
Information Classification & Handling Policy

Official platform documentation and governance guidance.

High-fidelity information governance framework ensuring structural asset classification, tiered handling logic, and persistent data sovereignty across the global Nexly ecosystem.
NIST SP 800-53
ISO 27001
v3.5.0

Enterprise Information Classification & Handling Policy

1. Information Governance Mission

Nexly.biz (the “Company”) treats information as the fundamental architectural unit of our institution. Our mission is to ensure that every bit of data is identified, classified, and handled with a level of security that is mathematically proportionate to its risk. We balance data liquidity with the uncompromising requirement of institutional confidentiality.

2. Structural Scope

This policy applies to all information assets owned by, processed by, or entrusted to Nexly. It covers automated data streams, source code, financial records, PII, and physical documentation across all global nodes and third-party managed clusters.

3. Governance Roles & Stewardship

  • Data Owners: Executive leads who define the classification level and access requirements for specific data sets.
  • Data Custodians: IT and Engineering teams who implement the Technical Controls mandated by the Owner.
  • Data Users: Every Nexly citizen, responsible for following handling protocols for the data they access.

4. Classification Taxonomy Matrix

Information is classified into four distinct tiers based on the potential impact of its unauthorized disclosure:

  • Unrestricted (Public): Data intended for public consumption (e.g., marketing content, public docs). Low impact.
  • Operational (Internal): Standard business data. Unauthorized disclosure could cause minor operational friction.
  • Confidential: Sensitive logic, strategy, or high-level non-PII customer data. Major impact if compromised.
  • Restricted (Highly Confidential): Legislative data (PII/Financials) and trade-secret code. Critical/catastrophic impact if compromised.

5. Tiered Data Handling Matrix

Handling requirements scale exponentially with classification. Restricted data (Tier 4) mandates the highest level of shielding, whereas Internal data (Tier 2) allows for greater operational liquidity within the Nexly firewall.

6. Labeling & Digital Marking Standards

All digital documents and repositories must be "Marked" with their classification level. Our automated systems utilize metadata tags to enforce these labels persistently. Physical documents of Tier 3 or 4 must be clearly stamped and stored in restricted physical silos.

7. Storage, Encryption & Data-at-Rest

Tier 3 and Tier 4 data must be encrypted using AES-256 (or higher) at the hardware or database layer. Decryption keys must be managed in a secure HSM (Hardware Security Module) with access logged to an immutable audit trail.

8. Secure Transmission Protocols

Confidential and Restricted data must never be transmitted via unencrypted channels. Direct transfers require TLS 1.3 or higher. Emailing Tier 4 data is strictly prohibited; users must utilize our "Secure Transfer Node" with time-limited, identity-verified links.

9. Access Orchestration & Need-to-Know

Access is governed by the "Principle of Least Privilege." Tier 4 data requires explicit, time-bounded authorization from the Data Owner and mandatory Multi-Factor Authentication (MFA). Just-in-Time (JIT) access is the default for all sensitive logic access.

10. Re-Classification & Periodic Review

The value and sensitivity of data change over time. Data Owners must review classifications annually. Data that has lost its strategic value should be downgraded to reduce institutional "Handling Debt" and unnecessary security overhead.

11. Forensic Disposal & Purging

When data reaches the end of its retention lifecycle, it must be purged forensically. This involves cryptographic erasure for cloud assets (deleting the master key) or certified physical destruction for local storage media.

12. Continuous Governance Auditing

Nexly utilizes "Active Discovery" agents to scan our data clusters daily. These agents identify misclassified assets (e.g., PII in a Tier 2 folder) and trigger automated remediation logic to re-align the asset with the correct security tier.

13. Data Governance Command

To request an asset classification review, inquire about handling matrix specifics, or report a data labeling anomaly, please connect with the Data Governance Desk.

Data Governance & Integrity

Response SLA: 24h Triage • Protocol v3.5

Direct Governance Contact