1. Purpose, scope, and users
This policy defines the required retention periods for specified categories of personal data and the minimum standards to be applied when destroying certain information within Resolver Inc. (hereinafter the “Company”).
This Policy applies to all business units, processes, and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties.
This Policy applies to all company officers, directors, employees, agents, affiliates, contractors, consultants, advisors, or service providers who may collect, process, or have access to data (including personal and/or sensitive personal data). It is the responsibility of all the above to familiarise themselves with this policy and ensure adequate compliance with it.
This policy applies to all information used at the Company. Examples of documents include:
- Emails
- Hard copy documents
- Soft copy documents
- Video and audio
- Data generated by physical access control systems
2. Reference documents
- ISO/IEC 27001:2013 standard clauses 7.5.3, A.12.3.1, A.12.4.2, A.13.2.1, A.18.1.3
- ISO/IEC 27701:2019 standard clause 7.4.7
- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- Data Handling Policy
- Disposal and Destruction Policy
3. Rules
Company employees, members of the Board of Directors, and outsiders (i.e., independent contractors via agreements with them) are required to honor the following rules:
- No paper or electronic documents will be destroyed or deleted if pertinent to any ongoing or anticipated government investigation, proceeding, or private litigation.
- Records must be held in compliance with all applicable legal, regulatory, and contractual requirements.
- Records must not be held for any longer than required.
- The protection of records in terms of their confidentiality, integrity, and availability must be in accordance with their security classification.
- Records must always remain retrievable in line with business requirements.
- Where appropriate, records containing PII must be subject as soon as possible to techniques that prevent the identification of a living individual.
- Temporary files created during the processing of PII must be subject to documented retention policies and to procedures that implement those policies (for example, for destruction).
4. Terms of retention
4.1. Customers’ production data
- The retention period for customer data stored in Resolver’s production environment should be stipulated in the relevant Master Service Agreement (MSA).
- By default, data retention is 31 days for all Multi-Tenant environments.
4.2. Permanent retention
The following types of documents and records must be permanently retained:
- Governance records: Charter and amendments, by-laws, other organization documents, and governing board and board committee minutes.
- Tax records: filed federal tax returns/reports and supporting records, tax-exemption determination letter, related correspondence, and files related to tax audits.
- Intellectual property records: copyright and trademark registrations and samples of protected works.
- Financial records: audited financial statements and attorney contingent liability letters.
4.3. 10-Year retention
The following types of documents and records must be retained for no less than ten years:
- Pension and benefits records: Pension (ERISA) plan participant/beneficiary records, actuarial reports, related correspondence with government agencies, and supporting records.
- Government relations records: state and federal lobbying, political contribution reports, and supporting records.
4.4. 3-Year retention
The following types of documents and records must be retained for no less than three years:
- Employee/employment records (from date of termination or departure from the company): Employee names, addresses, social security numbers, dates of birth, resume/application materials, job descriptions, dates of hire and termination/separation, evaluations, compensation information, promotions, transfers, disciplinary matters, time/payroll records, leave/comp time, engagement and discharge correspondence, and documentation of the basis for independent contractor status.
- Lease, insurance, and contract/license records (from expiration date): software license agreements, vendor, hotel and service agreements, independent contractor agreements, employment agreements, consultant agreements, and all other agreements.
4.5. 1-Year retention
- All other electronic records, documents, and files must be retained for a minimum of one year.
- Logs and audit trails of all production environments must be retained for at least one year (365 days).
4.6. Retention of audit records
- Operational activity logs and audit trails of all production environments that store and process customer data must be retained for a minimum of one year.
- Operational activity logs and audit trails of the corporate IT infrastructure must be retained for a minimum of 180 days.
4.7. Retention general schedule
The Data Protection Officer (DPO) defines the time period for which the documents and electronic records should be retained through the Data Retention Schedule.
As an exemption, retention periods within the Data Retention Schedule can be prolonged in cases such as:
- Ongoing investigations by Member State authorities, if there is a chance that records of personal data will be needed by the Company to prove compliance with any legal requirements; or
- When exercising legal rights in cases of lawsuits or similar court proceedings recognized under local law.
4.8. Safeguarding of data during the retention period
Where appropriate to the classification of information and the storage medium, cryptographic techniques must be used to ensure the confidentiality and integrity of records.
Where PII is transmitted electronically over a network, appropriate controls must be used to ensure the data reaches its intended destination and is not compromised en route. These controls will typically involve the use of encryption techniques for data in transit, such as Transport Layer Security (TLS). These controls should be implemented where possible as part of the file transfer mechanism, such as secure FTP.
Care must be taken to ensure that encryption keys used to encrypt records are securely stored for the life of the relevant records and comply with the organization’s policy on cryptography.
Please refer to “A.8.2 Resolver Corporate Data Handling Policy”.
5. Managing records kept based on this document
| Record name | Storage location | Person responsible for the storage | Controls for record protection | Retention time |
|---|---|---|---|---|
| Data Retention Schedule | Box | Information Security Analyst | [e.g. Only authorized persons may access this document] | Permanently |
6. Retrieval
There is little point in retaining records if they are not able to be accessed in line with business or legal requirements. The choice and maintenance of record storage facilities must ensure that records can be retrieved in a usable format within an acceptable period. An appropriate balance should be struck between the cost of storage and the speed of retrieval so that the most likely circumstances are adequately catered for.
7. Destruction
Sensitive and confidential paper documents are shredded in the confidential paper shredding bins located in the company’s office. Before disposal, all hard drives and other digital media are wiped three times, and the device or digital media is then physically destroyed.
Please refer to “A.11.2 Resolver Disposal and Destruction Policy” for more information.
8. Routine disposal schedule
Records that may be routinely destroyed unless subject to an ongoing legal or regulatory inquiry are as follows:
- Announcements and notices of day-to-day meetings and other events, including acceptances and apologies;
- Requests for ordinary information such as travel directions;
- Reservations for internal meetings without charges / external costs;
- Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips, and similar items that accompany documents but do not add any value;
- Message slips;
- Superseded address lists, distribution lists, etc.;
- Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts, or extracts from databases and day files;
- Stocks of in-house publications which are obsolete or superseded; and
- Trade magazines, vendor catalogs, flyers, and newsletters from vendors or other external organizations.
In all cases, disposal is subject to any disclosure requirements that may exist in litigation; refer to clause 4, Terms of Retention, in this document.
9. Exceptions
Exceptions to these rules and terms for retention may be granted only by the company’s Chief Executive Officer or the Chairman of the Board of Directors.
10. Review
The retention and storage of records must be subject to a regular review process carried out under the guidance of management to ensure that:
- The policy on records retention and protection remains valid
- Records are being retained according to the policy
- Records are being securely disposed of when no longer required
- Legal, regulatory and contractual requirements are being fulfilled
- Processes for record retrieval meet business requirements
The results of these reviews must be recorded.
11. Non-Conformance
All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
12. Validity and document management
This document is valid as of August 2023.
The owner of this document is the InfoSec & Compliance Lead, who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- The number of incidents arising from the unclear definition of the ISMS scope.
EFFECTIVE ON: August 2023
REVIEW CYCLE: Annual at least and as needed