1.0 Overview

The need to retain data varies widely with the type of data. Some data can be immediately deleted and some must be retained until reasonable potential for future need no longer exists. Since this can be somewhat subjective, a retention policy is important to ensure that the company's guidelines on retention are consistently applied throughout the organization.

2.0 Purpose

The purpose of this policy is to specify the company's guidelines for retaining different types of data.

3.0 Scope

The scope of this policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location.

Note that the need to retain certain information can be mandated by local, industry, or federal regulations. Where this policy differs from applicable regulations, the policy specified in the regulations will apply.

4.0Policy

4.1Data Retention

The company does not wish to simply adopt a "save everything" mentality. That is not practical or cost-effective, and would place an excessive burden on the IT Staff to manage the constantly-growing amount of data.

Data must be retained in order to protect the company's interests, preserve evidence, and generally conform to good business practices. Data retention include:

(a)Tax Records. Tax records include, but may not be limited to, documents concerning payroll, expenses, proof of deductions, business costs, accounting procedures, and other documents concerning the Company's revenues. Tax

records should be retained for at least six years from the date of filing the applicable return.

(b)Employment Records/Personnel Records. State and federal statutes require the Company to keep certain recruitment, employment and personnel information. The Company should also keep personnel files that reflect performance reviews and any complaints brought against the Company or individual employees under applicable state and federal statutes. The Company should also keep all final memoranda and correspondence reflecting performance reviews and actions taken by or against personnel in the employee's personnel file. Employment and personnel records should be retained for six years.

(c)Partnership Meetings. Meeting minutes should be retained in perpetuity in the Company's minute book. A clean copy of all Board and Board Committee materials should be kept for no less than three years by the

Company.

(d)Press Releases/Public Filings. The Company should retain permanent copies of all press releases and publicly filed documents under the theory that the Company should have its own copy to test the accuracy of any document a member of the public can theoretically produce against that Company

(e)Legal Files. Legal counsel should be consulted to determine the retention period of particular documents, but legal documents should generally be maintained for a period of ten years.

(f)Marketing and Sales Documents. The Company should keep final copies of marketing and sales documents for the same period of time it keeps other corporate files, generally three years.

An exception to the three-year policy may be sales invoices, contracts, leases, licenses and other legal documentation. These documents should be kept for a least three years beyond the life of the agreement.

(g)Development/Intellectual Property and Trade Secrets. Development documents are often subject to intellectual property protection in their final form (e.g., patents and copyrights). The documents detailing the

development process are often also of value to the Company and are protected as a trade secret where the Company:

derives independent economic value from the secrecy of the information; and

the Company has taken affirmative steps to keep the information confidential.

The Company should keep all documents designated as containing trade secret information for at least the life of the trade secret.

(h)Contracts. Final, executed copies of all contracts entered into by the Company should be retained. The Company should retain copies of the final contracts for at least three years beyond the life of the agreement, and longer in the case of publicly filed contracts.

(i)Electronic Mail. E-mail that needs to be saved should be either:

printed in hard copy and kept in the appropriate file; or

downloaded to a computer file and kept electronically or on disk as a separate file.

The retention period depends upon the subject matter of the e-mail, as covered elsewhere in this policy.

4.2 Data Duplication

As data storage increases in size and decreases in cost, companies often err on the side of storing data in several places on the network. A common example of this is where a single file may be stored on a local user's machine, on a central file server, and again on a backup system. When identifying and classifying the company's data, it is important to also understand where that data may be stored, particularly as duplicate copies, so that this policy may be applied to all duplicates of the information.

4.3 Data Destruction

Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will not get buried in data, making data management and data retrieval more complicated and expensive than it needs to be. Exactly how certain data should be destroyed is covered in the Data Classification Policy.

When the retention timeframe expires, the company must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she

should identify the data to his or her supervisor so that an exception to the policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of the company's executive team.

The company specifically directs users not to destroy data in violation of this policy. Particularly forbidden is destroying data that a user may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy.

4.4 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Backup To copy data to a second location, solely for the purpose of safe keeping of that data.

7.0 Revision History

Revision 1.0, 10/13/2012

Revision 2.0, 09/09/2014