1. Purpose
This Data Retention Policy defines how long Cloudryption retains different categories of data, how deletion is carried out, and how retention decisions balance security, compliance, customer value, and data minimisation.
The policy applies to Customer Data (cloud metadata, findings, attack paths, reports), account data, logs, backups, support records, and operational records processed by Cloudryption.
2. Principles
Minimise: collect and retain only data needed to provide, secure, support, improve, or legally operate the service.
Separate: distinguish Customer Data, which Cloudryption processes as a processor, from Cloudryption's controller records (billing, security, legal).
Protect: retain security metadata long enough to support auditability, incident investigation, abuse prevention, and enterprise compliance needs.
Delete safely: deletion from active systems is followed by expiration from backups according to the backup lifecycle, typically 30–90 days.
3. Retention schedule
| Data type | Default retention target | Notes |
|---|---|---|
| Customer cloud metadata & graph snapshots | Active contract term; deleted or exported within 30 days after termination request, subject to backup windows and legal holds | Enterprise customers may configure scan history retention (90 / 180 / 365 days or custom) |
| Findings, attack paths, recommendations, reports | Active contract term; same deletion target as Customer Data | May be retained longer if customer configures historical trend reporting |
| Audit logs | Minimum 365 days for enterprise tenants | Security-critical; may be retained after termination for abuse, legal, and forensic needs |
| Authentication / session logs | 180–365 days depending on severity and plan | Failed login and privileged access logs may warrant longer retention |
| Application / diagnostic logs | 30–90 days by default | Secrets and sensitive payloads are excluded from logs by design |
| Backups | 30–90 days rolling backup window | Deleted through backup expiration cycle unless legal hold applies |
| Support tickets | Up to 3 years after closure unless deletion is requested and legally permissible | Customer secrets are removed from tickets where detected |
| Billing / contract records | 7 years or as required by applicable accounting / tax law | Controller records; not normally deleted on account deletion |
| Website analytics / cookies | Generally 13 months or less where possible | Subject to cookie banner configuration and applicable jurisdiction |
4. Customer deletion and export
Customers may request export or deletion of Customer Data according to their agreement and the Data Processing Addendum.
Cloudryption supports tenant deletion workflows that remove active Customer Data from production systems and mark backup expiration according to the backup schedule. Full data removal from backups occurs within the backup lifecycle window (typically 30–90 days).
Deletion does not automatically remove:
- Legal, billing, and security records that Cloudryption is permitted or required to retain as an independent controller
- Audit logs subject to legal hold or required for ongoing security investigations
For deletion or export requests, contact: support@cloudryption.com
5. Scan history and trend reporting
Cloudryption's platform value depends partly on historical comparison: risk trends over 90, 180, and 365 days; before/after remediation comparisons; scan-to-scan drift; crown-jewel exposure trends; and attack path reduction over time.
For enterprise customers, retention of scan history is configurable by tenant plan or contract:
- Standard: 90 days of scan history
- Professional: 180 days of scan history
- Enterprise: 365 days or custom retention as agreed in contract
Where historical retention is reduced or not configured, Cloudryption may lose the ability to provide long-term trend reporting and historical comparisons.
6. Legal holds and exceptions
Cloudryption may suspend scheduled deletion where required for:
- Legal obligations or regulatory requests
- Active litigation or dispute preservation
- Security investigation or abuse prevention
- Sanctions compliance
Legal holds are documented, approved by appropriate authority, reviewed periodically, and removed when no longer required.
7. Contact
For questions about this policy, to request data export, or to request deletion of Customer Data, contact: support@cloudryption.com
For GDPR or data subject rights requests, see the Privacy Policy.