Data Retention Policy

Updated 27 Aug 2024

 

Table of Contents

1.       Introduction. 2

2.       Scope. 2

3.       Roles and Responsibilities. 2

4.       Data Retention Principles. 3

5.       Data Retention Periods. 4

6.       The Retention Lifecycle. 4

7.       Security. 5

8.       Storage Location. 5

9.       Data Reviews. 5

10.          Data Disposal 6

10.1.           De-Identification and Anonymization. 6

10.2.           Documentation and Reporting. 7

11.          Compliance. 7

12.          Policy Review and Updates. 7

 

 

1.  Introduction

Manitou Research Inc. (hereinafter “the Company”, “Manitou”, or “articleOne”) is dedicated to ensuring that we manage personal and confidential information (hereinafter “Company Data”) responsibly, securely, and in compliance with applicable laws and regulations. This Data Retention Policy (Policy) outlines our guiding principles and obligations around the retention of Company Data, whether determined through a legal requirement or Business Purpose.

 

This Policy should be read in relation to other relevant policies, standards and implementation guidance. Because laws and regulations vary between jurisdictions, Data Owners should ensure their practices reflect the requirements of local law, provided they are consistent with this Policy.

2.  Scope

This Policy applies to all employees, contractors, and Service Providers (Data Processors) who handle or manage data on behalf of Manitou Research Inc. anywhere we operate. Manitou employees must read and follow this Policy prior to collecting, disposing of, or destroying Company Data.

This Policy should be applied any time we retain Company Data, including, but not limited to, personal data, organization information, information pertaining to the legislative process, proprietary information, affiliation information, political information, financial data, operational data, and any other sensitive information.

 

Please direct questions about this Policy to the Chief Operating Officer (COO) and refrain from deleting Company Data until you have obtained clear guidance from the COO.

3.  Roles and Responsibilities

Role	Responsibilities
Chief Operating Officer	·       Responsible for managing, implementing, and enforcing the Data Retention Policy ·       Ensures all retention and destruction activities comply with applicable laws, regulations, and internal policies.  ·       Oversees and approves periodic reviews and updates to the Policy.  ·       Ensures the Policy aligns with the company's overall data management and cybersecurity strategies.  ·       Works with Senior Management to evaluate continuing requirements and the scope of data retention and destruction activities.
Senior Management	·       Periodically reviews the scope and requirements of data retention and destruction activities with the DPO.
Data Team	·       Identify and classify data under their control according to the Company’s data classification scheme.  ·       Determine specific retention periods for Company Data based on business, operational, and legal requirements.  ·       Communicate with the DPO during periodic data reviews and before data destruction to confirm retention requirements and pending legal needs.
Legal	·       Guides legal and regulatory retention requirements.  ·       Issues "litigation hold" notices when necessary to preserve relevant records during legal proceedings, audits, or investigations.  ·       Collaborates with Senior Management to ensure compliance with legal holds and special retention requirements.
Engineering Team	·       Implements technical controls and processes for data retention and destruction, ensuring compliance with this Policy.  ·       Conducts periodic scans of information systems to identify data that has exceeded its retention period.  ·       Ensures that all archived data is encrypted and securely stored. ·       Ensures that Personal Information is De-identified where possible to enhance data security.  ·       Ensures complete and secure archiving and destruction of electronic data.  ·       At the direction of the Legal Department, implements technical controls to comply with legal holds.
Employees and Contractors	·       Adhere to data retention and destruction policies and procedures.  ·       Request exceptions in writing whenever Policy cannot be upheld. ·       Report any Policy violations to the DPO/CPO.  ·       Ensure no Company Data is destroyed unless it meets appropriate criteria.

 

4.  Data Retention Principles 

Manitou’s data retention principles are designed to ensure we meet our legal and contractual obligations, support business and strategic goals, provide appropriate protections to maintain the confidentiality, integrity, and availability of Company Data, and uphold our commitments to our customers and partners.

 

·      Lawfulness and Fairness: Manitou has established rules and guidelines to ensure that we only process information legally and in line with customer expectations.

