Purpose and Scope

This policy outlines the behavior expected of employees to keep confidential information about customers, clients, partners, and our organization secure. It applies to all employees, board members, investors, and contractors who may have access to confidential information, and it must be made readily available to everyone to whom it applies.

Background

The organization’s confidential information must be protected for two reasons:

  • It may be legally protected (e.g. sensitive customer data)

  • It may be fundamental to our business (e.g. business processes)

Common examples of confidential information in our company include, but are not limited to:

  • Unpublished financial information

  • Sensitive Customer Personal Data (PII)

  • Customer/partner/vendor/external party data

  • Patents, formulas, new technologies, and other intellectual property

  • Existing and prospective customer lists

  • Undisclosed business strategies including pricing & marketing materials

  • Materials & processes explicitly marked as “confidential”

Employees will have varying levels of authorized access to confidential information.

Policy

  • Employee procedure for handling confidential information

    • Lock and secure confidential information at all times

    • Safely dispose and delete documents when no longer needed

    • View confidential information only on secure devices

    • Disclose information only when authorized and necessary

    • Do not use confidential information for personal gain, benefit, or profit

    • Do not disclose confidential information to anyone outside the organization or to anyone within the organization who does not have appropriate privileges

  • Offboarding measures

    • The Hiring Manager should confirm that the off-boarding procedure has been completed by the final date of employment.

  • Confidentiality measures

    • The organization will take the following measures to ensure protection of confidential information:

      • Store and lock paper documents

      • Encrypt electronic information and implement appropriate technical measures to safeguard databases

      • Require employees to sign non-disclosure/non-compete agreements

      • Consult with Managing Partners before granting employees access to certain confidential information

  • Exceptions

    • Under certain legitimate conditions, confidential information may need to be disclosed. Examples include:

      • If a regulatory agency requests information as part of an audit or investigation

      • If the organization requires disclosing information (within legal bounds) as part of a venture or partnership

    • In such cases, employees must request and receive prior written authorization from their hiring manager before disclosing confidential information to any third party.

  • Disciplinary consequences

    • Employees who violate the confidentiality policy will face disciplinary and possible legal action.

    • A suspected breach of this policy will trigger an investigation. Intentional violations will result in termination, and repeated unintentional violations may also result in termination.

    • This policy is binding even after the termination of employment.

Standard Controls Satisfied

TSC C1.1, C1.2