Employee Confidentiality and Data Protection Agreement

Effective February 9, 2026

Agreement Overview

This Employee Confidentiality and Data Protection Agreement (“Agreement”) establishes the legal obligations of employees and contractors who have access to Beekeeper Studio systems and customer data.

Our Business: Beekeeper Studio is a desktop database client. Employees will have access to our cloud services (account management, support systems, code repositories) but not to customer databases. See Data Flow Diagram.

Purpose: Ensure all personnel understand their obligations regarding confidential information, data security, and privacy compliance.

Scope: All employees, contractors, interns, and temporary workers with access to company systems or customer data.

Important: All team members must sign the confidentiality agreement on Day 1 before receiving system access. The agreement template is maintained internally in Google Drive.

1. Signing and Tracking Procedures

2.1 When Agreement Must Be Signed

Required for:

All new hires before accessing any systems
Existing employees (one-time retroactive signing)
Contractors before receiving access credentials
Temporary workers with system access
Interns with access to customer data

Timeline:

New hires: Sign on first day, before system access granted
Existing employees: Sign within 30 days of policy effective date
Contractors: Sign before contract commencement
Re-sign when agreement substantially updated

2.2 Signing Process

Steps:

Provide Agreement: HR or manager provides signed copy to employee
Review Period: Employee has opportunity to review and ask questions
Sign Agreement: Employee signs electronically or physically
Company Countersignature: Authorized company representative signs
File in HR: Original filed in employee personnel file
Copy to Employee: Employee receives copy for records
Track in Register: Agreement logged in confidentiality agreement register

Electronic Signature: DocuSign or similar e-signature tool acceptable

2.3 Tracking and Compliance

Confidentiality Agreement Register:

Employee Name	Job Title	Hire Date	Agreement Signed	Signed Date	Training Completed	File Location
John Doe	Developer	2026-01-15	Yes	2026-01-15	2026-01-30	HR/johndoe.pdf
Jane Smith	Support	2026-02-01	Yes	2026-02-01	2026-02-15	HR/janesmith.pdf

Compliance Monitoring:

Monthly: Check all new hires have signed agreement
Quarterly: Verify 100% compliance for employees with system access
Annual: Audit register for completeness
Ad-hoc: Review before granting privileged access

Non-Compliance:

Employee without signed agreement: No system access granted
Existing employee refuses to sign: Escalate to HR and legal
Missing agreement discovered: Obtain signature within 7 days

2. Training Requirements

3.1 Initial Training (Within 30 Days of Hire)

Topics:

Information security policies
Data classification and handling
Password and MFA requirements
Phishing and social engineering awareness
Incident reporting procedures
FERPA and NDPA basics (for employees accessing student data)

Format:

Online training module (required)
Quiz to test comprehension (80% passing score)
In-person session for privileged users

Completion Tracking:

Training platform records completion
Certificate of completion filed with signed agreement
Non-completion blocks system access

3.2 Annual Refresher Training

Topics:

Policy updates from past year
Recent security incidents and lessons learned
New threats and attack vectors
Refresher on data handling requirements
Q&A session

Format:

30-minute online module
Annual security awareness email
Optional in-person session

Compliance:

Due date: Anniversary of hire date
Reminder sent 30 days before due date
Overdue training: Account access suspended after 14-day grace period

3.3 Privileged User Training

Additional Topics:

Privilege access responsibilities
Advanced security practices
Incident response procedures
Data breach notification requirements
NDPA deep-dive for those accessing student data

Frequency: Annual, plus updates when policies change

3. Offboarding Checklist

Employee Termination - Confidentiality Obligations

Immediate (Day of Termination):

Remind employee of ongoing confidentiality obligations
Collect all company property (devices, keys, badges)
Request deletion of company data from personal devices
Provide exit interview covering confidentiality

Within 7 Days:

Employee provides written certification of data deletion
HR verifies all company property returned
Final access review to ensure all access revoked
Document any concerns or violations

Reminder Letter:
Send written reminder of post-employment obligations:

Dear [Employee],

As your employment with Beekeeper Studio ends, we remind you of your continuing
obligations under the Employee Confidentiality and Data Protection Agreement you
signed on [Date]:

- Maintain confidentiality of all company and customer information
- Do not disclose or use confidential information for any purpose
- Student data protection obligations continue indefinitely under NDPA
- Return all company property and delete all company data
- No retention of customer data, source code, or proprietary information

Violation of these obligations may result in legal action. If you have questions,
contact [HR/Legal Contact].

Sincerely,
[Company Representative]

Information Security Policy - Overall security framework
Access Review and Management Policy - Access control requirements
Data Retention and Deletion Policy - Data handling procedures
Incident Response Plan - Breach reporting procedures

Document Information

Version: 1.0
Effective Date: 2026-02-09
Last Reviewed: 2026-02-09
Next Review Due: 2027-02-09
Document Owner: HR / Legal / Security Contact
Approved By: CEO / Legal Counsel

Appendix A: Quick Reference - Employee Data Protection Responsibilities

DO:

✅ Keep all customer and student data confidential
✅ Use strong passwords and enable MFA
✅ Lock your screen when away
✅ Encrypt sensitive data
✅ Report security incidents immediately
✅ Complete required security training
✅ Follow all security policies
✅ Ask questions if unsure

DON’T:

❌ Share passwords or credentials
❌ Access data you don’t need for your job
❌ Store company data on personal devices
❌ Discuss confidential matters in public
❌ Use customer data for personal purposes
❌ Take company data when leaving
❌ Ignore security warnings or alerts
❌ Disable security features

REPORT IMMEDIATELY:

🚨 Suspected data breach
🚨 Lost or stolen devices
🚨 Phishing emails
🚨 Unauthorized access attempts
🚨 Security policy violations

Contact: security@beekeeperstudio.io

Appendix B: For Educational Customers - Student Data Obligations

Applies: When serving educational institutions with NDPA agreements

Important: Student data only appears in our systems if staff voluntarily saves it to cloud workspaces or shares it in support tickets. We do NOT access school databases.

Strict Prohibitions:

❌ Never use student data for targeted advertising
❌ Never sell or share student data with third parties
❌ Never create profiles of students for non-educational purposes
❌ Never use student data for product marketing

Required Practices:

✅ Access student data only to provide services (support, cloud workspace management)
✅ Treat all student data as highly confidential (FERPA-protected)
✅ Report any student data breach within 1 hour (72-hour notice to LEA per Incident Response Plan)
✅ Delete student data upon LEA request (within 60 days per Data Retention Policy)

Your Role as “School Official”:

When accessing student data, you act as a “school official” under FERPA with legitimate educational interest in providing our service.

Violations Have Serious Consequences:

FERPA/NDPA violations: Legal liability, contract breach
Employment: Immediate termination

When in doubt about student data, ask CTO/Security Contact first.