Skip to main content

What data classification does amaise use?

Written by amaise Support

What data classification does amaise use?

amaise classifies all data into three tiers with progressively stricter protection measures. Each tier has a code (C1, C2, C3) used in our architecture diagrams and a semantic name used in policy and customer communication. Both refer to the same tier.

C3 — Sensitive (Strictly Confidential) — Customer documents, processing artifacts (OCR results, thumbnails, extracted text, PDF exports), case data, search indexes, and backups. Protected with tenant-specific encryption keys (per-tenant CMK), strictly tenant-separated, never copied locally, never shared externally.

C2 — Confidential — User access credentials, authentication tokens, API keys, infrastructure secrets, audit trail, and integration agent events. Stored KMS-encrypted, access-controlled, never logged in plaintext, and rotated on a scheduled basis.

C1 — Operational (Internal) — Usage analytics, LLM token metrics, error reports, application logs, session cache, and availability data. These contain no customer document content, are cleansed of personal data, and are subject to defined retention periods.

Input data and derived artifacts inherit the tier of their source — for example, OCR output derived from a customer PDF is treated as C3 / Sensitive. Tier assignments and storage mappings are documented in our internal Security Architecture and reviewed during the ISO 27001 / SOC 2 audit cycle.

Did this answer your question?