Data Management Policy¶
2025.2
This policy outlines the requirements and controls/procedures CAP Index has implemented to manage the end-to-end data lifecycle, from data creation/acquisition to retention and deletion.
Additionally, this policy outlines requirements and procedures to create and maintain retrievable exact copies of PII and other critical customer/business data.
Data backup is an important part of the day-to-day operations of CAP Index. To protect the confidentiality, integrity, and availability of sensitive and critical data, both for CAP Index and CAP Index Customers, complete backups are done daily to assure that data remains available when it needed and in case of a disaster.
Policy Statements¶
CAP Index policy requires that
(a) Data should be classified at time of creation or acquisition according to the CAP Index data classification model, by labeling or tagging the data.
(b) Maintain an up-to-date inventory and data flows mapping of all critical data.
(c) All business data should be stored or replicated to a company controlled repository, including data on end-user computing systems.
(d) Data must be backed up according to its level defined in CAP Index data classification.
(e) Data backup must be validated for integrity.
(f) Data retention period must be defined and comply with any and all applicable regulatory and contractual requirements. More specifically,
- Data and records belonging to CAP Index platform customer must be retained per CAP Index product terms and conditions and/or specific contractual agreements.
(g) By default, all security documentation and audit trails are kept for a minimum of three years, unless otherwise specified by CAP Index data classification, specific regulations or contractual agreement.
Controls and Procedures¶
Data Classification Model¶
CAP Index defines the following four classifications of data:
- Critical
- Confidential
- Internal
- Public
Definitions and Examples¶
Critical data includes data that must be protected due to regulatory requirements, privacy, and/or security sensitivities.
Unauthorized disclosure of critical data may result in major disruption to business operations, significant cost, irreparable reputation damage, and/or legal prosecution to the company.
External disclosure of critical data is strictly prohibited without an approved process and agreement in place.
Example Critical Data Types includes
- PII
- PCI or CHD (cardholder data)
- Production Security data, such as
- Production secrets, passwords, access keys, certificates, etc.
- Production security audit logs, events, and incident data
Confidential and proprietary data represents company secrets and is of significant value to the company.
Unauthorized disclosure may result in disruption to business operations and loss in value.
Disclosure requires the signing of NDA and management approval.
Example Confidential Data Types includes
- Business plans
- Employee/HR data
- News and public announcements (pre-announcement)
- Patents (pre-filing)
- Specialized source codes
- Non-production Security data, including
- Non-prod secrets, passwords, access keys, certificates, etc.
- Non-prod security audit logs, events, reports, and incident data
- Audit/compliance reports, security architecture docs, etc.
Internal data contains information used for internal operations.
Unauthorized disclosure may cause undesirable outcome to business operations.
Disclosure requires management approval. NDA is usually required but may be waived on a case-by-case basis.
Example Internal Data Types includes
- Internal documentation
- Policies and procedures
- Product roadmaps
- Most source codes
Public data is Information intended for public consumption. Although non-confidential, the integrity and availability of public data should be protected.
Example Internal Data Types includes
- News and public announcements (post-announcement)
- Marketing materials
- Product documentation
- Contents posted on company website(s) and social media channel(s)
Data Handling Requirements Matrix¶
Requirements for data handling, such as the need for encryption and the duration of retention, are defined according to the CAP Index Data Classifications.
| Data | Labeling or Tagging | Segregated Storage | Endpoint Storage | Encrypt At Rest | Encrypt In Transit | Encrypt In Use | Controlled Access | Monitoring | Destruction at Disposal | Retention Period | Backup Recovery |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Critical | Required | Required | Prohibited | Required | Required | Required | Access is blocked to end users by default; Temporary access for privileged users only | Required | Required | 7 years for audit trails; Varies for customer-owned data† | Required |
| Confidential | Required | N/R | Allowed | Required | Required | Required | All access is based on need-to-know | Required | Required | 7 years for official documentation; Others vary based on business need | Required |
| Internal | Required | N/R | Allowed | N/R | N/R | N/R | All employees and contractors (read); Data owners and authorized individuals (write) | N/R | N/R | 7 years for official documentation; Others vary based on business need | Optional |
| Public | N/R | N/R | Allowed | N/R | N/R | N/R | Everyone (read); Data owners and authorized individuals (write) | N/R | N/R | Varies based on business need | Optional |
N/R = Not Required
† customer-owned data is stored for as long as they remain as a CAP Index customer, or as required by regulations, whichever is longer. Customer may request their data to be deleted at any time; unless retention is required by law.
