Security and Compliance
Security Controls
DM.7.03 - Data Retention and Disposal Policy

Control Statement

A record retention policy and schedule define data retention and disposal practices to ensure data is properly stored and erased when no longer needed.


Securely disposing of both electronic and physical media adds a layer of protection from the data being disposed by unauthorized persons. There are several effective, publicly available tools and techniques to recover data from electronic and physical media, including hard drives and shredded paper. This control aims to reduce the risk of data being recovered by unauthorized persons and shows customers, IllumiDesk team-members, and partners we take measures to protect their data even after it's done being used.


This control applies to Red and Orange data as defined in the Data Classification Policy


  • Control Owner: IT Ops
  • Process owner(s):
    • IT Ops: 100%


Certificates or logs of erasure should be maintained in accordance with the Record Retention Policy

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Data Retention and Disposal Policy issue.
Examples of evidence an auditor might request to satisfy this control:
  • Record Retention Policy
  • Record Retention Schedule
  • Certificate(s) or log(s) of disposal
  • Records indicating media is disposed of when appropriate

Framework Mapping

  • SOC2 CC
    • CC6.5