Data Retention and Destruction

Purpose

The purpose of this policy is to define the activities associated with the provision of data retention and destruction plans and programs that protect Evercam’s information systems, networks, data, databases and other information assets. Additional policies governing data management activities will be addressed separately.  

Scope

The scope of this data retention and destruction policy is all information technology systems, software, databases, applications and network resources needed by Evercam to conduct its business. The policy is applicable to all Company employees, contractors and other authorised third-party organisations.

Statement of Compliance

This policy is designed to be compliant with the U.S. Data Protection Act of 1998, Freedom of Information Act of 2000, Fair and Accurate Credit Transactions Act of 2003 and Europe's General Data Protection Regulation.

Data retention and destruction policy compliance is managed by the IT department, with support from Compliance department, leadership and subject matter experts. To achieve compliance, data retention and destruction programs include appropriate procedures, and identify staffing and technology resources to meet compliance requirements. Compliance verification (especially for data destruction) is performed monthly by the IT department, internal audit or other appropriate entity. 

Policy

The Information Technology (IT) department, with support from the Compliance department, is responsible for managing all data retention and destruction activities for the Company. Other departments, such as Finance and Accounting, Operations and Human Resources, are also responsible for providing the IT and Compliance departments with their requirements for data retention and destruction. The IT and Compliance departments are responsible for developing, executing and periodically testing data retention and destruction procedures. The IT and Compliance departments also acknowledge they will comply with appropriate industry standards for data retention and destruction in its activities.

The company shall develop comprehensive data retention and destruction plans in accordance with good data management practices as defined by established standards.

Data retention and destruction activities shall be performed as part of the company's data management program, which administers and manages the overall technology data management program, which includes:

  • Planning and design of data retention and destruction activities;

  • Identification of data retention and destruction teams, defining their roles and responsibilities and ensuring they are properly trained and prepared to perform their duties;

  • Planning, design and documentation of data retention and destruction plans;

  • Scheduling of updates to data retention and destruction risk analyses;

  • Planning and delivery of awareness and training activities for employees and data retention and destruction team members;

  • Planning and execution of data retention and destruction plan exercises;

  • Designing and implementing data retention and destruction maintenance activities to ensure that plans are up to date and ready for use;

  • Preparing for management review and auditing of data retention and destruction plan(s); and

  • Planning and implementation of continuous improvement activities for data retention and destruction activities and plans. 

Formal Risk Assessments (RAs) and Business Impact Assessments (BIAs) shall include requirements for data retention and destruction activities; RAs and BIAs shall be updated at least annually to ensure they are in alignment with the business and its technology requirements.

Data retention and destruction plans shall address:

  • electronic data stored on electronic media such as CDs, hard disk drives, solid state disk drives, magnetic tape and other appropriate media where applicable.

  • electronic information systems (e.g., servers, routers, switches) and components (e.g., cabling and connectors, power supplies, storage racks) and other assets that are currently out of production or scheduled to be phased out of production environments.

  • the storage requirements and associated metrics (e.g., length of storage, type of storage media) for electronic information as well as systems supporting the IT infrastructure.

  • the parameters for destruction of electronic data (e.g., overwriting, reformatting, degaussing, firmware-based erasure, physical data media destruction), non-electronic data (e.g., shredding of hard copy), and systems and components (e.g., third-party destruction services).

  • periodically reviewed and tested plans in a suitable environment to ensure that data, databases, media, systems and other relevant elements can be retained or destroyed and that Evercam’s management and employees understand how the plans are to be executed as well as their roles and responsibilities.

All employees must be made aware of the data retention and destruction program and their own roles and responsibilities.

Data Storage

The cloud recordings are stored on dedicated cloud service providers, primarily on Hetzner servers located in Germany and AWS servers located in Ireland. In addition, physical hard drives are placed at the project site and connected to the cameras for local storage in addition to SD cards located inside the camera.

