Data Retention & Deletion Policy
This policy establishes mandatory retention periods, secure deletion procedures, and periodic review cycles for all categories of data processed by the Organization, in compliance with applicable data privacy laws.
Purpose & Scope
This Data Retention and Deletion Policy ("Policy") establishes the mandatory framework governing how long data is retained, when and how it is securely deleted, and the review mechanisms that ensure ongoing compliance. This policy applies to all data, electronic, physical, or verbal, processed, stored, or transmitted by Brent Norris ("the Organization") on behalf of clients, prospects, and internal operations.
The objectives of this policy are to:
- Define enforceable retention periods for every category of data the Organization processes
- Establish secure, auditable deletion procedures that prevent unauthorized data recovery
- Ensure compliance with HIPAA, CCPA, IRS requirements, and general data protection best practices
- Minimize data exposure by retaining only what is legally or operationally necessary
- Provide a structured review cycle to adapt to evolving regulatory requirements
Non-compliance with this policy may result in regulatory penalties, breach of contractual obligations, or disciplinary action. All personnel, contractors, and third-party processors are bound by this policy.
Definitions
| Term | Definition |
|---|---|
| Retention Period | The defined duration for which a specific category of data must be stored before deletion is permitted or required |
| Secure Deletion | Irreversible removal of data using cryptographic erasure, secure overwrite, or physical destruction such that recovery is computationally infeasible |
| Legal Hold | A directive suspending normal deletion schedules for data relevant to pending or anticipated litigation, regulatory investigation, or audit |
| Data Subject | Any identified or identifiable individual whose personal data is processed by the Organization |
| Cryptographic Erasure | Deletion of encryption keys rendering encrypted data permanently unreadable without decrypting and overwriting the underlying data |
| Disposal Certificate | Documented evidence confirming that data has been securely deleted, including method, date, authorizer, and scope |
Legal & Regulatory Framework
This policy is designed to satisfy the retention and deletion requirements of the following legal and regulatory frameworks:
- HIPAA (45 CFR §164.530(j)): HIPAA-related documentation must be retained for 6 years from the date of creation or the date when it was last in effect, whichever is later
- CCPA (Cal. Civ. Code §1798.105): Consumers have the right to request deletion of personal information, subject to enumerated exceptions including legal obligations and ongoing service provision
- IRS Record Retention (26 CFR §1.6001-1): Tax-related financial records must be retained for a minimum of 7 years from the date of the relevant return
- SOC 2 Trust Services Criteria (CC6.5): Controls must exist for secure disposal of data when no longer needed
- NIST SP 800-88 Rev. 1: Guidelines for media sanitization providing approved methods for clearing, purging, and destroying data
Where regulations impose conflicting retention periods, the longest applicable period governs. Where no specific regulation applies, retention defaults to the Organization's operational schedule defined in Section 5.
Data Classification for Retention
Data is classified into the following categories, each with distinct retention and deletion requirements. Classification determines retention period, deletion method, and review priority.
| Classification | Description | Deletion Method |
|---|---|---|
| Restricted | PHI, encryption keys, credentials, BAAs | Cryptographic erasure + disposal certificate |
| Confidential | Client PII, financial records, contracts, invoices | Cryptographic erasure or secure overwrite |
| Internal | Audit logs, email logs, analytics, internal notes | Standard deletion with verification |
| Public | Published website content, marketing materials | Standard removal from publication |
Retention Schedule
The following retention schedule is binding. Data must be deleted within 30 days of the retention period expiration unless a legal hold or documented exception applies (see Section 8).
