Data classification, four levels
Every record in Bizzi systems sits at exactly one classification level. The level decides where it is stored, how it is encrypted, who reads it, and how long it lives. Without this anchor, every downstream control around data residency, PII redaction, and retention becomes a case-by-case argument instead of an enforceable rule.
Context
Most data incidents we have studied across the industry trace back to a record that was never classified and then placed in a system that did not match its sensitivity. An invoice in a marketing analytics workspace. A personal ID number in a debug log. Classification is upstream of every other Pillar IV control. If a record is mislabeled, no amount of encryption or access control downstream will save it.
How we implement
Each level binds to a concrete storage, encryption, access, and retention regime.
- Level 1, Public. Marketing material, public API docs, this BAGF document. Any approved region. TLS in transit. Open access. Unlimited retention.
- Level 2, Internal. Architecture notes, internal performance metrics, employee directory. Approved cloud regions only. AES-256 at rest plus TLS 1.3+ in transit. Access limited to Bizzi staff with a business need. Three to seven year retention.
- Level 3, Confidential. Customer invoices, vendor contracts, customer lists. Storage follows the tenant’s Data Residency configuration (Pillar II §4). AES-256 plus TLS 1.3+. Access limited to staff with specific clearance and logged. Retention per customer contract, typically 5 to 10 years.
- Level 4, PII / Highly Restricted. Personal names, national ID numbers, personal tax IDs, phone numbers, addresses. Storage only in customer-approved regions, with field-level encryption for the most sensitive columns. Access requires business justification plus DPO approval. Every access is logged and alerted. PII is redacted before any LLM call. Placeholders go to the model, and the placeholder-to-real-value mapping lives only in the OLTP database with tight access control.
Automated classification on upload
When a document arrives, classification runs as a pipeline.
- Format detection (PDF, image, structured text).
- Content scan, with OCR if the input is image-based.
- PII detector runs against extracted text. Any match raises the floor to Level 4.
- Tenant context applies. A banking customer raises the default classification.
- Final classification is the maximum across components.
Reclassification
Classification is not a one-time decision. You reassess when a document is edited (PII might now be present), when tenant configuration changes, and during periodic audits. Downgrading a classification, for example Confidential to Internal, requires DPO approval and is logged. Upgrading does not.
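The upload pipeline's "maximum across components" rule and the reclassification rule above can be sketched together as follows. This is an added example, not Bizzi's own code. The PII patterns, content keywords, tenant floor table, default level, and function names are all assumptions made for illustration.

```python
import re
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    PII = 4

# Constructed, deliberately narrow patterns; a real PII detector covers far more.
PII_PATTERNS = {
    "national_id": re.compile(r"(?<!\d)\d{12}(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\+84|0)\d{9}(?!\d)"),
}
# Assumed content rules: invoices and contracts are Level 3 per the level list.
CONTENT_RULES = [(re.compile(r"\b(invoice|contract)\b", re.I), Level.CONFIDENTIAL)]
# Assumed tenant floors; the page only says a banking tenant raises the default.
TENANT_FLOOR = {"banking": Level.CONFIDENTIAL}
DEFAULT_LEVEL = Level.INTERNAL  # assumption: unlabeled uploads start at Internal

def classify(text, tenant_sector):
    """Return (final level, per-component levels); final is the max component."""
    has_pii = any(rx.search(text) for rx in PII_PATTERNS.values())
    components = {
        "content": max([lvl for rx, lvl in CONTENT_RULES if rx.search(text)],
                       default=DEFAULT_LEVEL),
        "pii": Level.PII if has_pii else Level.PUBLIC,  # any match -> Level 4
        "tenant": TENANT_FLOOR.get(tenant_sector, DEFAULT_LEVEL),
    }
    return max(components.values()), components

def reclassify(current, text, tenant_sector, dpo_approved=False):
    """Re-run classification after an edit; downgrades need DPO approval."""
    proposed, _ = classify(text, tenant_sector)
    if proposed < current and not dpo_approved:
        return current, "downgrade_denied_no_dpo_approval"
    if proposed < current:
        return proposed, "downgrade_logged_dpo_approved"
    return proposed, ("upgraded" if proposed > current else "unchanged")

if __name__ == "__main__":
    memo = "Q3 latency review for the ingestion service."      # constructed sample
    edited = memo + " Contact: 0912345678, ID 012345678901."   # constructed sample
    level, parts = classify(memo, "retail")
    print(level.name, {k: v.name for k, v in parts.items()})
    print(reclassify(level, edited, "retail"))       # edit introduced PII
    print(reclassify(Level.PII, memo, "retail"))     # downgrade without approval
```

Keeping the per-component levels alongside the final level lets an auditor see which component set the floor for a given record.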