handbook/handbook-main/guides/security/document_sharing.txt

## Sharing documents outside Made Tech

We know that many teams collaborate directly with clients, suppliers and partners through our Google Workspace, and that working that way is a key part of both our culture and process. We want to enable that whilst also making sure that we’re only granting access to information to people who need it for as long as they need it.

- We should only share drives and docs with business email addresses: don’t add personal accounts (including your own!) to any Made Tech owned file without clearing this with the Ops team.
- Only grant edit access where you know this is needed: ‘View’ or ‘Comment’ access is usually fine for guests, so please use these by default.
- Wherever possible set an expiration date for access (this is a new update from Google workspace as of November 2022 which allows you to add an expiration date when sharing a file).
- Remove external access to folders and files when it’s no longer needed.
- Please regularly review any shared drives, folders or files you manage to make sure permissions and access are correct - especially for any external users. 
- We’re now logging all external sharing and downloading and we’ll be looking to build some better processes and controls to manage this in a rapidly growing organisation (and in line with our ISO27001 certification).

Contact the Ops team at #ops-infosec on slack if you want help reviewing the structure or permissions on any folders you own; or if you have any clients, partners or other stakeholders using personal emails for legitimate access to our data.