4.6 Data Retention and Disposal Policy
Purpose and Scope
This Data Retention and Disposal Policy describes how customer data is retained and disposed of, and ensures that this is carried out in a consistent manner. From time to time, Sord may update this policy. This policy is guided by security requirements specific to Sord, including compliance with applicable laws and regulations.
All personnel are required to read, accept and follow all Sord policies and plans upon starting and at least annually.
Data Retention
The time period for which Sord retains customer data depends on the purpose for which it is used. Sord retains customer data for as long as an account is active or in accordance with the agreement(s) between Sord and the customer, unless Sord is required by law to dispose of it earlier or keep it longer.
Data Disposal
Sord disposes of customer data within 30 days of a request by a current or former customer or in accordance with the customer’s agreement(s) with Sord. Sord may retain and use data necessary for the contract, such as proof of contract, in order to comply with its legal obligations, resolve disputes, and enforce agreements. Sord's hosting and service providers are responsible for ensuring the removal of data from disks allocated to Sord use before they are repurposed, and for the destruction of decommissioned hardware.
Only a limited number of Sord employees can delete customer data. This list includes the Senior Management and Engineering organizations. Upon employee or contractor termination, company-owned devices will be collected and sanitized prior to reissuance in accordance with the NIST Guidelines for Media Sanitization (NIST SP 800-88 Rev. 1).
Exceptions
Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.
The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and to prevent any other security breaches.
Responsibility, Review, and Audit
Sord reviews and updates its security policies and plans at least annually to maintain organizational security objectives and meet regulatory requirements.
This document is maintained by Jonathan Gautsch.
This document was last updated on 03/27/2024.