Appcircle Data Retention and Disposal Policy¶
Effective date: 2025-04-04 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy describes Appcircle's approach to retaining, managing, and securely disposing of information throughout its lifecycle. It ensures that data is kept only as long as necessary and that disposal prevents unauthorized recovery.
Scope¶
This policy applies to:
- Appcircle's workforce (employees, contractors, and temporary staff) and anyone granted access to Appcircle information or systems.
- All information created, received, processed, or stored by Appcircle, regardless of format.
- Appcircle-operated environments, including cloud infrastructure, corporate IT systems, and product services.
- Third parties that process Appcircle or customer data on our behalf, as defined by contract and applicable law.
Self-hosted customer deployments are excluded; data lifecycle in those environments is the customer's responsibility.
Regulatory alignment¶
This policy supports compliance with:
- SOC 2 (Trust Services Criteria) — disposal and confidentiality controls
- ISO/IEC 27001:2022 — information deletion, secure disposal, and asset management controls
- ISO/IEC 27701:2019 — PII processing limitation, erasure, and disposal controls
- GDPR (EU 2016/679) — storage limitation and right to erasure
- KVKK (Turkey, No. 6698) — retention limitation and deletion/destruction requirements
Policy principles¶
Appcircle's data retention and disposal practices are guided by the following principles:
- Purpose limitation: Data is retained only for as long as it is needed to fulfill the purpose for which it was collected, or as required by law.
- Storage minimization: Unnecessary data is not retained. When the retention purpose expires, data is scheduled for disposal.
- Secure disposal: Disposal methods are selected to ensure data cannot be recovered, with stronger methods applied to higher-sensitivity data.
- Classification-driven controls: Retention periods and disposal methods are determined by data classification (Restricted, Confidential, Internal, Public).
- Legal compliance: Where legal or regulatory requirements mandate a specific retention period, the longer period applies.
- Accountability: Disposal activities are logged and auditable.
Data classification¶
Information is classified into levels that determine the applicable retention and disposal requirements:
- Restricted: Highest sensitivity. Unauthorized disclosure would cause severe harm (e.g., credentials, encryption keys).
- Confidential: Business-sensitive data requiring controlled access (e.g., customer data, PII, billing records).
- Internal: For internal use only; not intended for public disclosure (e.g., internal documentation, operational logs).
- Public: Approved for public disclosure (e.g., marketing materials, public documentation).
Retention¶
Appcircle maintains a detailed retention schedule that defines retention periods for each data category, including:
- Customer data (source code, build artifacts, account data)
- Security and operational logs
- Billing and financial records
- Employee and HR records
- Contracts and legal documents
- Support and communication records
- Backup data
Retention periods are determined based on business need, contractual obligations, and applicable legal requirements. The detailed retention schedule is maintained as an internal document.
Customer account termination¶
When a customer account is deleted by customer:
- Data is deleted in a staged process, progressing from account deactivation to permanent deletion.
- Upon request, a deletion confirmation is provided to the customer.
Data subject rights¶
Appcircle supports data subject rights related to retention and disposal as required by GDPR and KVKK, including:
- Right to erasure: Data subjects may request deletion of their personal data, subject to legal retention obligations.
- Right to restriction of processing: Data subjects may request that their data be retained but not processed.
- Data portability: Data subjects may request their data in a structured, machine-readable format.
Requests are fulfilled within the timeframes required by applicable law. Where a legal obligation requires continued retention, the data subject is informed of the specific legal basis.
Disposal methods¶
All disposal is performed using methods appropriate to the data classification and storage medium, ensuring data is rendered irrecoverable. Appcircle's disposal approach covers:
- Cloud environments: Leveraging cloud-native deletion mechanisms and cryptographic erasure in accordance with NIST SP 800-88 guidelines.
- On-premise environments: Secure overwrite, cryptographic erasure, or physical destruction as appropriate.
- Personnel work devices: Secure wipe or factory reset before reassignment, return, or disposal.
- Physical media: Cross-cut shredding or certified destruction through vetted vendors.
- SaaS and third-party tools: Deletion via built-in capabilities or API, verified against vendor disposal practices.
Backup data is disposed of in alignment with source data retention, at the next scheduled backup rotation.
Legal hold¶
When litigation, regulatory investigation, or audit is reasonably anticipated, a legal hold may be issued to preserve relevant data. Legal holds override normal retention schedules until explicitly lifted, and are documented with scope, reason, and affected data categories.
Roles and responsibilities¶
- Engineering Management (Policy Owner): Owns this policy; ensures review, updates, and communication; approves exceptions and legal holds.
- Engineering / Platform / Operations: Implements retention and disposal controls; executes deletions; maintains disposal logs.
- Data Protection Contact: Handles data subject requests and advises on privacy compliance.
- All personnel: Follows retention and disposal requirements; reports concerns promptly.
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner or an authorized delegate.
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant business, technology, or regulatory changes occur.
Note
This public policy describes Appcircle's data retention and disposal posture. Detailed internal standards and procedures (including specific retention periods, disposal methods, and technical configurations) are maintained separately and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- Data Classification Policy
- Data Protection Policy
- Backup Policy
- Incident Response Plan
- Vendor Management Policy