Data retention policy
Castle shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Data archiving and removal policy
Data classified as restricted or confidential shall be securely deleted when no longer needed. Castle shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet Castle requirements for secure data disposal shall be used for storing and processing restricted or confidential data.
Castle shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of disposal.
Customer accounts and data shall be deleted from operating production systems within 90 days of contract termination through manual data deletion processes. Archives of customer data, obfuscated to remove any customer PII data, can persist in S3 storage indefinitely (for training our risk models).
Data storage policy
Castle classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
Confidential data is subject to the following protection and handling requirements:
● Access for non-pre approved roles requires documented approval from the data owner
● Access is restricted to specific employees, roles and/or departments
● Confidential systems shall not allow unauthenticated or anonymous access
● Confidential Customer Data shall not be used or stored in non-production systems/environments
● Confidential data shall be encrypted in transit over public networks
● Confidential data shall be stored on encrypted hard drives
● Mobile device hard drives containing confidential data, including laptops, shall be encrypted
● Mobile devices storing or accessing confidential data shall be protected by a log-on
password or passcode and shall be configured to lock the screen after five (5) minutes of
non-use
● Backups shall be encrypted
● Confidential data shall not be stored on personal phones or devices or removable media
including USB drives, CD’s, or DVD’s
● Paper records shall be labeled “confidential” and securely stored and disposed
● Hard drives and mobile devices used to store confidential information must be securely
wiped prior to disposal or physically destroyed
● Transfer of confidential data to people or entities outside the company shall only be done in
accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner
Castle shall evaluate the risks inherent in processing and storing data, and shall implement cryptographic controls to mitigate those risks where deemed appropriate. Where encryption is in use, strong cryptography with associated key management processes and procedures shall be implemented and documented. All encryption shall be performed in accordance with industry standards, including NIST SP 800-57.
For all personal data, Castle shall consider the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, and implement appropriate technical and organizational measures surrounding the pseudonymization and encryption of data to ensure a level of security appropriate to the risk.
For all web traffic sent over the public Internet containing confidential information, the TLS v1.2 protocol or better must be utilized.
Data center location(s)
United States
Data hosting details
Cloud
App/service has sub-processors
yes
Guidelines for sub-processors