Data Loss Prevention (DLP) Program
1. Purpose
This document describes Nemu Inc.'s Data Loss Prevention (DLP) program, including policies, procedures, and technical controls for preventing unauthorized disclosure of confidential data.
2. Scope
Covers data that:
- Resides in Supabase databases and storage.
- Is processed by applications hosted on Render.
- Is stored or shared via Google Workspace (Gmail, Drive, Docs).
3. DLP Controls
3.1 Google Workspace DLP
- Data protection and sharing controls are configured to:
  - Limit external sharing of sensitive documents.
  - Restrict "anyone with the link" access by default.
  - Optionally apply DLP rules for specific patterns (e.g., identifiers).
3.2 Application and API Controls
- APIs are designed to return only necessary data elements.
- Logging intentionally excludes sensitive fields where possible.
- Export functionality is limited and logged, especially for large data sets.
3.3 Supabase and Storage
- Row Level Security (RLS) enforces user-specific access to records.
- Private storage buckets are accessed via signed URLs with limited lifetime.
- Direct public access to Confidential data is avoided.
4. Evaluation and Improvements
- DLP effectiveness is evaluated as part of:
  - Risk assessments.
  - Incident reviews.
  - Architecture and feature design discussions for new data flows.
5. Audit Evidence
- Google Workspace sharing and DLP configuration screenshots.
- Supabase RLS and storage configuration examples.
- Internal documentation on export/reporting features and their safeguards.
6. Compliance Mapping
- SOC 2: CC6.1, CC6.7
- ISO 27001:2013: A.8.2.3, A.13.2.1
Contact: support@mynemu.com
© 2025 Nemu Inc. All rights reserved.
Last updated on