Kantata (formerly Mavenlink)

United States

Data Retention Periods As per principle 5 of the UK Data Protection Act 2018 and article 5.1(e) of GDPR, personal data must not be kept for any longer than is necessary for the purpose for which it was obtained. If data are kept too long, the accuracy and relevance may be compromised. Therefore, the Company will base its record retention on any legal, regulatory or contractual obligations. Unless it has been contractually agreed to extend the retention period, all data records must be securely destroyed after the minimum retention period has expired. Any requests for extended retention of records should be discussed and approved with the Data Protection Officer. Data retention periods may be introduced or changed as part of legislation, regulation, audit or management requirements. In such instances, any legal retention requirement takes precedent. A listing of data retention periods will be maintained in a data retention inventory (also referred to as an Information Asset Inventory / Register) which will include the data description; the minimum retention period; any relevant legal provision as well as the owner who is responsible for performing periodic reviews.

Data Disposal At the end of minimum retention periods, data records must be disposed of successfully and securely. This applies to both electronic media and paper-based records. Such procedures may include shredding, incinerating, or pulp of hard copy materials so that sensitive information cannot be reconstructed. In situations where the data resides on shared hardware that cannot be destroyed or otherwise physically separated, monitored controlled access is used to irrecoverably overwrite the data in the addressable storage space. The transfer or disposition of data processing equipment, such as computers and related media, shall be controlled. Data can be present on any type of storage device, whether fixed or removable, that contains data and maintains the data after power is removed from the device. Degaussing (i.e., demagnetizing) is a procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. All removed storage media is degaussed prior to disposal.

Record Storage and Archiving The following record storage requirements are applicable to personal, sensitive personal and confidential data. All electronic and paper records must be stored securely. Paper records must be securely stored in lockable filing cabinets. Should storage be required offsite, then a third party must be used that can provide the required levels of security. Paper archived records must be clearly labelled with the department name; a brief description of the contents; the date archived; a review date and the disposal date. A log of all archived records should be maintained, and archived records must be reviewed periodically to ensure the data remains accurate, adequate, relevant and not excessive. Electronic records, either created by the user or received from a third party, should be stored on a network drive and not on a user’s local hard drive. As data stored on local hard drives is not backed up, this ensures that data is not lost or stolen. Email should only be used primarily for the transfer of information and short-term storage. Attachments should be saved on to the Company’s network and not retained indefinitely within a user’s email account. Access to data records, must be restricted to authorized users on a “need to know” basis and by using a combination of both logical and physical access controls. Should a user require access to data, which is not considered to be in line with their current role or responsibility, then a business justification should be provided in writing and permission from a Managing Director must be obtained. Maintain an Inventory Each department will support a listing (inventory) of all major records it uses and maintains as well as any corresponding retention periods, which should be in accordance with all relevant legislation and regulation. Annual Records Review Each department will perform an annual review of its major records to determine whether retention of these records is adequate and relevant. Each department will perform an annual review of its major records to determine whether data remains accurate. Litigation Holds In the event of an audit, investigation, or pending litigation, record disposal may be suspended by the Executive Team. Therefore: - The Executive Team should inform employees, temporary staff and contractors when litigation is contemplated against the Company and when it has been released. Any electronic documents such as e-mail and computer accounts will need to be immediately maintained by the appropriate departments as well as information resources until litigation has been released. No employee, temporary staff or contractor, who has been notified, may alter or delete any electronic records that falls within the scope of the litigation. Violation may subject the individual to disciplinary action, up to and including termination of contract, as well as personal liability and criminal prosecution.

Cloud hosted

AWS, Azure

no

Data deletion is handled upon formal request of the data owner for deletion. Data will be deleted within 90 days(unless otherwise required by applicable law), and formal confirmation of deletion will be returned to the data owner.

no

2021-09-22

yes

Google

yes

yes

security@mavenlink.com

yes

no

no

no

no