Sensitive Data Handling Policy

This policy establishes requirements for handling sensitive data, including a prohibition on handling payment card information and controls for managing personally identifiable information in project contexts.

Purpose

The purpose of this policy is to:

  • Establish clear requirements for handling sensitive data types
  • Prohibit Vaxa from collecting, processing, storing, or transmitting Payment Card Information (PCI)
  • Define appropriate controls for handling Personally Identifiable Information (PII) in limited project contexts
  • Ensure compliance with risk management and insurance requirements
  • Protect Vaxa from the compliance burden and security risks associated with sensitive data

Scope

This policy applies to:

  • All Vaxa employees, contractors, consultants, and third parties
  • All systems, applications, and services operated by or on behalf of Vaxa
  • All client projects, engagements, and business relationships
  • All data handling activities, regardless of format or medium

This policy does not apply to employee personal information handled for employment purposes, which is governed by the Privacy Policy.

Roles & Responsibilities

Role | Responsibility
Managing Director | Approve any exceptions to this policy and ensure organizational compliance.
CTO/Security Officer | Enforce this policy, provide guidance on data handling, and monitor compliance.
Project Managers | Ensure projects comply with PCI prohibition and PII handling requirements. Assess data handling needs during project scoping.
All Employees and Contractors | Comply with this policy and report any violations or situations where payment card data may be encountered.
Sales and Business Development | Ensure this policy is communicated during client engagement discussions and contract negotiations.

Policy Statements, Standard, or Procedure

Payment Card Information (PCI) Prohibition

Vaxa strictly prohibits the collection, processing, storage, or transmission of, and any access to, Payment Card Information in any form. This prohibition includes, but is not limited to:

  • Credit card numbers (full or partial)
  • Debit card numbers
  • Card Verification Values (CVV/CVV2/CVC)
  • Personal Identification Numbers (PINs)
  • Cardholder names in conjunction with card data
  • Magnetic stripe data
  • Chip data or equivalent
  • Any other data elements covered by the Payment Card Industry Data Security Standard (PCI-DSS)

Prohibited Activities

The following activities are explicitly prohibited:

  • Developing or operating payment processing systems or applications
  • Storing payment card data on any Vaxa systems or devices
  • Accepting payment card data from clients, partners, or third parties
  • Providing consulting or advisory services that require access to payment card data
  • Processing payments directly via credit or debit cards (all payments must be via bank transfer or approved third-party payment gateways)

Payment Processing Methods

All payment transactions involving Vaxa must use one of the following approved methods:

  • Bank transfers (Electronic Funds Transfer, wire transfer, etc.)
  • Third-party payment gateways (e.g., Stripe, PayPal, Square) where Vaxa does not receive, transmit, or store any payment card data
  • Invoicing through accounting systems that do not capture payment card details

Under no circumstances should Vaxa employees request, accept, or store payment card information directly.

Personally Identifiable Information (PII) Handling

While Vaxa does not handle large-scale consumer PII databases or operate as a data processor for PII, we recognize that certain projects may require temporary access to PII for specific purposes.

Permitted PII Handling

Vaxa may collect, process, or store PII in the following limited contexts:

  1. Employee and Contractor Information: Personal information about Vaxa employees and contractors for employment, payroll, and HR purposes (governed by the Privacy Policy)

  2. Business Contact Information: Names, job titles, business email addresses, and phone numbers of client contacts, partners, and vendors for legitimate business relationship purposes

  3. Project-Specific Data Processing: Temporary access to client PII for specific project deliverables such as:

    • Data analysis and reporting
    • System migration services
    • Software development and testing
    • Business intelligence and analytics

PII Handling Requirements for Projects

When projects require access to PII, the following controls must be implemented:

  1. Data Minimization:

    • Collect and process only the minimum PII necessary to achieve the project objectives
    • Use anonymized or pseudonymized data wherever possible
    • Request that clients provide de-identified data sets when feasible
  2. Temporary Storage:

