4.3 KiB
4.3 KiB
Data Retention Policy
Version: 1.0 Effective: February 2026 Owner: Johan Jongsma Review: Annually
1. Purpose
Define how long Dealspace retains client data and the procedures for data deletion.
2. Scope
All data stored in Dealspace systems:
- Projects and deals
- Deal data (requests, responses, documents)
- Participant accounts and access grants
- Access logs
- Authentication tokens
3. Retention Periods
Deal Data
| Data Type | Retention Period | Rationale |
|---|---|---|
| Active deal data | Per client agreement | Deal lifecycle varies |
| Closed deals | 7 years from close | Regulatory compliance |
| Deleted deals | 30 days (soft delete), then purged | Recovery window |
System Data
| Data Type | Retention Period | Rationale |
|---|---|---|
| HTTP access logs | 90 days | Security investigation window |
| Audit logs | 7 years | Regulatory compliance |
| Error logs | 90 days | Debugging and monitoring |
Authentication Data
| Data Type | Retention Period | Rationale |
|---|---|---|
| Access tokens | 1 hour expiry | Security |
| Refresh tokens | 7 days or until revoked | Session management |
| Invite tokens | 72 hours or until used | Security |
Backup Data
| Data Type | Retention Period | Rationale |
|---|---|---|
| Daily backups | 30 days | Recovery window |
4. Client-Initiated Deletion
Project Deletion
When a client deletes a project:
Immediate actions:
- Mark project as deleted
- Revoke all access grants
- Remove from active listings
Within 30 days:
- Soft delete allows recovery
- After 30 days: permanent purge
Retained for compliance:
- Audit log entries (7 years, anonymized)
Individual Entry Deletion
When a user deletes a specific entry:
- Entry soft-deleted immediately
- Removed from backups per rotation schedule (30 days)
Right to Erasure (GDPR Article 17)
Users may request complete erasure:
- User submits request via privacy@muskepo.com
- Identity verified
- Deletion executed within 30 days
- Confirmation sent to user
- Request logged for compliance
5. Automated Retention Enforcement
Daily Cleanup Jobs
- Remove expired access tokens
- Remove expired refresh tokens
- Remove expired invite tokens
- Process queued deletions past retention window
Log Rotation
- Rotate logs older than 90 days
- Audit logs retained for 7 years
Backup Rotation
- Daily backups: 30-day retention
6. Legal Holds
When litigation or investigation requires data preservation:
- Identify scope - Which clients/deals affected
- Suspend deletion - Exclude from automated purges
- Document hold - Record reason, scope, authorizer, date
- Release hold - When legal matter resolved, resume normal retention
Current legal holds: None
7. Data Export
Clients may export their data at any time:
- Full export available via platform
- Formats: JSON (structured data), original files
- Export includes all project data and audit logs
8. Backup Data Handling
Deleted data may persist in backups until rotation completes:
| Backup Type | Maximum Persistence After Deletion |
|---|---|
| Daily backups | 30 days |
Clients are informed that complete purge from all backups occurs within 30 days of deletion request.
9. Third-Party Data
Hostkey (Hosting)
- Encrypted data only
- Subject to Dealspace's retention policies
- Physical media destroyed per Hostkey procedures
10. Compliance Mapping
| Regulation | Requirement | Implementation |
|---|---|---|
| GDPR Art. 17 | Right to erasure | 30-day deletion on request |
| GDPR Art. 5(1)(e) | Storage limitation | Defined retention periods |
| FADP | Data minimization | Same as GDPR implementation |
| CCPA | Deletion rights | Same as GDPR implementation |
11. Verification
Monthly Review
- Verify cleanup jobs running
- Check for orphaned data
- Review pending deletion requests
- Confirm backup rotation operating
Annual Review
- Review retention periods for regulatory changes
- Update policy as needed
- Verify compliance with stated periods
Document end