# Data Governance

## What data does Rockhopper store?

Understanding exactly what data Rockhopper holds is important for any security evaluation. Here's a clear breakdown:

### Data Rockhopper stores

| Data type             | What it includes                                                  | Purpose                                         |
| --------------------- | ----------------------------------------------------------------- | ----------------------------------------------- |
| **User profile**      | Name and email address (sourced from Microsoft or Google account) | Identify users, display names, enable @mentions |
| **Team membership**   | Which users belong to which teams, and their roles                | Access control and collaboration                |
| **File metadata**     | File names, drive/file IDs, enrollment timestamps                 | Track which files are managed by Rockhopper     |
| **Version snapshots** | Point-in-time copies of enrolled spreadsheets                     | Enable version comparison and revert            |
| **Change records**    | Which cells changed, old/new values, who made the change, when    | Change tracking and audit trail                 |
| **Comments**          | Comment text, author, timestamps, version associations            | Team collaboration                              |
| **Review records**    | Review requests, reviewer assignments, approval status            | Formal review workflow                          |
| **Activity logs**     | Who did what and when (audit trail)                               | SOC 2 compliance and traceability               |

### Data Rockhopper does NOT store

* **User passwords or credentials** — Authentication is fully delegated to Microsoft or Google
* **Email, calendar, or contacts** — Rockhopper only accesses files, not other Microsoft 365 or Google Workspace data
* **Spreadsheet contents beyond change tracking** — Rockhopper does not index, search, or analyze the contents of your files

## Data classification

Rockhopper classifies all data into three tiers to ensure appropriate handling, storage, and access controls:

| Classification   | Description                                                                     | Examples                                                                          |
| ---------------- | ------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
| **Sensitive**    | The most restricted data, with access strictly limited                          | Passwords, encryption keys, authentication tokens                                 |
| **Confidential** | Business information intended for use solely by Rockhopper and/or its customers | Personally identifiable information (PII), customer financial data, audit reports |
| **Public**       | Information that does not fit into the above classifications                    | Marketing content, published documentation                                        |

Each tier has specific requirements for storage, transmission, access control, and disposal. The classification policy is reviewed annually by management.

## Non-production environments

Customer data is **prohibited from use in development and test environments** by policy. Production and non-production environments are segregated at the network level, and all production data is sanitized before any use in non-production contexts.

## Data retention

Data is maintained for the duration of the contractual agreement with your organization:

* **Version snapshots** are retained indefinitely (including discarded and reverted versions) to preserve the audit trail
* **Comments and reviews** are retained for the life of the file
* **User accounts** persist until the organization requests removal

At the end of a contract, all data associated with your organization is purged.

## Data export

You can request a full export of your organization's data at any time. Contact <privacy@rockhopper.co> and we'll provide the export within one week.

## Data deletion

Rockhopper can perform a complete purge of specified accounts or data upon request. Contact <privacy@rockhopper.co> to initiate. After an export is provided, all associated data is purged within 24 hours.

## Secure disposal

When data reaches the end of its retention period or is no longer required, Rockhopper securely disposes of it using industry-accepted methods for secure deletion. All disposal actions are tracked through a ticketing system to maintain a documented chain of custody.

## Personal data protection

Rockhopper collects only the personal information necessary for operation — names and email addresses from your identity provider. The platform does not collect or store personal data outside this scope.

