xcPEP Data Retention and Deletion Policy

xcPEP Data Retention and Deletion Policy

 

1. Purpose and Scope

This Data Retention and Deletion Policy defines Advanced Structures India Private Limited's guidelines and procedures for retaining and securely deleting customer data and other relevant information processed within the xcPEP SaaS platform. The policy aims to comply with legal, regulatory (e.g., GDPR, local data protection laws), and contractual obligations, while minimizing data retention to what is necessary.

2. Data Classification

All data within xcPEP is categorized (e.g., customer content, usage logs, audit trails, account information) to determine appropriate retention periods based on its sensitivity, legal requirements, and business value.

3. Data Retention Periods

  • Standard Retention: Customer Content Data (data uploaded or generated by the customer through the service) is retained for the duration of the customer's active subscription. Following subscription termination or expiration, customer data is retained for a grace period of 30-90 days to allow for data retrieval, after which it is queued for deletion.
  • Custom Retention Policies: We provide capabilities for customers to define and implement custom data retention timelines for their specific data, where technically feasible. These custom policies override standard retention where applicable.
  • Legal/Regulatory Holds: Data may be retained beyond standard periods if required by a legal obligation, court order, regulatory request, or ongoing investigation.
  • System Logs and Audit Trails: Retained for 90 days to 1 year for security, troubleshooting, and compliance purposes.
  • Account Data: Retained for the duration of the business relationship and for a period thereafter as required for financial, legal, or audit purposes.

4. Data Deletion Procedures

  • Upon Termination of Service: Following the grace period after subscription termination, all customer-specific data (including from active systems and backups) associated with the terminated account is securely deleted in accordance with our documented procedures.
  • Right to Erasure (Right to be Forgotten): We facilitate the customer's ability to respond to individual data subject requests for erasure. Upon receiving a valid erasure request from a customer (as the data controller), we will delete the specified Personal Data from our active systems and backups within 30 days, unless retention is required by law.
  • Scheduled Deletion: Automated or manual processes are in place to identify and securely delete data that has reached its defined retention limit.
  • Secure Deletion Methods: We employ industry-standard secure deletion and sanitization methods to ensure data cannot be reconstructed or recovered. This includes cryptographic erasure, overwriting techniques, and secure destruction of storage media where applicable.

5. Audit Trails for Deletion

Records of data deletion, including dates and methods used, are maintained for audit and compliance purposes.

6. Responsibilities

The Operations, Data Management, and Security teams are jointly responsible for implementing and enforcing this policy, including the execution of data retention and deletion processes.

7. Policy Review and Updates

This Data Retention and Deletion Policy is reviewed at least annually and updated as necessary to comply with evolving legal requirements, industry best practices, and changes in our data processing activities.