| Document Number | POL-GL-COM-DATAC-V1.0 |
| Target audience | <<intended recipients>> |
| Effective Date | Twelve months |
Cover page layout
This policy establishes a standardised data classification framework for LEAP to ensure that information assets are consistently identified, labelled, protected, and handled according to their sensitivity and business value. It supports legal, regulatory, contractual, and audit obligations and enables risk-appropriate controls across people, process, and technology.
This policy applies to all LEAP entities, employees, contractors, vendors, and systems that store, process, transmit, or access LEAP information, including but not limited to:
All information assets must be assigned one of the following classifications.
| Classification | Description | Typical Examples |
|---|---|---|
| Sensitive | Data with the most limited access, requiring a high degree of confidentiality, integrity, and availability. Unauthorised disclosure or alteration could cause severe harm to LEAP or its clients. This includes customer data and Personally Identifiable Information (PII). | Client matter data, special/sensitive personal data, authentication secrets, production credentials, security keys, regulated financial records tied to clients. |
| Confidential | Internal data whose unauthorised disclosure could cause material harm to LEAP's operations, finances, legal standing, or reputation. | Internal financials, internal strategy documents, internal security procedures, incident response playbooks, vendor assessments. |
| Private | A department data not intended for broad internal distribution and protected for privacy, contractual, or P&C reasons. | HR records, performance reviews, compensation data, employee health or leave information (non-public). |
| Proprietary | Information disclosed outside LEAP on a limited basis or that could reduce competitive advantage if broadly disclosed. | Source code repositories, configuration files, technical specifications, non-public product roadmaps, Marketplace integration details. |
| Public | Data approved for public release. Unauthorised disclosure causes minimal or no harm. | Published marketing content, website materials, publicly released policies, job postings, product brochures. |
| Area | Sensitive | Confidential | Private | Proprietary | Public |
|---|---|---|---|---|---|
| Access Control | Strict least-privilege, role-based access, MFA, quarterly access reviews, break-glass approvals | Least-privilege, role-based, MFA, semi-annual access reviews | Need-to-know, role-based, MFA where feasible | Role-based, approval to external share | No restriction beyond authenticity of source |
| Encryption | Mandatory encryption in transit and at rest. | Encryption in transit and at rest | Encryption in transit, at rest strongly recommended | Encryption in transit, at rest recommended | Encryption in transit recommended |
| Storage/Location | Approved secure stores only, production segments, no non-prod without masking | Approved internal stores | Restricted HR/functional stores | Approved internal repos or controlled shares | Public repositories approved by Communications/Marketing |
| Data in Non-Prod | No raw production data, use synthetic/masked datasets | Mask where feasible, owner approval required | Mask where feasible | Owner approval | Not applicable |
| Sharing/Transfer | Approved channels only, vendor DPAs required | Approved channels, DLP where available | Approved HR/functional channels | Limited distribution, NDAs as required | Public channels as approved |
| Logging/Monitoring | Security logging with alerting and retention, anomaly detection | Security logging and periodic review | Logging per system standard | Logging per system standard | Minimal |
| Backup/Restore | Backups encrypted, tested restores, segregation from non-sensitive data | Encrypted backups, periodic restore tests | Backups per function, protect HR data | Backups per team standard | Optional per business need |
| Disposal | Cryptographic erasure or secure deletion, vendor attestation if external | Secure deletion method | Secure deletion method | Standard deletion | As needed |
All AWS resources that store or cache data must be tagged with Key: DataClassification and Value equal to one of: Sensitive, Confidential, Private, Proprietary, Public.
Use the prompts below and choose the highest risk answer encountered.
Exceptions in this policy will be risk-assessed by LEAP's Leadership Committee with valid business justification and Policy Owner's approval. Exceptions will be time bound.
Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to HR disciplinary action, up to and including termination of employment.
Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.
This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).
| Version Number | Date | Section Changes | Author | Approver |
|---|---|---|---|---|
| 1.0 | <<enter date>> | Initial Release | <<Title>> | <<Title>> |