Data Retention and Destruction
Purpose: This policy aims to define the protocols for how long customer data will be kept and the secure methods for its disposal once the data has served its intended purpose.
Scope: This policy applies to all customer data acquired and stored across all platforms and mediums during the Salesforce implementation process.
1 Principles of Data Retention:
Minimum Necessary Period: Customer data will only be retained for the period necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, or internal policy requirements.
Clear Retention Periods:Each type of customer data will have a clearly defined retention period, which will be communicated to the client at the start of the engagement.
2 Specific Retention Durations:
Salesforce Implementation Data: Data explicitly used for the Salesforce implementation process will be retained for a period of 3 months, after which it will be set for deletion unless a legal or regulatory reason dictates otherwise.
Engagement Documentation:The engagement-related documentation, excluding the actual customer data, will be retained for 7 years for reference and compliance purposes.
3 Data Destruction Protocols:
Digital Data: Data stored on digital platforms like Salesforce, Miro, Notion, and Google Drive will be permanently deleted after the retention period. Deleted data will also be removed from backups and other secondary storage solutions.
Physical Data (if applicable): Any customer data that exists in physical form will be destroyed using secure methods such as shredding. A record of the destruction, including the date and practice, will be maintained.
Third-party Tools and Services: When data is shared with third-party tools or services (e.g., for analysis or processing), these parties will be contractually obligated to destroy the data after the engagement or adhere to Elucidate Group's retention policies.
4 Regular Audits:
Periodic audits will ensure that data retention practices are followed and that data marked for deletion has been properly destroyed.
5 Breach Protocol:
Should there be an unintended exposure or leak of data scheduled for destruction:Immediate actions will be taken to contain and rectify the situation.Affected parties, including clients, will be informed.An internal investigation will be launched to understand the breach's root causes, followed by implementing corrective and preventive measures.
Review and Updates:This Data Retention and Destruction Policy will be reviewed annually or upon significant legal, regulatory requirements, or company process changes.
