Skip to content
Shorebird Handbook

Encryption & Key Management Policy

Purpose and Scope

Section titled “Purpose and Scope”

The purpose of this policy is to establish guidelines for the use of encryption and key management to protect the confidentiality, integrity, and availability of sensitive data, including Personally Identifiable Information (PII), Intellectual Property (IP), and other classified data.

This policy covers all employees, contractors, and third parties involved in the processing, storage, or transmission of encrypted data, as well as the management of cryptographic keys.

Policy Statements: Our Commitments

Section titled “Policy Statements: Our Commitments”

The following policy statements outline how we implement and manage encryption and key management processes to protect our information assets. They cover everything from encryption standards to key lifecycle management.

Encryption

Section titled “Encryption”

All sensitive data is encrypted with TLS 1.3 or higher when transmitted over untrusted networks. For data at rest, AES-256 or equivalent encryption is used for sensitive data storage.

Only secure, industry-recognized encryption algorithms (e.g., AES, RSA, TLS) are used and deprecated algorithms are prohibited.

Key Management

Section titled “Key Management”

A secure key management system is used for the entire key lifecycle (generation, distribution, storage, rotation, revocation).

Keys must be generated securely and stored in key vaults. Private keys cannot be stored with encrypted data.

All shared or production access tokens are documented in a key inventory with at least the following information:

  • Key Creator
  • Service description
  • Creation Date
  • Last rotated date
  • Current Key Owner

All keys that have access to production data or customer confidential data must be rotated at least every 90 days. All personal access keys that have access to any staging or test environments must be rotated at least annually.

Keys must be backed up securely for recovery in case of data loss.

Monitoring and Auditing

Section titled “Monitoring and Auditing”

Key usage, encryption events, and unauthorized activities are monitored and tracked. Alerts are triggered for unauthorized access or anomalies.

Regular audits of key management and encryption processes are mandatory to ensure compliance.

Compliance and Enforcement

Section titled “Compliance and Enforcement”

Compliance with this policy is mandatory for all employees, contractors, and third parties with access to Code Town’s data.

In rare cases, business needs, local laws, or regulations may require exceptions. Management will approve any exceptions and define alternative solutions.

Non-compliance may lead to disciplinary action, including termination, as per Code Town’s policies.

Policy Review and Maintenance

Section titled “Policy Review and Maintenance”

This policy will be reviewed annually or when significant changes occur to maintain its continuing suitability, adequacy, and effectiveness.

Reviews must consider changes in the regulatory landscape.