Purpose and Scope
This data retention policy sets out the principles for the safe retention and destruction of data stored within the organization ("Shuffl"). This policy covers all data stored within Shuffl's custody or control, regardless of the medium the data is stored in. It refers to collection, transformation, processing accessing, updating, storing, transferring and destruction of digital data.
Within this policy, the medium which holds data is referred to as information, no matter what form it is in (hereinafter referred to as “information”). This policy applies to all users of information systems within the organization. This typically includes employees, consultants, and contractors, as well as any external parties or service providers that are provided access to systems and information the organization owns or controls (hereinafter referred to as “users”). This policy must be made readily available to all users.
Shuffl's Data Retention policy is necessary to comply with multiple legal, regulatory and contractual obligations with regard to the data it processes and retains. These obligations stipulate how long data can be retained, and how data must be destroyed. Examples of legal, regulatory and contractual obligations include laws and regulations in the local jurisdiction where the organization conducts business, and contracts made with employees, customers, service providers, partners and others.
Shuffl may also be involved in events such as litigation or disaster recovery scenarios that require it to have access to original information in order to protect the organization’s interests or those of its employees, customers, service providers, partners and others. As a result, the organization may need to archive and store information for longer than it may be needed for day-to-day operations.
For further detail, please refer to Shuffl's DPA, which extends these policies as listed.
Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business.
Information used in the development, staging, and testing of systems shall not be retained beyond their active use period nor copied into production or live environments.
By default, the retention period of information shall be an active use period of exactly two years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception.
After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed.
Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is considered to be the information owner.
Shuffl may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel.
Each employee, consultant, and contractor affiliated with Shuffl must return information in their possession or control to the organization upon separation and/or retirement. All confidentially clauses will be enforced past termination of employment.
Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties.
Archiving is defined as secured storage of information such that the information is rendered inaccessible by authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management.
Electronic records must be archived with strict access controls set by the information owner and appropriate to secure the confidentiality, integrity and accessibility of the information.
The default archiving period of information shall be 7 years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner.
As a guideline, an archiving period of more than 7 years may be granted for information with a vital historical purpose such as corporate records, contracts, and technical/trade secrets.
As a guideline, an archiving period of less than 7 years may be granted for information with a limited business purpose, or to comply with specific legal, contractual and/or regulatory requirements (e.g., PCI DSS, GDPR, etc.) which supersede these guidelines.
Information must be destroyed (defined below) at the end of the elapsed archiving period.
Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially-available means.
The organization must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived (database records or backup files).
Customer Data Deletion
Contact firstname.lastname@example.org to request an account data destruction or data deletion request. Data destruction will be processed timely with confirmations.
This policy is accessed by and distributed to all organization employees. Any employee found in this policy violation may be subject to disciplinary action including but not limited to termination.
Standard Controls Satisfied
TSC CC1.2, CC6.5, P4.2