    • PII must be stored only for the duration necessary to complete the project deliverables
    • All PII must be securely deleted upon project completion or as agreed with the client
    • Maximum retention period must not exceed 90 days after project completion unless explicitly agreed otherwise in writing
  3. Security Controls:

    • Apply appropriate security controls based on the Data Classification Policy
    • Use encryption for data at rest and in transit
    • Implement access controls to limit PII access to authorized personnel only
    • Maintain audit logs of PII access and processing activities
  4. Contractual Protections:

    • Ensure appropriate data handling clauses are included in client contracts
    • Obtain written authorization before processing client PII
    • Document the scope, purpose, and duration of PII processing
    • Establish clear data deletion timelines
  5. Client Notification:

    • Inform clients of Vaxa’s data handling practices
    • Provide transparency about how PII will be processed, stored, and deleted
    • Respect client data residency and sovereignty requirements

Project Risk Assessment

Before commencing any project that may involve PII handling:

  1. Project managers must assess whether PII will be involved
  2. If PII is required, document:
    • Type and volume of PII
    • Purpose and legal basis for processing
    • Security controls to be applied
    • Data retention and deletion schedule
  3. Obtain approval from the CTO/Security Officer for projects involving sensitive PII or large volumes of PII
  4. Ensure compliance with client requirements and relevant privacy legislation

Scope Restrictions

Vaxa will not:

  • Operate as a payment service provider (PSP) or payment gateway
  • Provide services that require PCI-DSS compliance
  • Store or maintain databases of consumer PII on behalf of clients (beyond temporary project-specific needs)
  • Process payment card transactions on behalf of third parties
  • Engage in activities that would classify Vaxa as a “merchant” or “service provider” under PCI-DSS

Detection and Response

If any employee or contractor encounters payment card data or identifies a situation where Vaxa may inadvertently be exposed to PCI data:

  1. Immediate Actions:

    • Do not collect, process, or store the data
    • Notify the CTO/Security Officer immediately
    • Document the incident
    • Cease any activities that may lead to PCI data exposure
  2. Investigation:

    • Assess the source and scope of the exposure
    • Determine if any payment card data was stored or transmitted
    • Review project scoping and client communications
  3. Remediation:

    • Implement measures to prevent recurrence
    • Securely delete any inadvertently collected payment card data
    • Update client contracts or project scope as necessary
    • Consider whether the business relationship should continue

Exceptions

Exceptions to this policy are strongly discouraged and will only be granted in extraordinary circumstances.

Any request for an exception must:

  • Be submitted in writing to the Managing Director and CTO/Security Officer
  • Include detailed justification and business case
  • Specify proposed compensating controls and security measures
  • Demonstrate compliance with PCI-DSS if payment card data handling is required
  • Undergo a comprehensive risk assessment

Even with approval, no exception will be granted that would:

  • Expose Vaxa to unreasonable legal or security risks
  • Require PCI-DSS compliance without adequate resources and expertise
  • Compromise the integrity of Vaxa’s security posture

Compliance & Monitoring

Training and Awareness

  • All employees and contractors must be trained on this policy during onboarding
  • Annual refresher training will be provided
  • Project managers receive specialized training on assessing PII handling requirements

Monitoring

  • The CTO/Security Officer will review project scoping documents to ensure compliance
  • Regular audits of data handling practices will be conducted
  • PII retention and deletion schedules will be monitored
  • Any suspected violations will be investigated promptly

Enforcement

Non-compliance with this policy may result in:

  • Immediate project suspension
  • Disciplinary action up to and including termination of employment or contracts
  • Legal action if violations result in regulatory penalties or data breaches
  • Termination of client relationships if non-compliance originates from client requirements

Reporting

  • Annual compliance reporting to the Managing Director
  • Immediate notification of any policy violations or near-misses
  • Documentation of all PII handling activities in project records

References