
Data Classification Standard

K0nsult CNC — Data Handling, Storage, and Retention Framework

Version 1.0 | Effective: 2026-03-23 | Classification: Internal

1. Classification Overview

All data processed, stored, or transmitted within K0nsult CNC operations must be classified into one of seven categories. Classification determines handling requirements, access controls, storage jurisdiction, and retention periods.

Category | Examples | Handling | Storage | Retention
Public | Marketing materials, public documentation, blog posts | Standard | Any location | Indefinite
Internal | Agent configs, mission details, internal memos | Encrypted in transit | EU only | 24 months
Confidential | Client briefs, proposals, strategic plans | Encrypted at rest + in transit | EU only | Per contract
PII | Names, emails, PESEL, phone numbers | GDPR compliant, minimized | EU only | Per consent
Financial | Invoices, payments, pricing models | Encrypted, access-logged | EU only | 5 years
Regulated | Health data, legal records, banking data | Per applicable regulation | Client infrastructure | Per regulation
Training | Model inputs, feedback loops, evaluation data | Anonymized before use | EU only | 12 months

2. Detailed Category Specifications

Public
Access: All employees, agents, contractors, and the general public.
Logging: No mandatory logging. Optional analytics tracking permitted.
Deletion Procedure: Standard content removal. No special approval required.
Breach Protocol: Not applicable — data is public by definition. Monitor for unauthorized modification only.

Internal
Access: K0nsult team members, authorized agents, 0n40i4. No client access unless explicitly granted.
Logging: Access logged with timestamp and user identity. Logs retained 12 months.
Deletion Procedure: K02 approval required. Data wiped from all replicas within 30 days. Deletion certificate generated.
Breach Protocol: Internal incident review within 24 hours. No external notification unless data is reclassified upward.

Confidential
Access: Named individuals only. Access requires role justification and K02 approval. Time-limited access tokens.
Logging: Full audit trail: read, write, copy, export, delete. Logs immutable, retained for contract duration + 24 months.
Deletion Procedure: Dual approval (K02 + data owner). Cryptographic erasure. Third-party deletion confirmation for shared data.
Breach Protocol: Immediate containment. Client notified within 4 hours. 0n40i4 briefed within 1 hour. Forensic investigation initiated.

PII (Personally Identifiable Information)
Access: Strictly need-to-know. Data minimization enforced at collection. Pseudonymization where possible.
Logging: Every access event logged with purpose justification. Quarterly access review mandatory. Logs retained per GDPR (typically 36 months).
Deletion Procedure: Subject Access Request (SAR) honored within 30 days. Right to erasure enforced across all systems, backups, and third-party processors.
Breach Protocol: GDPR Art. 33 compliance: supervisory authority notified within 72 hours. Data subjects notified if high risk (Art. 34). Full incident report within 14 days.

Financial
Access: Finance team, FinRep, CNCFinCtrl, 0n40i4. Segregation of duties enforced (no single user can create + approve).
Logging: Tamper-proof audit log. Every transaction recorded with full lineage. Logs retained 7 years.
Deletion Procedure: Not permitted during statutory retention period (5 years). Post-retention: approved by 0n40i4 + legal counsel. Certified destruction.
Breach Protocol: Immediate freeze of affected accounts/records. Forensic audit within 48 hours. Regulatory notification per applicable financial regulation.

Regulated
Access: Per regulatory framework (HIPAA, PSD2, etc.). Access controls defined in client-specific DPA. K0nsult acts as processor only.
Logging: Per regulation. Minimum: full audit trail with non-repudiation. Client receives log access.
Deletion Procedure: Per regulatory retention schedule. Client controls deletion timeline. K0nsult confirms destruction within 30 days of instruction.
Breach Protocol: Per sector regulation (e.g., 24h for PSD2, 72h for GDPR). Client is primary notifier to regulator. K0nsult provides full support and forensic data.

Training
Access: ML engineering team, K02, authorized agents. No raw PII — all data anonymized before ingestion into training pipelines.
Logging: Dataset version control. Provenance tracking for all training inputs. Bias audit logs retained 24 months.
Deletion Procedure: Datasets purged after 12 months or upon client withdrawal of consent, whichever is earlier. Model retraining triggered if significant data is removed.
Breach Protocol: Assess whether anonymization was compromised. If re-identification is possible, escalate to PII breach protocol. Notify affected clients within 24 hours.
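Two of the controls above are mechanically checkable against an access log: the PII logging rule (every access event carries a purpose justification) and the Financial segregation-of-duties rule (no single user both creates and approves the same record). The following Python is an added example and not part of the K0nsult standard; it assumes a constructed JSON-lines log format with the fields shown, which this document does not define.

```python
import json
from collections import defaultdict

# Constructed sample audit-log lines (JSON lines). The field names are an
# assumption of this example, not a format defined by the standard.
SAMPLE_LOG = """\
{"ts":"2026-03-24T09:00:01Z","user":"alice","category":"PII","action":"read","record":"cust-17","purpose":"SAR-2026-044"}
{"ts":"2026-03-24T09:02:11Z","user":"bob","category":"PII","action":"export","record":"cust-17","purpose":""}
{"ts":"2026-03-24T10:15:00Z","user":"carol","category":"Financial","action":"create","record":"inv-9001"}
{"ts":"2026-03-24T10:16:30Z","user":"carol","category":"Financial","action":"approve","record":"inv-9001"}
{"ts":"2026-03-24T10:20:00Z","user":"dave","category":"Financial","action":"create","record":"inv-9002"}
{"ts":"2026-03-24T10:25:00Z","user":"erin","category":"Financial","action":"approve","record":"inv-9002"}
"""


def parse(text):
    """Parse JSON-lines audit log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_violations(events):
    """Return (rule, user, record) tuples for each policy violation found."""
    violations = []

    # Rule 1 (PII logging): every PII access event must carry a non-empty
    # purpose justification.
    for e in events:
        if e["category"] == "PII" and not e.get("purpose"):
            violations.append(("pii-no-purpose", e["user"], e["record"]))

    # Rule 2 (Financial SoD): collect, per record, which users performed
    # which action, then flag any user present in both create and approve.
    actors = defaultdict(lambda: defaultdict(set))  # record -> action -> {users}
    for e in events:
        if e["category"] == "Financial":
            actors[e["record"]][e["action"]].add(e["user"])
    for record, acts in actors.items():
        for user in sorted(acts.get("create", set()) & acts.get("approve", set())):
            violations.append(("financial-sod", user, record))

    return violations


if __name__ == "__main__":
    for rule, user, record in find_violations(parse(SAMPLE_LOG)):
        print(f"{rule}: user={user} record={record}")
```

On the constructed log this flags bob's PII export with an empty purpose and carol creating and approving inv-9001, while inv-9002 (created by dave, approved by erin) passes.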

3. Universal Breach Response Protocol

Regardless of data category, the following master protocol applies upon detection of any suspected or confirmed breach:

  1. Detect & Contain — Isolate affected systems. Preserve forensic evidence. Revoke compromised credentials immediately.
  2. Classify — Determine data categories involved, volume of records, and geographic scope.
  3. Escalate — Notify K02 (immediate), 0n40i4 (within 1 hour), legal counsel (within 2 hours).
  4. Notify — Supervisory authority within 72 hours (GDPR). Affected data subjects if high risk. Client within 4 hours.
  5. Investigate — Root cause analysis. Timeline reconstruction. Attack vector identification.
  6. Remediate — Patch vulnerability. Update access controls. Retrain staff if human error.
  7. Report — Full incident report within 14 days. Lessons learned distributed to all stakeholders.
  8. Review — Post-incident review at 30 and 90 days. Update Data Classification Standard if gaps identified.

4. Access Control Summary

Category | Authentication | Authorization | Encryption | Audit Frequency
Public | None required | Open | Optional (TLS recommended) | N/A
Internal | SSO + MFA | Role-based (RBAC) | TLS 1.3 in transit | Quarterly
Confidential | SSO + MFA + device trust | Named-user ACL | AES-256 at rest + TLS 1.3 | Monthly
PII | SSO + MFA + device trust | Named-user + purpose limitation | AES-256 at rest + TLS 1.3 | Monthly + quarterly SAR review
Financial | SSO + MFA + IP restriction | Segregated duties (SoD) | AES-256 + HSM key management | Monthly
Regulated | Per regulation | Per regulation + client DPA | Per regulation (minimum AES-256) | Per regulation
Training | SSO + MFA | ML team RBAC | AES-256 at rest + TLS 1.3 | Quarterly + bias audit

5. Governance & Review

Activity | Frequency | Owner
Data classification review | Semi-annually | K02 + DPO (Kai)
Access control audit | Quarterly | CNCAudit (Fatima)
Breach response drill | Annually | K02 + Watch (BCM)
Retention compliance check | Quarterly | CNCLegal (Rodrigo)
Training data anonymization audit | Semi-annually | CNCTech (Aiko)