Data retention policy
Stomio, Inc. shall retain data as long as the company has a need for its use, or to meet
regulatory or contractual requirements. Once data is no longer needed, it shall be securely
disposed of or archived. Data owners, in consultation with legal counsel, may determine
retention periods for their data.
Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer
has a business use.
- Customer Data: up to 60 days after contract termination (unless a specific client agreement is in place)
- Security and system event log data, network data flow: 1 year
- Security Policies: 1 year after archive
- Database backups: 1 year
Data archiving and removal policy
Data classified as restricted or confidential shall be securely deleted when no longer needed.
Stomio, Inc. shall assess the data and disposal practices of third-party vendors in accordance
with the Third-Party Management Policy. Only third parties that meet Stomio, Inc. requirements
for secure data disposal shall be used for storage and processing of restricted or confidential
data.
Stomio, Inc. shall ensure that all restricted and confidential data is securely deleted from
company devices prior to, or at the time of, disposal.
Confidential and Restricted hardcopy materials shall be shredded or otherwise disposed of
using a secure method.
Personally identifiable information (PII) shall be collected, used and retained only for as long as
the company has a legitimate business purpose. PII shall be securely deleted and disposed of
following contract termination in accordance with company policy, contractual commitments and
all relevant laws and regulations. PII shall also be deleted in response to a verified request
from a consumer or data subject, where the company does not have a legitimate business
interest or other legal obligation to retain the data.
Data storage policy
Policy
Stomio, Inc. classifies data and information systems in accordance with legal requirements,
sensitivity, and business criticality in order to ensure that information is given the appropriate
level of protection. Data owners are responsible for identifying any additional requirements for
specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification
of data that they store or process.
Data Classification
To help Stomio, Inc. and its employees easily understand requirements associated with different
kinds of information, the company has created three classes of data.
Confidential
Highly sensitive data requiring the highest levels of protection; access is restricted to specific
employees or departments, and these records can only be passed to others with approval from
the data owner or a company executive. Examples include:
- Customer Data
- Personally identifiable information (PII)
- Company financial and banking data
- Salary, compensation and payroll information
- Strategic plans
- Incident reports
- Risk assessment reports
- Technical vulnerability reports
- Authentication credentials
- Secrets and private keys
- Source code
- Litigation data
Restricted
Stomio, Inc. proprietary information requiring thorough protection; access is restricted to
employees with a "need-to-know" based on business requirements. This data can only be
distributed outside the company with approval. This is the default classification for all company
information unless stated otherwise. Examples include:
- Internal policies
- Legal documents
- Meeting minutes and internal presentations
- Contracts
- Internal reports
- Slack messages
- Email
Public
Documents intended for public consumption which can be freely distributed outside Stomio,
Inc. Examples include:
- Marketing materials
- Product descriptions
- Release notes
- External facing policies
App/service has sub-processors: yes
Guidelines for sub-processors