How SketchDeck keeps your data safe and private.
To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.
All SketchDeck data, information and information systems.
SketchDeck classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
To help SketchDeck and its employees easily understand requirements associated with different kinds of information, the company has created three classes of data.
Highly sensitive data that requires the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner, or a company executive. Example include:
SketchDeck proprietary information requiring thorough protection; access is restricted to employees with a “need-to-know” based on business requirements. This data can only be distributed outside the company with approval. This is default for all company information unless stated otherwise. Examples include:
Documents intended for public consumption which can be freely distributed outside SketchDeck. Examples include:
Confidential data should be labeled “confidential” whenever paper copies are produced for distribution.
Our application only accesses Google user data that is directly provided to us, including the account name and email address. We may also access files that are explicitly shared with us by the user on a case-by-case basis. We do not collect, use, or store any other Google user data without the user’s direct consent. All data accessed from Google is handled in accordance with our existing privacy and security policies, ensuring protection and confidentiality.
We use the Google user data you provide, specifically your account name, email address, and any files you share with us, solely for the purpose of delivering the services you have hired us for. Your email address is used to communicate with you regarding project updates, deliverables, and other relevant information. Files you provide are used exclusively as inputs by our design teams to execute your project. We do not use your Google data for any other purposes beyond the scope of your project, and we ensure it is handled securely and in accordance with our data management and privacy policies.
We may share your Google user data, specifically your email address, with our third-party processors (as listed in our sub-processors resource) strictly for the purpose of facilitating the delivery of your design projects. These processors are contractually obligated to handle your data securely and only in accordance with our instructions. We do not transfer, sell, or disclose your Google user data to any other third parties without your explicit consent, except as required by law or to comply with legal obligations.
Confidential data is subject to the following protection and handling requirements:
Restricted data is subject to the following protection and handling requirements:
No special protection or handling controls are required for public data. Public data may be freely distributed.
Data received via the google drive API will not be used to develop, improve, or train generalized AI and/or ML models.
SketchDeck shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.
Data classified as restricted or confidential shall be securely deleted when no longer needed. SketchDeck shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet SketchDeck requirements for secure data disposal shall be used for storing and processing restricted or confidential data.
SketchDeck shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of disposal.
Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.
Under certain circumstances, SketchDeck may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by SketchDeck legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with SketchDeck’s legal counsel to evaluate continuing requirements and scope.
SketchDeck will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.
Requests for an exception to this policy must be submitted to the IT manager for approval.
Any known violations of this policy should be reported to the . Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
SketchDeck’s Engineering Team is responsible for setting and enforcing the data retention and disposal procedures for SketchDeck managed accounts and devices.
Customer Accounts:
Devices:
Destroying devices or electronic media
In cases where a device is damaged in a way that SketchDeck cannot access the Recovery Partition to erase the drive, SketchDeck may optionally decide to use an E-Waste service that includes data destruction with a certificate. SketchDeck will keep certificates of destruction on record for one year. Physical destruction can be optional if it is verified that the device is encrypted with Full Disk Encryption, which would negate the risk of data recovery.
Management will review this procedure at least annually.
System or Application | Data Description | Retention Period |
---|---|---|
SketchDeck SaaS Products (AWS & GCP) | Customer Data | Indefinite |
SketchDeck Customer Support Tickets | Support Tickets and Cases | Indefinite |
SketchDeck Customer Support Phone Conversations (Zoom) | Support Phone Conversations | Indefinite |
SketchDeck Security Event Data (Loggly) | Security and system event and log data, network data flow logs | 1 year |
SketchDeck Customer Sales (Hubspot) | Opportunity and Sales Data | Indefinite |