Data Retention Policy
1. Introduction
This Data Retention Policy outlines the principles, guidelines, and procedures governing the retention and disposal of data on SafeStack’s learning platform. This policy is designed to ensure the platform's compliance with data protection regulations, security standards, and the responsible management of data.1
2. Purpose
The purpose of this policy is to:
2.1. Define the data categories managed by SafeStack’s learning platform.
2.2. Specify the retention periods for each data category.
2.3. Ensure data is securely stored and disposed of when it is no longer needed.
2.4. Comply with relevant data protection laws and regulations.
2.5. Reduce data-related risks, such as breaches and misuse.
3. Data Categories
SafeStack’s learning platform processes various data categories, including but not limited to:
3.1. User Account Information: Email addresses and user preferences.
3.2. Company Information: Company (organization) information, including company name, website and contact information
3.3. Learning Data: Training progress, assessment scores, and training history.
3.4. Administrative Data: Records of user activity, support interactions, and access logs.
3.5. Payment Data: Billing and payment information (excluding credit card information) for paying customers.
3.6. Content Data: Training courses and materials.
4. Data Retention Periods
4.1. User Account Information: Retained for the duration of the user's account.
4.2. Company Information: Retained for as long as at least one user account from the company exists in SafeStack’s learning platform.
4.3. Learning Data: Retained for the duration of the user's account.
4.4. Administrative Data: Retained for 24 months for security and auditing purposes.
4.5. Payment Data: Retained for as long as necessary to complete financial transactions and for a period relevant for various tax and auditing purposes.
4.6. Content Data: Retained for the duration of its relevance to the training program. Outdated content will be archived or deleted as per the content lifecycle policy.
5. Data Security
All data on SafeStack’s learning platform will be stored securely, and access will be restricted to authorized personnel only. Data at rest and in transit will be encrypted to protect against unauthorized access.
6. Data Disposal
6.1. User Account Data: Once a user’s account is deleted, all user account information is removed from our learning platform and some user account information is retained for internal analytics, security and auditing purposes.
6.2. Company Information: Once the final user account from a company is deleted, all company information is removed from our learning platform and some company information is retained for internal analytics, security and auditing purposes.
6.3. Learning Data: Once a user’s account is deleted, their learning data will be anonymized and retained indefinitely.
6.4. Administrative Data: Administrative data will be securely deleted after at least a 24-month retention period.
6.5. Payment Data: Payment data will be securely deleted as soon as it is no longer necessary to complete financial transactions or for various tax and auditing purposes.
6.6. Content Data: Outdated or obsolete training content will be archived or deleted according to the content lifecycle policy.
7. Compliance, Review and Revision
This Data Retention Policy will be reviewed and updated as necessary to ensure compliance with changing laws and regulations, industry standards, technology and the evolving needs of SafeStack.
8. Requesting deletion or purging of your data
Any request to delete or purge data can be made via email to support@safestack.io.
9. Implementation and Training
All personnel with administrative access to SafeStack’s learning platform and its data will receive training on this policy to ensure its proper implementation.
10. Reporting and Violations
Any violations of this policy should be reported to the designated security officer via email to security@safestack.io. Violations may result in disciplinary action or legal consequences, depending on the nature and severity of the breach.
By implementing and adhering to this Data Retention Policy, SafeStack aims to safeguard data, protect privacy, and maintain compliance with applicable laws while promoting responsible data management on SafeStack’s learning platform.
Definition of terms
1. SafeStack’s learning platform: The online learning platform available at https://learn.safestack.io/, where users will do their SafeStack training. This excludes third parties that provide functionality for cloud services, authentication, content management, content streaming, badge management, payment processing, logging, monitoring, auditing, operational, and data analysis functionality used within the platform and used to develop the platform.
2. Data Retention Periods: The specific duration of time for which each category of data is preserved on the platform before it is subject to anonymization or deletion, in accordance with this policy.
3. Anonymization: A process that removes personally identifiable information (PII) from data, rendering it impossible to associate with a specific individual. Anonymized data is typically used for research, analytics, or historical reference without compromising user privacy.
4. Data Security: The measures and protocols in place to protect data from unauthorized access, breaches, or malicious activities. This includes encryption of data at rest and in transit.
5. Data Disposal: The process of permanently and securely removing data that has met its retention period or is no longer required. This may involve deletion, shredding, or rendering data irretrievable in a manner consistent with data protection regulations.
6. Compliance: The state of adhering to relevant laws, regulations, industry standards, and internal policies governing data retention, protection, and privacy.
7. Security Officer: A designated individual responsible for ensuring that the organization complies with data protection laws and policies, including overseeing data security, privacy, and related matters.
8. Content Lifecycle Policy: A separate policy that defines the lifecycle stages and management of training content on the platform, including archiving and deletion protocols based on relevance and usefulness.