In the event of any conflict between this Policy and Macro's SLA, MSA, or other Signed Agreement with Your organization, the terms of that Signed Agreement shall govern.
Macro employs an Information Classification Policy to organize, classify, and restrict organizational data according to the sensitivity and risk of the data collected about our employees and customers. All employees of the company, and third-party entities with authorized access for contracted work or partnership with Macro, adhere to this policy.
Scope
This policy applies to any form of collected data, whether physical or digital, taken from:
- Internal employees, contractors, and consultants
- Enterprise, corporate, and individual clients and customers
- Third parties providing services for Macro services or software
Roles and Responsibilities
Macro assigns authority for modification and analysis of collected data based on 3 defined roles within the company.
- Data Administrators are individuals responsible for the data and information being collected from relevant parties.
  - Categorization & Classification – organizes subject data and segments into distinct groups, later assigning each to an appropriate security label
  - Security – ensures each tier of security classification is stored under measures consistent with state/provincial, federal, and internal security guidelines
  - Authorization – develops and enforces authorization protocols for each security classification label, to regulate future access and destruction activities
- Data Custodians are individuals responsible for maintaining security systems, technical deployment of the designated controls outlined by Data Administrators, and backing up any databases, servers, or physical copies of assets containing organizational data.
  - Access – implements technical access controls for Macro information systems and maintains the systems to address potential updates, changes, or translation of data
  - Backups – periodically backs up relevant data that is saved or stored digitally and physically
  - Compliance – ensures data requirements per security classification labels follow Macro security policies and any related governing laws or regulations
  - Data Validation – regularly validates the integrity of data collected from relevant sources
- Data Users are individuals within Macro who access and utilize the data in a fashion consistent with the intended original purpose of collection, and must comply with both Macro's internal policies and those security policies employed by relevant enterprises, users, and relevant third parties.
Impact Level Determination
Class | Low | Medium | High |
---|---|---|---|
Confidentiality: Restrict access to and disclosure of data to authorized users. | Unauthorized disclosure of the data can have limited adverse effects on services and individuals. | Unauthorized disclosure of the data can have serious adverse effects on services and individuals. | Unauthorized disclosure of the data can have crippling or catastrophic adverse effects on services and individuals. |
Integrity: Guard against inappropriate changes or destruction to data. | Unauthorized changes or destruction to the data can have limited adverse effects on services and individuals. | Unauthorized changes or destruction to the data can have serious adverse effects on services and individuals. | Unauthorized changes or destruction to the data can have crippling or catastrophic adverse effects on services and individuals. |
Availability: Ensure reliable and efficient access to and use of data. | Lack of reliable access to or use of data can have limited adverse effects on services and individuals. | Lack of reliable access to or use of data can have serious adverse effects on services and individuals. | Lack of reliable access to or use of data can have crippling or catastrophic adverse effects on services and individuals. |
From the above table, each classification label is given the following restrictions:
- High – Restricted
- Medium – Confidential
- Low – Public
Macro access controls for these restriction tiers are private information, not to be disclosed to anyone other than company employees.
Incident Response
Access to the Macro app and its services is never affected by any processes, physical or digital, that occur within the company.
Our internal protections for information ensure none of your data is ever leaked to malicious parties. Should any potential threat arise, Macro employs a 5-step process for safeguarding important information:
- Identify
- Contain
- Eradicate
- Recovery
- Solidify
Should concerns arise about our internal security controls that are critical for your business or usage of the app, please reach out to support@macro.com.
Appendix
The following table gives examples of information that, upon collection, is immediately classified as Restricted.
Authentication | Payment | Identification |
---|---|---|
Information related to Macro user accounts: | Information of compensation for Macro services: | Personal information that can identify users or clients: |