
    Data Protection Policy

    Usermuse, Inc., a Delaware public benefit corporation, doing business as Evermuse

    Last Updated: November 24, 2025

    1. Purpose

    This policy defines the administrative, technical, and operational controls Evermuse uses to protect customer and company data from unauthorized access, disclosure, alteration, or destruction. The goal is to preserve the confidentiality, integrity, and availability of data.

    2. Scope

    This policy applies to all production systems and supporting services that create, receive, store, process, or transmit Evermuse or customer data (“Production Systems”). It also applies to workforce members and service accounts that access or administer Production Systems.

    3. Roles and Responsibilities

    • Security Officer: Owns this policy, reviews it annually, approves exceptions, and oversees monitoring and incident response.
    • Engineering / IT: Implements and operates technical controls described here.
    • System Owners: Ensure systems and data under their control follow this policy.
    • CEO: Approves this policy and is informed of material data protection incidents.

    4. Data Protection Requirements

    Evermuse requires that:

    1. Data Handling by Classification. Data is handled per the Data Classification Policy. Repositories with mixed data must meet the highest classification present.
    2. Approved Systems Only. Business-critical and customer data must be stored only in company-approved systems.
    3. Least Privilege & Production Data Access. Access is role-based; admin access to production data is disabled by default. Temporary break-glass access is time-bound and logged.
    4. Secure Configuration. Production Systems disable non-required services and follow secure configuration and change standards.
    5. Logging. All access to Production Systems and sensitive data is logged and retained.
    6. Monitoring. Production Systems have risk-appropriate security monitoring.

    5. Customer Data Protection in Production

    5.1 Hosting and Redundancy

    • Production Systems are hosted in GCP.
    • Data is replicated and backed up per the Backup Policy and DR Plan.

    5.2 Segmentation / Tenant Separation

    Customer data is logically separated to prevent cross-customer access via:

    • Tenant identifiers enforced at API/datastore level, or
    • Dedicated resources per customer where required.

    6. Production Access Controls

    • Production access requires explicit approval by Head of Engineering or Security Officer.
    • Access is temporary, time-boxed, and revoked promptly after use.
    • Production access is reviewed at least quarterly.

    7. Data Leakage Prevention (Practical Controls)

    Evermuse reduces leakage risk through least privilege, approved tools, encryption, monitoring, and training. Suspected leakage is handled via Incident Response procedures.

    8. Cryptographic Protection

    8.1 Data at Rest

    • Restricted/Internal data in production stores is encrypted at rest per the Encryption Policy.
    • Keys are protected and managed in approved KMS tooling.

    8.2 Data in Transit

    • All external transmission of Evermuse/customer data is encrypted end-to-end.
    • Internal connections are encrypted where practical and required for Restricted data.

    9. Data Deletion and Secure Disposal

    1. Deletion Triggers. Data is deleted when no longer required per business/legal/contract needs.
    2. Deletion Method. Deletion occurs through authenticated workflows or approved admin tools; actions are logged. Data is removed from active systems and backups per retention policies.
    3. Physical and Electronic Media. Removable media for Restricted data is prohibited unless approved and encrypted. Devices/media with Restricted data are wiped or destroyed per Asset Management Policy.
    4. De-identification. If deletion is infeasible, data may be de-identified; de-identified data remains Internal Use unless reclassified.

    10. Secure Information Exchange

    Data is exchanged only under approved agreements (Customer Contracts, DPAs, Vendor Agreements) defining scope, obligations, classification, and incident notice. Agreements are reviewed annually or upon material change.

    11. End-User Messaging Channels

    Restricted data must not be shared in public/unapproved channels. Allowed methods include private company chat channels, secure file links, encrypted email, or approved ticketing/support systems.

    12. Evidence and Audit Support

    Evidence includes access approvals/logs, monitoring alerts/incidents, encryption configs, deletion logs, access reviews, and exception records.

    13. Policy Review

    This policy is reviewed annually and after major infrastructure, regulatory, or contractual changes.
