graphgrc

Data Retention Standard

Requirements for data retention and secure deletion.

Scope

All data collected, processed, or stored by the organization, including customer data, employee data, and business records.

Retention Requirements

Customer Data

• Production data (PII, usage data): Retain while customer relationship active + 90 days after termination
• Customer support tickets: 3 years
• Payment/billing records: 7 years (regulatory requirement)
• Customer contracts: Duration of contract + 7 years

Employee Data

• Personnel files: 7 years after employment ends
• Payroll records: 7 years
• Background checks: Duration of employment + 1 year
• Security training records: 3 years

Security and Audit Data

• Audit logs: 2 years (SOC 2 requirement)
• Security logs: 1 year minimum
• Vulnerability scan reports: 1 year
• Penetration test reports: 3 years
• Incident response reports: 7 years

Application and Infrastructure Data

• Application logs (non-security): 30 days
• Infrastructure metrics: 90 days
• Database backups: 30 days (see backup-standard.md)
• Source code: Indefinite (version control)

Business Records

• Contracts and agreements: Duration + 7 years
• Financial records: 7 years
• Email: 3 years (auto-delete)
• Slack messages: 1 year

Data Deletion

Secure Deletion Methods

• AWS S3: Versioning deleted, empty bucket, delete bucket
• RDS: Final snapshot (retained per retention policy), then delete instance
• Encrypted storage: Delete encryption key (cryptographic erasure)
• SaaS data: Use vendor deletion API, request attestation of deletion

Customer Data Deletion

• Triggered by customer request (GDPR Right to Erasure) or account termination
• Completed within 30 days of trigger
• Exceptions: Data required for legal/regulatory compliance (document exception)
• Backup tapes: Expire naturally (document in deletion report)

Employee Data Deletion

• Triggered by end of retention period
• PII deleted, anonymize data used for analytics
• Exceptions: Legal hold, ongoing investigations

Data Minimization

• Collect only data necessary for business purpose
• Review data collected quarterly, eliminate unnecessary collection
• Anonymize or pseudonymize data where possible

Exceptions and Legal Holds

• Legal department can place hold on deletion for litigation
• Documented exception process with approval required
• Hold tracked in legal hold system, reviewed quarterly

References

• Related controls: DAT-03, DAT-04
• GDPR Article 17 (Right to Erasure)
• SOC 2 retention requirements

Control Mapping

• DAT-03: Data Retention & Deletion ^[Retention periods for customer data, employee data, logs, and business records]
• DAT-04: Data Privacy (GDPR Compliance) ^[Customer data deletion within 30 days, Right to Erasure implementation, data minimization]
• INF-03: Logging & Monitoring ^[Audit log retention for 2 years per SOC 2, security logs for 1 year minimum]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.