·      Data minimization: We only collect information relevant and necessary for the Business Purpose and as notified to Data Subjects and/or outlined in a contract.

·      Purpose and Storage Limitation: We only retain information for as long as necessary for the Business Purpose we collected it or as defined in a contract and only use it for the purpose identified.

·      Accuracy: We take practical steps to ensure the information we retain is accurate, up-to-date and complete. In that effort, we regularly review the quality of Company Data, amend inaccurate information and delete or destroy out-of-date information.

·      Security: We implement appropriate physical, technological and administrative measures to maintain the security of Company Data from the point of collection to the point of destruction.

·      Accountability: We maintain processes and mechanisms to ensure employees, contractors and Service Providers are complying with our policies around Company Data.

5.  Data Retention Periods

Company Data is only retained for as long as necessary to fulfill the purposes for which it was collected (i.e. to provide services to the user or organization), comply with legal obligations, address system performance and technical issues, analyze trends, and generally improve the service.

 

Typically, most Personal Information is retained in an identifiable and attributable form for no more than twelve months. After twelve months, Manitou Research strips identifying metadata unless the user has indicated or otherwise caused continuing retention in an identifiable format, such as through sending a new message to a thread that contains message history that is older than twelve months, thereby resetting the rolling twelve-month period of retention.

 

Where we have effectively De-identified data we may retain it for various purposes indefinitely.

Data Type	Description	Retention period
Anonymous	Information that neither Manitou nor any other entity is reasonably able to link to a specific individual, regardless of whether it is combined with additional information.	Indefinitely
Pseudonymous	Information that has been stripped of identifiers and is unable to be linked to a specific individual on its own. Manitou may be able to link it to a specific individual when combined with additional information held separately.	Indefinitely
Personal Information	Information that can reasonably be linked to an identified or identifiable natural person.	12 months

 

6.  The Retention Lifecycle

 

• Identify Business Purpose: Typically, Manitou collects information from a user or organization for the express Business Purpose of providing services to the user or organization, to improve the platform, and to perform aggregated analysis.
  
  
• Collection: We only collect data from a user or organization required to fulfill the Business Purpose as identified in Step 1.
  
  
• Use: We only use the information for the Business Purpose for which we collected it or for related purposes. Where Manitou would like to use Personal Information for secondary uses, we must issue notice of the new use and obtain the Consent of the Data Subject. (See Appropriate Use Policy for more information.)

 

·       Business Need Expires

We only keep information for the length of time necessary for the Business Purposes it was collected unless there is a legal reason to continue to process it in that form, e.g., according to the Retention Schedule.

 

·       Confirm Whether Retention Schedule Applies

In some cases, we may have reason to keep information longer than necessary for the Business Purpose. For example, to comply with tax regulations, we may need to keep financial data from a transaction longer than necessary to complete the transaction. Prior to Deleting or anonymizing Personal Information, we must consult the Retention Schedule to determine whether there is a legal reason to retain the data.

• Secure Deletion or Anonymization: Information shall be destroyed or De-identified using the appropriate approved method when it is no longer needed for the Business Purpose or it reaches its expiration date in the Retention Schedule or privacy statutes. Note: Local copies may not be saved in order to circumvent the Retention Schedule.

7.  Security

Company Data is stored securely using physical, technical, and organizational measures appropriate to the risk it presents to Manitou, our partners, Users, and others. These measures include:

• Access Controls: Access to data is restricted to authorized personnel only, based on the principle of least privilege. This may include Manitou Research employees, contractors, and Data Processors who have been temporarily retained (e.g., for server maintenance) but who, as a condition of their retention, have signed non-disclosure agreements.
• Encryption: Company Data that represents a high level of risk is encrypted at rest and in transit. This information includes but is not limited to Personal Information, proprietary data, data subject to a Data Relationship Agreement.
• De-identification: Whenever we do not need to maintain or transmit information in an identifiable form, we De-identify it using approved methods.
• Backup: Regular backups of critical data are performed to prevent data loss. Like other data associated with the articleOne platform, backups are encrypted to prevent unauthorized access.