5.1 Client & Business Data
| Data Category | Retention Period | Legal Basis | Review Trigger |
|---|---|---|---|
| Client account records | Engagement duration + 3 years | Contractual, statute of limitations | Client offboarding |
| Invoices & financial records | 7 years from transaction date | IRS 26 CFR §1.6001-1 | Annual tax review |
| Contracts & proposals | Engagement duration + 6 years | Statute of limitations | Contract expiration |
| Lead/prospect data | 1 year from last contact (if no engagement) | Legitimate interest | Quarterly lead review |
| Feature requests | Duration of client engagement + 1 year | Contractual | Client offboarding |
5.2 Security & Operational Data
| Data Category | Retention Period | Legal Basis | Review Trigger |
|---|---|---|---|
| Security audit logs | 2 years | Security, SOC 2 | Semi-annual review |
| Email delivery logs | 1 year | Operational, deliverability | Quarterly purge cycle |
| Site health check data | 1 year (rolling) | Service delivery | Monthly automated purge |
| Session/analytics data | 90 days (anonymized thereafter) | Legitimate interest | Automated expiry |
| Encrypted credentials | Until rotation or revocation | Security | 90-day rotation schedule |
| Email suppressions | Indefinite (compliance requirement) | CAN-SPAM, deliverability | Annual review |
5.3 HIPAA-Regulated Data
| Data Category | Retention Period | Legal Basis | Review Trigger |
|---|---|---|---|
| Business Associate Agreements | 6 years from last effective date | HIPAA §164.530(j) | BAA expiration |
| HIPAA policies & procedures | 6 years from creation or last effective date | HIPAA §164.530(j) | Annual policy review |
| PHI access logs | 6 years | HIPAA §164.312(b) | Semi-annual review |
| Security incident records | 6 years from resolution date | HIPAA §164.530(j) | Post-incident review |
| Training records | 6 years from training date | HIPAA §164.530(j) | Annual training cycle |
Deletion Procedures
All deletion activities must follow the procedures below, selected based on data classification. No data may be deleted without verifying that the retention period has expired and no legal hold applies.
6.1 Electronic Data Deletion
| Classification | Method | Verification |
|---|---|---|
| Restricted | Cryptographic erasure (key destruction) per NIST SP 800-88 | Disposal certificate + audit log entry |
| Confidential | Cryptographic erasure or 3-pass secure overwrite | Audit log entry + spot verification |
| Internal | Standard database DELETE with cascade verification | Audit log entry |
| Public | Content removal from publication platforms | URL verification (404 check) |
6.2 Deletion Workflow
Every deletion action follows this four-step workflow:
- Pre-Deletion Check: Verify retention period has expired, confirm no active legal hold, check for dependent records
- Authorization: Restricted/Confidential deletions require AI Information Security Officer approval; Internal/Public may be automated
- Execution: Apply the deletion method specified for the data classification, including backup purging
- Verification & Logging: Confirm deletion success, generate disposal certificate (Restricted), write audit log entry with timestamp, scope, method, and authorizer
6.3 Backup Deletion
- Backup copies must be purged within 30 days of primary data deletion
- Point-in-time recovery snapshots containing deleted data expire per their defined retention window (7 days for daily, 30 days for weekly)
- Off-site backups are subject to the same deletion timelines as primary storage
Individual Deletion Requests
Data subjects may request deletion of their personal information under CCPA (Cal. Civ. Code §1798.105) and general data protection principles. The Organization processes these requests as follows:
- Submission: Requests must be submitted to brentfm@gmail.com with subject line "Data Deletion Request"
- Identity Verification: Requestor identity must be verified before processing. Verification requires matching two of: email on file, phone number, account credentials
- Scope Assessment: Within 10 business days, the Organization identifies all systems containing the requestor's data
- Processing Timeline: Deletion completed within 45 calendar days of verified request. Complex requests may extend to 90 days with notice
- Confirmation: Written confirmation of deletion is provided to the requestor, specifying categories deleted and any exceptions applied
7.1 Permitted Exceptions to Deletion
The Organization may deny or partially deny a deletion request when data is required for:
- Completing a transaction or providing a requested service
- Detecting security incidents, protecting against fraud, or prosecuting offenders
- Compliance with a legal obligation (HIPAA, IRS record-keeping)
- Active litigation, legal hold, or regulatory investigation
- Internal uses reasonably aligned with consumer expectations
When an exception applies, the requestor is informed in writing with the specific exception cited, the expected retention period, and the date when deletion will proceed.
