MobiClocks
____________________________________________________________________________
This policy outlines the requirements and controls/procedures MobiClocks has implemented to manage the retention
and deletion of data.
Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account
is voluntarily closed. Expired account data will be retained for 45 days. After this period, the account and related data
will be removed. Customers who wish to voluntarily close their account should download their data manually prior to
closing their account.
If a customer account is involuntarily suspended, then there is a 90-day grace period during which the account will be
inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service
violations.
If a customer wishes to manually back up their data in a suspended account, then they must ensure that their account is
brought back to good standing so that the user interface will be available for their use. After 45 days, the suspended
account will be closed and the data will enter the “expired” state. It will be permanently removed 45 days thereafter
(except when required by law to retain).
Before disposal or reuse, MobiClocks will verify that all equipment containing storage media has been purged of any
sensitive data and licensed software. This data will either be securely overwritten or entirely removed.
Where MobiClocks is a cloud service customer, it is responsible for obtaining assurances from cloud service providers that
they have established policies and procedures for the secure disposal or reuse of resources. Cloud service providers engaged
by MobiClocks must ensure that measures are in place for the secure and prompt disposal or reuse of resources,
including, but not limited to, equipment, data storage, files, and memory.
All records within MobiClocks will be shielded from loss, destruction, falsification, and unauthorized access or release
in alignment with legislative, regulatory, contractual, and business obligations.
Where MobiClocks is a cloud service customer, it will solicit information from its cloud service provider regarding the security
measures in place for the protection of records collected and stored in the cloud that are pertinent to MobiClocks’s
utilization of cloud services. Cloud service providers utilized by MobiClocks must disclose information about the
safeguarding measures for records they gather and store that relate to MobiClocks’s use of their cloud services.

| CATEGORY TYPE | OWNER |
| --- | --- |
| Corporate | CEO |

| DATA TYPE | STORAGE LOCATION | RETENTION PERIOD |
| --- | --- | --- |
| Corporate Records (board minutes, committee minutes, corporate seals, articles, bylaws, annual reports, etc.) | SharePoint, Email, OneDrive | 7 years after end of life of the organization |

| CATEGORY TYPE | OWNER |
| --- | --- |
| HR Files | CEO |

| DATA TYPE | STORAGE LOCATION | RETENTION PERIOD |
| --- | --- | --- |
| Employee Personnel Records (including attendance, application forms, job/status change records, performance evaluations, termination papers, withholding information, garnishments, test results, training records, and qualification records) | Regis HR, SharePoint | 7 years after the end of the employment |
| Employment Contracts – Individual | Regis HR, SharePoint | 7 years after the end of the employment |
| Employment Records: Correspondence with Employment Agencies and Advertisements for Job Openings | Regis HR, SharePoint | 7 years after the end of the employment |
| Employment Records: All Non-Hired Applicants (including all applications and resumes: whether solicited or unsolicited, results of post-offer, pre-employment physicals, results of background investigations, if any, related correspondence) | Regis HR, SharePoint | 6 months after the interview |
| Job Descriptions/Postings | Regis HR, SharePoint | 6 months |

| CATEGORY TYPE | OWNER |
| --- | --- |
| Log Data | CIO, CTO, CISO |

| DATA TYPE | STORAGE LOCATION | RETENTION PERIOD |
| --- | --- | --- |
| CloudWatch Logs | AWS CloudWatch / S3 | 1 year |
| Application Logs | Sumo Logic / S3 | 1 year |
| Security Logs | AWS GuardDuty / S3 / Security providers | 1 year |

| CATEGORY TYPE | OWNER |
| --- | --- |
| Customer Data | CIO |

| DATA TYPE | STORAGE LOCATION | RETENTION PERIOD |
| --- | --- | --- |
| Time entry logs, daily logs, cost code, production quantities, scheduling data, geolocation data | AWS RDS | Until deleted by the customer or customer environment removed |
| Customer’s Employee information | AWS RDS, AWS S3 | Until deleted by the customer or customer environment removed |
| Time entry photos | AWS S3 | Until deleted by the customer or customer environment removed |
| Time entry biometrics | N/A | Biometric identifiers obtained during the punch process are only used for identification and are not stored |
| Biometric template | AWS S3 | Biometric identifiers and biometric information are permanently destroyed upon the earlier of: (i) the date the initial purpose for collection (timekeeping, payroll and administration) has been satisfied, which occurs no later than ninety (90) days after the individual’s employment or engagement ends, to allow for the completion of final payroll processing, reconciliation, audits, or data backup integrity checks; or (ii) three (3) years after the individual’s last interaction with the MobiClocks system, whichever occurs first. |
| Biometric template handling for special jurisdictions (Client selectable) | AWS S3 | Immediately upon employee termination or deactivation of an employee’s profile, biometric identifiers and biometric information are permanently destroyed |

| CATEGORY TYPE | OWNER |
| --- | --- |
| Financial data | CEO |

| DATA TYPE | STORAGE LOCATION | RETENTION PERIOD |
| --- | --- | --- |
| Financial data | Microsoft 365, Zero.com, Stripe, Expensify | 7 years after date of signing of accounts or, as applicable, 7 years after award completion (whichever is later) |

| CATEGORY TYPE | OWNER |
| --- | --- |
| General contracts and agreements | CEO |

| DATA TYPE | STORAGE LOCATION | RETENTION PERIOD |
| --- | --- | --- |
| General contracts and agreements | Microsoft 365, DocuSign | 7 years after contract termination |

| CATEGORY TYPE | OWNER |
| --- | --- |
| Privacy notices | CEO |

| DATA TYPE | STORAGE LOCATION | RETENTION PERIOD |
| --- | --- | --- |
| Privacy notices | Microsoft 365 | 7 years after end of life of organization |