Information Classification and Handling Policy

Updated: December 03, 2025

This Information Classification and Handling Policy (the “Policy”) outlines the principles and guidelines for classifying and handling information within Eagle Eye Power Solutions (EEPS). The purpose of this Policy is to protect EEPS sensitive and confidential information from unauthorized access, disclosure, alteration, or destruction. All employees, contractors, and third-party partners who handle or have access to EEPS information must comply with this Policy.

Scope

This Policy applies to all forms of information, regardless of format or medium, including but not limited to electronic, physical, oral, and visual information. It covers information created, received, stored, processed, transmitted, or disposed of by EEPS, regardless of whether it is owned by EEPS or entrusted to EEPS by a third party.

Information Classification Levels

EEPS classifies information into the following levels based on its sensitivity, criticality, and potential impact on EEPS’ business:

1. Public Information (Level 1): Information intended for public dissemination and does not require protection from unauthorized access or disclosure. Public information does not require any special handling or labeling. Examples include:
   • Press releases
   • Marketing materials
   • Public website content
2. Internal Use Only (Level 2): Information intended for internal use within EEPS. It should be protected from unauthorized access or disclosure, and access should be limited to authorized personnel. Internal Use Only information requires special handling and clear labeling. This information type should only be available or transferred to Eagle Eye Power Solutions employees. Examples include:
   • Internal memos
   • Non-sensitive reports
   • Meeting minutes
3. Confidential (Level 3): Information requiring a higher level of protection due to its sensitivity. Unauthorized access, disclosure, or alteration of this information could have a significant adverse impact EEPS. Confidential information requires an approval process to transfer in any way and clear labeling, and should always be transferring via secure and encrypted means. Examples include:
   • Trade secrets
   • Financial records
   • Customer data
   • Intellectual property

Responsibilities

1. Management: Management is responsible for ensuring the implementation, enforcement, and regular review of this Policy. They must promote a culture of information security and provide appropriate resources to support compliance.
2. Employees: All employees must be aware of and comply with this Policy. They should understand the classification criteria and handle information in accordance with its assigned level. Employees should report any suspected or actual breaches of this Policy to their immediate supervisor or the designated information security officer.
3. Director of Technology (functioning as Information Security Officer): The information security officer is responsible for overseeing the implementation and maintenance of this Policy. They should provide guidance, training, and awareness programs to employees to ensure proper information handling.

Information Handling Procedures

1. Classification: Information owners or custodians must classify the information they create or handle in accordance with the classification levels defined in this Policy. They should clearly label or mark the information with the appropriate classification level.
2. Access Control: Access to information should be granted on a need-to-know basis. Employees must ensure that information at a higher classification level is not shared with individuals who do not have the appropriate clearance. Access controls, such as passwords and encryption, should be implemented to protect sensitive information.
3. Storage and Transmission: Information should be stored and transmitted using secure methods appropriate to its classification level. Encryption and secure communication channels must be used when transmitting confidential information outside EEPS network. Physical documents should be stored in locked cabinets or secure areas when not in use.
4. Disposal: Information and all backups of said information should be disposed of securely when it is no longer required. Paper documents should be shredded, and electronic files should be permanently deleted or securely wiped to prevent unauthorized recovery.

Credential Transmission & Distribution

1. Encryption in transit (required).
   All passwords and secrets must be transmitted only over encrypted channels (e.g., TLS 1.2+ HTTPS, SSH, VPN). Plaintext channels (unencrypted email, SMS, chat, voicemail) are prohibited.
2. Approved sharing method.
   Passwords must be shared only via the approved enterprise password vault (Keeper) with item-level access controls. Direct person-to-person disclosure of passwords (email/Slack/plaintext) is prohibited.
3. Separate-media distribution (fallback only).
   If the password vault is temporarily unavailable and a credential must be issued (e.g., initial bootstrap, emergency “break-glass”):
   • Split the secret using separate media (e.g., username via email; temporary password by phone call, or the decryption key via a different channel).
   • Mark the password temporary and require immediate rotation upon first use (within 24 hours).
   • Document the exception in a ticket and migrate the credential into Keeper at the earliest opportunity.
4. No shared disclosure of multi-factor data.
   Second factors (OTP seeds, recovery codes, hardware tokens) must never be sent in the same channel as the password, and should not be distributed together under any circumstance.
5. Scope limits for shared credentials.
   Where shared or “generic” accounts are business-justified, they must reside in Keeper, be restricted by role (RBAC/least privilege), and have auditing enabled (access/view events). Shared credentials must be rotated:
   • On first use, quarterly at minimum, and immediately upon role change or termination of any authorized user.
6. Prohibited practices.
   • Storing passwords in documents, tickets, chat, or notes outside Keeper.
   • Sending passwords or recovery codes together in a single channel.
   • Using personal email or messaging apps for credential transfer.
7. Ownership, monitoring, and enforcement.
   Security owns the approved methods; IT reviews Keeper audit logs and exception tickets monthly. Violations may result in access revocation and disciplinary action per the Acceptable Use Policy.

Training and Awareness

EEPS will provide training and awareness programs to ensure that all employees understand their responsibilities and obligations under this Policy. Training should cover information classification, handling procedures, and the importance of protecting sensitive and confidential information.

Policy Violations

Any violation of this Policy may result in disciplinary action, up to and including termination of employment or termination of business contracts, as applicable. EEPS may also pursue legal action against individuals who breach this Policy or applicable laws.

Policy Review

This Policy will be reviewed periodically to ensure its effectiveness and compliance with applicable laws and regulations. Updates or amendments to this Policy may be made as deemed necessary.

Policy Distribution and Acknowledgment

A copy of this Policy will be provided to all employees, contractors, and third-party partners who handle or have access to EEPS information. They must acknowledge their understanding and compliance with this Policy in writing.

By implementing and adhering to this Information Classification and Handling Policy, Eagle Eye Power Solutions aims to safeguard its information assets, maintain the trust of its stakeholders, and mitigate potential risks associated with unauthorized access or disclosure of sensitive information.