Data retention policy
Unless otherwise required by law, PlusPlus retains Sensitive & Confidential Data
only for as long as necessary to fulfill the purposes for which it is collected and
processed, or to meet legal and client contractual obligations. To support compliance with these obligations, the CTO shall, on an annual basis, review
PlusPlus’s existing retention practices regarding Sensitive & Confidential Data.
Data archiving and removal policy
Once Sensitive & Confidential Data is no longer necessary or has reached the
end of its retention period, it is securely disposed of. Processes are in place for
the secure disposal of data when the data is no longer needed for legal,
regulatory and, business requirements. An automatic or manually executed
process is to be in place for identifying and securely removing data that exceeds
the defined legal, regulatory, and business requirements. As for disposing of
data, the following methods are to be utilized for both hard copy and electronic
data:
▪ Purging, sanitizing, and deleting data from all system components. This
can be done by utilizing a secure wipe program in accordance with
industry-accepted standards for secure deletion (i.e., degaussing).
▪ Destroying (cross-shredding) any cardholder data that is in a hardcopy
format.
▪ For electronic media stored on system components that are no longer in
use, data is to be disposed of through any one of the following
procedures: Disintegration, Shredding (disk grinding device), Incineration by a licensed incinerator, Pulverization.
▪ Instances of disposal of customer data will be tracked via a ticketing
system and will include the steps taken to complete the removal.
Data storage policy
Sensitive Data is only stored in approved systems, databases, and devices. The storage location depends on the type of deployment:
▪ On-premises: Sensitive Data is stored on client-owned or client-
leveraged servers.
▪ Cloud: Sensitive Data is stored in a secure, dedicated cloud environment
behind a firewall.
PlusPlus specifically prohibits employees from storing Sensitive Data in the
PlusPlus development environment, on their PlusPlus-issued laptops or desktop
computers, on their personal devices, on removable media (e.g., USB flash
drives), or on printed media.
Data center location(s)
United States
Data hosting details
▪ On-premises: Data is stored on client-owned or client-
leveraged servers.
▪ Cloud: Sensitive Data is stored in a secure, dedicated cloud environment
behind a firewall.
App/service has sub-processors
no