Data Retention & Destruction Policy

As of June 16, 2024

Purpose

It is the policy of Intensity Analytics (“IA”) to ensure that it retains only the data necessary to responsibly conduct and support its business activities, and that all data not preserved, is disposed of in an appropriate manner. This Policy sets forth the guidelines on data retention and destruction, and is to be consistently applied throughout the organization.

Scope

This Policy covers all data collected by, or created by, IA and stored on IA-owned or leased systems and media, regardless of location. It applies to both data held electronically and data that is collected and held as paper files.

This Policy applies to all business units, processes, and systems in all countries in which IA conducts business and has dealings or other business relationships with third parties.

This Policy applies to all IA officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including, but not limited to, personal data and/or sensitive personal data). It is the responsibility of all of the above to familiarize themselves with this Policy and ensure adequate compliance with it.

Administration

The Data Protection Officer (“DPO”) is the officer in charge of the administration of this Policy and the implementation of processes and procedures to ensure that the Policy is followed, including the maintenance of the Data Retention Schedule. The DPO is authorized to make modifications to the Policy from time to time to ensure that it is in compliance with all local, state, and federal laws.

To ensure this, the DPO will monitor local, state and federal laws affecting record and data retention and destruction, and annually review this Policy for compliance.

Exceptions

The need to retain or destroy certain data may be mandated by federal or local law, applicable regulations, and other legitimate business purposes, as well as the EU General Data Protection Regulation (“GDPR”). In all cases, those legal obligations will supersede the relevant portions of this Policy.

In the event IA is served with any subpoena or request for information, or any employee becomes aware of a governmental investigation or audit concerning IA, or the commencement of any litigation against, or concerning IA, such employee shall inform the DPO and any further disposal or destruction of data shall be suspended until such time as the DPO, with the advice of counsel, determines otherwise. No data shall be concealed, altered, or destroyed with the intent to obstruct the investigation or litigation. The DPO shall immediately inform the CEO and Board Chair, and take such steps as necessary to promptly inform all staff of any suspension or modification to this Policy as may be required.

Enforcement and Compliance

Any suspicion of a breach of this Policy must be reported immediately to the DPO. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.

Non-compliance with this Policy by permanent, temporary, or contract employees, or any third parties, who have been granted access to IA premises or data, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.

Retention Rules

In the event, for any category of data not specifically defined elsewhere in this Policy (and in particular within the Data Retention Schedule) and unless otherwise mandated differently by applicable law, the required retention period for such data will be deemed to be 7 years from the date of creation of the document.

Reasons for Retention

In the ordinary course of business activities, IA creates, collects, and stores data, which may be retained for a variety of reasons, including, but not limited to:

Data Safeguards

Appropriate controls shall be in place that prevent the permanent loss of essential information to IA as a result of malicious or unintentional destruction of information. All electronic data should be protected by access controls, firewalls, and other security settings to ensure only authorized personnel with the appropriate level of clearance may view, edit, copy, or otherwise interact with the data.

The possibility that data media used for archiving or backups will wear out, shall be considered for the purpose of meeting the requirements of this Policy. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes.

Physical documents and media will be stored in a protected condition, with reasonable provisions made to limit exposure to environmental factors that may lead to degradation or accidental destruction, for the duration of the Document Retention Schedule.

Destruction Rules

IA and its employees shall review all data on a regular basis, to identify when the retention period for given data expires, or to determine whether to destroy any other data once the purpose for it is no longer relevant. If an individual believes that there exists a legitimate business reason why certain data should not be destroyed at the end of the given retention period, they should identify this data to their supervisor and provide information as to why the data should not be destroyed. Any exceptions must be approved by the DPO, who has overall responsibility for the data destruction.

Once the decision is taken to dispose of data according to the Data Retention Schedule, that data should be deleted, shredded, or otherwise destroyed to a degree equivalent to the value to others and the level of confidentiality. The method of disposal varies and is dependent upon the nature of the data. For example, any data that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste, and be subject to secure electronic deletion, while some expired or superseded contracts may only warrant in-house shredding.

