Data Retention Policy
2025.1
Reviewed: 9/23/2024
Updated: 9/23/2024
Purpose and Scope:
- This data retention policy defines the objectives and requirements for data retention within IMPLAN.
- This policy covers all data within IMPLAN's custody or control, regardless of the medium the data is stored in (electronic form, paper form, etc.) Within this policy, the medium which holds data is referred to as information, no matter what form it is in.
- This policy applies to all users of information systems within IMPLAN. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information IMPLAN owns or controls (hereinafter referred to as "users"). This policy must be made readily available to all users.
Background:
- IMPLAN is bound by multiple legal, regulatory and contractual obligations with regard to the data it retains. These obligations stipulate how long data can be retained, and how data must be destroyed. Examples of legal, regulatory and contractual obligations include laws and regulations in the local jurisdiction where IMPLAN conducts business, and contracts made with employees, clients, service providers, partners and others.
- IMPLAN may also be involved in events such as litigation or disaster recovery scenarios that require it to have access to original information in order to protect IMPLAN's interests or those of its employees, clients, service providers, partners and others. As a result, IMPLAN may need to archive and store information for longer thanit may be needed for day-to-day operations.
Controls and Procedures
Data Retention Policy:
- Information Retention
a. Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business.
b. In relation to IMPLAN Cloud, active use is defined as the length of any active subscription.
c. User data used in the development, staging, and testing of systems shall not be copied into production or live environments.
d. In relation to IMPLAN Cloud, and by default, the retention period of information shall be no shorter than one (1) year.
e. After the active use period of information is over, information will be retained for 60 days.
f. At any point, either during active use or after, should a client require that data be destroyed from the live environment, they must put in a request to their Customer Service Manager or via support@implan.com.
g. Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is considered to be the information owner.
h. IMPLAN's leadership or legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel.
i. Each employee and contractor affiliated with the company must return information in their possession or control to IMPLAN upon separation and/or retirement.
j. Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties. - Information Backups
a. Digital information pertaining to any web application produced or managed by IMPLAN shall have daily backups created.
b. Digital backups will be encrypted.
c. Digital backups will be tested quarterly.
d. Digital backups will be retained for 35 days. - Information Archiving
a. Archiving is defined as secured storage of information such that the information is rendered inaccessible by unauthorized users in the ordinary course of business but can be retrieved by an authorized user.
b. The default archiving period of information shall be 7 years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner.
c. Information must be destroyed (defined below) at the end of the elapsed archiving period. - Information Destruction
a. Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially-available means.
b. IMPLAN must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived, whether in physical storage media such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives or in database records or backup files. Physical information in paper form must be shredded using an authorized shredding device; waste must be periodically removed by approved personnel.
c. Retention and archival periods for information that is created, processed, stored and used by IMPLAN is defined internally.