A2X Data Retention Policy

Purpose, Scope, and Users

This policy sets the required retention periods for specified categories of data stored by A2X (further: the "Company"). It also sets out the general standards applied to data while stored and retained by the Company, as well as processes applied when destroying data no longer retained.

This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors, or service providers that may collect, process, or have access to data (including personal data and / or sensitive personal data). It is the responsibility of all of the above to familiarize themselves with this Policy and ensure adequate compliance with it.

This policy applies to all data collected to support processing of customer data, including from third-party sales channels through API integration of customer transaction information, and customer support records. Examples of this data include:

• Raw transaction data files stored in Google Cloud Storage Buckets
• Synthesized accounting data stored in A2X database(s)
• Customer support notes, email, call recordings, and other customer artifacts

General Retention Policy

Company will define a retention schedule for all customer-related data in use within the organization and will document that in the Data Retention Schedule below.

Data retention schedule for customer data

As a general rule, customer data is stored for a period of 7 years. Company processes financial and accounting data for customers and in the event of an audit this data is stored to support customer tax records. Data retained for this period includes:

• Raw customer transaction files gathered from third party integrations;
• Transaction and other customer profile information stored within the Company datastores
• Database and file backups replicated to AWS
• Customer support ticket information stored in Intercom

As an exemption, retention periods within data retention schedule can be prolonged in cases such as:

• Ongoing investigations from Member States authorities, if there is a chance records of personal data are needed by the Company to prove compliance with any legal requirements; or
• When exercising legal rights in cases of lawsuits or similar court proceeding recognized under local law.

No data covered under this policy shall be printed in hardcopy format, or stored outside of approved digital storage locations as outlined by overall system architecture and design.

Data Protection Officer defines the time period for which data and electronic records should be retained.

Safeguarding of Data During Retention Period

Measures will be taken to ensure that the information can be accessed only by authorized users during the retention period and will be stored according to data security best practices.

Data security controls include:

• All data stored within the Google Cloud Platform (GCP) infrastructure is encrypted at rest
• Strict Identity and Access Management (IAM) controls are enforced within the GCP
• Application controls prevent unauthorized access except as approved through application privileges and credentials

Data safeguarding is the responsibility of the Company engineering team.

Destruction of Data

The Company and its employees should therefore, on a regular basis, review all data, whether held electronically on their devices or stored within third-party providers, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. Overall responsibility for the destruction of data falls to the Data Protection Officer.

Once the decision is made to dispose of data according to the Retention Schedule, data will be deleted from all necessary systems to fulfill the retention schedule requirements. Data will be disposed of appropriately upon the nature of the document. All data managed under this policy is digital and will be disposed of accordingly.

Policy Enforcement

The Company Data Protection Office is responsible for ensuring compliance with this policy and will assist with the protection of Company systems and data. Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.