
Data Retention and Disposal Policy and Procedures

View Data Retention and Disposal Policy and Procedures (PDF)

Overview

Date last updated: September 27, 2023

A formal data retention policy effectively identifies the type of data that needs to be retained, where such data resides, and the measures in place to securely delete and/or destroy the data as soon as it is no longer needed.

In accordance with mandated organizational security requirements set forth and approved by management, Fulcrum has established a formal data retention and disposal policy and supporting procedures. This policy is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on an annual basis to ensure its adequacy and relevance to Fulcrum’s needs and goals.

Purpose

This policy and applicable supporting procedures are designed to provide Fulcrum with a documented and formalized process for data retention and disposal. Additionally, compliance with the stated policy and supporting procedures helps ensure the confidentiality, integrity, and availability (CIA) of Fulcrum’s system components.

Scope

This policy and supporting procedures encompass all system components that are owned, operated, maintained, and controlled by Fulcrum, and all other system components, both internal and external, that interact with these systems.

  • Internal system components are those owned, operated, maintained, and controlled by Fulcrum and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and the underlying application(s) that reside on them) and any other system components deemed in scope.
  • External system components are those owned, operated, maintained, and controlled by any entity other than Fulcrum, but which may impact the confidentiality, integrity, and availability (CIA) and overall security of the “Internal system components” described above.

Roles and Responsibilities

Implementing and adhering to organizational policies and procedures is a collaborative effort, requiring a true commitment from all personnel, including management, internal employees and users of system components, along with vendors, contractors, and other relevant third parties.

Additionally, by being aware of their roles and responsibilities as they pertain to Fulcrum information systems, all relevant parties help promote the Confidentiality, Integrity, and Availability (CIA) principles for information security in today’s world of growing cybersecurity challenges.

  • Management Commitment: Responsibilities include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations.
  • Internal Employees and Users: Responsibilities include adhering to the organization’s information security policies, procedures, practices, and not undertaking any measures to alter such standards on any Fulcrum system components. Additionally, end users are to report instances of non-compliance to the VP of Operations, specifically those by other users. End users—while undertaking day-to-day operations—may also notice issues that could impede the safety and security of Fulcrum system components, and are to also report such instances immediately to the VP of Operations.
  • Vendors, Contractors, other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end users: adhering to the organization’s information security policies, procedures, practices, and not undertaking any measure to alter such standards on any such system components.

Policy

Fulcrum is to ensure that all applicable users adhere to the following policies for purposes of complying with the mandated organizational security requirements set forth and approved by management:

  • Comprehensive policies, procedures, and processes are to be developed, implemented, and in place regarding the following:
    • All legal, regulatory, and business requirements for data retention. Specifically, limiting data storage amount and retention time to that which is required for the applicable legal, regulatory, and business requirements.
    • Specific requirements for retention of customer data, such as how long customer data needs to be held (i.e., time period) and the reasons why (i.e., business justification).
    • Secure deletion of customer data when no longer needed for legal, regulatory, or business reasons.
    • A quarterly process for identifying and securely deleting stored customer data that exceeds defined retention requirements.
    • Additionally, all locations of stored customer data are to be included in the data retention and disposal processes.
  • Appropriately configure, examine, and confirm system settings and all necessary configurations for system components to ensure that the data stored does not exceed the requirements defined in the data retention policy.
  • Appropriately configure, examine, and confirm system settings and all necessary configurations for system components to ensure that data is deleted securely.

Data Retention Matrix


Disposing of and Destroying Data

Once the maximum retention period has been reached for customer data, it may be removed from all electronic media.

Responsible Parties for Data Retention Activities

Only authorized personnel may establish and modify data retention periods. These activities are considered highly sensitive in nature, so they must be justified by a compelling business or operational requirement. Personnel authorized to conduct these activities include the following:

Responsible Parties for Data Disposal Activities

Personnel who own the policies and processes to ensure that data disposal is completed:


Responsibility for Policy and Procedures Maintenance

The VP of Operations is responsible for ensuring that the aforementioned policy initiatives—and, if applicable, the relevant procedures—are kept current as needed for purposes of compliance with mandated organizational security requirements set forth and approved by management.

Disclosure

Fulcrum reserves the right to change and modify the aforementioned document at any time and to provide notice to all users in a reasonable and acceptable timeframe and format.