1. Introduction

Suprdense (“the Company,” “we,” “us,” or “our”) is committed to managing its data—particularly system, application, and security logs—in a secure, compliant, and efficient manner. The primary goal of this Data & Log Retention Policy (“Policy”) is to ensure that Suprdense retains logs and other relevant records in a way that supports business operations, meets legal and regulatory requirements, and respects data privacy obligations.

2. Purpose & Scope

  1. Purpose:
    1. Define retention schedules for various categories of data and logs, including how long data is stored and when it is securely deleted.
    2. Ensure consistency with applicable laws and regulations (e.g., the GDPR and local data protection laws).
    3. Facilitate compliance, auditing, and operational continuity for Suprdense and its customers.
  2. Scope:
    1. This Policy applies to all system and application logs generated and managed by Suprdense’s applications, services, and supporting infrastructure.
    2. It covers data and logs generated in both production and non-production environments (development, QA, and staging), where applicable.
    3. All employees, contractors, and third-party service providers (sub-processors) who handle or manage Suprdense’s data or logs must comply with this Policy.

3. Definitions

  • Log Data: Records of system, application, security, or network events stored in text, structured, or binary format.
  • Retention Period: The length of time for which Suprdense is required or chooses to retain specific data before archiving or deleting it.
  • Archival: The process of moving data or logs that are no longer actively used but may still be needed for compliance or historical purposes to a separate storage location.
  • Deletion: The secure and irreversible destruction of data or logs, using methods that prevent reconstruction.

4. Categories of Data & Retention Schedules

Suprdense categorizes its logs and data to apply different retention policies according to their operational and legal relevance. Below is a high-level overview:

  1. Application & Service Logs
    1. Description: Records containing operational data about how our services and applications function (API requests, error messages, and performance metrics).
    2. Retention Period: Typically 90 days, with an option to archive critical logs for up to 12 months if necessary for troubleshooting, compliance, or contractual obligations.
    3. Rationale:
      1. 90 days is sufficient for day-to-day troubleshooting and performance analysis.
      2. Extended retention (up to 12 months) applies to logs that specific customers or legal requirements oblige us to keep.
  2. Security & Access Logs
    1. Description: Logs that capture authentication events (successful and failed login attempts), changes to user permissions, firewall logs, intrusion detection/prevention system alerts, and other security-related events.
    2. Retention Period: Minimum of 12 months, with optional extension to 24 months for compliance with regulatory or contractual requirements.
    3. Rationale:
      1. Extended retention helps detect, investigate, and respond to security incidents.
      2. Facilitates forensic analysis, compliance with standards (ISO 27001, SOC 2), and satisfies certain regulatory demands (GDPR’s accountability principle).
  3. Audit Logs & Compliance-Related Records
    1. Description: Logs and records specifically required for compliance, auditing, or legal proceedings (changes to system configurations, data subject access requests, and backup logs).
    2. Retention Period: Up to 24 months or longer based on specific legal, regulatory, or customer contractual requirements.
    3. Rationale:
      1. Ensures traceability and accountability for critical changes and actions.
      2. Aligns with various international regulations that may require a 1–2 year retention period.
  4. Transactional & Billing Data
    1. Description: Logs of financial or contractual transactions, such as invoices, payment records, or service usage metrics for billing.
    2. Retention Period: Typically 5–7 years, to align with tax and corporate record-keeping laws in multiple jurisdictions.
    3. Rationale:
      1. Required for financial audits, dispute resolution, and compliance with accounting standards.

5. Storage, Access, & Security Controls

  1. Storage Methods:
    1. Primary Storage: Active logs are maintained on secure servers or cloud-based services (AWS, GCP, MongoDB, and Google Firestore).
    2. Archival Storage: Old or rarely accessed logs may be moved to lower-cost, encrypted archival storage with appropriate access controls.
  2. Access Controls:
    1. Least Privilege Principle: Access to logs is granted only to authorized personnel who need the information to perform their roles (e.g., security analysts and DevOps engineers).
    2. Multi-Factor Authentication (MFA): Required for all administrative log access to prevent unauthorized viewing of, or tampering with, log data.
  3. Encryption:
    1. Data in Transit: All log data transfers occur over secure (encrypted) channels.
    2. Data at Rest: Logs are encrypted at rest using AES-256 where the underlying storage system supports it.
  4. Monitoring & Alerts:
    1. Automated systems monitor for anomalous patterns in log data.
    2. Access attempts are logged, and suspicious activities trigger real-time alerts.

6. Deletion & Destruction

  1. Deletion Protocol:
    1. Once a log reaches the end of its retention period, it is marked for deletion or archival, depending on business or compliance requirements.
    2. Automated scripts or processes handle the scheduled deletion of logs to ensure consistency.
  2. Secure Destruction:
    1. Secure wiping of data uses industry-standard methods to ensure the data cannot be recovered.
    2. Certificates of destruction may be generated for critical or compliance-related data, as necessary.

7. Exemptions & Exceptions

  1. Legal Holds:
    1. If logs are subject to litigation or a regulatory investigation, they are placed on a legal hold and are not deleted until the hold is lifted.
    2. Suprdense’s Legal Department coordinates such processes.
  2. Customer Requirements:
    1. In some cases, customer-specific contracts or SLAs may require different retention durations.
    2. These are handled on a case-by-case basis, and relevant teams are notified to adjust retention settings accordingly.
  3. Extension of Retention Period:
    1. Security or operational concerns may justify extending the retention period for specific logs. Any extension must be approved by the Chief Information Security Officer (CISO).
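
As an added, illustrative example (not Suprdense's own tooling), the following Python sketches how an automated retention sweep could apply the schedule in Section 4, the deletion-or-archival protocol in Section 6, and the legal-hold, customer-contract and CISO-approved exceptions in Section 7. The record fields, the `critical` flag that marks logs eligible for archival, the choice of 7 years as the billing upper bound, and the sample records are all assumptions made for the example.

```python
# Added example: a retention sweep applying Sections 4, 6 and 7 of the policy.
# Illustrative only, not Suprdense's own tooling; record fields, the 7-year
# billing figure, the "critical" flag and the sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Category(str, Enum):
    APPLICATION = "application"   # Section 4.1
    SECURITY = "security"         # Section 4.2
    AUDIT = "audit"               # Section 4.3
    BILLING = "billing"           # Section 4.4


# (active_days, max_days): default retention and the longest permitted extension.
# Billing uses the upper end of the 5-7 year range (assumption: 7 years).
SCHEDULE = {
    Category.APPLICATION: (90, 365),
    Category.SECURITY: (365, 730),
    Category.AUDIT: (730, 730),
    Category.BILLING: (7 * 365, 7 * 365),
}


@dataclass
class LogRecord:
    record_id: str
    category: Category
    created_at: datetime                   # timezone-aware UTC timestamp
    legal_hold: bool = False               # Section 7.1: never delete while held
    customer_days: Optional[int] = None    # Section 7.2: contractual override
    extension_days: int = 0                # Section 7.3: CISO-approved extension
    critical: bool = False                 # eligible for archival past the active period


def decide(rec: LogRecord, now: datetime) -> str:
    """Return 'retain', 'archive' or 'delete' for one record."""
    if rec.legal_hold:
        return "retain"                    # a legal hold overrides every schedule
    active_days, max_days = SCHEDULE[rec.category]
    if rec.customer_days is not None:
        active_days = rec.customer_days    # contract replaces the default period
    active_days += rec.extension_days
    max_days = max(max_days, active_days)  # an approved period may exceed the default max
    age = (now - rec.created_at).days
    if age < active_days:
        return "retain"
    if rec.critical and age < max_days:
        return "archive"                   # move to encrypted cold storage (Section 5.1.2)
    return "delete"                        # hand off to secure destruction (Section 6.2)


def sweep(records, now):
    """Group records by action; the sweep itself is an audit event (Section 4.3)."""
    actions = {"retain": [], "archive": [], "delete": []}
    for rec in records:
        actions[decide(rec, now)].append(rec.record_id)
    audit_entry = {
        "ts": now.isoformat(),
        "deleted": sorted(actions["delete"]),
        "archived": sorted(actions["archive"]),
    }
    return actions, audit_entry


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed "now" for reproducibility


def sample_records():
    """Constructed sample data covering each branch of decide()."""
    d = lambda days: NOW - timedelta(days=days)
    return [
        LogRecord("app-1", Category.APPLICATION, d(30)),                   # retain
        LogRecord("app-2", Category.APPLICATION, d(120)),                  # delete: past 90d
        LogRecord("app-3", Category.APPLICATION, d(120), critical=True),   # archive (<12 months)
        LogRecord("app-4", Category.APPLICATION, d(400), critical=True),   # delete: past 12 months
        LogRecord("sec-1", Category.SECURITY, d(400), legal_hold=True),    # retain: legal hold
        LogRecord("sec-2", Category.SECURITY, d(400), critical=True),      # archive (12-24 months)
        LogRecord("sec-3", Category.SECURITY, d(400), customer_days=540),  # retain: contract
        LogRecord("aud-1", Category.AUDIT, d(800)),                        # delete: past 24 months
        LogRecord("bill-1", Category.BILLING, d(2000)),                    # retain: under 7 years
    ]


if __name__ == "__main__":
    actions, audit = sweep(sample_records(), NOW)
    print(actions)
    print(audit)
```

The legal-hold check comes first and short-circuits every other rule, which is the property an auditor will test for: a held record must survive even when it is years past its schedule. Recording the sweep's own output as an audit entry gives the "certificate of destruction" in Section 6.2 something to be generated from.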

8. Compliance & Audits

  1. Regulatory Compliance:
    • This Policy is designed to align with key regulations such as the GDPR and local data protection laws, and with relevant industry standards (ISO 27001 and SOC 2).
    • Any change in applicable laws or regulations may result in immediate updates to this Policy.
  2. Internal & External Audits:
    • Suprdense conducts periodic internal audits to ensure compliance with this Policy.
    • Customers or external auditors (e.g., for ISO 27001 or SOC 2 certification) may review log retention processes under NDA or relevant contractual obligations.

9. Roles & Responsibilities

  1. Chief Information Security Officer
    • Oversees compliance with data protection regulations and ensures that this Policy meets GDPR and other global requirements.
    • Maintains the technical standards and tools needed for log management and retention.
    • Coordinates with the IT and DevOps teams to ensure logs are properly stored, encrypted, archived, and deleted.
  2. IT & DevOps Teams:
    • Implement and maintain automated processes for data retention, archival, and deletion.
    • Monitor logs and respond to any anomalies or breaches in line with the separate Suprdense Incident Response & Security Vulnerability Policy.
  3. Legal & Compliance Teams:
    • Advise on legal holds, contract clauses, and evolving regulatory requirements that may influence data retention schedules.

10. Policy Management & Review

  1. Revision & Approval:
    • This Policy is reviewed at least annually or upon significant changes to technical infrastructure, regulatory requirements, or business needs.
    • Any revisions require approval from the CISO and the CEO or equivalent executive authority.
  2. Publication & Awareness:
    • This Policy is published internally on Suprdense’s documentation portal and externally on our website (if applicable).
    • Training sessions may be conducted to educate employees and contractors on their responsibilities under this Policy.

11. Contact & Further Information

For questions or more information regarding this Suprdense Data & Log Retention Policy, please contact:

Nishant Gupta
Chief Executive Officer
Suprdense
talk@suprdense.com