Data retention policy
Purpose
The purpose of this policy is to ensure that necessary records and documents of Tribble are adequately protected and maintained, and that records that are no longer needed by Tribble or are of no value are discarded at the proper time. This policy also aims to help employees, contractors, etc. understand their obligations in retaining electronic documents - including e-mail, PDF documents, code files, or other file formats.
Scope
All critical corporate documents, files, policies, information, data, and records are governed by this policy. All company personnel (employees and contractors) are required to abide by this policy.
Policy
This policy governs the retention and disposal of records, including electronic documents. All data should be disposed of when it is no longer necessary for business use, according to the retention periods outlined below.
Type of Records and Retention Periods
Accounting and Finance
Type of Record | Retention Period
Accounts Payable ledgers and schedules | 7 years
Accounts receivable ledgers and schedules | 7 years
Bank Statements and canceled checks | 7 years
Contracts
Type of Record | Retention Period
Contracts (vendors, contractors, customers) | Indefinitely
Corporate Records
Type of Record | Retention Period
Annual meeting minutes | Indefinitely
Tax Records
Type of Record | Retention Period
Payroll Tax Records | Indefinitely
Tax Bills | Indefinitely
Electronic Documents
Type of Record | Retention Period
Email | 7 years
PDF | 7 years
Code | Indefinitely
Internal Records
Type of Record | Retention Period
Employee Policies | Indefinitely
External Customer PII
Type of Record | Retention Period
Invoices | 7 years
Delivery documents | 7 years
Employee Records
Type of Record | Retention Period
Background checks | Upon termination
W2 | 7 years
Pay stubs | 7 years
Property Records
Type of Record | Retention Period
Insurance | 7 years
Privacy Policies
Type of Record | Retention Period
External facing privacy notice | 7 years
Internal Data Privacy Policy | 7 years
All GDPR related documents | 7 years
Responsibility
This policy is managed and reviewed annually by the Compliance team.
Enforcement
The Tribble team will verify compliance with this policy through various methods, including but not limited to business tool reports and internal and external audits. Anyone found in violation of this policy may be subject to disciplinary action, up to and including termination.
Data archiving and removal policy
Information and Data Archiving
Archiving is defined as secured storage of information such that the information is rendered inaccessible to authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management.
Physical (e.g., paper) records must be archived in secured storage (onsite or offsite) and clearly labeled in archive boxes naming the information owner.
Electronic records must be archived with strict access controls set by the information owner and appropriate to secure the confidentiality, integrity, and accessibility of the information.
The default archiving period of information shall be three years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner.
As a guideline, an archiving period of more than three years may be granted for information with a vital historical purpose such as corporate records, contracts, and technical/trade secrets.
As a guideline, an archiving period of less than three years may be granted for information with a limited business purpose such as email, travel itineraries, pre-trip advisories, or to comply with specific legal, contractual and/or regulatory requirements.
Information and Data Destruction
Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially available means.
Tribble must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived, whether in physical storage media such as hard drives, mobile devices, portable drives or in database records or backup files. Physical information in paper form must be shredded using an authorized shredding device; waste must be periodically removed by approved personnel.
Data storage policy
Information and Data Handling
All emails containing PII must be encrypted
All data classified as confidential must follow the Data Classification Policy
PII must remain on secure networks, or a VPN must be used when on an unsecured corporate network
All confidential data is in an encrypted database
All sensitive or confidential data is backed up according to the Data Backup Policy
All sensitive or confidential data is processed according to the Data Processing Policy
No PII is saved directly on employee workstations
For hardcopy material, only the minimum PII may be used
All passwords are saved to a secure password vault
Software installation is prohibited, or restricted to appropriate IT staff
All employees, contractors, vendors, etc. handling sensitive or confidential data must abide by all Information Security and Privacy policies
All personal data is reviewed by management annually to ascertain that the data collection methods are appropriate and up to date
If personal data is lost, employees or contractors must report it to IT to contain the breach of personal data
Information and Data Retention
Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business.
The requirements for retention / backup will vary depending on many factors. It is the responsibility of the IT Department to write and implement an appropriate backup strategy for each system. The strategy should indicate:
The frequency of backups
The type of backup created (full or incremental)
The backup software / medium used
The nature of logs kept
An individual or group assigned to monitor success and failure of backups
Information used in the development and testing of systems shall not be sensitive or production data.
Depending on the nature of the data, an electronic log (generally part of the backup software) should be kept of every backup, including date and time.
By default, the retention period of information shall be an active use period of exactly three years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception.
After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed.
All data is encrypted.
Encryption keys are rotated on a periodic basis to ensure destruction of all aging backup copies.
Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy.
The responsible business unit is the information owner.
The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration, or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel.
Each employee and contractor affiliated with the company must return information in their possession or control to the organization upon separation and/or retirement.
All company data or intellectual property developed or gained during the period of employment remains the property of the company and must not be retained beyond termination or reused for any other purpose.
Refer to the Data Retention Policy for retention periods.
Data center location(s)
United States
Data hosting details
Cloud hosted
Data hosting company
Azure
App/service has sub-processors
no