabase Row Level Security used where applicable
- Access reviewed periodically
7. Restrictions on Uploading / External Sharing
Confidential data may not be uploaded to:
- Personal Dropbox
- Personal iCloud
- WhatsApp / Telegram
- WeTransfer
- Any unapproved external tool
Google Workspace enforces domain restrictions to block unauthorized sharing.
8. Handling Scoped Data (SIG Requirements)
8.1 Scoped Data Transmission
Scoped data may only be sent electronically when required and must use encryption.
8.2 Scoped Data Storage
Only allowed in approved, encrypted platforms.
8.3 File Sharing Controls
Google Workspace prevents unauthorized uploads through:
- Domain policies
- External sharing restrictions
9. USB / Removable Media
- USB usage for Confidential data is restricted.
- Any authorized use requires encryption.
10. Audit Evidence
Examples:
- Google Workspace admin logs
- Supabase access logs
- Render secret configuration screenshots
- RBAC permission matrices
- RLS configuration examples
11. Compliance Mapping
- SIG: D.2 - D.2.4, D.7, D.7.11, D.9.3
- SOC 2: CC6.1, CC6.7
- ISO 27001: A.8.2.1 - A.8.2.3, A.9
Contact: support@mynemu.com
© 2025 Nemu Inc.