Data Retention & Disposal Policy

1. Purpose

The purpose of this policy is to define how Method13 retains, manages, and securely disposes of customer and company data. This ensures compliance with PCI DSS, privacy regulations, contractual obligations, and legal requirements while minimizing data retention risk.

2. Scope

This policy applies to all systems, applications, backups, and services managed by Method13 that store, process, or transmit customer data, business records, or sensitive information. It applies to production, test, and backup environments.

3. Policy Statement

Method13 will retain data only for as long as it is required for business, operational, or legal purposes. When data is no longer required, it will be securely deleted or destroyed in accordance with industry best practices and PCI DSS standards.

4. Retention Requirements

  • Customer Data (Active Services): Retained only as long as the customer account is active and required to deliver contracted services.

  • Customer Data (Post-Termination): Retained for a maximum of 30 days after service termination, unless required by legal or regulatory obligations. After this period, customer data will be securely deleted.

  • Backups: Retained for a maximum of 30 days. Backup data beyond this period will be automatically purged or overwritten.

  • Payment Card Data: Method13 does not store sensitive authentication data (per PCI DSS). Any cardholder data necessary for transactions will be retained only as long as strictly required and securely deleted thereafter.

  • Legal / Regulatory Holds: Data subject to active litigation, investigation, or regulatory requirement may be retained beyond standard periods until the legal necessity expires.

5. Secure Disposal Methods

All data, whether electronic or physical, must be securely destroyed when retention is no longer required:

  • Electronic Data: Secure deletion using NIST 800-88 compliant methods (e.g., cryptographic erase, secure wipe).

  • Physical Media: Shredding, degaussing, or destruction so data cannot be reconstructed.

  • Cloud / Virtual Environments: Verified purge processes ensuring that no recoverable copies remain.

6. Responsibilities

  • Security Team: Defines retention schedules, ensures proper disposal methods, and audits compliance.

  • System Owners / Administrators: Implement retention and deletion controls, and ensure timely data purges.

  • Legal & Compliance: Reviews retention requirements for contracts and regulations; approves exceptions.

  • Executive Management: Provides oversight and resources for compliance.

7. Exceptions

  • Exceptions to this policy must be documented, approved by the Security Team and Legal, and include justification and compensating controls.

  • Retention periods may be extended only when legally or contractually required.

8. Monitoring & Verification

  • Regular audits will verify compliance with retention and disposal requirements.

  • Backup and purge processes will be monitored to confirm timely data deletion.

  • Incidents of policy noncompliance will be reported to management.

9. Enforcement

Failure to comply with this policy may result in disciplinary action, contract termination, or legal consequences depending on the severity of noncompliance.

10. Review & Updates

This policy will be reviewed at least annually or when significant changes to PCI DSS, data protection regulations, or business operations occur.
