This policy sets the required retention periods for specified categories of data stored by A2X (further: the "Company"). It also sets out the general standards applied to data while stored and retained by the Company, as well as processes applied when destroying data no longer retained.
This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors, or service providers that may collect, process, or have access to data (including personal data and / or sensitive personal data). It is the responsibility of all of the above to familiarize themselves with this Policy and ensure adequate compliance with it.
This policy applies to all data collected to support processing of customer data, including from third-party sales channels through API integration of customer transaction information, and customer support records. Examples of this data include:
Company will define a retention schedule for all customer-related data in use within the organization and will document that in the Data Retention Schedule below.
As a general rule, customer data is stored for a period of 7 years. Company processes financial and accounting data for customers and in the event of an audit this data is stored to support customer tax records. Data retained for this period includes:
As an exemption, retention periods within data retention schedule can be prolonged in cases such as:
No data covered under this policy shall be printed in hardcopy format, or stored outside of approved digital storage locations as outlined by overall system architecture and design.
Data Protection Officer defines the time period for which data and electronic records should be retained.
Measures will be taken to ensure that the information can be accessed only by authorized users during the retention period and will be stored according to data security best practices.
Data security controls include:
Data safeguarding is the responsibility of the Company engineering team.
The Company and its employees should therefore, on a regular basis, review all data, whether held electronically on their devices or stored within third-party providers, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. Overall responsibility for the destruction of data falls to the Data Protection Officer.
Once the decision is made to dispose of data according to the Retention Schedule, data will be deleted from all necessary systems to fulfill the retention schedule requirements. Data will be disposed of appropriately upon the nature of the document. All data managed under this policy is digital and will be disposed of accordingly.
The Company Data Protection Office is responsible for ensuring compliance with this policy and will assist with the protection of Company systems and data. Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.