The physical hard drives are sized according to your project duration. If storage fills up, the customer can either replace the HDD (paid option with data retention) or allow the system to overwrite old footage (default, free option). Evercam notifies customers 60 days before capacity is reached, offering clear steps for action. For more information please refer to the Storage Device Sizing & Retrieval document.

At the end of the project, the customer has the option to retain the physical hard drives or store them securely with us. The SD cards will be destroyed as they only retain 5-7 days worth of data. We take every precaution to ensure the security and confidentiality of the data.

Regular audits are conducted to ensure the integrity and security of the data stored in the cloud and physical hard drives. These routine checks enable us to identify and address any potential issues or concerns promptly, ensuring the safety and confidentiality of our clients' data.

Evercam Data at Rest Diagram

Evercam Data at Rest Diagram

Data Retention and Destruction Specifications

Following are specific data retention and destruction technical requirements:

Retention Periods

Evercam typically stores a copy of client data for 90 days after a project has been completed, unless the client requests to delete the footage earlier. After this period, data storage can be extended at the Client's expense, with several storage options available. The data is stored both on cloud-based servers and physical hard drives for redundancy and backup purposes.

See also Project Archiving

Data/System Retention

Cloud recordings will continue to be stored on dedicated cloud service providers, primarily on Hetzner servers located in Germany for the agreed retention period. Hard drives will be stored in the nearest Evercam HQ for the agreed retention period. Regular audits are conducted to ensure the integrity and security of the data stored in the cloud and physical hard drives. These routine checks enable us to identify and address any potential issues or concerns promptly, ensuring the safety and confidentiality of our clients' data.

Once the agreed retention period has been reached, the Client will choose from one of the following options:

Extend: Data will continue to be stored by Evercam. The nature of the storage and associated costs to be agreed at the time of extension

Transfer: Data will be transferred to the Client. The manner in how the data is transferred and associated costs to be agreed the time of transfer 

Delete: The Client will confirm that they will wish for all data to be deleted and Evercam will provide a formal Data Deletion Certificate.

Evercam reserves the right to delete data after the agreed data retention period has expired.

Data Retrieval (Hard Drive) 

Evercam will engage with the Client nominated site contact to coordinate the removal of the hard drives from the site and for them to be shipped by a trusted courier to the nearest Evercam office (see Appendices). As logistics can vary per site, hard drive retrieval may be carried out by an Evercam nominated 3rd party or in conjunction with the nominated Client site contact. The best approach for each site will be agreed in conjunction with Client.

Responsibility for, and costs of, camera decommissioning and hardware retrieval will be agreed on a per project basis due the logistical variations. 

Data Recovery, Fire and Theft (Cloud Recording and Local Recordings)

Cloud Recordings are stored in ISO27001 certified data centres with their own internal Security and Disaster Recovery protocols. If required, Evercam can use the Local Recordings stored on the physical hard drive to repopulate the Cloud recordings that are accessible to the Client on the Evercam platform.

Local Recordings, which are stored on physical hard drives, will be secured in the nearest Evercam regional HQ. The hard drive will be stored in secured areas where necessary steps are taken to protect them against fire, theft and any other physical damage. The hard drives themselves are also encrypted.

Retention and Destruction Requests

To initiate the process of data deletion, the client can send a request to our support team at support@evercam.io. Our team will verify the request with the nominated Client contact and take the necessary steps to securely delete the data from our servers and physical media. A Certificate of Deletion or Retention can be provided upon request, as the case may be.

Data Destruction Procedures

Once the data retention period has expired, or if the client requests deletion of their data, Evercam ensures complete and secure removal of the data. This involves deleting the data from the servers and wiping the hard drives of any physical media to prevent any unauthorised access or recovery of the data. We take every precaution to ensure that the data is completely and irreversibly erased, in accordance with industry best practices and data privacy regulations. 

Data can be sent to the customer on request (physical HDD or uploaded). Charges will apply and will be quoted at time of client request.
—————————————————————

Created by: Compliance Manager (ISMS team)

Creation date: 17.02.2023

Last modification date: 27.11.2025

Document approver: Head of Compliance