Data Retention Policy
Internal Use
Data Deletion Policy
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 3.0 |
| Cadence | Annual |
| Policy Owner | Chief Information Security Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-3, DCF-13, DCF-25, DCF-32, DCF-38, DCF-39, DCF-40, DCF-45, DCF-46, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-68, DCF-76, DCF-77, DCF-78, DCF-79 |
1. PURPOSE AND SCOPE
1.1 Purpose
This policy defines how Dispel retains and deletes customer and company data so that data is kept only as long as necessary and destroyed securely when no longer needed.
1.2 Scope
This policy applies to:
- Customer data held in Dispel-managed production systems.
- Company data stored on equipment and media that may be decommissioned or repurposed.
- Backup copies and archives that contain in-scope data.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC6.5, CC8.1 | Supports Trust Services Criteria related to logical access, data retention, and disposal. |
| 2 | ISO/IEC 27001 | A.5.34, A.5.35 | Supports Annex A controls for information retention and secure disposal. |
| 3 | NIST SP 800-53 | MP-2, MP-6 | Implements media protection controls for media access and sanitization. |
| 4 | IEC 62443 | 62443-3-3.SR2.1 | Aligns with requirements for protection of data and secure disposal in industrial/OT systems. |
| 5 | HIPAA | 164.310(d)(2) | Supports Security Rule implementation specification for disposal of PHI when in scope. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL retain data only for as long as necessary to meet legal, regulatory, contractual, and business requirements and SHALL securely delete or destroy data when it is no longer needed.
2.3 Secondary Policy Statements
At a minimum, Dispel SHALL:
- Define retention periods for key data types in supporting standards or registers.
- Ensure data deletion and destruction methods are appropriate to the medium and classification of data.
- Document responsibilities for retention and deletion across systems and media.
3. REQUIREMENTS
3.1 Customer Data Lifecycle
Objective: Ensure consistent retention and deletion behavior for customer accounts and data.
Mandatory Activities:
- Customer data SHALL be retained for as long as the account is in active status.
- When a customer voluntarily closes an account, the account and related data SHALL enter an “expired” state and be retained for 90 days before permanent deletion, unless retention is required by law or contract.
- For involuntarily suspended accounts, there SHALL be a 30-day grace period during which the account is inaccessible but may be restored if obligations are met, followed by up to 60 additional days before closure and transition to the “expired” state. Data MAY be permanently removed 90 days after that, unless retention is required by law.
- Customers wishing to back up their data manually SHALL keep their accounts in good standing, since the user interfaces and export mechanisms are accessible only to accounts in good standing.
Required Outputs:
- Documented account lifecycle states and timelines.
- Customer-facing documentation describing retention and deletion behavior.
Security Controls: CC6.5, CC8.1.
Approval Required: Policy Owner, Product Owner.
3.2 Media and Equipment Disposal
Objective: Ensure secure deletion and destruction of data on equipment and media.
Mandatory Activities:
- All confidential data stored on mobile storage media (e.g., CD, DVD, USB flash drive, memory cards, paper) SHALL be erased or the medium destroyed before disposal.
- Equipment owners SHALL be responsible for checking and erasing data from equipment unless the Data Classification Policy prescribes differently.
- SSDs and hard drives used for in-scope data SHALL use full disk encryption; disposal procedures SHALL include cryptographic erasure (e.g., encrypt with a strong key and then erase the key) or multi-pass overwrite consistent with applicable standards.
- Magnetic media SHALL be overwritten at least three times to meet U.S. Department of Energy standards and seven times when required to meet U.S. Department of Defense 5220.22-M standards.
- Paper documents marked “Confidential” SHALL be destroyed in shredders; classified materials SHALL be destroyed consistent with U.S. Department of Defense 5220.22-M section 5-705, Methods of Destruction.
Required Outputs:
- Documented media sanitization and destruction procedures.
- Records of destruction for high-risk or regulated data.
Security Controls: MP-2, MP-6; 164.310(d)(2).
Approval Required: Policy Owner.
3.3 SaaS and Cloud Storage
Objective: Clarify retention and deletion responsibilities when using SaaS and cloud providers.
Mandatory Activities:
- For SaaS providers (e.g., Microsoft, Box), Dispel SHALL rely on provider controls to perform deletion operations, but SHALL configure and manage retention settings consistent with this policy.
- Contracts and Data Processing Agreements with SaaS and cloud providers SHALL address data retention and deletion responsibilities.
Required Outputs:
- Configuration records for SaaS retention settings.
- Vendor contracts referencing retention and deletion responsibilities.
Security Controls: CC8.1; A.5.34, A.5.35.
Approval Required: Policy Owner, Security Officer.
3.4 Destruction Records and Oversight
Objective: Ensure high-risk data destruction is appropriately overseen and recorded.
Mandatory Activities:
- Information classified as “Confidential” SHALL be erased or destroyed in the presence of an authorized person or a commission, as defined in supporting standards.
- Destruction records SHALL capture at least the date, method, media type, and responsible parties.
Required Outputs:
- Destruction logs or certificates for in-scope media.
Security Controls: MP-6.
Approval Required: Policy Owner, Compliance Officer.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this Data Deletion Policy.
- Ensures retention and deletion requirements are defined and reviewed at least annually.
4.2 Engineering / Operations
Responsibilities:
- Implement technical deletion and destruction mechanisms on systems and media.
- Ensure retention configurations in systems align with this policy.
4.3 All Personnel
Responsibilities:
- Follow this policy and related procedures when handling data and media scheduled for deletion.
- Escalate cases where retention/deletion requirements are unclear.
5. PROCEDURES
5.1 High-Level Retention and Deletion Procedure
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Classify data and determine applicable retention requirements. | Policy Owner; System Owners | During system onboarding and major changes |
| 2 | Configure retention and deletion behavior in systems and SaaS platforms. | Engineering / Operations | During deployment and configuration changes |
| 3 | Periodically review data sets approaching end-of-life and schedule secure deletion or destruction. | Engineering / Operations; Policy Owner | At least annually |
| 4 | Record destruction of high-risk or regulated data as required. | Engineering / Operations | At time of destruction |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Reviews of system retention configurations.
- Spot checks and audits of media disposal practices and destruction records.
6.2 Metrics and Reporting
| Metric | Frequency | Owner |
|---|---|---|
| Number of exceptions to standard retention and deletion rules | Annually | Policy Owner |
6.3 Non-Compliance Consequences
Non-compliance with this policy may result in:
- Corrective and preventive actions.
- Disciplinary measures up to and including termination.
- Additional technical or process remediation.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Include detailed justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Compliance Officer |
| Critical | Executive Management |
8. DEFINITIONS
Data Deletion: Securely removing data from systems or media so that it cannot be reasonably recovered.
9. REFERENCES
9.1 Internal References
- Data Classification Policy
- Data Retention / Deletion Standards
9.2 External References
- SOC 2 Trust Services Criteria
- ISO/IEC 27001 Annex A.5.34–A.5.35
- NIST SP 800-53 (MP family)
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2022-01-14 | Ethan Schmertzler | Initial Creation and Approval |
| 2.0 | 2025-01-10 | Stefan Kristensen | Annual review and updates |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Compliance Officer | | | |
END OF POLICY