⏱️ 2 minute read
This policy outlines the procedures and controls implemented by Forecast to ensure the secure and timely deletion of data in compliance with our legal, regulatory, contractual and business requirements including SOC 2 Trust Services Criteria for Confidentiality and Privacy.
Scope
This policy applies to all:
- Customer and employee data.
- Internal and external systems (including cloud platforms).
- On-premise servers and backup systems.
- Third-party data processors and storage providers.
Data Retention and Deletion Schedule
| Data Category | Data Type | Retention Period | Deletion Method | Responsible Role |
|---|---|---|---|---|
| Customer Data | Name, Account, Email | 90 days post-termination | Cryptographic erasure, overwrite | Data Protection Officer/Customer Success |
| System Logs | Access Logs | 180 days | Log rotation & secure overwrite | DevOps Engineer |
| Financial Records | Invoices, Receipts | 7 years | Archival & secure deletion | Finance Manager |
| Backup Archives | Full DB Backups | 30 days post-restore window | Automated deletion & encrypted storage | IT Manager |
| Support Records | Helpdesk Tickets | 2 years | Manual deletion (quarterly) | Support Team |
| Marketing Data | Campaign Emails | 1 year | Manual deletion | Marketing Manager |
Deletion Methods
Data will be deleted using one or more of the following approved methods:
- Crytographic erasure: Destroying encryption keys.
- Secure overwrite: Using DoD-compliant methods (shred, delete, etc).
- Cloud-native tools: Leveraging features like AWS S3 lifecycle policies, Google Vault deletion, etc.
Customer Deletion Requests
- Requests for data deletion must be submitted through email to support@forecast.app.
- Identity verification is required prior to data erasure.
- Requests will be completed within 30 days unless otherwise mandated following Forecast's Data Management & Escalation Process.
- A confirmation will be provided upon successful deletion.
Deletion of Backups
- Backups are retained only as long as necessary per the data retention schedule.
- Once expired, backups are deleted using secure deletion protocols.
- Redundant or orphaned backup copies will be included in deletion reviews.
Third-Party Responsibilities
- Contracts with third-party vendors must include data deletion clauses.
- Vendors are required to adhere to deletion requests within agreed SLAs.
- Third-party compliance (i.e. SOC 2, ISO 27001) must be validated annually.
Logging and Audit
- All deletion events are logged, including: Timestamp, data owner, deletion method and executor.
- Logs are retained for a minimum of 12 months and reviewed quarterly.
- Audit trails will be available during SOC 2 assessments.
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Data Protection Officer/Customer Success | Oversees compliance, approves requests, coordinates audits |
| IT/DevOps | Implements technical deletion methods, monitors backups |
| Legal/Compliance | Ensures regulatory alignment, advises on retention legality |
| All Employees | Must follow policy and attend data handling and deletion training annually. |
Policy Review
This policy is reviewed annually or upon significant changes to:
- Applicable regulations
- Data storage architecture
- Business operations
Comments
0 comments
Article is closed for comments.