Data Classification Matrix

Data Type | Definition / Description | Access Restrictions | Minimum Security Controls
---|---|---|---
Public | Data meant for public consumption (e.g., marketing materials, public APIs) | Open to all users and staff | Basic integrity checks, no encryption required |
Internal | Company internal data not shared externally (e.g., internal docs, non-sensitive configs) | Employees only | Role-based access, internal network protection |
Sensitive | Data that can identify a user, or business information (e.g., usernames, email addresses, usage logs) | Limited to authorized backend developers and support staff | Encrypted at rest (AES-256), encrypted in transit (TLS), access logging
Confidential | Highly sensitive user info (e.g., access tokens, refresh tokens, payment info) | Strictly limited to necessary backend developers | AES-256 encryption, multi-factor authentication, strict access control, audit trails |
Regulated / Compliance | Data subject to regulatory control (e.g., GDPR personal data, HIPAA health info) | Only authorized personnel per compliance policy | Encryption at rest/in transit, compliance audits, data anonymization/pseudonymization |