Marfeel is committed to ensuring the confidentiality, integrity, and availability of the information assets it manages or processes on behalf of its clients. This Information Security and Data Classification Policy establishes a comprehensive framework to classify, protect, handle, and monitor information according to its level of sensitivity and associated risks. It reflects Marfeel’s dedication to data protection, compliance with applicable regulations such as the General Data Protection Regulation (GDPR), and adherence to best industry practices.
1. Classification Levels
All information within Marfeel’s control must be appropriately classified into one of three categories based on its sensitivity, value, and the potential impact that unauthorized disclosure, modification, or loss could cause. These classifications are defined as follows:
Public: This category includes information that is intended for public disclosure or that may be shared freely without risk of harm to Marfeel, its clients, or third parties. Examples may include publicly posted website content or marketing materials.
Internal Use Only: Information that is not confidential but should be restricted to internal use within Marfeel. Unauthorized access or distribution of such data could potentially result in reputational or operational risks. This includes internal communications, operational procedures, and work-in-progress documentation.
Confidential: This classification includes all information that is highly sensitive and whose unauthorized disclosure could lead to significant financial, legal, or reputational damage. It includes personal data regulated by GDPR, proprietary business information, client-related data, and all data shared under NDAs. Access to confidential data is strictly limited to individuals with explicit authorization.
2. Criteria for Classification
The classification of information is determined based on a risk assessment approach that evaluates the confidentiality, integrity, and availability requirements of the data. Additional factors such as regulatory obligations, contractual commitments, and business impact in the event of compromise are also taken into account. Marfeel ensures that information is not only properly classified at the time of creation but is also reviewed periodically to reflect changes in its sensitivity or regulatory landscape.
3. Roles and Responsibilities
The successful implementation of this policy requires coordinated effort across various stakeholders within the organization. Senior management is responsible for endorsing the policy and providing the necessary resources to support its implementation. Data Owners are tasked with ensuring that all information under their authority is accurately classified and appropriately secured. All users are expected to understand and apply the classification policy in their daily activities, including reporting any concerns related to data handling or security to their supervisors or the Data Protection Officer.
4. Handling and Storage
Classified information must be handled and stored with care appropriate to its classification level. Confidential and Internal Use Only data must be protected through the use of secure storage environments such as Google Drive with restricted, role-based access. Encryption is used to secure data at rest and in transit. Physical access to sensitive areas, such as the Marfeel offices, is controlled via biometric authentication, and visitors are always escorted. Documents must be clearly labeled with their classification level to prevent mishandling.
5. Transmission and Sharing
Sharing of classified information, whether internal or external, must be done using secure communication channels that guarantee data integrity and confidentiality. Confidential information may only be shared with external entities that have been authorized and where appropriate data-sharing agreements or NDAs are in place. Internally, sharing is permitted strictly on a need-to-know basis, as dictated by the principle of least privilege.
6. Access Controls
Access to classified information is governed by robust access control mechanisms. All users must be authenticated through unique credentials, with multi-factor authentication implemented where appropriate. Access rights are assigned based on job responsibilities and reviewed regularly to ensure ongoing relevance. These controls are documented and monitored to prevent unauthorized access or misuse of data.
7. Retention and Disposal
Information must be retained only for as long as necessary to fulfill its intended purpose or to comply with legal or contractual obligations. Once data has exceeded its retention period, it must be disposed of securely. Digital information is erased using industry-standard methods, and physical documents are shredded or destroyed in a certified manner. Marfeel maintains documented procedures to govern both data retention and secure disposal.
8. Training and Awareness
To ensure effective implementation of this policy, all employees are required to undergo information security and data classification training as part of their onboarding and on a recurring basis. Awareness initiatives, led by the Director of System Operations, reinforce key principles, foster a culture of responsibility, and ensure staff understand their obligations related to information protection.
9. Compliance and Monitoring
Compliance with this policy is enforced through periodic audits, technical monitoring, and review processes conducted by the relevant internal teams. Any deviations from this policy are investigated and may result in corrective actions or disciplinary measures, depending on the nature and severity of the non-compliance. The Data Protection Officer ensures that this policy remains aligned with applicable legislation and industry best practices.