Client Data Handling Policy

Rules for where client data lives, who can touch it, how it moves, and when it gets destroyed.

Effective Date: April 15, 2026
Applies To: All employees, contractors, and vendors accessing client data on behalf of the company


Overview

Clients trust us with their infrastructure, which means we regularly see data we have no business keeping. This policy defines what we can hold, where it belongs, who can touch it, and when it must be destroyed.

The default answer to “can I keep a copy of this?” is no.


Data Classification

Client data falls into one of three tiers:

  • Operational — configuration, device inventories, network diagrams, tenant IDs, and documentation needed to support the client. Stored in the client’s record in our documentation platform.
  • Sensitive — credentials, recovery keys, MFA secrets, and anything that grants access to the client’s environment. Stored only in the password manager vault assigned to that client.
  • Restricted — PII, PHI, financial records, or contents of client mailboxes and document stores. Must remain inside the client’s own environment. We do not copy it out for convenience.

Storage

  • All client data lives in approved company systems. Personal email, personal cloud storage, local desktops, and unmanaged USB drives are never acceptable storage locations.
  • Credentials and recovery material go in the password manager under the correct client vault. Never paste them into tickets, chat, email, or documentation.
  • Screenshots for tickets must be cropped to exclude unrelated data. Redact identifiers before attaching.
  • Local caches created by remote support tools are cleared at the end of each session.

Access

  • Access to a client’s systems and data is limited to technicians actively assigned to that client’s work.
  • Standing access is granted by the client lead; break-glass access is logged and reviewed.
  • Sharing credentials between technicians is prohibited — each technician uses their own named account with the client.
  • Access does not imply authorization to read. Do not open mailboxes, files, or records unless the ticket or engagement requires it.

Transmission

  • Client data in motion is encrypted in transit. Unencrypted FTP, HTTP, or plaintext email are never acceptable for client data.
  • Credentials are shared with clients through the password manager’s secure send feature or a client-initiated portal — never pasted into email or chat.
  • When a client sends us sensitive data in an insecure channel, we move it to a secure location and acknowledge the risk with them.

Retention & Disposal

  • Operational documentation is retained for the life of the engagement plus 90 days.
  • Credentials are rotated and vault entries archived within 7 days of the access need ending — terminated staff, ended engagements, decommissioned systems.
  • Local copies of client files pulled for troubleshooting are deleted within 24 hours of the ticket closing.
  • At engagement termination, we follow the client’s offboarding checklist: return or destroy data per their contract, revoke all access, and confirm in writing.

Client-Owned vs. Company-Owned

We produce documentation and configuration on the client’s behalf. Unless the contract states otherwise:

  • Work product belongs to the client.
  • Internal runbooks, templates, and playbooks we develop during an engagement belong to us and do not contain client-specific data.
  • Screenshots, logs, and samples used to build those internal assets must be redacted before reuse.

Incident Reporting

Any suspected exposure of client data — accidental email to the wrong recipient, credential paste into the wrong window, lost device with local caches, or unexpected access from an unknown account — must be reported immediately.

IT Security Contact: security@techgarrison.com
After-Hours: (253) 341-4233


Policy Compliance

Violations may result in disciplinary action and client notification per our contractual obligations. Where client contracts impose stricter handling requirements than this policy, the contract governs.


Last reviewed: April 2026 — IT Security