DATA RETENTION & STORAGE POLICY

Owner: DPO/Compliance

Effective date: 23rd August 2025

Review cadence: Annual, and upon material change

Arno is an NDPC-approved Data Controller/Processor of Major Importance (DCPMI) under NDPA 2023 / GAID 2025. This can be verified on the NDPC register.

Purpose: This Policy defines how long Arno keeps personal and operational data, and how we store and delete it, applying the storage-limitation and security principles of NDPA 2023 / GAID 2025. Where we process data of individuals in Kenya, we implement Kenya’s DPA 2019 and Data Protection (General) Regulations 2021. Statutory retention overrides (e.g., tax, employment, AML, litigation) apply where longer periods are mandated.

Scope: Production and staging environments, logs, analytics, backups, test/sandbox datasets, and ad-hoc exports. Applies to all staff and vendors.

1) Controls

  • Encryption: TLS 1.2+ in transit; AES-256 at rest with cloud KMS.

  • Access: RBAC/least-privilege; MFA for admin roles; quarterly access reviews.

  • Backups: Encrypted; 30-day rolling retention; quarterly restore tests for Tier-1 data and an annual full-restore drill; maintain immutable/offline copies for ransomware resilience.

  • Deletion SLAs: Soft delete immediately; hard delete ≤ 30 days of verified request; backups expire with the rolling window; legal holds pause deletion. All deletion actions are logged; for vendor deletions we obtain Certificates of Destruction where available. Where data is retained in aggregate, it is irreversibly anonymized (no reasonable means of re-identification).

2) Standard Retention Schedule

Retention runs from the later of (i) collection, (ii) end of purpose, or (iii) last activity, unless a legal hold applies.

Before a talent's data is removed, an email should be sent to the talent or user to confirm whether they still want us to keep their data. If no response is received after a certain period (1 month), we can automatically delete it.

| Category | Examples | Default Retention | Disposal |
| --- | --- | --- | --- |
| Talent accounts & profiles | name, contact, CV fields | name, contact, CV fields | Hard delete (Users will be notified at least 30 days before scheduled data deletion. If no response is received and no sign-in occurs within that window, Arno will proceed to delete data in line with the Data Retention & Storage Policy); analytics anonymized |
| Recruiter/admin accounts | work email, role/permissions | name, contact, CV fields | Hard delete (Users will be notified at least 30 days before scheduled data deletion. If no response is received and no sign-in occurs within that window, Arno will proceed to delete data in line with the Data Retention & Storage Policy); audit trails retained per below |
| Job applications & matching artifacts | CVs, match scores, interview notes | 24 months after vacancy closure | Delete artifacts; keep aggregated stats |
| Talent pool (consented) | retained for future roles | Until withdrawal or 24 months | Delete on withdrawal; keep consent log |
| Communications | in-app messages, emails | 24 months after last activity | Purge message bodies; retain minimal metadata +12 months if needed |
| Support tickets | requests, attachments | 24 months after closure | Delete |
| Marketing & preferences | opt-ins/outs, campaign logs | Until opt-out; suppression for 24 months | Delete PII; keep aggregates |
| Payments & billing | invoices, receipts | 7 years | Secure archive then delete |
| Contracts & legal | MSAs, NDAs, DPAs | 7 years after expiry/termination | Secure archive then delete |
| Auth logs | sign-in events | 180 days | Log rotation/TTL |
| Admin/audit logs | admin actions, changes | 365 days | Log rotation/TTL |
| Telemetry/analytics | usage metrics | 12 months (pseudonymized) | Aggregate-only thereafter |
| Cookies/SDK IDs | non-essential IDs | ≤ 13 months | Auto-expire via CMP |
| Backups | snapshots, archives | 30-day rolling | Auto-expire; no restore beyond window |
| Consent & preference records | cookie consent, marketing opt-in/out | 24 months after last change (or per law) | Keep minimal proof; delete excess PII |
| Data-subject request (DSR) files | IDV evidence, request threads, fulfillment logs | 24 months after closure | Secure archive then delete |
| Security incidents & IR artifacts | alerts, timelines, forensics, post-mortems | 7 years (or as law/insurer requires) | Secure archive then delete |
| System/server/CDN logs | web/CDN/proxy logs | 90 days (unless needed longer for security) | Rotation/TTL |
| API gateway & app diagnostics | request IDs, error traces (no PII) | 180 days | Rotation/TTL |
| Configuration & IaC history | baseline configs, TF plans | 12 months (critical 24 months) | Archive then delete |
| Vendor due-diligence & contracts | DPAs, AOCs/SOC2/ISO, TIA summaries | Contract term + 3 years | Secure archive then delete |
| HR/Workforce records (if applicable) | staff files, training logs | Per local employment law (≥ 3–7 years) | Secure archive then delete |

Vendors must mirror or beat Arno TTLs. On termination they must return or delete data and confirm in writing (deletion certificate or equivalent).

3) Roles & Exceptions

  • DPO/Compliance: maintains schedule; approves written exceptions with expiry and compensating controls; records legal holds and reviews them quarterly.

  • Engineering/SRE: enforces TTLs; documents data flows; secure disposal; automates expiry where feasible.

  • Product: in-product deletion and consent flows; ensures users can exercise rights easily.

  • Vendors: comply with our DPAs; mirror TTLs; provide deletion confirmation on request.

4) Review & Assurance

  • Quarterly checks of TTL expiries, sampled deletions, backup restores, and vendor confirmations; findings logged with remediation owners and target dates.

  • Annual policy review (or upon material change) with leadership sign-off.

5) Monitoring & Evidence

  • Maintain evidence of: automated TTL jobs, deletion tickets, restore-test reports, vendor AOCs/SOC2/ISO and deletion confirmations, and legal-hold registers.

  • Store evidence in the compliance repository with access controls and retention per this Policy.

Change Log

  • v1.1: Added Kenya scope; statutory overrides; sandbox/exports; immutable/offline backups; logged deletions & vendor Certificates of Destruction; anonymization standard; expanded retention table (consent, DSR, incidents, logs, configs, vendor evidence, HR); vendor TTL mirroring; quarterly legal-hold review; Review & Assurance + Monitoring & Evidence. 

  • v1.0: Initial issue with category TTLs, deletion SLAs, backup window, roles, and reviews.
