Data Retention and Disposal Policy

LEAP -- Data Retention and Disposal Policy

Document Number POL-GL-COM-DATARD-V1.0
Target audience InfoSec, DevSecOps, DevOps, GRC, IT Ops, Legal & Privacy
Effective Date

Cover page layout

Contents

  • 1. Purpose
  • 2. Scope
  • 3. Definitions
  • 4. Roles and Responsibilities
  • 5. Data Classification and Handling
  • 6. Retention Principles
  • 7. Retention Schedule
  • 8. Disposal Requirements
  • 8.1. General Disposal Process
  • 8.2. Client Data Disposal
  • 8.3. CHD Data
  • 8.4. Media and Device Disposal
  • 8.5. Cryptographic Erasure
  • 9. System Guidance
  • 9.1. AWS and Datastores
  • 9.2. O365
  • 9.3. Endpoint and Mobile
  • 9.4. Product/AI Services
  • 10. Any References
  • 11. Policy Exceptions
  • 12. Policy Enforcement
  • 13. Policy Monitoring
  • 14. Awareness & Communication
  • 15. Version History

Purpose

This policy defines the principles, responsibilities, retention schedules, and disposal requirements governing the lifecycle of LEAP information assets. It mitigates risks of non-compliance with regulatory, legal, contractual, and audit obligations, and aligns with business, privacy, and security objectives across all LEAP entities.

Scope

This policy applies to all LEAP data assets regardless of format or location, including:

  • Cloud services (AWS, Azure, M365, SaaS platforms)
  • Managed endpoints, mobile devices, and BYOD under MDM/MAM
  • On-premise repositories, collaboration platforms (SharePoint, Confluence), and monitoring systems
  • Backups, snapshots, and disaster recovery copies
  • Third-party systems under LEAP control or processing agreements

Covered data includes, without limitation: Intellectual Property (IP), customer and employee Personally Identifiable Information (PII), Personal Health Information (PHI), Cardholder Data (CHD), Business-Sensitive Information (BSI), financial records, logs, audit trails, and product/system configurations.

It covers all LEAP employees, contractors, vendors, and partners who create, store, process, or dispose of LEAP information assets, across all LEAP legal entities and operating regions.

Definitions

Term Definition
Data Owner The accountable business leader for a dataset who defines, documents, and enforces retention and disposal requirements for their information asset
Data User Any person or system accessing, processing, or storing LEAP data under authorisation of the Data Owner.
Record Information created or received and maintained as evidence of activities and obligations (e.g. contracts, invoices, audit logs, security events).
Retention The mandated period a record or dataset must be preserved in accessible form to meet legal, regulatory, contractual, or business requirements.
Disposal The irreversible, secure destruction or deletion of data once the retention period ends, including removal from backups where feasible and required. Must be verifiable and auditable
Legal Hold A suspension of normal disposal processes due to litigation, regulatory investigation, or internal audit. Overrides all retention schedules.
RTO / RPO Recovery Time Objective / Recovery Point Objective
Data Classification LEAP's framework for categorising information by sensitivity (e.g. Public, Internal, Confidential, Restricted/Sensitive), which governs applicable controls.
Certificate of Destruction Written evidence from an authorised party confirming irreversible disposal of a media asset or dataset. Required for Confidential and above classifications.

Roles and Responsibilities

Role Responsibilities
CISO Policy Owner. Accountable for policy maintenance, review, and enforcement. Reviews data lifecycle risk posture at management review
Data Owners Classify data and document legal, regulatory, and contractual retention and disposal requirements. Approve system-level retention configurations. Coordinate with Legal on legal holds and with GRC on audits and policy reviews.
GRC / Information Security Maintain this policy and map controls to ISO 27001 Annex A and SOC 2 Trust Services Criteria. Monitor adherence, conduct periodic reviews, and coordinate evidence for certification audits.
IT Operations / DevOps / Infrastructure Implement and maintain technical retention and disposal controls across infrastructure, SaaS, endpoints, and backups. Operate secure media sanitisation and destruction processes. Retain certificates of destruction.
Legal Advise on statutory and contractual retention obligations. Trigger, manage, escalate, and release legal holds. Ensure disposal processes honour applicable privacy rights
All Staff / Data Users Handle data consistent with its classification and applicable retention and disposal rules. Report suspected policy breaches to GRC.

Data Classification and Handling

  • Retention and disposal must align with LEAP's Data Classification standards for AWS and enterprise systems. Systems holding Sensitive, Confidential, Private, Proprietary, or Public data must implement controls commensurate with risk and classification.

