Home Use Cases Applications Methodology About Contact
Governance & Compliance

Data Retention —
what we keep,
and for how long.

This policy defines exactly how long VIGIL retains each category of data, the legal basis for each retention period, and how data is securely deleted when it reaches the end of its life. No data is held longer than necessary. No exceptions.

Effective: 01 July 2026 Last Reviewed: July 2026 Version: 1.0 Owner: ARRC Global
Governing Principle

Data held longer than necessary is not an asset — it is a liability. Every retention period in this policy is the minimum required to fulfil a legal obligation or a legitimate operational purpose. When that purpose ends, the data is deleted. That is the standard we apply to all data, without exception.

01Purpose & Scope

What this policy covers

This Data Retention Policy establishes the periods for which Anshin Risk and Resilience Consulting Private Limited (trading as ARRC Global) retains data processed in connection with the VIGIL platform and its associated operations. It applies to:

  • All personal data processed through the VIGIL platform, including platform user data, client account data, and any personal data within client-uploaded materials
  • All operational data generated by platform use — logs, audit trails, session data, and system records
  • All business and legal records generated by ARRC Global's commercial operations, including contracts, financial records, and correspondence
  • All data held by ARRC Global on its own infrastructure in Germany (Hetzner) and on any authorised internal systems

This policy applies to all ARRC Global personnel, contractors, and any third party acting on ARRC Global's behalf in connection with the VIGIL platform. Compliance is mandatory.

Where a client's Data Processing Agreement specifies retention periods that differ from the defaults in this policy, the DPA terms govern for that client's data. The defaults in this policy apply in all other cases.

02Governing Principles

The rules that determine every retention period

  • Purpose limitation. Data is retained only for as long as the purpose for which it was collected requires. When that purpose is exhausted and no legal obligation requires continued retention, deletion is initiated without further delay.
  • Minimum necessary. Retention periods are set at the minimum required — not the maximum permitted. We do not retain data "just in case" without a documented lawful basis for doing so.
  • Legal obligation first. Where applicable law requires a specific minimum retention period — tax law, employment law, data protection law — that minimum is applied. We do not retain data beyond the legally required period without a separate documented justification.
  • Specific over general. Each data category has its own retention period derived from its specific purpose and legal context. A blanket retention period applied to all data is not acceptable under this policy.
  • Deletion is irreversible. When a retention period expires, data is deleted or anonymised in a manner that makes reconstruction impossible. We do not archive data in a state that permits future reconstruction as a substitute for proper deletion.
  • Client data is the client's. Client data is not ARRC Global's to retain beyond the contracted service relationship. Retention of client data after subscription termination is governed strictly by the applicable DPA and this policy.
03Retention Schedule

Periods, categories, and legal bases

The following schedule defines the retention period for each data category processed by ARRC Global in connection with VIGIL. All periods run from the date specified in the "Period Starts" column.

