Media Handling Policy
Effective: March 17, 2026 · DCF-385/386/388/694
1. Purpose
This policy defines H33.ai's controls for the handling, transport, inventory, and disposal of media in accordance with ISO 27001:2022 controls A.7.10 (Storage media) and A.7.14 (Secure disposal or re-use of equipment), and SOC 2 Common Criteria CC6.5. This is a combined policy covering DCF-385 (Management Approval for Media Transport), DCF-386 (Media Inventory), DCF-388 (Unencrypted Media), and DCF-694 (Media Handling).
2. Scope
This policy applies to all media that may contain H33.ai sensitive data, customer data, protected health information (PHI/ePHI), cryptographic key material, or any information classified as Confidential or higher per H33.ai's Information Classification Policy. This includes both physical media (USB drives, external hard drives, optical media, printed documents) and logical media (cloud storage, virtual volumes, database instances).
3. Policy Statement
H33.ai operates a fully cloud-based, remote-first infrastructure. No physical media containing sensitive data (PHI, ePHI, customer data, cryptographic keys) is used, transported, or stored outside of encrypted cloud systems. This architecture fundamentally eliminates the risks associated with physical media handling, transport, and disposal.
4. Media Classification
All data and the media on which it resides are classified in accordance with H33.ai's Information Classification Policy:
| Restricted | Cryptographic keys (Dilithium, Kyber, BFV parameters), FHE-encrypted biometric templates, database credentials, API secrets. Highest protection level. |
| Confidential | Customer data, PHI/ePHI, authentication logs, source code, internal security documentation, employee PII. |
| Internal | Internal communications, operational procedures, meeting notes, project plans. Not for public distribution. |
| Public | Marketing materials, published documentation, website content, public API documentation. |
5. Removable Media
The use of removable physical media for storing H33.ai sensitive data is strictly prohibited:
- USB drives: Not approved for storing any H33 sensitive data, customer data, PHI, or cryptographic material
- External hard drives: Not approved for storing any H33 sensitive data, customer data, PHI, or cryptographic material
- Optical media (CD/DVD/Blu-ray): Not approved for data storage or transfer
- SD cards and memory cards: Not approved for data storage or transfer
- Printed documents: Printing of Restricted or Confidential data is prohibited unless specifically approved by the CISO with documented business justification
Removable media may be used for non-sensitive operational purposes (e.g., software installation from verified vendor media) with CISO awareness.
6. Media Transport (DCF-385)
Physical media transport is not applicable to H33.ai's operations. All data transfer occurs via encrypted network channels:
| In Transit | All data transmitted over TLS 1.3 with Kyber hybrid key exchange for post-quantum protection |
| API Communications | HTTPS only; HTTP Strict Transport Security (HSTS) enforced |
| Internal Services | AWS VPC private networking with security groups; inter-service communication encrypted |
| | Microsoft 365 with TLS enforcement for all external email |
| Source Code | GitLab with SSH key authentication; all transfers over encrypted channels |
In the unlikely event that physical media transport becomes necessary (e.g., legal discovery, regulatory request), the following controls apply:
- Written approval from the CISO (Eric Beans) is required before any data is transferred to physical media
- All data must be encrypted with AES-256-GCM before transfer to physical media
- Media must be transported via bonded courier with chain-of-custody documentation
- Recipient must be verified and authorized in writing
- Media must be tracked from creation through delivery and eventual destruction
7. Media Inventory (DCF-386)
No physical media inventory is required, as all H33.ai data assets are cloud-hosted:
| Compute | AWS EC2 (Graviton4 c8g.metal-48xl) — no local persistent storage; EBS volumes encrypted with AWS-managed keys |
| Database | AWS RDS PostgreSQL — encryption at rest enabled (AES-256); automated backups encrypted |
| Cache | AWS ElastiCache Redis — encryption at rest and in transit enabled |
| Object Storage | AWS S3 (where used) — default encryption (SSE-S3 or SSE-KMS); versioning enabled |
| Source Code | GitLab (SaaS) — encrypted at rest and in transit by provider |
| | Microsoft 365 — encrypted at rest and in transit per Microsoft HIPAA BAA |
| Secrets | AWS Secrets Manager — encrypted with KMS; access logged via CloudTrail |
A logical asset inventory is maintained in Drata and reviewed quarterly.
