Data retention policy
Retention is defined as the maintenance of Records in a production or live environment that can be accessed by an authorized user in the ordinary course of business. Records used in staging, development, and testing, or draft versions of documents shall neither be retained beyond their active use period, nor copied into production or live environments.
A record is in a retention period while it is in active use (as stipulated in the Record Retention Requirements Table in Appendix A), unless an exception has been granted to permit a longer or shorter active use period by the Department responsible for creating, using, processing, disclosing, storing, and destroying the Records.
After the active use period has expired, (considering the appropriate exceptions,) Records shall be archived in accordance with Archiving Policy section. Afterwards, the Records are destroyed in accordance with Destruction Policy section.
For the purposes of enforcing retention, each department shall be responsible for the Records it creates, uses, stores, processes, and destroys. A sample list of Record types used within Astrix departments is specified in the Record Retention Requirements Table in Appendix A. This list shall be maintained by each Department Manager.
Each Department Manager shall be responsible for enforcing the retention, archiving and destruction of Records, and for communicating these stages to the relevant employees.
The Astrix Legal Department may issue a litigation hold request to a Department Manager that requires that Records relating to potential or actual litigation, arbitration, or other claims, demands, disputes, or regulatory action be retained in accordance with instructions from the Legal Department.
*Full policy will be shared upon request.
** We are soc2 compliant, audit can be shared after full MNDA prcoess.
Data archiving and removal policy
The archive period of Records shall be seven years, unless an exception has been granted for a longer or shorter active use period by the Department Manager who is responsible for creating, using, processing, disclosing, storing, and destroying the Records.
An archiving period of greater than seven years may be granted as an exception for Records with a vital historical purpose, such as corporate Records, contracts, or technical knowhow. The Department Manager shall request an exception to archive Records in accordance with the Exceptions to the Retention Period section. Such exception requests shall specify the administrative, organizational, and technical measures needed to ensure the confidentiality, integrity, and availability of such Records.
An archiving period of less than seven years may be granted by exception for Records with a limited business purpose, such as emails, messages, travel itineraries, pre-trip advisories, or to comply with client or industry requirements.
After the archive period has expired, Records shall be destroyed in accordance with the Destruction Policy section.
For the purposes of enforcing archiving, each department shall be responsible for the Records it creates, uses, stores, processes, and destroys. A sample list of Record types used within Astrix Departments is specified in the Record Retention Requirements Table in Appendix A. This list shall be maintained by each Department Manager.
Destruction is defined as when information contained in the Record is rendered irretrievable by ordinary commercially available means, both physically and technically.
The Astrix Security team shall maintain and enforce a detailed list of approved destruction methods appropriate for each type of archived information, whether on physical storage media (such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, or portable drives), or in database Records or backup files.
Paper Records shall be shredded using secure, locked consoles designated in each office, from which waste shall be periodically collected and disposed of by security-screened personnel.
*Full policy will be shared upon request.
** We are soc2 compliant, audit can be shared after full MNDA prcoess.
Data storage policy
Records must comply with all applicable legal, regulatory, and contractual requirements.
Records must not be held for any longer than required.
The protection of Records (i.e., their confidentiality, integrity, and availability) must be in accordance with their security classification.
Records must remain retrievable in line with business requirements at all times.
Records containing personal data must not be able to identify individuals.
Depending upon the classification of information and the storage medium, cryptographic techniques shall be used to ensure Record confidentiality and integrity. Care shall be taken to ensure that encryption keys used to encrypt Records are securely stored for the life of the relevant records and shall comply with Astrix’s policy on cryptography.
*Full policy will be shared upon request.
** We are soc2 compliant, audit can be shared after full MNDA prcoess.
Data center location(s)
United States
Data hosting details
Cloud hosted: Atlas, MongoDB, and AWS RDS
Data hosting company
Amazon Inc (AWS), MongoDB, Inc.
App/service has sub-processors
no