Data Retention Policy
1. Table of Contents
1 – Table of Contents
2 – Summary
3 – Policy
3.1 – Reasons for Data Retention
3.2 – Data Duplication
3.3 – Retention Requirements
3.3.1 – Personal
3.3.2 – Public
3.3.3 – Operational
3.3.4 – Confidential
3.3.5 – Critical
3.4 – Retention of Encrypted Data
3.5 – Data Destruction
3.5.1 – Applicability of Other Policies<
4 – Audience
5 – Enforcement
6 – Cross Reference / Authority.
7 – Definitions
Synerio Technologies, Inc., its current and future subsidiaries, and its current and future affiliates are hereinafter referred to as “Company.”
2. Summary
The need to retain data varies widely with the type of data. Some data can be immediately deleted, and some must be retained until reasonable potential for future need no longer exists. Since this can be subjective, a retention policy is important to ensure that the Company’s directives on retention are consistently applied throughout the organization.
The purpose of this policy is to specify the Company’s directives for retaining diverse types of data.
3. Policy
3.1 – Reasons for Data Retention
The Company does not wish to simply adopt a “save everything” mentality. That is not practical or cost-effective and would place an excessive burden on the IT Staff to manage the constantly-growing amount of data.
Some data, however, must be retained in order to protect the Company’s interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
A. Litigation
B. Accident investigation
C. Security incident investigation
D. Regulatory requirements
E. Intellectual property preservation
F. Legal obligations
G. Contractual obligations
3.2 – Data Suplication
As data storage increases in size and decreases in cost, companies often err on the side of storing data in several places on the network. A common example of this is where a single file may be stored on a local user’s machine, on a central file server, and again on a Backup system. When identifying and classifying the Company’s data, it is important to also understand where that data may be stored, particularly as duplicate copies, so that this policy may be applied to all duplicates of the information.
3.3 – Retention Requirements
This section sets default guidelines for retaining the different types of Company data. In the event a more specific retention requirement exists for a particular service within the Company service profiles, that retention requirement shall be used.
Some data must be retained for legal or regulatory reasons and generally must be retained for the period under which legal investigations for compliance with state and federal laws apply.
Some data must be retained for reasons specified in agreements between the Company and its customers. Such data will be retained for the period as specified in these agreements.
3.3.1 – Personal
There are no retention requirements for personal data. In fact, the Company requires that it be deleted or destroyed when it is no longer needed.
3.3.2 – Public
There are no retention periods for Public Data.
3.3.3 – Operational
Most Company data will fall in this category. Operational data subject to SOC audits must be retained for a minimum of 1 year with retention not to exceed two years where possible.
3.3.4 – Confidential
A. Synerio Data Platform customer data will be retained for seven years from the point of receipt. However, this retention period may be altered in accordance with the customer contract or as required by law.
B. Synerio Engage confidential data will be retained for two years from the sold date of the prescription. However, this retention period may be altered in accordance with the customer contract or as required by law.
3.3.5 – Critical
A. Synerio Data Platform critical data will be retained indefinitely.
B. Synerio Engage critical data will be for two years.
3.4 – Retention of Encrypted Data
If any information retained under this policy is stored in an encrypted format, considerations must be taken for secure storage of the Encryption Keys. Encryption Keys must be retained as long as the data that the Encryption Keys decrypt is retained.
3.5 – Data Destruction
Data destruction is a critical component of a data retention policy. Data destruction ensures that the Company will not get buried in data, making data management and data retrieval more complicated and expensive than it needs to be. Exactly how certain data should be destroyed is covered in the ENT-STD-0003 Information Asset Classification Standard.
When the retention timeframe expires, the Company must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the policy can be considered. Since this decision has long-term legal implications, only a member or members of the Company Security Committee will approve exceptions.
The Company specifically directs users not to destroy data in violation of this policy. Particularly forbidden is destroying data that a user may feel is harmful to him or herself or destroying data in an attempt to cover up a violation of law or company policy.
3.5.1 – Applicability of Other Policies
This document is part of the Company’s cohesive set of security policies, standards, guidelines, and procedures. Other policies, standards, guidelines, and procedures may apply to the topics covered in this document and as such, the applicable policies, standards, guidelines, and procedures should be reviewed as needed.
4. Audience
This policy applies to all Company departments and Workforce Members, defined for the purposes of this document to be departments and Workforce Members of all current and future subsidiaries of the Company.
This policy supersedes all previously defined policies relating to the content herein.
5. Enforcement
The Executive Management Team and/or Board of Directors of the Company, or those authorized by the Executive Management Team and/or Board of Directors will enforce this policy. A Workforce Member found to have deliberately violated this policy will be subject to disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment or cancellation of any contracting agreement.
Where illegal activities or theft of Company property (physical or intellectual) is suspected, the Company may report such activities to the applicable authorities. In the case where inappropriate access, use, or disclosure of Controlled Information is determined to have occurred; the Security Committee shall decide whether such actions require reporting to the appropriate enforcement agencies.
6. Cross-Reference/Authority
- ENT-STD-0003 Information Asset Classification
7. Definitions
| Term |
Definition |
| Backup | To copy data to a second location, solely for the purpose of safe keeping of that data. |
| Controlled Information | Information classified as Confidential or Critical by the ENT-0070-STD Asset Classification standard. |
| Encryption | The process of encoding data with an algorithm so that it is unintelligible without the Encryption Key. Used to protect data during transmission or while stored. |
| Encryption Key | An alphanumeric series of characters that enables data to be encrypted and decrypted. |
| Protected Health Information (PHI) | Individually identifiable information relating to past, present, or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present, or future payment for health care provided to an individual. |
| Workforce Member | Any employee, contractor, agent, volunteer, trainee, or other person whose conduct, in the performance of work for the Company, department, its offices, programs, or facilities, is under the direct control of the Company, department, office, program, or facility, regardless of whether the Company pays them. |