Internal Documentation

Data Disposal Policy

Purpose

The purpose of this policy is to establish guidelines and procedures for the secure disposal of customer data stored in cloud environments, ensuring compliance with data protection regulations and maintaining the confidentiality of customer information.

Scope

This policy applies to all customer data stored in cloud environments, specifically:

  • Amazon S3 (Simple Storage Service)
  • Fly.io platform volumes

Policy

Data Storage Locations

Customer data is exclusively stored in the following cloud environments:

  • Amazon S3 buckets
  • Fly.io platform volumes
  • Google drive

No customer data is permitted to be stored on employee laptops or any other local devices.

Data Retention

  • We retain customer data for as long as customers maintain an active subscription to our services.
  • Upon request from a customer or user, we will delete their data in accordance with our Data Disposal Procedures.
  • For customers who have churned (cancelled their subscription), we may delete their data after a specified period, typically 90 days after the end of their subscription, unless otherwise specified in their contract or by applicable laws and regulations. This is not required, and data may be retained indefinitely if useful for analytics, or for any other reason.
  • In cases where regulatory requirements or contractual obligations necessitate longer retention periods, we will comply with those requirements.

Data Disposal Procedures

Amazon S3

  1. Data deletion:
    • Use S3’s object deletion API or console to remove individual objects.
    • For bulk deletions, use S3 batch operations or lifecycle policies.
  2. Bucket deletion:
    • Empty the bucket of all objects and delete the bucket itself when no longer needed.
  3. Versioning:
    • If versioning is enabled, ensure all versions of objects are deleted.

Fly.io Volumes

  1. Data Deletion:
    • Use Fly.io’s API or CLI to securely delete data from volumes.
  2. Volume Destruction:
    • Destroy volumes that are no longer needed using Fly.io’s volume destruction feature.

Verification

After deletion, verify that data has been successfully removed from all locations.

Maintain logs of all data disposal actions for audit purposes.

Employee Responsibilities

  1. Employees are prohibited from storing customer data on local devices, including laptops.
  2. All data access and disposal must be done through secure, authorized cloud interfaces.

Disposal Triggers

  1. Customer Request: Promptly dispose of data upon customer request, subject to legal and contractual obligations.
  2. End of Retention Period: Automatically dispose of data that has reached the end of its defined retention period.
  3. Contract Termination: Dispose of all customer data upon termination of services, as per contractual agreements.

Documentation and Auditing

  1. Maintain detailed logs of all data disposal activities.
  2. Conduct regular audits to ensure compliance with this policy.
  3. Review and update this policy annually or when significant changes occur in data storage practices.

Compliance

  1. This policy is designed to comply with relevant data protection regulations, including but not limited to GDPR, CCPA, and other applicable laws.
  2. Any violations of this policy may result in disciplinary action, up to and including termination of employment.

Policy Review

This policy will be reviewed annually and updated as necessary to reflect changes in technology, business practices, and regulatory requirements.

Visibility

This document is confidential and is a proprietary work product of Cadence OneFive. The information contained herein may not be copied or distributed without the specific written consent of Cadence OneFive.