Audit evidence packet

Policy

Authoritative metadata for POL-2040. This packet certifies that the policy is currently active, that the current version is v2, and that the attestation roster below reflects the state of compliance as of the printing date. Auditors should verify the publication date matches the reviewer-chain decision dates and that the attestation IP / timestamp pairs are consistent with the audit log.

Code

POL-2040

Title

Data Handling Policy

Category

Privacy & data handling (restricted)

State

Review pending

Effective

—

Next review

—

Expires

—

Substantive flag

Cosmetic only

AI summary (current version)

AI summary: Data Handling Policy v2 — covers privacy & data handling with updates to previous version. Recommended attestation cycle: annual.

Audience(s)

No assignment rules.

# Data Handling Policy

## 1. Purpose

Establishes how Northstar Logistics classifies, stores, transmits, and retains information assets including customer shipment data, employee PII, financial records, and operational telemetry.

## 2. Classification

Data is classified as: Restricted (customer PII, payment data, employee SSN/government IDs), Confidential (internal financials, vendor contracts, route optimization data), Internal (operational dashboards, team communications), Public (marketing collateral, press releases).

## 3. Storage requirements

Restricted data must be encrypted at rest using AES-256 or equivalent. Confidential data must be stored in approved systems (no local-only copies). Access is governed by least-privilege RBAC reviewed quarterly.

## 4. Reviewer chain (RESTRICTED CATEGORY)

This policy is in the **restricted** category. Publication requires approvals from both **Legal** and **Information Security** reviewers before executive approval. Attempts to publish with only one reviewer will be blocked.

Version history

Every version of POL-2040 with author, publication date, and substantive-change classification. Earlier versions are retired when a new one publishes. The substantive-change column reflects the AI classifier's decision on whether the change introduced new obligations (substantive) or only clarifications (cosmetic).

Attestation coverage

0 of 0 assigned employees have attested to POL-2040 version v2, for an overall coverage of 0%. No attestations are overdue. The roster below shows the most recent 25 entries; the full roster is exportable to CSV via the audit-bundle Export action on the policy detail page.

Attestation roster (sample)

Roster shows first 25 of 0 attestations. Full roster: see policy detail page → Export audit bundle (CSV).

Review chain

Reviewer steps and their decisions for the current version of POL-2040. Restricted-category policies (e.g. Information Security, Privacy & Data Handling) require Legal + Security reviewer approvals in addition to SME before executive sign-off; this packet records the reviewer type, identity, decision, comment, and decision timestamp for each step. The Executive approval entry at the bottom records the executive_approver's final sign-off before publication.