Information Classification Policy
Learn about Roboto Studio's Information Classification Policy. Understand how we categorize, handle, and secure different types of information.
1.0 Purpose
The purpose of this policy is to assist Roboto Studio employees in determining what information can be disclosed to non-employees, as well as the relative sensitivity of the information that should not be disclosed outside of Roboto Studio without proper authorization.
2.0 Scope
This policy covers all information assets owned and operated by Roboto Studio including (but not limited to) information (electronic and non-electronic), and associated IT infrastructures such as software, networks, desktops, laptops, and servers. This policy applies to the owners, custodians and all users (employees, consultants, and contractors) of such information assets.
3.0 High-Level Policy
All information assets (electronic and non-electronic) shall have designated owners and be classified following the information classification guidelines stated in this document. All Roboto Studio employees, consultants, and contractors who handle information in Roboto Studio’s custody or under its control are responsible for understanding and implementing this policy. Where a third party is responsible for handling the information on behalf of Roboto Studio, the third party shall be required by contract to adhere to this policy prior to the sharing of information.
4.0 Detailed Policy
4.1 Asset Identification
All information and related IT assets in Roboto Studio shall be clearly identified and owned. This shall include information assets, physical IT assets and IT services. For the purpose of this policy, generative-AI prompts and fine-tuning data are information assets.
4.2 Asset Classification
Roboto Studio shall classify, record, and maintain an inventory of information assets. The asset inventory shall include a list of all information assets owned and operated by Roboto Studio including, but not limited to, information in both electronic and non-electronic forms.
4.2.1 Information Classification
Information in a final or published state that is either in the custody of or produced and owned by Roboto Studio must be classified into one of the following three categories:
- Public: Information that is not confidential and can be made public without any implications for the organization.
- Internal: Information that is available to employees and authorized non-employees (consultants and contractors) possessing a need to know for business-related purposes.
- Confidential: Information that is sensitive within Roboto Studio and is intended for use only by specified groups of employees.
4.2.2 Information Safeguards
The following safeguards shall be put in place to classify and protect information:
- All Roboto Studio information must be classified as soon as possible after the creation or acceptance of ownership.
- Information must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
- Confidential information must not be exchanged via unsecured media.
- Destruction of information or systems storing information must be done in a secure manner.
4.3 Asset Labelling and Handling
The information and its related assets shall be classified and clearly labelled so that all users are aware of the ownership and classification of the information. Information and its related IT assets shall be processed and stored strictly in accordance with the classification levels assigned to those assets. Access to the information assets shall be the responsibility of a designated owner or custodian.
Version History
A list of all the versions including their version, author, date and comments.
| Version | Author | Date | Comments |
|---|---|---|---|
| 0.1 | Joe Pindar (Fresh Security) | 2022-05-16 | First Draft |
| 1.0 | Joe Pindar (Fresh Security) | 2022-06-01 | Sign Off |
| 1.1 | Joe Pindar (Fresh Security) | 2023-10-01 | Add patching timeliness requirements. Add policy review schedule. Review for best practice alignment. |