Data Inventory and Lifecycle Management¶
CAP Index Security team uses an automated system to query across our cloud-based infrastructure, including but is not limited to Azure, to obtain detailed records of all data repositories, including but not limited to:
- Azure Storage Acccounts
- Azure Disk Volumes
- Source code repositories
- Office 365
- On-premise storage systems (manually maintained)
The records are stored in a database system maintained by CAP Index security team. Records are tagged with owner/project and classification when applicable. All records are kept up to date via automation. The system is also designed to track movement of data and update/alert accordingly.
Azure Lifecycle Management
Azure lifecycle policies are used to manage the storage class for certain types of data. This standard is currently being implement with the use of Microsoft Purview.
CAP Index performs regular full backups of all production data. We leverage Microsoft Azure retention policies to automatically remove old backup data. This allows older data to “age out” instead of having to explicitly delete it. Azure lifecycle policies are also used to adjust the storage class of data backups based on the age of the backup.
Other Business Data
All internal and confidential business records and documents, such as product plans, business strategies, presentations and reports, are stored outside of an employee workstation or laptop.
-
Official records are stored in record management systems such as
- Jira (tickets),
- Team Foundation Services (source code),
- QuickBooks (HR),
- SharePoint and OneDrive (documents)
- (expense reports), etc.
-
Unstructured business documents such as Word documents, Excel spreadsheets and PowerPoint presentations are stored on CAP Index internal file share.
-
Confidential business documents/records are stored in encrypted form and with access control enabled on a need-to-know basis.
Transient Data Managemet
Data may be temporarily stored by a system for processing. For example, a storage device may be used to stage temp/raw files prior to being uploaded to the production environment in Microsoft Azure. These transient data repositories are not intended for long term storage, and data is purged immediately after use.
CAP Index currently does NOT use transient storage for any sensitive data.
Backup and Recovery¶
Customer Data¶
CAP Index stores data in a secure production account in Microsoft Azure, using a combination of Storage Accounts and Microsoft Azure SQL databases. By default, Microsoft Azure provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects. On an ongoing basis, the Azure SQL engineering team automatically tests the restore of automated database backups. Upon point-in-time restore, databases also receive DBCC CHECKDB integrity checks.
Any issues found during an integrity check will result in an alert to the engineering team. For more information, see Data integrity in SQL Database.
All database backups are taken with the CHECKSUM option to provide additional backup integrity.
CAP Index performs automatic backup of all customer and system data to protect against catastrophic loss due to unforeseen events that impact the entire system. An automated process will back up all data to a separate Microsoft Azure region in the same country (e.g. US East to US West). By default, data restore to point in time within 35 days. Long term backups policies are first of month up to 3 months and 1 annual backup with 3 year rentation. The backups are immutable and encrypted at rest.
Customers can also utilize the CAP Index Application Programming Interface (API) to extract and store their data elsewhere. Standard API usage fees will apply.
Source code¶
CAP Index stores its source in git repositories hosted by Team Foundation Services.
Source code repositories are backed up to CAP Index’s Microsoft Azure infrastructure account on a daily basis with a common set of configuration for each repository to enforce SDLC processes.
In the event that Team Foundation Services suffers a catastrophic loss of data, source code will be restored from the backups in Microsoft Azure.
Because Microsoft Azure and Team Foundation Services can both host git repositories, we are able to leverage git’s ability to maintain a full history of all changes to our git repos via the commit log.
Business records and documents¶
Each data owner/creator is responsible for maintaining a backup copy of their business files local on their laptop/workstation to the appropriate location on CAP Index SharePoint team site. OneDrive is used in providing backup protection. Examples of business files include, but are not limited to:
- Documents (e.g. product specs, business plans)
- Presentations
- Reports and spreadsheets
- Design files/images/diagrams
- Meeting notes/recordings
- Important records (e.g. approval notes)
Unless the local workstation/device has access to Critical data, backups of user workstations/devices are self managed by the device owner. Backups may be stored on an external hard drive or using a cloud service such as Microsoft’s OneDrive if and only if the data is both encrypted and password protected (passwords must meet CAP Index requirements).
Data Deletion Procedures¶
For Platform Customers¶
CAP Index has created and implemented the following procedures to make it easier for CAP Index Customers to support data retention laws.
Customer data is retained for 5 years from the time of creation. Inactive users are permanently removed from their accounts after 5 years. Inactive accounts are permanently removed after 5 years. Unregistered accounts (accounts created but the user never logged in) are deleted after one year. Customers that wish to close their account voluntarily may do so in writing. However, they should download their data manually or via the API prior to closing their account. Once the request for data removal and destruction is received, customer information will be unretrievable.
*Customers may adjust their retention policies through a written request.