In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the DPO subcontracts for this purpose.

The DPO shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.

Implementation

Implementation of this Policy shall be deemed effective as of January 1, 2019. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

The CIO will review this Policy in consultation with the DPO on a regular schedule and, if necessary, update this Policy at least once a year.


Data Retention Schedule

The following types of documents will be retained for the following periods of time. At least one copy of each document will be retained according to the following schedule.

Corporate Records

Article of Incorporation Permanent
Bylaws Permanent
Resolutions Permanent
Board meeting minutes Permanent
Tax or employee identification number designation Permanent
Annual corporate filings Permanent
Annual reports Permanent
Licenses and Permits Permanent
Materials with historic value (pictures, publications, etc.) Permanent
Policies and Procedures Current version with revision history

Legal Records

Court Orders Permanent
Legal Memoranda and Opinions (including all subject matter files) 10 years after close of the matter
Litigation Files 10 years after expiration of appeals or time for filing appeals, whichever is later
Patent correspondence and supporting materials 25 years after the patent is issued
Requests for departure from Data Retention & Destruction Policy 10 years

Financial Records

Chart of Accounts Permanent
Fiscal Policies and Procedures Permanent
Audits Permanent
Financial statements Permanent
General Ledger Permanent
Check registers/books 7 years
Business or employee expenses documents 7 years
Bank deposit slips 7 years
Cancelled checks 7 years
Invoices 7 years
Investment records (deposits, earnings, withdrawals) 7 years after sale of investment
Property/asset inventories 7 years
Petty cash receipts/documents 3 years
Credit card receipts 3 years

Tax Records

Annual tax filings for the organization Permanent
IRS or other government audit records Permanent
Payroll registers Permanent
Filings of fees paid to professionals (IRS Form 1099 in the USA) 7 years
Payroll tax withholdings 7 years
Earnings records 7 years
Tax bills 7 years
Payroll tax returns 7 years
W-2 statements 7 years

Personnel Records

Employee offer letters Permanent
Confirmation of employment letters Permanent
Benefits descriptions per employee Permanent
Pension records Permanent
Employee applications and resumes 7 years after separation
Promotions, demotions, letter of reprimand, termination 7 years after separation
Job descriptions, performance goals 7 years after separation
Employee evaluations 7 years after separation
Workers’ compensation records 5 years
Salary ranges per job description 5 years
I-9 Forms 7 years after separation
Time reports 3 years after separation

Insurance Records

Property insurance policy Permanent
Directors and Officers insurance policy Permanent
Workers’ Compensation insurance policy Permanent
General Liability insurance policy Permanent
Insurance claims applications Permanent
Insurance disbursements / denials Permanent

Contracts

Insurance contracts Permanent
Employee contracts Permanent
Construction contracts Permanent
Legal correspondence Permanent
Non-disclosure agreements Permanent
Memorandums of understanding Permanent
Loan or mortgage contracts Permanent
Leases or deeds Permanent
Vendor contracts 7 years after expiration
Warranties 7 years after expiration

Management Plans

Strategic plans 7 years
Budget plans 3 years
Marketing plans 3 years

Routine Records

Certain records may be routinely destroyed, per the discretion each IA department, unless subject to a legal inquiry, regulation, or other requirement as noted in the Data Retention & Destruction Policy.

Employee correspondence (including emails) 5 years, then as needed
Support documentation and related data As needed
Announcements and notices of routine meetings or events As needed
Requests for ordinary information, such as travel directions As needed
Reservations for internal meetings without charges or costs As needed
Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, and similar items that accompany other documents but do not add any value As needed, unless the attached document falls under other retention rules, in which case that rule applies
Message slips As needed
Duplicates such as CC and FYI copies, unaltered drafts, snapshot printouts, or extracts from databases As needed
IA publications which are obsolete or superseded As needed
Trade magazines, vendor catalogues, flyers, and newsletters from vendors or other external organizations As needed

Non-Disclosure Agreement Records

Any data received under non-disclosure, and any copies of that data, along with any materials incorporating or based on that data, should be destroyed immediately when a request is received by IA from the disclosing party.