Data Retention and Destruction Policy

Purpose

The purpose of this policy is to define the activities associated with the provision of data retention and destruction plans and programs that protect Evercam Limited’s information systems, networks, data, databases and other information assets. Additional policies governing data management activities will be addressed separately.

Scope

The scope of this data retention and destruction policy is all information technology systems, software, databases, applications and network resources needed by Evercam Limited to conduct its business. The policy is applicable to all Company employees, contractors and other authorised third-party organisations.

Statement of Compliance

This policy is designed to be compliant with the U.S. Data Protection Act of 1998, Freedom of Information Act of 2000, Fair and Accurate Credit Transactions Act of 2003 and Europe’s General Data Protection Regulation.

Data retention and destruction policy compliance is managed by the IT department, with support from Compliance department leadership and subject matter experts. To achieve compliance, data retention and destruction programs include appropriate procedures, and identify staffing and technology resources to meet compliance requirements. Compliance verification (especially for data destruction) is performed monthly by the IT department, internal audit or other appropriate entity.

Policy

The Information Technology (IT) department, with support from the Compliance department, is responsible for managing all data retention and destruction activities for the Company. Other departments, such as Finance and Accounting, Operations and Human Resources, are also responsible for providing the IT and Compliance departments with their requirements for data retention and destruction. The IT and Compliance departments are responsible for developing, executing and periodically testing data retention and destruction procedures. The IT and Compliance departments also acknowledge they will comply with appropriate industry standards for data retention and destruction in its activities.

  1. The company shall develop comprehensive data retention and destruction plans in accordance with good data management practices as defined by established standards.
  2. Data retention and destruction activities shall be performed as part of the company’s data management program, which administers and manages the overall technology data management program, which includes:
    • Planning and design of data retention and destruction activities;
    • Identification of data retention and destruction teams, defining their roles and responsibilities and ensuring they are properly trained and prepared to perform their duties;
    • Planning, design and documentation of data retention and destruction plans;
    • Scheduling of updates to data retention and destruction risk analyses;
    • Planning and delivery of awareness and training activities for employees and data retention and destruction team members;
    • Planning and execution of data retention and destruction plan exercises;
    • Designing and implementing data retention and destruction maintenance activities to ensure that plans are up to date and ready for use;
    • Preparing for management review and auditing of data retention and destruction plan(s); and
    • Planning and implementation of continuous improvement activities for data retention and destruction activities and plans.
  1. Formal Risk Assessments (RAs) and Business Impact Analysis (BIAs) shall include requirements for data retention and destruction activities; RAs and BIAs shall be updated at least annually to ensure they are in alignment with the business and its technology requirements.
  2. Data retention and destruction plans shall address electronic data stored on electronic media such as CDs, hard disk drives, solid state disk drives, magnetic tape and other appropriate media.
  3. Data retention and destruction plans shall address data stored on non-electronic media (e.g., paper files, microfiche).
  4. Data retention and destruction plans shall address electronic information systems (e.g., servers, routers, switches) and components (e.g., cabling and connectors, power supplies, storage racks) and other assets that are currently out of production or scheduled to be phased out of production environments.
  5. Data retention plans shall establish the storage requirements and associated metrics (e.g., length of storage, type of storage media) for electronic and non-electronic information as well as systems supporting the IT infrastructure.
  6. Data destruction plans shall establish the parameters for destruction of electronic data (e.g., overwriting, reformatting, degaussing, firmware-based erasure, physical data media destruction), non-electronic data (e.g., shredding of hard copy), and systems and components (e.g., third-party destruction services).
  7. Data retention and destruction plans shall be periodically reviewed and tested in a suitable environment to ensure that data, databases, media, systems and other relevant elements can be retained or destroyed and that Evercam Limited’s management and employees understand how the plans are to be executed as well as their roles and responsibilities.
  8. All employees must be made aware of the data retention and destruction program and their own roles and responsibilities.
  9. Data retention and destruction plans and other documents are to be kept up to date and will reflect existing and changing circumstances.

Data Retention and Destruction Specifications

Following are specific data retention and destruction technical requirements:

Data/System Retention Procedures

  1. The data is securely stored on a Google Drive that is password protected. The retention period for the data is in compliance with the law and is also determined by the duration of the project. The customer can request deletion of the data at any time.
  2. The data is stored both on cloud-based servers and physical hard drives for redundancy and backup purposes.
  3. The cloud recordings are stored on dedicated cloud service providers, primarily on Hetzner servers located in Germany. In addition, physical hard drives are placed at the project site and connected to the cameras for local storage. At the end of the project, the customer has the option to retain the physical hard drives or store them securely with us. We take every precaution to ensure the security and confidentiality of the data.
  4. Regular audits are conducted to ensure the integrity and security of the data stored in the cloud and physical hard drives. These routine checks enable us to identify and address any potential issues or concerns promptly, ensuring the safety and confidentiality of our clients’ data.

Data/System Destruction Procedures

Once the data retention period has expired or if the client requests deletion of their data, we ensure complete and secure removal of the data. This involves deleting the data from the servers and wiping the hard drives of any physical media to prevent any unauthorised access or recovery of the data. We take every precaution to ensure that the data is completely and irreversibly erased, in accordance with industry best practices and data privacy regulations.

Retention and Destruction Requests

To initiate the process of data deletion, the client can send a request to our support team at support@evercam.io. Our team will verify the request and take the necessary steps to securely delete the data from our servers and physical media.