Skip to content

Data Classification & Storage

Status: CURRENT
Last updated: 2026-02-12

Purpose

Defines sensitivity tiers for COOWN data and where each tier is stored. All team members and agents must follow this classification when handling data.

Sensitivity Tiers

Tier Content Storage (current) Storage (planned) Access
Critical Financial keys, legal docs, contracts, signing keys Proton Drive + encrypted OneDrive Proton Drive + encrypted OneDrive Simon only
Sensitive Team PII (real names, phones, personal emails), portal credentials, API keys for paid services Notion (managed-trust.com workspace) Bitwarden (self-hosted on Hetzner, Tailscale-only) Simon + authorized team
Internal Roles, project assignments, org structure, agent configs Dev-Ops (private GitHub repo) Dev-Ops (private GitHub repo) Agent swarm + Simon
Public Policies, procedures, product docs, compliance frameworks Tech-Pub (GitHub repo) Tech-Pub (GitHub repo) Anyone

Storage Locations

Proton Drive + encrypted OneDrive (Critical)

  • What: Weekly baselines, legal documents, financial records, signing keys
  • Access: Simon only, manual management
  • Backup: Cross-replicated between Proton and OneDrive

Notion (Sensitive — transitional)

  • What: Team directory with PII, shared portal credentials, internal contact lists
  • Domain: managed-trust.com workspace
  • Status: ⚠️ Transitional — migrating to Bitwarden
  • Risks: No self-hosted encryption, US-hosted (Notion Inc.), limited access controls

Bitwarden / Vaultwarden (Sensitive — planned)

  • What: Replaces Notion for all sensitive shared data
  • Hosting: Self-hosted on Hetzner (100.69.45.36), Tailscale-only access
  • Vault structure:
  • team-directory — real names, phones, roles (read: all team, write: Simon)
  • portal-credentials — shared logins for minor services (read: relevant team, write: Simon)
  • api-keys-dev — development API keys (read: agents, write: Simon)
  • Status: Planned — pending setup

Dev-Ops (Internal)

  • What: Project data, team profiles (first name + role only), technical specs, reports
  • Hosting: Private GitHub repository (coown-box/Dev-Ops)
  • Access: Simon + agent swarm (via GitHub sync)

Tech-Pub (Public)

  • What: IMS — policies, procedures, work instructions, compliance docs, technical references
  • Hosting: GitHub repository (coown-box/Tech-Pub)
  • Access: Public

Rules

  1. Never store Critical or Sensitive data in Tech-Pub or Dev-Ops — no credentials, PII, or financial keys in Git
  2. Never store credentials in Notion long-term — migrate to Bitwarden when available
  3. Team data in Dev-Ops uses first names + roles only — no phone numbers, personal emails, or addresses
  4. When in doubt, classify up — treat ambiguous data as the higher sensitivity tier
  5. Agents must not exfiltrate Sensitive or Critical data into logs, memory files, or chat messages

Cross-References