**Tags:** #Process #OPSEC > [!info] > This information is shared as part of Decombine's commitment to [[Open Core]] practices. ## Overview Decombine is committed to protecting Member data through transparency and defense-in-depth strategies designed to limit risk in the event of compromise. Part of that commitment is to take document and data management strategies inspired by the most sensitive agencies in the world and adapt them to our business processes. Confidential data and documents, even outside of our backend systems, are encrypted using industry leading data sensitivity labeling and data loss prevention systems. Our [[#Document & data classifications]] correspond with sensitivity labels that are programmatically applied to documents using encryption software or metadata tagging to alert end users. Unauthorized users are unable to access these documents, regardless of whether they have the data physically stored on a device. Every time a classified document is opened, an authentication and permissions check is performed to determine if the accessing user has rights to it. If not, the file is inaccessible to them. ## Terms **Personally Identifiable Information (PII)**: Any data containing information that can be used to personally identify an individual person. **Confidential**: Business secrets that are not intended for public release. **Open Source**: Publicly releasable information/data with an associated open source license. ## Document & data classifications ^0736f3 Business documents are split into the following categories: ### Proprietary **Proprietary** classification documents are internal business documents that are sensitive in nature. These may contain proprietary data or processes that is not intended for public dissemination. Examples include confidential financial reporting, confidential agreements, confidential plans, etc. This classification is considered **Confidential**. ### Proprietary - PII **Proprietary - PII** classification documents are internal documents containing employee or contractor PII. Examples include employee tax information, confidential employee records, etc. This classification is considered **Confidential**. ### Operational **Operational** classification documents are internal-external mix documents containing details on process, procedure, styling, public architecture, and more. This classification is considered **Open Source**. ### Operational - Proprietary **Operational - Proprietary** classification documents are internal documents containing sensitive architectural or operational information. Examples may include private network addressing, confidential regulatory reporting procedures, etc. This classification is considered **Confidential**. ### Member PII Member PII classification documents are internal documents generated through irregular processes that contain any amount of PII. Examples include a customer support artifacts, custom regulatory compliance such as cooperation with a law enforcement subpoena, legal holds, etc. This classification is considered **Confidential**. ## Document Repositories Business documents are maintained in four systems: - GitHub Enterprise Cloud - Obsidian Sync/Publish - Microsoft 365 Commercial Cloud - Managed Employee and contractor devices ### GitHub Enterprise Cloud **Authorized for**: *Operational*, *Operational - Proprietary* GitHub is used to store technical documentation directly alongside source code. It also stores a copy of the Decombine Handbook. ### Obsidian Sync/Publish **Authorized for**: *Operational*, *Operational - Proprietary* Obsidian is used to author and host the Decombine Handbook. Source code is stored in GitHub and synchronized to Obsidian end-to-end encrypted hosting. ### Microsoft 365 Commercial Cloud **Authorized for**: *Decombine Proprietary*, *Decombine Proprietary - PII*, *Operational*, *Operational - Proprietary*, *Member PII* Microsoft 365 is the primary document management solution for Decombine for all non-technical and non-handbook data. This includes company business reports, dashboards, etc. Microsoft 365 should be used as the default selection when GitHub or Obsidian are not suitable. ### Managed Employee and contractor devices **Authorized for**: *Decombine Proprietary*, *Decombine Proprietary - PII*, *Operational* Employee and contractor devices containing any classification of Decombine Proprietary data must be onboarded to our enterprise device management solution to apply security policies, tools, and controls before this data can be accessed or consumed. Employee and contractor devices may hold Decombine data while it is in process of being consumed or updated. This data is synchronized with either GitHub or Microsoft 365 and is not a separate solution. Details regarding employee and contractor device security can be found in the Vulnerability Management section.