Varigence Data Classification Policy

1. Purpose

This policy defines how Varigence Inc. (“Varigence”) classifies, processes, and safeguards data within its BimlFlex product and associated services. The intent is to provide clear guidelines for employees, contractors, partners, and customers regarding acceptable data types and the level of protection each data type requires.

2. Scope

This policy applies to all information, data, and metadata received, processed, stored, or transmitted by Varigence. It covers:

  • BimlFlex product deployments
  • Support and consulting engagements
  • Any other service provided by Varigence that involves data handling

3. Data Categories

Varigence recognizes the following high-level data categories for classification and handling purposes:

  1. Customer Metadata (Accepted Data)
  • Definition: Database schema information, file schemas, structure of ETL processes, business logic, transformation logic, and other descriptive information required to create or update data integration or data analytics systems.
  • Examples: Table names, column names, data types, indexes, constraints, procedural logic, workflows, high-level transformation rules.
  • Policy:
    • Varigence will accept and process only Customer Metadata by default.
    • This data is critical for configuring and using BimlFlex, but does not include any actual customer records (e.g., personal information, financial data, etc.).
    • Customer Metadata is classified as “Confidential” and must be protected accordingly.

  2. Customer Production Data (Restricted Data)
  • Definition: Actual, non-sensitive production data stored within a customer’s systems (e.g., non-personal transactional data, system logs, or other business data that does not contain PII, PHI, or other sensitive information).
  • Policy:
    • Varigence does not typically collect or require access to any actual production data.
    • Accepting actual production data is prohibited except under the most extreme circumstances requiring a separate, formal, written agreement with the customer.
    • If shared under special circumstances (e.g., troubleshooting or specialized consulting), it must be handled under strict Non-Disclosure Agreements (NDAs) and with explicit, limited-scope data-sharing arrangements.

  3. Sensitive Personal / Health Information (SPI/PHI)
  • Definition: Any data that directly or indirectly identifies an individual, or that relates to an individual’s health or medical records. This includes, but is not limited to, Personally Identifiable Information (PII) such as names, Social Security numbers, email addresses, financial account details, and Protected Health Information (PHI) governed by laws such as HIPAA (in the United States) or GDPR (in the EU).
  • Policy:
    • Varigence does not accept or process PII, PHI, or any other regulated or highly sensitive personal data in the normal course of business.
    • If, under extraordinary and necessary circumstances, such data transfer is required, it must be governed by the highest level of written agreements (e.g., Business Associate Agreements under HIPAA, Data Processing Agreements under GDPR) with explicit controls, time-bound use, and secure destruction of data after completion of the contracted purpose.
    • Additional industry-standard safeguards (e.g., encryption at rest and in transit, strict access control, continuous monitoring, etc.) must be implemented for any accepted SPI/PHI.

  4. Internal Varigence Data
  • Definition: Internal data generated or owned by Varigence for its own operational use, including corporate financials, product roadmaps, employee records, and marketing strategies.
  • Policy:
    • Governed by Varigence’s internal policies and procedures.
    • Classified at least as “Confidential” or “Restricted”, depending on sensitivity.
    • Not accessible to customers or external parties except on a strict “need to know” basis.

  5. Public Data
  • Definition: Data or information readily available to the public or intended for public release (e.g., marketing brochures, product documentation, white papers, website content, etc.).
  • Policy:
    • While minimal protection is required, the data must be reviewed prior to public release to ensure it contains no confidential or restricted information.

4. Data Classification Levels

To align with industry standards and our internal policies, Varigence employs the following classification levels:

  • Public: Information freely available or intended for public dissemination.
  • Internal Use: Information not intended for public release; may be shared internally without undue risk.
  • Confidential: Sensitive information requiring restricted access; includes Customer Metadata and most Varigence internal data.
  • Restricted: Highly sensitive information requiring the strictest security controls; includes Customer Production Data (when exceptionally shared under special agreement) and any shared SPI/PHI.

5. Acceptance and Handling Guidelines

  1. Default Acceptable Data
  • Varigence and BimlFlex will, by default, only accept Customer Metadata that describes database objects, schemas, transformations, or business logic (but not the actual data or records stored in these databases).

  2. Prohibition on Actual Customer Data (Production or SPI/PHI)
  • Actual customer data of any type (e.g., transactional data, PII, PHI) must never be transferred to or shared with Varigence, except under a separate, formal, written agreement that specifically addresses the handling, security, and destruction of such data.

  3. Access Control Measures
  • Access to data is granted strictly on a “least privilege” and “need to know” basis.
  • Employees, contractors, and partners must be trained to recognize sensitive or prohibited data and to escalate any requests involving actual customer data that deviate from standard policy.

  4. Data Storage and Retention
  • BimlFlex-specific metadata will be stored in secure repositories adhering to industry standards (e.g., encryption at rest, role-based access controls).
  • If actual production data or SPI/PHI is exceptionally accepted under a special agreement, it must be:
    • Segregated into isolated, encrypted environments.
    • Monitored with strict logging and audit trails.
    • Retained only for the duration of the project or legal requirement, then securely destroyed.

  5. Data Transmission
  • All metadata transmissions to or from Varigence must use secure communication channels (e.g., TLS-encrypted channels, SFTP).
  • If, under a special agreement, any production data or SPI/PHI is transmitted, it must be encrypted end-to-end and shared only via approved channels with explicit authorization.

6. Training and Awareness

  • All Varigence personnel and relevant contractors must receive data handling and classification training, including specific instructions on prohibitions relating to SPI/PHI.
  • New hires must be trained on this policy as part of their onboarding.
  • Ongoing refresher training will be provided to ensure consistent understanding of these requirements.

7. Incident Response and Escalation

  • Any suspected or actual breach of this policy must be immediately reported to Varigence’s Security or Compliance team.
  • Varigence will promptly investigate all incidents, mitigate risks, and notify affected parties as required by law and contractual obligations.

8. Compliance and Enforcement

  • Non-compliance with this policy can result in disciplinary actions, up to and including termination of employment or contracts.
  • Regular audits and reviews will be conducted to ensure that data classification practices are properly followed.

9. Policy Review

  • This policy is subject to periodic review (at least annually) to ensure alignment with evolving business practices, legal requirements, and industry standards.
  • Updates or amendments to this policy must be approved by Varigence management and communicated to all relevant stakeholders.