Oso must retain certain kinds of data for a minimum amount of time, to comply with legal requirements. At the same time, Oso wants to avoid retaining any identifiable data for longer than is necessary, in case of a breach.
This policy applies to all data assets handled by Oso, including data from customers, potential customers, third parties, and employees.
Data should be retained for a set period of time, depending on the type of data:
Category | Data | Retention period |
Corporate | Charter and bylaws | Indefinite |
Shareholder records | Indefinite | |
Board minutes | Indefinite | |
Policies and procedures | Indefinite | |
Contracts | Indefinite | |
Financial | Accounts payable/ receivable | 7 years |
Financial statements | Indefinite | |
Sales records | 7 years | |
Expense records | 7 years | |
Payroll records | 7 years | |
Insurance | Insurance records | Indefinite |
Inventions | Patents and patent applications | Indefinite |
Copyright and copyright applications | Indefinite | |
Trademark and trademark applications | Indefinite | |
Licenses | Indefinite | |
Employee | Personnel files | Indefinite |
Compensation information | Indefinite | |
Benefit plans | Indefinite | |
Customer | Contracts | Indefinite* |
Payment and billing information | 7 years* | |
Usage logging and analytics | 5 years* | |
Support communications | 5 years* |
*In response to a customer request and in compliance with legal requirements, Oso may also delete customer data prior to the end of the retention period.
Where not specified, customer data should be retained no longer than is needed to provide the service, and anonymized or deleted afterwards.
Oso must delete customer data in accordance with the commitments, if any, made in Oso’s Privacy Policy. If the privacy policy is updated, the above retention periods should also be updated to reflect any changes.
Data may be destroyed by overwriting on disk, deleting a cloud resource, encrypting and destroying the key, resetting a device, and/or physical destruction.