Exceptions & Legal Holds
Legal holds override normal retention and deletion schedules. When a legal hold is issued, the following procedures apply:
- Issuance: Legal holds are issued in writing by the AI Information Security Officer or legal counsel, specifying the scope of data, reason, and anticipated duration
- Implementation: All automated deletion processes affecting in-scope data are suspended within 24 hours of issuance
- Documentation: A legal hold register records: hold ID, issue date, scope, authorizer, and status
- Review: Active legal holds are reviewed every 90 days to determine whether conditions still warrant the hold
- Release: Upon release, normal deletion schedules resume. Data past its retention period is queued for deletion within 30 days of hold release
Enforcement & Accountability
This policy is enforced through the following accountability mechanisms:
AI Information Security Officer
Owns this policy. Authorizes Restricted/Confidential deletions. Conducts review cycles. Investigates policy violations.
System Administrators
Execute deletion procedures. Maintain automated purge schedules. Generate disposal certificates. Report anomalies.
All Personnel & Contractors
Must not retain data beyond authorized periods in personal storage, local devices, or shadow IT systems. Violations reported to ISO immediately.
Policy violations are treated as security incidents and handled per the Organization's Incident Response procedures. Consequences range from mandatory retraining to contract termination and legal action, proportionate to the severity of the violation.
Technical Controls
The following technical controls are implemented to enforce this policy:
- Automated Purge Jobs: Scheduled database functions that identify and delete expired records based on the retention schedule (session data at 90 days, health checks at 1 year)
- Cascade Deletion: Foreign key relationships configured with appropriate cascade rules to prevent orphaned records
- Encryption Key Lifecycle: Credential encryption keys stored in isolated vault services with 90-day automated rotation; old keys destroyed upon rotation
- Row-Level Security: Database RLS policies prevent unauthorized access to data pending deletion, ensuring only admin-role users can execute deletions
- Immutable Audit Trail: Security audit log records all deletion events with timestamp, actor, method, and scope. Audit logs themselves have no DELETE policy for non-admin users
- IP Address Hashing: IP addresses are stored as SHA-256 hashes, never in plaintext, minimizing PII exposure in operational logs
Audit & Verification
Compliance with this policy is verified through the following audit activities:
| Activity | Frequency | Responsible |
|---|---|---|
| Retention compliance scan | Quarterly | ISO |
| Automated purge verification | Monthly | System Administrator |
| Disposal certificate audit | Semi-annually | ISO |
| Legal hold register review | Quarterly | ISO / Legal Counsel |
| Deletion request log review | Quarterly | ISO |
| Third-party processor audit | Annually | ISO |
Audit findings are documented in the Organization's risk register and tracked to resolution. Critical findings require remediation within 30 days.
Review Schedule
This policy is subject to the following mandatory review cycle:
| Review Type | Frequency | Next Scheduled | Scope |
|---|---|---|---|
| Comprehensive Policy Review | Semi-annually | August 15, 2026 | Full policy text, retention periods, deletion procedures |
| Regulatory Update Review | Quarterly | May 15, 2026 | New or amended privacy laws affecting retention requirements |
| Technical Controls Review | Quarterly | May 15, 2026 | Automated purge jobs, deletion scripts, key rotation |
| Incident-Triggered Review | As needed | - | Triggered by data breaches, regulatory inquiries, or audit findings |
All review outcomes are documented with: reviewer name, review date, findings, recommended changes, and implementation timeline. Changes to retention periods require documented justification and ISO approval before taking effect.
Contact Information
For questions about this policy, data deletion requests, or to report a retention violation, contact:
Subject Lines
"Data Deletion Request" for individual requests | "Retention Policy Inquiry" for general questions | "Retention Violation Report" for incidents
Response Times
Deletion requests: 45 calendar days | General inquiries: 30 calendar days | Violation reports: 48 hours
Document Control: Version 1.0 | Effective: February 15, 2026 | Last Updated: February 15, 2026 | Next Review: August 15, 2026
This Data Retention & Deletion Policy should be read in conjunction with the Information Security Policy and Privacy Policy.