Data Governance Policy: Our Commitment to Data Integrity and Privacy

1. Introduction: Data as a Strategic Asset

In the XOPS platform, data is not just a byproduct of our operations; it is a strategic asset. Our Knowledge Graph is central to our AI capabilities, powering Cerebro and Sparky. As such, managing this data responsibly, securely, and ethically is paramount. This Data Governance Policy outlines our commitment to data integrity, privacy, security, and compliance.

This policy applies to all data handled by the XOPS platform, including telemetry, user data, operational logs, and AI training datasets. Adherence to these principles is mandatory for all engineers and teams.

Core Mission: To ensure that all data within the XOPS platform is managed with the highest standards of accuracy, security, privacy, and compliance, enabling trust and maximizing data value.


2. Data Classification Policy

We classify data into categories to ensure appropriate handling and security measures are applied.

| Classification | Description | Handling Requirements | Example |
|---|---|---|---|
| Public | Data intended for public consumption, with no sensitive information. | Minimal restrictions. | Marketing website content, public API documentation. |
| Internal | Data intended for XOPS employees only. May contain non-sensitive business information. | Access restricted to XOPS employees. No external sharing. | Internal company memos, non-sensitive project plans. |
| Confidential | Sensitive business data, intellectual property, or data that could cause significant harm if disclosed. | Access restricted to authorized personnel based on role. Encryption at rest and in transit required. Audit logging mandatory. | Source code, internal financial data, proprietary algorithms. |
| Restricted (Sensitive Personal Data - SPD) | Personally Identifiable Information (PII) or other sensitive data that requires strict protection due to legal or regulatory requirements. | Access strictly limited on a need-to-know basis. Strong encryption, fine-grained access controls, regular audits. Must comply with all applicable privacy laws. | Customer PII (name, email, address), account details, sensitive customer content. |

3. Data Privacy: Respecting Our Users' Information

We are committed to protecting the privacy of our users' data. This means adhering to all applicable data privacy regulations, such as GDPR and CCPA.

  • Privacy by Design: Privacy considerations are integrated into the design and development of all new features and services.
  • Data Minimization: We only collect and retain data that is necessary for a specific, legitimate business purpose.
  • Purpose Limitation: Data collected for one purpose will not be used for another incompatible purpose without explicit consent.
  • User Rights: We have established processes to fulfill user requests related to their data, including:
    • Right to Access: Allowing users to see the data we hold about them.
    • Right to Rectification: Enabling users to correct inaccurate data.
    • Right to Erasure ("Right to be Forgotten"): Processes for securely and permanently deleting user data upon request, where legally permissible. This is a critical workflow managed by the Platform Operations team, often involving automated scripts and manual verification.
  • Consent Management: We obtain explicit consent before collecting or processing personal data where required by law.

4. Data Residency

Data residency refers to the geographical location where data is stored.

  • Default: Wherever possible, customer data is stored within AWS regions designated for the customer's primary operational region to minimize latency and comply with common regulations.
  • Customer Agreements: Specific data residency requirements from enterprise customer contracts are strictly adhered to, often requiring dedicated configurations or regional deployments.
  • Data Sovereignty: For highly sensitive or regulated data, we ensure data remains within specific national borders as required by law. This is managed through AWS region selection and our Platform Operations team.

5. Data Lifecycle Management

Data has a lifecycle, and we manage it from creation to deletion to ensure security, compliance, and cost-efficiency.

  • Data Creation: Data is generated by applications, services, and infrastructure. All data captured is logged and processed according to its classification.
  • Data Storage & Processing: Data is stored in appropriate systems (e.g., Knowledge Graph for structured data, S3 for raw logs, New Relic for metrics) based on its intended use and classification. Access is controlled via StrongDM and IAM policies.
  • Data Retention: Retention periods are defined based on data classification, legal requirements, and business needs.
    • Logs: Typically retained for 90 days for operational troubleshooting.
    • Metrics: Retained for 1 year in New Relic for trend analysis.
    • Knowledge Graph (Gold Layer): Retained indefinitely for AI model training, with PII anonymized or removed where applicable.
    • PII/Restricted Data: Retention is strictly limited to what is legally required or essential for ongoing service delivery, with automated deletion policies.
  • Data Archiving & Deletion:
    • Data older than its defined retention period is moved to lower-cost archival storage (e.g., S3 Glacier) or securely deleted.
    • Automated deletion processes are managed by the Platform Operations team.
    • All deletion processes are logged for auditability.

6. Ensuring Data Integrity and Quality

  • Schema Enforcement: For structured data in the Knowledge Graph, we enforce schemas to maintain consistency. Data quality checks are performed during ingestion and processing.
  • Customer Responsibility: While we ensure data structure and security, the accuracy and truthfulness of the data provided by the customer or their source systems are the customer's responsibility. See our Shared Responsibility Model.
  • Data Validation: All input data is validated against expected formats and constraints.
  • Auditing: Access to and modifications of sensitive data are logged and regularly audited.
  • Referencing Tools: This policy directly references and integrates with guides for StrongDM (access control), Platform Operations (data deletion, lifecycle), and FOSSA (open source compliance for data handling libraries).