
Data Classification PII & PHI Handling Policy

This policy defines how eXpress badging® (EBS) classifies, manages, stores, and protects data within the Veonics® ecosystem, including the Veonics® Portal and the Veonics® IDentity Store.

Policy ID: EBS-SEC-DC-001
Owner: Security & Compliance
Version: 1.0
Effective Date: 11/22/2025 JF
Applies To: Veonics® Portal, Veonics® IDentity Store, and all related eXpress badging® systems


🧭 1. Purpose

This policy defines how eXpress badging® (EBS) classifies, manages, stores, and protects data within the Veonics® ecosystem, including the Veonics® Portal and the Veonics® IDentity Store.

EBS does not process, store, or accept HIPAA-regulated Protected Health Information (PHI), except for limited employee, contractor, or visitor identity data strictly required to produce and/or ship an identification credential.


🚫 2. PHI Handling Prohibition

EBS systems are not designed or approved for storage or processing of clinical or medical PHI. Customers are prohibited from entering or storing any HIPAA PHI in any EBS platform.

Permitted data is identity-only, such as:

  • Name

  • Photograph

  • Department / role

  • Badge number

  • Organizational ID

  • Business or residential shipping address

No healthcare, diagnostic, billing, or treatment information may be stored.


🗂️ 3. Data Classification Levels

EBS organizes data into four classification levels:

  • Public: Non-sensitive information approved for public release.

  • Internal: Routine internal business information not for public distribution.

  • Confidential: Contractual, operational, or business data shared under agreement.

  • Restricted: Identity-related PII used for credential issuance, including names, images, badge IDs, metadata, and shipping information. Restricted data receives the highest level of security controls.


🔐 4. Restricted Data Protections

All Restricted data is secured with the following controls:

  • AES-256 encryption at rest

  • TLS 1.2+ encryption in transit

  • AWS KMS-managed encryption keys

  • Logical separation of app, DB, and file layers

  • Role-based access controls (RBAC)

  • Least-privilege access for authorized staff only

  • MFA required for all privileged accounts

  • Logged and monitored access

  • No offshore access permitted

Restricted data includes the identity information of employees, contractors, visitors, and end users required solely for badge issuance and shipping.


🧑‍💻 5. Access Controls

Access to Restricted data is limited to authorized U.S.-based personnel and follows strict least-privilege principles.

  • Access requires documented business need

  • Access is approved by management

  • Activities are logged and auditable

  • Access is reviewed regularly

  • Access is revoked immediately when no longer required

Customers control their own user access within the Portal and assign their own roles.


🗑️ 6. Data Retention & Purging

EBS retains data based on:

  • Customer contractual requirements

  • Regulatory considerations

  • Operational needs

Data is deleted or anonymized upon:

  • Customer request

  • Contract termination

  • Expiration of retention requirements

Encrypted backups follow AWS lifecycle policies and are automatically purged on schedule.


🚫 7. Prohibited Data Types

The following may not be stored in any EBS system:

  • Medical histories or treatment notes

  • Lab or imaging results

  • Insurance or claims data

  • Billing records

  • Medical record numbers

  • ANY HIPAA PHI beyond minimal identity attributes for ID issuance

If prohibited data is detected, EBS may suspend access until remediation.


⚖️ 8. Enforcement

EBS monitors adherence to this policy.

  • Internal violations may result in corrective action or termination

  • Customer violations may result in suspension or termination of access per contractual terms

  • EBS reserves the right to require immediate removal of prohibited PHI


📝 9. Policy Ownership & Review

This policy is owned by eXpress badging® Security & Compliance.
It is reviewed annually, or upon material changes in systems, regulations, or customer requirements.