DefectDojo DefectDojo
Trust Center

Data Retention Policy

1. Purpose

The purpose of this policy is to ensure the appropriate retention of data in accordance with applicable legislative, regulatory, and contractual requirements. It also informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding the retention of data stored across all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

2. Scope

This policy applies to data retention as it relates to information security and the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to this policy must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

3.4 Continual Improvement

This document is updated and reviewed as part of the continual improvement process.

4. Requirements

4.1 Roles and Responsibilities

4.1.1 DefectDojo Staff

All DefectDojo Staff must follow the Data Retention Principles outlined below.

4.1.2 Security Operations

The Security Operations team is responsible for:

  • Setting the Data Retention Policy and ensuring that it is being followed.
  • Defining audit processes for compliance with data retention regulations.
  • Reviewing data retention periods periodically and at least annually.

4.2 Data Retention Principles

  • All Customer Data is retained for the duration of the contract, unless indicated otherwise by the Customer.
  • Upon the end of the retention period, all Customer Data must be permanently removed from the Cloud Provider(s) where it is stored (e.g., AWS, Azure, GCP), including all backups, where applicable.
  • All other data is retained in accordance with the Data Retention Schedule.

5. Relevant Documents

  • Data Retention Schedule
Prev
Data Classification Policy
Next
Employee Training and Development Policy