Deep
Understands edge cases and can teach it.
Four-tier classification — Public, Internal, Confidential, Restricted — mapped to what Castline actually handles.
Domain
Only the listed owner and admins can update. Vera routes questions to the owner.
Owner: Sofia Albuquerque
Every piece of data we hold falls into one of four classifications. The classification determines how it must be stored, who can access it, how it travels between systems, and what happens when it's lost.
The point of having four tiers — not three, not seven — is that engineers, PMs, and Compliance can all answer the same question the same way without reading a thirty-page handbook. The classification of the data drives the requirements; the requirements drive the architecture.
Public: data we intentionally publish. Marketing pages, blog posts, the Castline App Store listing, public investor materials we've already shared.
Storage: anywhere. Access: anyone. Transit: anywhere. Loss: no impact beyond the news cycle.
Internal: data that's ours, not sensitive, but not meant for the world. Internal documentation, the Castline backlog in monday.com, draft release notes before publication, organisation charts.
Storage: company-controlled systems (Microsoft 365, monday.com, this repo).
Access: anyone with a Media Tech email; SSO enforced.
Transit: TLS in flight; no specific encryption-at-rest requirement beyond the platform default.
Loss: embarrassing, possibly competitively useful to a rival, but not a regulatory or contractual event.
Confidential: data that, if leaked, would damage a customer or the business. Customer commercial terms, salaries and compensation, performance reviews, financial forecasts, partner agreements, source code, infrastructure topology, security incident details.
Storage: company-controlled systems with role-based access. Source code in GitHub (private repos). Financials in scoped folders in Microsoft 365 with named-individual access.
Access: named individuals or specific groups; no organisation-wide defaults.
Transit: TLS in flight; encryption at rest using platform-managed keys.
Loss: notification to affected parties; internal post-mortem; legal review.
Restricted: data subject to regulation. Personal data under GDPR, special-category data (health, sexual orientation, beliefs) which Castline AI Diaries may produce inferentially, financial data subject to PCI DSS scope, anything covered by a customer DPA that names it.
Storage: in-region (EU for European users), encrypted at rest with customer-data keys distinct from operational data keys. Production databases in Laravel Cloud, file storage in EU-region S3-compatible storage.
Access: strictly need-to-know, individually granted, time-limited where possible, audited.
Transit: TLS 1.3 minimum, mutual TLS for service-to-service inside the production VPC.
Loss: triggers the breach response runbook (compliance/incident-response); 72-hour regulator notification clock starts the moment we have a reasonable basis to believe data left our control.
| Data | Classification | Notes |
|---|---|---|
| User diary content (human-written) | Restricted | Personal data; may contain special-category by inference. |
| AI-generated diary content | Restricted | Derived from user prompts and behaviour; treated as personal data per GDPR Recital 26. |
| Uploaded images | Restricted | Personal data; Google Vision moderation results are also Restricted. |
| User email, display name | Restricted | Personal data. |
| Account creation timestamp | Restricted | Personal data when joined with user ID. |
| Aggregated anonymous usage stats | Internal | Pseudonymised; cannot reidentify. |
| App version & device class telemetry | Internal | Not joined with user ID at rest. |
| Castline source code | Confidential | Private repos; access via SSO. |
| Operational metrics (latency, error rate) | Confidential | Could reveal architecture to a competitor. |
| Marketing copy on castline.app | Public | Intentionally public. |
Classification is a property of the data, not the system. If a system starts joining datasets in a way that elevates the classification of the result, the system inherits the higher tier. The engineer who builds the join is responsible for flagging the change; Compliance signs off.
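An added example (not Castline's own tooling) of the join rule above, written as a check that could run when a join is reviewed: the result takes the strictest input tier and, as an assumption read from the table notes, becomes Restricted once any input ties rows to a user ID. The `Dataset` names and the `has_user_id` flag are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """The page's four tiers, ordered so max() picks the stricter one."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Dataset:
    name: str
    tier: Tier
    has_user_id: bool = False  # assumption: rows can be tied to a user ID


def join_tier(*inputs: Dataset) -> Tier:
    """Tier of a join result: never below the strictest input, and
    Restricted once any input links rows to a user ID (assumed rule,
    read from the table notes; it also catches an under-labelled input)."""
    tier = max(d.tier for d in inputs)
    if any(d.has_user_id for d in inputs):
        tier = Tier.RESTRICTED
    return tier


def review_join(system_tier: Tier, *inputs: Dataset) -> dict:
    """Compare a system's declared tier with what a proposed join yields."""
    result = join_tier(*inputs)
    return {
        "result_tier": result.name,
        "system_tier_after": max(system_tier, result).name,
        "needs_compliance_signoff": result > system_tier,
    }


# Constructed sample datasets; names are hypothetical, tiers follow the table.
TELEMETRY = Dataset("app_version_device_class", Tier.INTERNAL)
USAGE_STATS = Dataset("aggregated_usage_stats", Tier.INTERNAL)
OPS_METRICS = Dataset("latency_error_rate", Tier.CONFIDENTIAL)
ACCOUNTS = Dataset("user_email_display_name", Tier.RESTRICTED, has_user_id=True)

if __name__ == "__main__":
    # An Internal analytics system that starts joining telemetry to accounts.
    print(review_join(Tier.INTERNAL, TELEMETRY, ACCOUNTS))
    print(review_join(Tier.INTERNAL, TELEMETRY, USAGE_STATS))
```

A join that stays within the system's declared tier returns `needs_compliance_signoff` as false; any elevation returns the tier the system now inherits.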
Head of Compliance. Audited by the Master skill on a 90-day cadence.