1. Purpose, scope, and users
This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within Resolver Inc. (further: the “Company”).
This Policy applies to all business units, processes, and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties.
This Policy applies to all company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and/or sensitive personal data). It is the responsibility of all the above to familiarise themselves with this policy and ensure adequate compliance with it.
This policy applies to all information used at the Company. Examples of documents include:
- Hard copy documents
- Soft copy documents
- Video and audio
- Data generated by physical access control systems
2. Reference documents
- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- Data Handling Policy
- Disposal and Destruction Policy
Company employees, members of the Board of Directors, and outsiders (i.e., independent contractors via agreements with them) are required to honor the following rule:
- No paper or electronic documents will be destroyed or deleted if pertinent to any ongoing or anticipated government investigation, proceeding, or private litigation.
4. Terms of retention
4.1. Customers’ production data
- The retention period for customer data stored in Resolver’s production environment should be stipulated in the relevant Master Service Agreement (MSA).
- By default, data retention is 31 days for all Multi-Tenant environments.
4.2. Permanent retention
The following types of documents and records must be permanently retained:
- Governance records: charter and amendments, by-laws, other organization documents, governing board, and board committee minutes.
- Tax records: filed federal tax returns/reports and supporting records, tax-exemption determination letter, and related correspondence, and files related to tax audits.
- Intellectual property records: copyright and trademark registrations and samples of protected works.
- Financial records: audited financial statements and attorney contingent liability letters.
4.3. 10-Year retention
The following types of documents and records must be retained for no less than ten years:
- Pension and benefits records: Pension (ERISA) plan participant/beneficiary records, actuarial reports, related correspondence with government agencies, and supporting records.
- Government relations records: state and federal lobbying and political contribution reports and supporting records.
4.4. 3-Year retention
The following types of documents and records must be retained for no less than three years:
- Employee/employment records (from date of termination or departure from company): Employee names, addresses, social security numbers, dates of birth, resume/application materials, job descriptions, dates of hire and termination/separation, evaluations, compensation information, promotions, transfers, disciplinary matters, time/payroll records, leave/comp time, engagement and discharge correspondence, and documentation of the basis for independent contractor status.
- Lease, insurance, and contract/license records (from expiration date): software license agreements, vendor, hotel and service agreements, independent contractor agreements, employment agreements, consultant agreements, and all other agreements.
4.5. 1-Year retention
- All other electronic records, documents, and files must be retained for a minimum of one year.
- Logs and audit trails of all production environments must be retained for at least one year (365 days).
4.6. Retention of audit records
- Operation activities, logs, and audit trails of all production environments, storing and processing customer’s data, must be retained for a minimum of one year.
- Corporate IT infrastructure, operations activity logs, and audit trails must be retained for a minimum of 180 days.
4.7. Retention general schedule
The Data Protection Officer (DPO) defines the time period for which the documents and electronic records should be retained through the Data Retention Schedule.
As an exemption, retention periods within the Data Retention Schedule can be prolonged in cases such as:
- Ongoing investigations from Member States authorities, if there is a chance that records of personal data are needed by the Company to prove compliance with any legal requirements; or
- When exercising legal rights in cases of lawsuits or similar court proceedings recognized under local law.
4.8. Safeguarding of data during the retention period
Please refer to “A.8.2 Resolver Corporate Data Handling Policy”.
5. Managing records kept based on this document
| Record name | Storage location | The person responsible for the storage | Controls for record protection | Retention time |
|---|---|---|---|---|
| Data Retention Schedule | Box | Information Security Analyst | [e.g. Only authorized persons may access this document] | Permanently |
Any sensitive and confidential paper documents or data are shredded in the confidential paper shredding bins located in the company’s office. Before disposal, all data on hard drives and other digital media are wiped three times, and then the device or digital media is physically destroyed.
For more information please refer to: “A.11.2 Resolver Disposal and Destruction Policy”.
7. Routine disposal schedule
Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:
- Announcements and notices of day-to-day meetings and other events including acceptances and apologies;
- Requests for ordinary information such as travel directions;
- Reservations for internal meetings without charges / external costs;
- Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips, and similar items that accompany documents but do not add any value;
- Message slips;
- Superseded address lists, distribution lists, etc;
- Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts, or extracts from databases and day files;
- Stock in-house publications which are obsolete or superseded; and
- Trade magazines, vendor catalogs, flyers, and newsletters from vendors or other external organizations.
- In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation; please refer to clause 4, “Terms of retention”, in this document.
Exceptions to these rules and terms for retention may be granted only by the company’s Chief Executive Officer or the Chairman of the Board of Directors.
All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
10. Validity and document management
This document is valid as of July 2020.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- The number of incidents arising from the unclear definition of the ISMS scope.
EFFECTIVE ON: September 2020
REVIEW CYCLE: At least annually and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.