8. Unencrypted Media (DCF-388)
Unencrypted media containing H33.ai sensitive data is strictly prohibited. All data at rest and in transit must be encrypted:
8.1 Data at Rest Encryption
| Storage Encryption | AES-256-GCM for all data stored in AWS (RDS, ElastiCache, EBS, S3) |
| Biometric Data | BFV Fully Homomorphic Encryption (N=4096, t=65537) — data remains encrypted even during computation; never decrypted at rest on servers |
| Cryptographic Keys | AWS Secrets Manager with KMS envelope encryption |
| Employee Endpoints | Full-disk encryption required (FileVault for macOS, BitLocker for Windows) |
8.2 Data in Transit Encryption
| External APIs | TLS 1.3 with CRYSTALS-Kyber hybrid key exchange |
| Internal Services | TLS 1.2+ within AWS VPC |
| Authentication Tokens | Signed with CRYSTALS-Dilithium (ML-DSA); transmitted over TLS |
| Database Connections | SSL/TLS enforced for all RDS connections |
9. Media Disposal
Since H33.ai does not use physical media for data storage, disposal procedures focus on cloud resource decommissioning and endpoint lifecycle:
9.1 Cloud Resource Decommissioning
- EC2 instances: Terminated via AWS console or API. AWS guarantees secure erasure of underlying storage per their shared responsibility model and SOC 2 report.
- RDS instances: Final snapshots taken before deletion (retained per backup policy). Instance deletion triggers AWS secure erasure of underlying storage.
- S3 objects: Objects are unrecoverable after deletion. Bucket lifecycle policies enforce automatic cleanup of expired data.
- ElastiCache: Cache nodes terminated via AWS; in-memory data is volatile and non-persistent by design.
- Secrets Manager: Secrets deleted with mandatory 7-day recovery window, after which deletion is permanent and irreversible.
9.2 Employee Endpoint Disposal
- All company data must be removed from employee devices upon termination per the offboarding checklist
- Full-disk wipe performed using manufacturer-recommended secure erasure (e.g., Apple Erase All Content and Settings for macOS)
- Wipe verification documented and retained in the employee offboarding record
- If physical destruction is required, devices are destroyed via NIST 800-88 compliant methods with certificate of destruction
10. Exceptions
Any exception to this media handling policy requires:
- Written request with documented business justification
- Risk assessment identifying threats and compensating controls
- Written approval from the CISO (Eric Beans)
- Time-limited exception with defined expiration date
- Exception logged in Drata with full audit trail
- Quarterly review of all active exceptions
11. Compensating Controls
The following compensating controls reinforce H33.ai's media handling posture:
- Endpoint security policies: All company devices must have full-disk encryption enabled, automatic screen lock (5 minutes), and remote wipe capability
- DLP awareness: Security awareness training covers data handling and the prohibition on removable media for sensitive data
- Cloud-first architecture: H33.ai's infrastructure is designed to eliminate the need for physical media entirely; all workflows operate within encrypted cloud environments
- Network controls: USB mass storage device access may be restricted via endpoint management policies where technically feasible
- Monitoring: DataDog monitors for anomalous data transfer patterns that could indicate unauthorized data exfiltration
12. Responsibilities
| CISO (Eric Beans) | Policy owner; approves exceptions; authorizes any physical media use; oversees endpoint lifecycle |
| All Personnel | Comply with media handling policy; report any unauthorized media use; maintain full-disk encryption on endpoints |
| Compliance Team | Maintain logical asset inventory in Drata; track exceptions; provide audit evidence |
13. Review Schedule
This policy is reviewed annually, or sooner if:
- H33.ai's infrastructure architecture changes to include physical media components
- A security incident involves physical media or data exfiltration
- Regulatory requirements change regarding media handling or disposal
- New endpoint types are introduced into the H33.ai environment
The next scheduled review is March 2027.
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945