Effective Date: March 6, 2024
To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.
All CamelQA data, information and information systems.
CamelQA classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
Highly sensitive data requiring the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner or a company executive. Examples include:
CamelQA proprietary information requiring thorough protection; access is restricted to employees with a "need-to-know" based on business requirements. This data can only be distributed outside the company with approval. This is the default for all company information unless stated otherwise. Examples include:
Documents intended for public consumption which can be freely distributed outside CamelQA. Examples include:
Confidential data is subject to the following protection and handling requirements:
Restricted data is subject to the following protection and handling requirements:
No special protection or handling controls are required for public data. Public data may be freely distributed.
CamelQA shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use. Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.
Data classified as restricted or confidential shall be securely deleted when no longer needed. CamelQA shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third parties who meet CamelQA requirements for secure data disposal shall be used for storage and processing of restricted or confidential data.
CamelQA shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of, disposal.
Confidential and Restricted hardcopy materials shall be shredded or otherwise disposed of using a secure method.
Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.
Under certain circumstances, CamelQA may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by CamelQA legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with CamelQA’s legal counsel to evaluate continuing requirements and scope.
CamelQA will measure and verify compliance with this policy through various methods, including but not limited to business tool reports and both internal and external audits.
Requests for an exception to this policy must be submitted to the CRO, Isabella Reed, for approval.
Any known violations of this policy should be reported to the CRO, Isabella Reed. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures, up to and including termination of employment.
Date: 06 Mar 2024
Description: First Version
Author: Isabella Reed
Approved by: Isabella Reed
CamelQA’s Engineering Team is responsible for setting and enforcing the data retention and disposal procedures for CamelQA managed accounts and devices.
Customer accounts and data shall be deleted within sixty (60) days of contract termination through manual data deletion processes.
Employee devices will be collected promptly upon an employee’s termination. Remote employees will be sent a shipping label and the return of their device shall be monitored. Collected devices will be cleared to be re-provisioned or removed from inventory; CamelQA will securely erase the device when re-provisioning. Device images may be retained at the discretion of management for business purposes. In cases where a device is damaged in a way that CamelQA cannot access the Recovery Partition to erase the drive, CamelQA may optionally decide to use an E-Waste service that includes data destruction with a certificate. CamelQA will keep certificates of destruction on record for one year. Physical destruction can be optional if it is verified that the device is encrypted with Full Disk Encryption, which would negate the risk of data recovery. Management will review this procedure at least annually.
This table outlines the data retention periods for various systems and applications within CamelQA.
System or Application | Data Description | Retention Period |
---|---|---|
CamelQA SaaS Products (AWS) | Customer Data | Up to 60 days after contract termination |
CamelQA AutoSupport | Customer instance and metadata, debugging data | Indefinite |
CamelQA Customer Support Tickets (Salesforce) | Support Tickets and Cases | Indefinite |
CamelQA Customer Support Phone Conversations (TalkDesk) | Support Phone Conversations | Indefinite |
CamelQA Security Event Data (Splunk) | Security and system event and log data, network data flow logs | On-Premise: Indefinite; AWS Instance: 1 year |
CamelQA Vulnerability Scan Data (Qualys) | Vulnerability scan results and detection data | 6 months; host (asset) data is retained until removed and purged from Qualys |
CamelQA Customer Sales (Salesforce) | Opportunity and Sales Data | Indefinite |
CamelQA QA and Testing Data (TestRail) | QA, testing scenarios and results data | Indefinite |
Security Policies | Security Policies | 1 year after archive |
Temporary Files | AWS /tmp ephemeral storage | automatically when process finishes |