Operational requirements:

  • Tag all data stores with classification metadata (e.g. AWS tag DataClassification, M365 sensitivity labels)
  • Apply retention labels in M365 (SharePoint, OneDrive, Exchange) aligned to record type and classification
  • Enforce access controls appropriate to data classification to simplify lifecycle management and audit evidence
  • Duplicates and copies must follow the same or shorter retention period as the system of record, proliferation should be minimised

Retention Principles

  • Minimum necessary: Retain data only for legitimate business, legal, regulatory, or contractual needs.
  • Definitive schedules: Follow the documented schedule below unless stricter obligations apply.
  • System-of-record driven: Retention is governed by the authoritative record repository, duplicates should be minimized and follow the same or shorter retention.
  • Backups: Backups are for availability and disaster recovery, they should not be used to circumvent disposal requirements.
  • Legal hold supremacy: All disposal is suspended when a legal hold is in force.
  • Privacy rights: Where lawful erasure requests are received, data must be evaluated against retention obligations and deleted promptly where no legal basis for retention exists

Retention Schedule

Data/Record Type Owner/System of Record Retention Period Trigger/Event
General Ledger, Annual Audit Reports, Financial Statements, Board Minutes, Chart of Accounts Finance Permanent Creation/Approval
Accounts Payable/Receivable Ledgers & Schedules, Bank Statements, Insurance Records, Risk Assessments, Internal Audit Reports, Employee Payroll, Contractor Payments, Employee Expense Reports Finance, Risk Seven years Fiscal year end, Report issuance
Contracts and Leases Legal, Procurement Seven years after expiration Contract end/termination
Legal Correspondence, Legal Files/Papers Legal Permanent (correspondence), Seven years after matter close (files) Matter closure
Emails (internal/external business records) All Functions, M365 Two years (baseline) Message date
Electronic Documents (business records) SharePoint/OneDrive/Confluence Aligned to record type As per classification
Business-Sensitive Information (BSI) not above Respective Owners As defined by Owner, typically 3--7 years Business event
PII and PHI (employees, customers, third parties) HR, Product, Support For as long as a business purpose or legal requirement exists Employment end, contract end, purpose fulfilled
Cardholder Data (CHD) Payments/Finance Minimum necessary, delete when no longer required Transaction/Settlement complete
System Logs and Audit Trails IT/DevOps/SecOps/Infra Per control needs Log creation
Backups (AWS resources, databases, snapshots) DevOps Per backup policy Backup creation

Disposal Requirements

General Disposal Process

  • Before disposal, confirm the retention period has elapsed and no legal hold is active
  • Obtain Data Owner approval for disposal of Confidential, Restricted, or Sensitive-classified data
  • Document the disposal event: data/asset type, system, method, date, and authorising individual
  • Retain certificates of destruction or disposal logs

Client Data Disposal

  • Disposal follows the governing contract. Absent specific terms, LEAP initiates platform hard-delete via approved scripts for full removal from active systems
  • Where backups exist, they are retained until backup retention expiry, early purge from immutable backups may be infeasible --- communicate this limitation in contracts and deletion confirmations
  • Customer deletion requests must be acknowledged, actioned, and documented within the timeframe stipulated by contract or applicable law

CHD Data

  • Securely delete or render unrecoverable when no longer needed, quarterly review to identify and remove CHD beyond defined retention.

Media and Device Disposal

  • Use certified secure erasure (e.g., BitRaser) prior to redeployment, obtain and archive erasure certificates.
  • For end-of-life hardware, use a certified destruction provider, retain chain-of-custody and certificates by year.
  • Follow LEAP Asset Inventory and Registration Policy disposal evidence requirements prior to status change to DISPOSED.

Cryptographic Erasure

  • For encrypted storage (e.g. AWS S3 with SSE-KMS, encrypted EBS volumes), cryptographic erasure via key deletion is an acceptable disposal method where full overwrite is not feasible
  • Document the key lifecycle and deletion event as the disposal record

System Guidance

AWS and Datastores

  • Enforce resource tags for DataClassification, ensure RDS, DynamoDB, OpenSearch, S3 apply backup and snapshot retention consistent with RPO/RTO and the backup policy.
  • Use platform features for PITR and snapshot retention (e.g., Neon Instant Restore 30‑day snapshots for CRM branch protection) as documented.
  • Enable object lifecycle policies in S3 for automatic expiry and deletion of objects reaching their retention end-date, review policies annually

O365

  • Apply retention policies/labels per record type, for SharePoint/OneDrive, understand Preservation Hold library behavior and storage impact.
  • For user departures, OneDrive content remains under applied retention for the configured duration, automatic deletion follows policy.
  • Configure Exchange Online retention policies for email aligned to the schedule

Endpoint and Mobile

  • Utilize Intune wipe workflows for redeployment, capture audit logs and attach to the asset or ticket per SOP.
  • BYOD app protection ensures corporate data is contained and removable, removing the MDM profile/app protection revokes access and retires protected data per policy.
  • All wipe and disposal events must be recorded.

Product/AI Services

  • Where AI services are used, ensure zero data retention with foundation models and product-specific chat history retention aligned to declared policies, enable user deletion where supported and honor lawful erasure requests.

Any References

  • NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
  • LEAP Information Security Policy
  • LEAP Data Classification Policy
  • LEAP Backup and Recovery Policy
  • LEAP Asset Inventory and Registration Policy
  • LEAP Risk Management Framework

Policy Exceptions

Exceptions in this policy will be risk-assessed by LEAP's Leadership Committee with valid business justification and Policy Owner's approval. Exceptions will be time bound

Policy Enforcement

Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to HR disciplinary action, up to and including termination of employment

Policy Monitoring

Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.

Awareness & Communication

This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).

Version History

Version Number Date Section Changes Author Approver
1.0 <<enter date>> Initial Release Manager of GRC CISO