7.1.                            Security for U.S. Government Accounts

Access to and sharing of information within U.S. government accounts may be subject to the U.S. Constitution’s Speech or Debate Clause. The CEO, CPO, or COO must provide documented approval prior to allowing any access to these accounts.

8.  Storage Location

Manitou retains all United States user and organizational data on servers physically located in the United States. For commercial customers, while we cannot guarantee that all processing and transmission of United States user data will occur within the United States, we make all reasonable efforts to ensure that such data will not pass through international servers. 

 

For U.S. government customers, all data is stored on, processed using, and transmitted within the Azure Government Cloud environment and via SSL-encrypted (HTTPS) means to the User’s browser.

9.  Data Reviews

Manitou will perform regular scans of information systems to identify data that has exceeded its retention period and notify the appropriate Data Owners. Before data destruction, Manitou will communicate with the Data Owner on retention requirements, and review pending legal obligations and other considerations.

 

Once the review has concluded and it is determined the data is no longer necessary for Business Purposes and we have no other legitimate purpose or legal obligation to retain the data, we will destroy it in alignment with our retention principles. 

10.         Data Disposal

Company Data that is no longer necessary or relevant to Manitou or that has met its retention limit in the Data Retention Schedule must be disposed of securely using approved methods. Disposal must be complete to prevent unauthorized access; e.g., where applicable, we must dispose of both cloud-based and locally stored backup copies.

 

Any disposal, deletion, return, or De-identification of Custom Data Manitou Research has acquired is subject to the terms of the applicable Data Relationship Agreement which supersedes the terms of this Policy.

10.1.                      De-Identification and Anonymization

Personal information that is no longer needed for Business Purposes or legal obligations may be eligible for De-identification rather than disposal. When we have Personal Information that can help us identify trends, improve on products or understand how users interact with our services, we may retain the information in a De-identified format.

 

Whenever we retain De-identified information, we must:

·      Take reasonable measures to ensure the data cannot be associated with a Data Subject.

·      Keep any information capable of re-identifying the information separate.

·      Publicly commit to maintaining such data without attempting to re-identify it.

·      Contractually obligate any recipients of the data to comply with privacy and data protection laws related to de-identified information.

Depending on the jurisdiction, Pseudonymous Data may be subject to privacy and data protection laws. We must continue to maintain and protect it as such.

 

In some cases, we may be able to fully Anonymize Personal Information. Anonymized Information is information for which we have no reasonable method to re-identify and we have a reasonable belief that it cannot be re-identified by another entity. Anonymized information is not covered by privacy and data protection laws; however, prior to claiming information is anonymous, we must ensure it cannot be re-identified.

10.2.                      Documentation and Reporting 

Manitou shall maintain detailed records of all data destruction and De-identification activities, ensuring an audit trail for compliance verification. Documentation must include: 

·       Date and method of data destruction. 

·       Types and volumes of data destroyed. 

·       Employees involved in the destruction process. 

·       Justifications and approvals for any deviations from the Policy. 

11.         Compliance

All employees and contractors are responsible for understanding and adhering to this Policy. Manitou will conduct regular audits to ensure compliance with this Policy and identify areas for improvement. 

If it is not possible to comply with the requirements, employees and contractors must seek an exception as soon as possible from the Privacy Team. All exception requests must be in writing and state the scope of the non-compliance, the business justification for this non-compliance, and the name of the Manager who will take responsibility for this non-compliance.   

Please report any non-compliance with this Policy to the designated Data Protection Officer or relevant authority within Manitou Research, typically the Chief Operating Officer at [email address]. 

12.         Policy Review and Updates 

This Policy is reviewed annually to reflect changes in Manitou’s data practices, regulatory obligations, and the privacy landscape in general. The Data Protection Officer and/or Chief Privacy Officer will review and approve changes to this prior to publishing. There may be instances where it is important to change this document outside the formal update schedule; in these circumstances, changes will be managed by the Data Protection Officer and/or Chief Privacy Officer and communicated out.