Data and Content Classification Policy

DRAFT

Purpose

This policy classifies and defines the data and content that is used within ACS Technologies Group, Inc. (“ACST”) and delineates how that information must be handled. The classification of data and content is intended to help safeguard confidential information for all identified assets, both corporate and customer-based. Information must be consistently protected from its origination to its destruction. This policy also outlines the measures we will take to protect data throughout its lifecycle.

Scope and Applicability

This policy applies to ACST staff, as well as vendors.1

Policy

All data assets must be labeled using one of the following categories: Public, Internal Use Only, Customer Use Only, or Confidential. Different types of data require different lengths of retention. Anyone responsible for data must determine the retention period that minimizes risk to ACST, meets business objectives, and meets legal requirements.

Classification table (columns: Classification; Results of unauthorized disclosure; Examples; Data retention recommendations)

Confidential
  Definition: Confidential information is intended for compartmentalized or limited use within ACST.
  Results of unauthorized disclosure: Would adversely impact the company, its shareholders, its business partners, and/or its customers.
  Examples: Employee health records, personally identifiable information (“PII”), source code, customer data, passwords, encryption keys, intellectual property, bank account information, Internal Use Only market research, audit reports, mergers and acquisitions, etc.
  Data retention recommendations: Financial data: 7 years.

Internal Use Only
  Definition: Internal Use Only information is company information which is intended for use solely within ACST and by ACST staff.
  Results of unauthorized disclosure: Could adversely impact the company and/or its team members.
  Examples: Policies and procedures, procedure metrics, etc.
  Data retention recommendations:
  • Policies should be reviewed / updated annually.
  • KPI metrics may be retained forever.

Customer Use Only
  Definition: Customer Use Only information is company information which is intended for use solely by ACST customers. ACST staff will also have access to this information for the purpose of customer support.
  Results of unauthorized disclosure: Could adversely impact the company and our products if certain information was made available to our competitors.
  Examples: APIs, Help / UI content, webinars, and training videos.
  Data retention recommendations: Content should be reviewed at least annually, but more often if product releases are frequent.

Public
  Definition: Public information is any information that doesn’t fit into any of the above classifications, and may be made publicly available. Public information must be authorized and published by ACST’s content community.
  Results of unauthorized disclosure: Isn't expected to seriously or adversely impact the company.
  Examples: Publicly available corporate websites, marketing materials, and help content.
  Data retention recommendations: 3 years.

As explained in our Data Security FAQ, customer data backups of all hosted products are stored for no longer than six (6) months.

  • Sensitive data must be stored only for the time for which it is needed for business, legal, or regulatory purposes.

  • All procedures for storage of sensitive data must include a description of the business, legal, or regulatory reasons for storing the data.

  • ACST must conduct an annual review of all stored sensitive data and verify that stored sensitive data does not exceed business, legal, or regulatory requirements.

ACST Confidential and Internal Use Only information must be used solely for the defined business purpose(s) and expressly authorized by management. All ACST staff must keep Confidential and Internal Use Only information protected. The obligation to keep such information confidential continues after employment is terminated, as documented in our Non-Disclosure Policy that each employee is required to agree to and sign.

Note:

Internal Use Only and Confidential information may be accessed only by authorized personnel, and only as needed to perform their jobs.

If Internal Use Only or Confidential data is (or is suspected of being) lost or disclosed to unauthorized parties, ACST's Executive Leadership Team ("ELT") must be notified immediately.

Ownership and Succession

All ACST data must have an owner and be classified by the data owner. All ACST staff can create information and, therefore, are considered to be data owners.

  1. Data owners must determine appropriate sensitivity classifications for data stored.

  2. Data owners must also determine who will be allowed to access the data, and the purposes for which this information will be used.

  3. Data owners must apply the controls available for the sensitivity of the data in the regular use of the information, as well as in how it is stored, handled, and distributed.

Classifying, Labeling, and Storing Data

  • All data stored on paper or electronic media must be designated as Public, Internal Use Only, Customer Use Only, or Confidential. Internal Use Only and Confidential data should be secured while not in use.

  • Physical data must be clearly labeled or tagged, or stored in a clearly labeled file or container.

Lifecycle and Management of Data

Data has a lifecycle, and over time may become less relevant. Some information will become obsolete, and must have an end of life.

  1. Hard copy materials must be destroyed by cross-cut shredding. Hard copy materials awaiting shredding must be stored in locked containers within a secure area of ACST.

  2. Confidential data stored electronically must be rendered unrecoverable.

If IT declares certain media2 obsolete and no longer viable, that media must be destroyed. (If Confidential or Internal Use Only data is held on that media and is still needed, it may be transferred to new media first.)

Data Security Measures

Our approach to data classification will be system agnostic. If data is classified as Confidential, it must be protected by the following measures:

  1. Required periodic auditing (how often?)

  2. Cloud storage: Google Labels

Enforcement

Any employee found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Service Providers found to have violated this policy may be subject to financial penalties, and termination of contract.

Variance Process

System Operators who maintain database integrity, overall system health, and routine database maintenance are exempt from this policy but must maintain an audit log. The Chief Ventures Officer, as Executive Sponsor, is responsible for ensuring the review, documentation, and management of any and all exceptions to this policy.

1 As conveyed in the Non-Disclosure of Confidential Business Information and Assignment of Property Rights clause in the Independent Contractor Agreement.
2 Media is anything that can hold or contain data (e.g. a piece of paper, a thumb drive, disc drive, a computer, a file, etc.)