Data Retention & Destruction Policy
As of October 11, 2024
Purpose
It is the policy of Intensity Analytics (“IA”) to ensure that it retains only the data necessary to responsibly conduct and support its business activities, and that all data not preserved, is disposed of in an appropriate manner. This Policy sets forth the guidelines on data retention and destruction, and is to be consistently applied throughout the organization.
Scope
This Policy covers all data collected by, or created by, IA and stored on IA-owned or leased systems and media, regardless of location. It applies to both data held electronically and data that is collected and held as paper files.
This Policy applies to all business units, processes, and systems in all countries in which IA conducts business and has dealings or other business relationships with third parties.
This Policy applies to all IA officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including, but not limited to, personal data and/or sensitive personal data). It is the responsibility of all of the above to familiarize themselves with this Policy and ensure adequate compliance with it.
Administration
The Data Protection Officer (“DPO”) is the officer in charge of the administration of this Policy and the implementation of processes and procedures to ensure that the Policy is followed, including the maintenance of the Data Retention Schedule. The DPO is authorized to make modifications to the Policy from time to time to ensure that it is in compliance with all local, state, and federal laws.
To ensure this, the DPO will monitor local, state and federal laws affecting record and data retention and destruction, and annually review this Policy for compliance.
Exceptions
The need to retain or destroy certain data may be mandated by federal or local law, applicable regulations, and other legitimate business purposes, as well as the EU General Data Protection Regulation (“GDPR”). In all cases, those legal obligations will supersede the relevant portions of this Policy.
In the event IA is served with any subpoena or request for information, or any employee becomes aware of a governmental investigation or audit concerning IA, or the commencement of any litigation against, or concerning IA, such employee shall inform the DPO and any further disposal or destruction of data shall be suspended until such time as the DPO, with the advice of counsel, determines otherwise. No data shall be concealed, altered, or destroyed with the intent to obstruct the investigation or litigation. The DPO shall immediately inform the CEO and Board Chair, and take such steps as necessary to promptly inform all staff of any suspension or modification to this Policy as may be required.
Enforcement and Compliance
Any suspicion of a breach of this Policy must be reported immediately to the DPO. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.
Non-compliance with this Policy by permanent, temporary, or contract employees, or any third parties, who have been granted access to IA premises or data, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Retention Rules
In the event, for any category of data not specifically defined elsewhere in this Policy (and in particular within the Data Retention Schedule) and unless otherwise mandated differently by applicable law, the required retention period for such data will be deemed to be 7 years from the date of creation of the document.
Reasons for Retention
In the ordinary course of business activities, IA creates, collects, and stores data, which may be retained for a variety of reasons, including, but not limited to:
- providing an ongoing service (e.g., ongoing training or support, processing of employee benefits);
- support the company’s operations;
- compliance with applicable laws and regulations associated with financial reporting by IA;
- compliance with applicable labor, tax, and immigration laws, or other regulatory requirements;
- a security incident or other investigation;
- intellectual property preservation, or;
- litigation.
Data Safeguards
Appropriate controls shall be in place that prevent the permanent loss of essential information to IA as a result of malicious or unintentional destruction of information. All electronic data should be protected by access controls, firewalls, and other security settings to ensure only authorized personnel with the appropriate level of clearance may view, edit, copy, or otherwise interact with the data.
The possibility that data media used for archiving or backups will wear out, shall be considered for the purpose of meeting the requirements of this Policy. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes.
Physical documents and media will be stored in a protected condition, with reasonable provisions made to limit exposure to environmental factors that may lead to degradation or accidental destruction, for the duration of the Document Retention Schedule.
Destruction Rules
IA and its employees shall review all data on a regular basis, to identify when the retention period for given data expires, or to determine whether to destroy any other data once the purpose for it is no longer relevant. If an individual believes that there exists a legitimate business reason why certain data should not be destroyed at the end of the given retention period, they should identify this data to their supervisor and provide information as to why the data should not be destroyed. Any exceptions must be approved by the DPO, who has overall responsibility for the data destruction.
Once the decision is taken to dispose of data according to the Data Retention Schedule, that data should be deleted, shredded, or otherwise destroyed to a degree equivalent to the value to others and the level of confidentiality. The method of disposal varies and is dependent upon the nature of the data. For example, any data that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste, and be subject to secure electronic deletion, while some expired or superseded contracts may only warrant in-house shredding.
In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the DPO subcontracts for this purpose.
The DPO shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.
Implementation
Implementation of this Policy shall be deemed effective as of January 1, 2019. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
The CIO will review this Policy in consultation with the DPO on a regular schedule and, if necessary, update this Policy at least once a year.
