Clean Desk Policy
Owner: Martin Remmelgas
Review date: 17 April 2026
-
Purpose
This Clean Desk Policy establishes requirements for managing physical information and securing sensitive materials at workstations. It is designed to reduce the risk of unauthorized access, loss, or theft of confidential information, and to support compliance with ISO/IEC 27001, SOC 2, and GDPR.
-
Scope
This policy applies to all individuals accessing Codemagic facilities or information assets, including full-time and part-time employees, contractors, consultants, temporary staff, and on-site third-party vendors.
-
Policy Requirements
During Working Hours
Only materials actively required for current work should be on the desk. Sensitive documents must not be left unattended when stepping away, even briefly. Computer screens must be locked when leaving the workstation (Cmd+Ctrl+Q). Visitor-facing areas must not display any confidential information.
End of Day
All documents, notebooks, and removable media (USB drives, hard drives) must be secured in a locked drawer or cabinet. Whiteboards containing sensitive information must be erased before leaving. Printers and shared devices must be cleared of all documents. Workstation screens must be locked or logged off.
Ongoing
Passwords must never be written down and left on or near a workstation. Confidential documents must be shredded when no longer needed — not placed in general waste. Access badges and keys must be stored securely and never left unattended.
-
Remote Work
Employees working from home or public locations must apply the same standards. This includes locking screens when not in use, securing physical documents, and ensuring screens are not visible to others (e.g., in coffee shops or shared spaces).
-
Enforcement
Compliance with this policy is mandatory. Violations may result in disciplinary action up to and including termination, depending on severity. Managers are responsible for ensuring their teams adhere to this policy. Periodic audits may be conducted to assess compliance.
-
Exceptions
Exceptions must be submitted in writing to your team lead and approved by the CEO. Approved exceptions will be documented and reviewed quarterly.