Data retention policy
All information assets must be preserved for the period of the immediate or current use of the asset, unless a longer retention period is necessary for historical reference or to comply with contractual or legal requirements.
To provide for consistent retention and disposal of information assets, Data Owners must maintain an Information Asset Retention Schedule that provides a breakdown of when specific information assets are to be removed and/or destroyed based on the sensitivity of the data. This schedule must address VGS business, legal, fiscal, and reference requirements.
Unless specified otherwise in the Information Asset Retention Schedule, the retention period for an information asset begins on the date the asset was received or created by VGS.
Data archiving and removal policy
4. Customer Data Deletion Requests
Because immediate deletion of sensitive data may negatively impact downstream business requirements (e.g. deleting payment card data could prevent future refunds or make chargeback management substantially more difficult) we have a strict process around deletion.
Obtaining authorization
Scheduling or deleting data may only be done if one of the following methods of requests
A face-to-face meeting or video chat with Customer's authorized representative where said representative requests and authorizes the deletion, note: this should be accompanied by separate written confirmation from the Customer;
A PGP signed email including: a signed letter from Customer outlining the actions to take, defining the affected data, and authorizing Very Good Security to move forward;
Or a predefined data retention deadline.
The direct request (via email or slack) from an authorized employee must specifically confirm:
the data to be deleted
the reason for the deletion
the persons authorizing the deletion
Upon receiving and authenticating that request, we will immediately disable the related records as well as any access credentials so that the underlying sensitive data can no longer be accessed, retrieved, or otherwise used. After a waiting period of 180 days, we then securely delete the sensitive data.
Identification
The specific data to be deleted must be clearly defined either by an appropriate time range (including confirmed timezone) or, preferably, the specific records to be deleted with corresponding payload information to verify.
Data deletion must be done pursuant to proper change management procedures: prior to commencing deletion, the selected data must be confirmed and the deletion plan must be approved by a peer engineer.
Documentation
Customer communication authorizing deletion must be retained and attached to the appropriate ticket tasking out deletion along with copies of all customer communication associated with the deletion.
Data storage policy
Very Good Security retains data in accordance with it's Data Storage Policy which is available upon request
Data center location(s)
United States, Germany
Data hosting details
Completely hosted on AWS services between European and US regions
App/service has sub-processors
no