Sensitive Data Handling Policy
1. Purpose
Valstorm LLC is committed to protecting the confidentiality and integrity of all sensitive data entrusted to us. This policy outlines the required procedures and controls for handling sensitive data throughout its entire lifecycle, from collection to disposal, to prevent unauthorized access, use, or disclosure.
2. Definition of Sensitive Data
For the purposes of this policy, sensitive data includes, but is not limited to:
- Personally Identifiable Information (PII): Names, email addresses, physical addresses, phone numbers, IP addresses, or any other data that can be used to identify an individual.
- Protected Health Information (PHI): Any health-related information that is subject to HIPAA regulations.
- Financial Information: Credit card numbers, bank account details, and payment history.
- Authentication Credentials: Passwords, API keys, and access tokens.
- Proprietary Customer Data: Any business-critical data that a customer uploads to our service.
All of these data types are tagged at the schema/object level in our database so that they are treated with the appropriate level of security.
3. Data Handling Lifecycle
We apply strict security controls at every stage of the data lifecycle:
- Collection: We practice data minimization, ensuring we only collect sensitive data that is strictly necessary to provide our services.
- Transit: All sensitive data transmitted between our customers and our platform, or between our internal systems, is encrypted using strong, industry-standard protocols such as TLS (Transport Layer Security).
- Storage (At Rest): Sensitive data stored on our servers, in our databases, and in backups is encrypted using robust encryption standards such as AES-256.
- Processing (In Use): We enforce the Principle of Least Privilege. Access to sensitive data in our production environment is restricted to authorized personnel who have a legitimate business need. We maintain detailed audit logs of all access to sensitive data.
- Destruction: When sensitive data is no longer required for legitimate business or legal purposes, it is securely and permanently destroyed in accordance with our Data Retention Policy.
4. Employee Training
All employees who handle sensitive data as part of their job responsibilities are required to complete regular data security and privacy training. This ensures they are aware of their responsibilities and are equipped to protect customer data effectively.