Data Retention Schedule
The following types of documents will be retained for the following periods of time. At least one copy of each document will be retained according to the following schedule.
Corporate Records
Article of Incorporation
|
Permanent
|
Bylaws
|
Permanent
|
Resolutions
|
Permanent
|
Board meeting minutes
|
Permanent
|
Tax or employee identification number designation
|
Permanent
|
Annual corporate filings
|
Permanent
|
Annual reports
|
Permanent
|
Licenses and Permits
|
Permanent
|
Materials with historic value (pictures, publications, etc.)
|
Permanent
|
Policies and Procedures
|
Current version with revision history
|
Legal Records
Court Orders
|
Permanent
|
Legal Memoranda and Opinions (including all subject matter files)
|
10 years after close of the matter
|
Litigation Files
|
10 years after expiration of appeals or time for filing appeals, whichever is later
|
Patent correspondence and supporting materials
|
25 years after the patent is issued
|
Requests for departure from Data Retention & Destruction Policy
|
10 years
|
Financial Records
Chart of Accounts
|
Permanent
|
Fiscal Policies and Procedures
|
Permanent
|
Audits
|
Permanent
|
Financial statements
|
Permanent
|
General Ledger
|
Permanent
|
Check registers/books
|
7 years
|
Business or employee expenses documents
|
7 years
|
Bank deposit slips
|
7 years
|
Cancelled checks
|
7 years
|
Invoices
|
7 years
|
Investment records (deposits, earnings, withdrawals)
|
7 years after sale of investment
|
Property/asset inventories
|
7 years
|
Petty cash receipts/documents
|
3 years
|
Credit card receipts
|
3 years
|
Tax Records
Annual tax filings for the organization
|
Permanent
|
IRS or other government audit records
|
Permanent
|
Payroll registers
|
Permanent
|
Filings of fees paid to professionals (IRS Form 1099 in the USA)
|
7 years
|
Payroll tax withholdings
|
7 years
|
Earnings records
|
7 years
|
Tax bills
|
7 years
|
Payroll tax returns
|
7 years
|
W-2 statements
|
7 years
|
Personnel Records
Employee offer letters
|
Permanent
|
Confirmation of employment letters
|
Permanent
|
Benefits descriptions per employee
|
Permanent
|
Pension records
|
Permanent
|
Employee applications and resumes
|
7 years after separation
|
Promotions, demotions, letter of reprimand, termination
|
7 years after separation
|
Job descriptions, performance goals
|
7 years after separation
|
Employee evaluations
|
7 years after separation
|
Workers’ compensation records
|
5 years
|
Salary ranges per job description
|
5 years
|
I-9 Forms
|
7 years after separation
|
Time reports
|
3 years after separation
|
Insurance Records
Property insurance policy
|
Permanent
|
Directors and Officers insurance policy
|
Permanent
|
Workers’ Compensation insurance policy
|
Permanent
|
General Liability insurance policy
|
Permanent
|
Insurance claims applications
|
Permanent
|
Insurance disbursements / denials
|
Permanent
|
Contracts
Insurance contracts
|
Permanent
|
Employee contracts
|
Permanent
|
Construction contracts
|
Permanent
|
Legal correspondence
|
Permanent
|
Non-disclosure agreements
|
Permanent
|
Memorandums of understanding
|
Permanent
|
Loan or mortgage contracts
|
Permanent
|
Leases or deeds
|
Permanent
|
Vendor contracts
|
7 years after expiration
|
Warranties
|
7 years after expiration
|
Management Plans
Strategic plans
|
7 years
|
Budget plans
|
3 years
|
Marketing plans
|
3 years
|
Routine Records
Certain records may be routinely destroyed, per the discretion each IA department, unless subject to a legal inquiry, regulation, or other requirement as noted in the Data Retention & Destruction Policy.
Employee correspondence (including emails)
|
5 years, then as needed
|
Support documentation and related data
|
As needed
|
Announcements and notices of routine meetings or events
|
As needed
|
Requests for ordinary information, such as travel directions
|
As needed
|
Reservations for internal meetings without charges or costs
|
As needed
|
Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, and similar items that accompany other documents but do not add any value
|
As needed, unless the attached document falls under other retention rules, in which case that rule applies
|
Message slips
|
As needed
|
Duplicates such as CC and FYI copies, unaltered drafts, snapshot printouts, or extracts from databases
|
As needed
|
IA publications which are obsolete or superseded
|
As needed
|
Trade magazines, vendor catalogues, flyers, and newsletters from vendors or other external organizations
|
As needed
|
Non-Disclosure Agreement Records
Any data received under non-disclosure, and any copies of that data, along with any materials incorporating or based on that data, should be destroyed immediately when a request is received by IA from the disclosing party.