All documents
PDF DCB-v1.0

IT Policy

Data Classification and Data Backup Policy

Tree (tree.com.hk) · Effective 2026-01-15

Prepared by

Max.chan@mediaworld.com.hk

Approved by

Date

2026-01-15

Version

DCB-v1.0

1 Purpose

This policy defines how Tree (tree.com.hk) protects and backs up company data. Tree does not use formal data classification levels — all business data is treated with the same level of protection and backup.

2 Scope

This policy applies to all data on Tree (tree.com.hk) systems:

SystemData Covered
File ServerShared documents, departmental files, and user personal folders
QuickBooksFinancial and accounting data
POS SystemSales and transaction records (Visa card payments via payment gateway — not stored locally)
Online Sales SystemOnline orders and customer data (Visa card payments via payment gateway — not stored locally)

Office PCs are not backed up directly. Save work to the file server personal folder.

Visa card payment information is handled by the payment gateway only — Tree systems do not store card details.

3 Data Handling

  • Tree does not operate a formal data classification scheme (e.g., Public / Internal / Confidential).
  • All company data on the systems listed above is considered business data and must be handled with care.
  • End users should not share company data outside the organization without management approval.
  • Sensitive information (e.g., passwords, customer personal data) must not be stored on personal devices or unapproved services.
  • Visa card payment information is processed by the payment gateway only and must not be stored in Tree's systems.

4 Data Backup Requirements

All business data is backed up daily. Each backup is kept in two locations:

CopyStorage Location
Copy 1 — LocalOn-site at Tree premises (local backup storage)
Copy 2 — CloudOff-site cloud data center
System / DataLocalCloud
File ServerDailyDaily
QuickBooksDailyDaily
POS SystemDailyDaily
Online Sales SystemDailyDaily

4.1 Backup Security

  • All backups are kept in local storage and the cloud data center only.
  • All backup copies are secured and protected from unauthorized access, loss, and corruption.
  • Only IT administrators may access backup data for restore, maintenance, or monitoring.
  • End users and other staff do not have access to backup systems or backup copies.
  • Backups are retained for 7 days, then securely deleted.

4.2 DR Recovery Test

  • A Disaster Recovery (DR) test is performed yearly to confirm backups can be restored.
  • The test is file-based — sample files are restored from backup and verified by IT.
  • DR test results are documented and kept on record.

4.3 General Rules

  • Data must be stored on the file server or approved systems — not only on local office PCs.
  • QuickBooks, POS, and online sales data must be included in the company backup plan.
  • Backup copies must be stored separately from production — one local, one cloud.

5 Responsibilities

  • IT Team: Manage backups, secure backup access (IT administrator only), perform restores, and conduct the yearly file-based DR recovery test.
  • Management: Approve any exception to this policy.
  • End Users: Save work to the file server personal folder and report data loss to IT immediately.

6 Review

This policy will be reviewed at least once per year.

Change Management Next: Physical Security