SOC 2 Retaining Personal Information (P4.2)

Overview:
The entity retains personal information consistent with the entity’s objectives related to privacy.


Action Items:
1) Create a data retention and disposal policy and related procedures and publish on the company intranet for employees to access and review.
2) Inspect the data retention and disposal policy to determine that documented data retention and disposal policies are in place to guide personnel on the procedures for retention and disposal of confidential information.
3) Inspect the customer agreements’ provisions and production database backup configuration and logs to determine that the company backs up customer data on a recurring basis and as outlined in the backup policy, and retains data for the duration of the customer agreement.


Related Documents:
1) Data retention and disposal policy
2) Sample of customer agreements and signed terms and conditions
3) Production database backup configurations and logs

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Retains Personal Information—Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise.
2) Protects Personal Information—Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.