Data Handling Policy

Lifetime Oy - Data Classification and Storage Guidelines

Version: 1.1
Date: December 2025
Owner: Risto Anton Päärni, CEO
Compliance: GDPR, EU Data Act, NIS2, EU AI Act

1. Data Classification

🔴 CONFIDENTIAL (Highest security)

Definition: Business secrets, financial projections, partnership terms, personal data of partners/customers, unreleased product plans.

Examples:

• Partnership proposals (Lifetime Certified Partners Consortium - Gold, Silver, Bronze tiers)
• Financial models (revenue projections, pricing)
• Customer contracts (NDAs, MSAs)
• Personal data (contact details, phone numbers)
• Technical architecture (security designs)
• Deal data (partnership deals, customer deals)

Storage requirements:

• ✅ ALLOWED: Encrypted local database (Admin/Data/confidential.db - SQLite + SQLCipher)
• ✅ ALLOWED: Proton Drive (zero-knowledge encryption, Switzerland, local sync)
• ✅ ALLOWED: Offline encrypted USB (AES-256)
• ✅ ALLOWED: Google Docs with EU data residency (europe-north1) - for document management only
• ❌ FORBIDDEN: Cloud AI tools (Claude Code, GitHub Copilot, Gemini) - NEVER process CONFIDENTIAL data
• ❌ FORBIDDEN: Public/private GitHub repositories
• ❌ FORBIDDEN: Google Docs (standard plan, non-EU region)
• ❌ FORBIDDEN: Microsoft 365 (without E3 + EU Data Boundary)
• ❌ FORBIDDEN: Plain text .md files (even in Admin/ folder)

🟡 INTERNAL (Medium security)

Definition: Non-sensitive business data, internal processes, non-confidential technical documentation.

Examples:

• Meeting notes (no sensitive details)
• General project plans
• Public API documentation
• Development logs (sanitized)

Storage requirements:

• ✅ ALLOWED: Microsoft 365 E3+ (with EU Data Boundary enabled)
• ✅ ALLOWED: Google Workspace Enterprise (with EU data residency addon, europe-north1)
• ✅ ALLOWED: Proton Drive
• ⚠️ CAUTION: Private GitHub repos (if no CONFIDENTIAL data)
• ❌ FORBIDDEN: Public GitHub repos

🟢 PUBLIC (No restrictions)

Definition: Marketing materials, open source code, public announcements.

Examples:

• README.md (sanitized)
• Public blog posts
• Open source contributions
• Marketing website content

Storage requirements:

• ✅ ALLOWED: Public GitHub repos
• ✅ ALLOWED: Company website
• ✅ ALLOWED: Social media
• ✅ ALLOWED: Any cloud service

2. AI Tools Usage Policy

Cloud AI Tools (Claude Code, GitHub Copilot, Gemini)

🔴 CONFIDENTIAL data:

• ❌ NEVER process CONFIDENTIAL data with cloud AI
• ❌ NEVER paste financial numbers, partner names, or personal data
• ❌ NEVER upload CONFIDENTIAL documents to Claude/ChatGPT
• ❌ NEVER create .md files with real confidential data
• ✅ MUST use encrypted local database (Admin/Data/confidential.db)
• ✅ MUST use local Ollama (Mistral Nemo) for processing

🟡 INTERNAL data:

• ⚠️ Use with caution - sanitize sensitive details first
• ✅ OK for: General code structure, architecture questions
• ❌ NOT OK for: Proprietary algorithms, customer data

🟢 PUBLIC data:

• ✅ Freely use cloud AI for public documentation, blog posts, marketing

Approved AI Tools by Classification

AI Tool	CONFIDENTIAL	INTERNAL	PUBLIC
Claude Code (Anthropic)	❌ Never	⚠️ Sanitized only	✅ Yes
GitHub Copilot (Microsoft/OpenAI)	❌ Never	⚠️ Sanitized only	✅ Yes
Google Gemini (Google)	❌ Never	⚠️ Sanitized only	✅ Yes
Ollama + Mistral Nemo (local)	✅ Yes (offline, GDPR compliant)	✅ Yes	✅ Yes
Ollama + Gemma 3 (local)	⚠️ Fast processing only	✅ Yes	✅ Yes
Groq Llama 3.1 70B (production)	⚠️ EU data residency (europe-north1)	✅ Yes	✅ Yes

3. Storage Locations by Classification

Primary Storage (Active work)

Classification	Primary Storage	Backup	Sharing
CONFIDENTIAL	Encrypted local database (Admin/Data/confidential.db)	Proton Drive (E2EE) + Offline USB (AES-256)	Password-protected Proton links
INTERNAL	M365 SharePoint (E3+) or Google Docs (EU region)	Proton Drive	SharePoint permissions
PUBLIC	GitHub public repos	N/A	Public URLs

