Purpose and Scope
This policy outlines the expected behavior of employees to keep confidential information about customers, clients, partners, and our organization secure. This policy applies to all employees, board members, investors, and contractors who may have access to confidential information. This policy must be made readily available to all to whom it applies.
Background
The organization’s confidential information must be protected for two reasons:
It may be legally binding (e.g. sensitive customer data)
It may be fundamental to our business (e.g. business processes)
Common examples of confidential information in our company include, but are not limited to:
Unpublished financial information
Sensitive Customer Personal Data (PII)
Customer/partner/vendor/external party data
Patents, formulas, new technologies, and other intellectual property
Existing and prospective customer lists
Undisclosed business strategies including pricing & marketing materials
Materials & processes explicitly marked as “confidential”
Employees will have varying levels of authorized access to confidential information.
Policy
Employee procedure for handling confidential information
Lock and secure confidential information at all times
Safely dispose of and delete documents when no longer needed
View confidential information only on secure devices
Disclose information only when authorized and necessary
Do not use confidential information for personal gain, benefit, or profit
Do not disclose confidential information to anyone outside the organization or to anyone within the organization who does not have appropriate privileges
Offboarding measures
The Hiring Manager should confirm the off-boarding procedure has been completed by the final date of employment.
Confidentiality measures
The organization will take the following measures to ensure protection of confidential information:
Store and lock paper documents
Encrypt electronic information and implement appropriate technical measures to safeguard databases
Require employees to sign non-disclosure/non-compete agreements
Consult with Managing Partners before granting employees access to certain confidential information
Exceptions
Under certain legitimate conditions, confidential information may need to be disclosed. Examples include:
If a regulatory agency requests information as part of an audit or investigation
If the organization requires disclosing information (within legal bounds) as part of a venture or partnership
In such cases, the employee must request and receive prior written authorization from their hiring manager before disclosing confidential information to any third parties.
Disciplinary consequences
Employees who violate the confidentiality policy will face disciplinary and possible legal action.
A suspected breach of this policy will trigger an investigation. Intentional violations will be met with termination, and repeated unintentional violations may also result in termination.
This policy is binding even after the termination of employment.
Standard Controls Satisfied
TSC C1.1, C1.2