Clicki Referrals Trust Center

Clicki Data Handling and Classification Policy

Purpose

This Data Handling and Classification Policy defines how Clicki Referrals identifies, classifies, stores, processes, transmits, and retains data, including personal and customer data. The goal is to reduce risk, prevent unauthorized disclosure, and ensure consistent handling of sensitive information across all systems and workflows.

Scope

This policy applies to all Clicki personnel, systems, applications, infrastructure, logs, integrations, and third-party services that store, process, or transmit data on behalf of Clicki or its customers.

Policy Statement

All data handled by Clicki must be classified, protected according to its sensitivity, and managed throughout its lifecycle. Sensitive data, including personal data and referral-related data, must be handled with heightened controls to prevent unauthorized access, exposure, or misuse.

Data Classification Levels

Clicki defines the following classification levels:

Public

Information that is approved for public disclosure and does not pose risk if exposed.

Examples:

  • Marketing content

  • Public website information

  • Published documentation

Internal

Information intended for internal use that would not cause significant harm if disclosed but should not be publicly available.

Examples:

  • Internal documentation

  • Non-sensitive operational data

Confidential

Sensitive business or customer data that could cause harm if exposed.

Examples:

  • Customer account data

  • Referral program data

  • Business metrics and reports

  • Internal system configurations

Restricted (Highly Sensitive)

Data that requires the highest level of protection due to regulatory, financial, or privacy impact.

Examples:

  • Personally identifiable information (PII) such as names, emails, phone numbers

  • Payment-related data and payout details

  • Authentication credentials, API keys, tokens, and secrets

  • Security logs and incident data

Data Handling Requirements

General Requirements

  • Data must be handled in accordance with its classification level

  • Access to data must follow least privilege and need-to-know principles

  • Data must not be copied, exported, or shared outside approved systems without authorization

  • Sensitive data must not be stored in unsecured or unauthorized locations

Storage

  • Data must be stored in approved systems (e.g., AWS-managed services such as DynamoDB, S3, RDS)

  • Encryption at rest must be enabled where supported

  • Secrets must be stored in approved secret management systems and not in source code or plaintext

  • Backups must follow the same classification protections as primary data

Transmission

  • Data must be transmitted over encrypted channels (e.g., HTTPS/TLS)

  • Sensitive data must not be transmitted over insecure or unapproved channels

  • Integrations with third-party systems must use secure authentication methods and approved endpoints

Processing

  • Systems must limit exposure of sensitive data during processing

  • Applications should use masking, tokenization, or partial display where full data is not required

  • Batch jobs, workflows, and automation systems must follow the same handling standards as interactive systems

Logging (Critical Control Area)

  • Sensitive data must not be logged in plaintext where avoidable

  • Logs should exclude or redact PII, credentials, tokens, and financial data

  • Debug logging must be restricted in production environments

  • Logging configurations should be reviewed to prevent accidental data exposure

Examples:

  • ❌ Logging full request/response bodies containing user data

  • ✅ Logging request IDs, event types, and masked identifiers

Data Minimization

  • Only the minimum necessary data should be collected and stored

  • Systems should avoid duplicating sensitive data across multiple locations

  • Retention of unused or unnecessary data should be avoided

Data Retention and Deletion

Clicki defines retention periods based on business and operational needs.

  • Logs should be retained for a limited period (e.g., 7–30 days unless otherwise required)

  • Customer and referral data should be retained only as long as necessary to provide services and meet contractual obligations

  • Data should be deleted or anonymized when no longer required

  • Automated lifecycle policies should be used where possible (e.g., S3 lifecycle rules, TTL)

Customer Data and PII

  • Access to customer data and PII must be restricted to authorized personnel

  • PII must be masked or partially displayed where full visibility is not required

  • PII must not be exported, downloaded, or shared outside approved systems without authorization

  • Customer data must not be used for purposes outside of providing the service unless explicitly authorized

Third-Party and Subprocessor Handling

Clicki uses third-party providers to deliver services. These may include cloud providers, messaging platforms, and payout systems.

  • Third parties must be reviewed and approved before handling sensitive data

  • Data shared with third parties must be limited to what is necessary

  • Contracts or agreements should include appropriate data protection expectations

  • Known subprocessors should be documented and disclosed where required

Incident Handling and Data Exposure

Any suspected or confirmed data exposure must be handled according to Clicki’s incident response procedures.

  • Incidents must be reported promptly

  • Access should be restricted or revoked as needed

  • Logs and audit trails should be preserved for investigation

  • Impacted data and systems should be assessed and remediated

Prohibited Activities

The following activities are prohibited unless explicitly authorized:

  • Storing sensitive data in plaintext in source code, tickets, chat tools, or documentation

  • Logging full PII payloads or credentials

  • Using production data in non-production environments without proper controls

  • Downloading or exporting customer data without a valid business purpose

  • Sharing sensitive data via personal email or unapproved tools

Enforcement

Violations of this policy may result in access removal, disciplinary action, termination of engagement, or other appropriate actions.

Exceptions

Exceptions must be documented, justified, approved by authorized personnel, and reviewed periodically.

Ownership and Review

This policy is owned by Clicki management and/or the designated security owner. It must be reviewed at least annually or upon significant system or regulatory changes.