Long-term Archival

Classification	Archive Location	Retention Period	Encryption
CONFIDENTIAL	Proton Drive + Encrypted local database	7 years (GDPR)	Zero-knowledge E2EE + SQLCipher
INTERNAL	M365 Archive	3 years	Microsoft-managed
PUBLIC	GitHub	Indefinite	None required

4. Data Sharing Guidelines

Sharing CONFIDENTIAL Data with Partners

✅ APPROVED methods:

1. Proton Drive password-protected link:
   • Create link in Proton Drive
   • Enable password protection
   • Send link via email, password via SMS
2. Microsoft 365 E3+ (with EU Data Boundary):
   • Upload to SharePoint
   • Share with specific email addresses only
   • Set expiration date (30 days)
3. Encrypted email (Proton Mail):
   • Use Proton Mail E2EE
   • Recipient must have Proton account OR use password-protected email
4. Google Docs (EU data residency - europe-north1):
   • Only for document management
   • Ensure EU data residency enabled
   • Share with specific email addresses only

❌ FORBIDDEN methods:

• Google Docs (standard plan, non-EU region)
• Slack/Teams file uploads (without E2EE)
• Personal email (Gmail, Outlook.com)
• Cloud AI chat interfaces (Claude.ai, ChatGPT)
• GitHub repositories (public or private)

5. EU Compliance Requirements

GDPR (General Data Protection Regulation)

Personal data in CONFIDENTIAL documents:

• Partner contact details (name, phone, email, address)
• Customer information
• Employee data

Requirements:

• ✅ Consent: Obtain explicit consent before processing with cloud tools
• ✅ Data minimization: Only store necessary personal data
• ✅ Right to erasure: Delete personal data on request (Article 17)
• ✅ Data transfers: Only to countries with adequacy decision (Switzerland ✅, USA ❌)
• ✅ Storage: Encrypted local database + Proton Drive (EU-compliant)

EU AI Act (Regulation 2024/1689)

DWS IQ 6 = Limited Risk AI system (Annex III: construction safety)

Requirements:

• ✅ Article 10: Document all AI tools used (Claude, Copilot, Groq, Ollama)
• ✅ Article 52: Transparency - inform users about AI usage
• ✅ Article 11: Technical documentation (AI systems inventory)

NIS2 Directive (EU 2022/2555)

Lifetime Oy = Essential entity (construction sector)

Requirements:

• ✅ Article 21: Cybersecurity risk management
• ✅ Encryption: E2EE for CONFIDENTIAL data (Proton Drive + SQLCipher)
• ✅ Access control: Multi-factor authentication (MFA)
• ✅ Incident reporting: Data breaches reported within 24h

6. Incident Response

If CONFIDENTIAL Data Leaked to Cloud AI

Immediate actions (within 1 hour):

1. Stop further exposure:
   • Do not continue session with AI tool
   • Close browser/application
2. Request data deletion:
   • Anthropic (Claude): privacy@anthropic.com (GDPR Art. 17)
   • OpenAI (ChatGPT/Copilot): dsar@openai.com
   • Google (Gemini): https://support.google.com/policies/troubleshooter/9009584
3. Notify affected parties:
   • Partners (if their data was exposed)
   • Customers (if GDPR personal data breach)
   • Finnish Data Protection Authority (if required by GDPR Art. 33)

Reporting timeline (GDPR):

• 72 hours: Report to supervisory authority (if high risk)
• Immediately: Notify data subjects (if high risk to rights/freedoms)

7. Quick Reference

CONFIDENTIAL Data Workflow

1. Store data:

   # Add to encrypted database
   .\Admin\scripts\add-partner-to-database.ps1 -Tier "Gold" -Company "Company Name"

2. Backup to Proton Drive:

   .\Admin\scripts\sync-proton-drive.ps1

3. Process with local AI:

   # Use Mistral Nemo for confidential data
   ollama run mistral-nemo -f Admin/Documents/Proposal.md

4. NEVER:
   • ❌ Use cloud AI (Claude Code, Copilot, Gemini)
   • ❌ Create .md files with real data
   • ❌ Commit to git

Technology Partners (Public Information)

Allowed to mention (with logos):

• NVIDIA (NVIDIA Jetson technology)
• Google Cloud (Google Cloud Run, Vertex AI)
• Groq (Groq LPU)
• AWS (AWS IoT, EC2, S3)
• Microsoft (Microsoft Agent Framework)
• OpenAI (GPT-4)
• Anthropic (Claude Sonnet 4.5)
• Supabase (Supabase database)

Text to use:
"DWS IQ partners with the leading brands in the AI and Cloud Services. Upon request we can provide information about our partner deals and their current statuses."

8. Contact and Questions

Policy owner:

• Risto Anton Päärni, CEO
• Email: risto@lifetime.fi

Report security incident:

• Urgent: CEO directly (risto@lifetime.fi)

---

Document history:
2025-12-13: v1.0 - Initial policy created
2025-12-XX: v1.1 - Updated with encrypted database requirements, Proton Drive, Google Docs EU, removed partner names
Next review: 2026-03-13 (quarterly)