Data classification
Last reviewed 2026-05-18
Classification tiers
| Tier | Definition | Examples at HiringCoachAI | Handling |
|---|---|---|---|
| Public | Intentionally disclosed; no harm from publication | Marketing site copy, blog posts, pricing page, published policies in this directory | May be hosted on CDN; no encryption required beyond TLS |
| Internal | Non-public but low-sensitivity business information | Internal roadmaps, commit history, non-customer telemetry, build logs | Access limited to personnel; stored in authenticated systems |
| Confidential | Personal data or proprietary information; breach would harm users or business | User resumes, cover letters, contacts, job applications, chat/audio transcripts, email addresses, names, phone numbers, usage analytics tied to identity | Encrypted at rest; TLS in transit; access logged; retention bounded |
| Restricted | Highest-sensitivity; breach is reportable or materially damaging | Authentication secrets, Firebase service-account keys, Stripe live keys, OAuth refresh tokens, encrypted LinkedIn cookies, NextAuth session tokens, backup encryption keys, payment card data (never stored by us; Stripe tokenizes it) | Encrypted at rest with strong keys; minimum-access principle; rotation schedule; 2-person review for changes |
Handling matrix
| Requirement | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| HTTPS/TLS in transit | ✅ | ✅ | ✅ | ✅ |
| At-rest encryption | ✅ | ✅ | ✅ | ✅ |
| Field-level encryption (e.g., AES-GCM on top of platform encryption) | — | — | Recommended for OAuth tokens and phone numbers | Required |
| Access logging | — | — | ✅ | ✅ |
| Authorization | — | Employee | User-scoped or admin | Tightly scoped role; all current administrative accounts are required by policy to use Google Account MFA |
| Storage duration | Indefinite | Indefinite | Bounded (see data map) | Minimum needed |
| May leave approved regions | ✅ | ✅ | Only via DPA-signed sub-processors | Never without approval by the Security Officer |
| Logging into Sentry/analytics | ✅ | ✅ | Redacted or hashed only | Never |
Labeling
Data is classified by where it lives, not by field-level tagging:
- `users/*` + subcollections → Confidential
- `linkedinCookies/*` (encrypted field), `accounts/*` (OAuth tokens), `sessions/*` → Restricted
- Stripe customer/subscription IDs → Confidential (identifiers, not card data)
- Firestore backups → inherit classification of source data
- Environment variables containing keys/secrets → Restricted
- Sentry error payloads → Confidential (PII scrubbed via `@sentry/nextjs` `beforeSend` in production)
- Audit log (`auditLog/*`) → Confidential
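The handling matrix allows Confidential data into Sentry only redacted or hashed, and the labeling list relies on a `@sentry/nextjs` `beforeSend` hook to enforce that. The block below is an added example, not HiringCoachAI's own scrubber: it assumes Sentry's documented event shape (`message`, `breadcrumbs`, `request`, `user`, `extra`), and the sensitive-key list, the phone pattern and the sample event are constructed assumptions to adapt to the real schema.

```javascript
// Added example, not HiringCoachAI's own code. A Sentry beforeSend hook that
// applies the "redacted or hashed only" rule: Confidential PII is masked in
// strings, Restricted values (tokens, cookies, keys) are dropped wholesale, and
// request bodies (which can carry resumes and cover letters) never leave the app.
// Event field names follow Sentry's event shape; DROP_KEYS and PHONE_RE are
// assumptions to adapt to the real schema.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// US-style numbers with optional country code, e.g. (555) 123-4567 (assumption).
const PHONE_RE = /(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/g;

// Keys whose values are Restricted, or are whole Confidential documents: the
// value is replaced entirely, since masking part of a secret is not enough.
const DROP_KEYS = new Set([
  'authorization', 'cookie', 'set-cookie', 'x-api-key', 'password',
  'token', 'access_token', 'refresh_token', 'resume', 'coverletter',
]);

// Mask emails and phone numbers inside free text (messages, breadcrumbs, exception values).
function redactString(s) {
  return s.replace(EMAIL_RE, '[email]').replace(PHONE_RE, '[phone]');
}

// Recursively copy a JSON-like value, dropping sensitive keys and masking PII
// in every string. Returns a new value; the input event is not mutated.
function scrubValue(value, depth = 0) {
  if (depth > 32) return '[truncated]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = DROP_KEYS.has(key.toLowerCase()) ? '[redacted]' : scrubValue(inner, depth + 1);
    }
    return out;
  }
  return value;
}

// beforeSend(event, hint): return the event to send it, or null to drop it.
function scrubEvent(event) {
  const e = scrubValue(event);
  if (e.request) {
    delete e.request.data;     // bodies may contain uploaded resumes (Confidential)
    delete e.request.cookies;  // NextAuth session cookies are Restricted
  }
  if (e.user) {
    // keep an opaque id for correlation; drop email, username, IP
    e.user = e.user.id !== undefined ? { id: e.user.id } : undefined;
  }
  return e;
}

// Constructed sample event (not real user data) exercising every path the hook handles.
const SAMPLE_EVENT = {
  message: 'Upload failed for jane.doe@example.com, call (555) 123-4567',
  user: { id: 'u_12345', email: 'jane.doe@example.com', ip_address: '203.0.113.9' },
  request: {
    url: 'https://app.example.com/api/resume',
    headers: { Authorization: 'Bearer placeholder-token', 'User-Agent': 'Mozilla/5.0' },
    cookies: { 'next-auth.session-token': 'placeholder' },
    data: { resume: 'Jane Doe, jane.doe@example.com, (555) 123-4567' },
  },
  breadcrumbs: [{ category: 'fetch', message: 'POST /api/resume as jane.doe@example.com' }],
  extra: { refresh_token: 'placeholder-refresh-token', attempt: 2 },
};

// In sentry.client.config.js / sentry.server.config.js:
//   Sentry.init({ dsn: process.env.SENTRY_DSN, beforeSend: scrubEvent });
console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT), null, 2));
```

The hook walks the whole event rather than a fixed list of fields, so PII that lands in an unexpected place (a breadcrumb, an `extra` value, an exception message) is still masked; the wholesale removal of `request.data` and `request.cookies` is deliberate, because the policy never permits resume contents or session tokens in Sentry, even redacted.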
Responsibilities
- Engineering ensures new collections/fields are classified on introduction; the SDLC checklist requires this.
- Security Officer reviews classifications quarterly in the internal audit.
- All personnel handle data according to its tier.
Examples of misuse
- Pasting a customer resume into a public issue tracker → violation (Confidential → Public).
- Emailing a service-account JSON to a vendor → violation (Restricted).
- Adding a field to the user document without classifying it → violation of SDLC.
Related
- data map: per-field inventory with classification
- access control policy: who accesses what
- data retention policy: retention schedule