Appcircle Asset Management and Data Classification Policy¶
Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy defines Appcircle's requirements for managing information assets and classifying data according to its sensitivity. Effective asset management and data classification support the confidentiality, integrity, and availability of Appcircle's systems and customer data by ensuring appropriate protections are applied based on the nature and sensitivity of each asset.
Scope¶
This policy applies to:
- All Appcircle information assets, including people, endpoint devices, documented information, databases, source code repositories, and software systems.
- All personnel who access, handle, or manage Appcircle information assets.
- Third-party services that process or store Appcircle or customer data, where applicable.
Asset management¶
Asset inventory¶
Information assets are tracked to support compliance, monitoring, and effective security controls. Appcircle maintains an inventory of its key information assets, including:
- People: The employee list managed through HR systems serves as the authoritative record of personnel with access to Appcircle systems and data.
- Endpoint devices: Devices used by personnel to access Appcircle systems are inventoried and managed.
- Databases and data stores: Production databases are tracked; databases containing non-public data require encryption at rest.
- Source code repositories: All source code is maintained in GitHub under access controls consistent with the System Access Control Policy.
- Software systems: Corporate and production software systems are subject to authentication and access management practices to ensure only authorised users can access information assets.
- Documents and policies: Key documents including policies, procedures, and plans are reviewed and updated at least annually or when significant changes occur.
Device management¶
Endpoint devices may process, handle, and store sensitive data and authentication credentials. All endpoint devices and their operators must comply with the Acceptable Use Policy and Endpoint Device Security Policy.
Asset disposal follows an established process to ensure sensitive data, files, and stored authentication secrets are completely and effectively erased or destroyed before disposal.
Third-party software¶
Third-party software used by Appcircle is subject to risk assessments and ongoing monitoring to ensure appropriate security protections are applied, consistent with the Vendor Management Policy.
Data classification¶
The following classification scheme defines the sensitivity of data and the corresponding level of protection required. When the term "sensitive" is used, it encompasses all non-public data categories.
Restricted¶
The most sensitive category — accessed only on a strict need-to-know basis. Unauthorised disclosure may cause material harm to Appcircle, its customers, partners, or suppliers. Examples include:
- Board reports and strategic business plans.
- Customer data that is commercially sensitive.
- Information subject to regulatory protection requirements.
Confidential¶
Business information that is not publicly disclosed and must be protected from unauthorised access. Examples include:
- Customer data not classified as commercially sensitive.
- Customer and third-party contracts.
- Internal documentation not approved for public release.
Internal¶
Not publicly available; accessible only to Appcircle employees, approved stakeholders, and authorised third parties. Examples include:
- Service and pricing information not approved for public release.
- Appcircle policies and procedures.
- Customer and partner listings.
Public¶
Information that is publicly available or has been approved by management for public release. Examples include:
- User guides and published system documentation.
- Published customer references.
- Press releases and approved announcements.
Data handling requirements¶
All personnel must handle data in accordance with its classification. Key requirements include:
- Data is only collected when there is a legitimate business need.
- The security and confidentiality of all data is protected by default unless explicitly approved otherwise.
- Sensitive data is restricted to approved and secure storage locations.
- Sensitive data must not be stored on end-user devices.
- Management approval is required before making any sensitive data publicly available.
- Key information and documents are backed up regularly to separate and secure locations.
Data retention and disposal¶
Retention¶
Data is retained for periods consistent with its operational purpose and applicable regulatory requirements:
- Account management data (interaction history, contact details, agreements): retained until deletion is requested.
- Service information (confidential data shared during service delivery): retained until deletion is requested.
- Appcircle usage data (user activity for debugging and improvement): anonymised where possible; retained until deletion is requested.
Disposal¶
When systems, devices, or documents are decommissioned, all sensitive data must be completely erased, destroyed, or rendered unreadable before disposal. This applies to both physical and digital assets.
Roles and responsibilities¶
- Engineering Management (Policy Owner): Accountable for this policy; ensures implementation, enforcement, and annual review.
- Engineering / Platform / Operations: Responsible for monitoring and enforcing policy requirements; handles reported breaches or policy issues.
- All personnel: Read, acknowledge, and adhere to this policy; handle data according to its classification; report policy violations to Engineering Management.
Regulatory alignment¶
This policy supports compliance with:
- SOC 2 (Trust Services Criteria — Confidentiality, Availability, Common Criteria)
- ISO/IEC 27001:2022 (A.5.9–A.5.14 Asset management, information classification and handling)
- GDPR (Article 5 — Principles of data processing; Article 25 — Data protection by design)
- KVKK (Article 12 — Data security obligations)
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner or an authorised delegate.
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant changes occur to systems, data types handled, or regulatory requirements.
Note
This public policy describes Appcircle's asset management and data classification posture at a high level. Detailed internal procedures (including the asset inventory register, data handling guidelines, and disposal processes) are maintained separately and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- System Access Control Policy
- Acceptable Use Policy
- Endpoint Device Security Policy
- Network Security Policy
- Vendor Management Policy
- Data Retention and Disposal Policy