Data retention policy
Terrastruct, Inc. shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.
Appendix B:
- Terrastruct, Inc. SaaS Products (AWS)/Customer Data/Up to 60 days after contract termination
- Terrastruct, Inc. AutoSupport/Customer instance and metadata, debugging data/Indefinite
- Terrastruct, Inc. Customer Support Tickets/Support Tickets and Cases/Indefinite
- Terrastruct, Inc. Security Event Data/Security and system event and log data, network data flow logs/On-Premise - Indefinite/AWS Instance
- Terrastruct, Inc. Customer Sales (Salesforce)/Opportunity and Sales Data/Indefinite
- Terrastruct, Inc. QA and Testing Data (TestRail)/QA, testing scenarios and results data/Indefinite
Data archiving and removal policy
Data classified as restricted or confidential shall be securely deleted when no longer needed. Terrastruct, Inc. shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet Terrastruct, Inc. requirements for secure data disposal shall be used for store and process restricted or confidential data.
Terrastruct, Inc. shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of disposal.
Data storage policy
Confidential Data Handling
- Confidential data is subject to the following protection and handling requirements:
- Access for non-preapproved-roles requires documented approval from the data owner
- Access is restricted to specific employees, roles and/or departments
- Confidential systems shall not allow unauthenticated or anonymous access
- Confidential Customer Data shall not be used or stored in non-production systems/environments
- Confidential data shall be encrypted in transit over public networks
- Mobile device hard drives containing confidential data, including laptops, shall be encrypted
- Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after five (5) minutes of non-use
- Backups shall be encrypted
- Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CD’s, or DVD’s
- Paper records shall be labeled “confidential” and securely stored and disposed
- Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
- Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner
Restricted Data Handling
- Restricted data is subject to the following protection and handling requirements:
- Access is restricted to users with a need-to-know based on business requirements
- Restricted systems shall not allow unauthenticated or anonymous access
- Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner
- Paper records shall be securely stored and disposed
- Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroye
Public Data Handling
- No special protection or handling controls are required for public data. Public data may be freely distributed.
Data hosting details
Cloud hosted
App/service has sub-processors
no