Data Category Retention Period Period Starts Legal Basis & Rationale
Platform User & Account Data
Active user account data — name, email, job title, role Duration of active subscription Account creation Contract performance — necessary to provide the platform service
Account data post-termination 30 days Subscription termination date Legitimate interest — allows data export and dispute resolution window before deletion
Authentication credentials — hashed passwords, MFA tokens Duration of active account + 30 days Account creation Contract performance; security — credentials deleted with account
Session tokens Session expiry + 24 hours Token issuance Security — expired tokens retained briefly to detect replay attacks
Client-Uploaded & Assessment Data
Client-uploaded site intelligence and documents Duration of active subscription + 30 days Upload date / subscription termination Contract performance; DPA. Default 30-day post-termination window for client export. Overridden by DPA if client specifies otherwise.
Assessment outputs — MSI, MCI, MRI scores, reports Duration of active subscription + 30 days Assessment completion / subscription termination Contract performance — outputs belong to the client and are deleted with client data
Risk registers and recommendation records Duration of active subscription + 30 days Record creation / subscription termination Contract performance
Website & Enquiry Data
Contact form and demonstration request submissions 12 months Date of submission Legitimate interest — reasonable follow-up period if no engagement proceeds. Deleted at 12 months if no active relationship.
Marketing consent records Until consent withdrawn + 3 years Date consent withdrawn Legal obligation — consent records retained as evidence of lawful basis for prior marketing
Website analytics data (anonymised) 26 months Collection date Legitimate interest — industry standard for year-on-year trend analysis. Data is anonymised; no individual is identifiable.
Security & Operational Logs
Platform access and activity logs 12 months Log creation date Legitimate interest; legal obligation — security audit trail, incident investigation, and regulatory compliance
Authentication and failed login logs 12 months Log creation date Legitimate interest — brute force detection and security investigation
Security incident records 5 years Incident closure date Legal obligation; legitimate interest — regulatory reporting obligations and insurance/litigation purposes
VAPT reports and findings 5 years Report date Legitimate interest — evidence of security diligence for client assurance and regulatory purposes
System and infrastructure logs 90 days Log creation date Legitimate interest — operational troubleshooting and performance monitoring
Commercial & Legal Records
Executed contracts and agreements — subscriptions, DPAs, NDAs 7 years Contract expiry or termination Legal obligation — limitation periods for contractual claims under applicable law
Invoices and financial records 7 years Financial year end Legal obligation — tax and accounting requirements under Indian law (Companies Act 2013; Income Tax Act 1961)
Client correspondence relevant to disputes 7 years Date of correspondence Legitimate interest — evidence preservation within limitation periods
General business correspondence 3 years Date of correspondence Legitimate interest — operational record and reasonable follow-up period
Personnel & Vendor Records
Employee and contractor records 7 years End of employment or engagement Legal obligation — employment law, tax, and provident fund requirements under Indian law
Recruitment records — unsuccessful candidates 12 months Outcome notification date Legitimate interest — potential re-engagement and discrimination claim defence period
Vendor and sub-processor agreements 7 years Agreement expiry or termination Legal obligation — contractual limitation periods
04Client Data

Special provisions for enterprise client data

Client data — meaning all data uploaded by or generated for an enterprise client within the VIGIL platform — is subject to heightened retention controls reflecting its sensitivity and the contractual relationship under which it is held.

  • No indefinite retention. Client data is never retained indefinitely. The 30-day post-termination default applies unless the client's DPA specifies otherwise.
  • Export before deletion. During the 30-day post-termination window, the client may export all data in standard machine-readable format. ARRC Global will not initiate deletion before this window has elapsed, except where the client requests early deletion in writing.
  • Deletion confirmation. On the client's written request, ARRC Global will provide written confirmation that deletion has been completed, including the date on which deletion was executed.
  • No repurposing. Client data is never analysed, aggregated, or repurposed after the subscription ends. It exists solely to support the contracted service and is deleted when that service ends.
  • Backup deletion. Client data deleted from primary systems is also deleted from encrypted backups within the next scheduled backup rotation cycle — in no case more than 60 days after the primary deletion date.

Client-specified retention. Clients whose compliance obligations require data to be retained for longer than 30 days post-termination — or deleted sooner — should specify this in the Data Processing Agreement. Contact contact@arrcglobal.com to discuss bespoke retention terms.

05Legal Holds

When normal retention is suspended

A legal hold suspends the normal deletion of data that may be relevant to actual or anticipated litigation, regulatory investigation, or audit. Legal holds override the retention periods in Section 3 for the duration of the hold only.

  • Trigger. A legal hold is triggered by written instruction from ARRC Global's legal counsel or, in the absence of formal legal counsel, the founding principal. The trigger events include: receipt of a legal claim, notice of regulatory investigation, internal discovery of a potential dispute, or formal notification from a client of an impending audit or claim.
  • Scope. A legal hold identifies specifically which data categories and which systems are subject to the hold. It does not apply to all data by default — only data that is or may be relevant to the specific matter.
  • Documentation. Every legal hold is documented, including the date initiated, the triggering event, the data categories covered, and the responsible individual. Legal hold records are retained for 7 years from the date the hold is lifted.
  • Lifting the hold. A legal hold is lifted when the matter that triggered it is resolved — whether by settlement, final judgment, regulatory closure, or written legal advice that the risk has passed. The hold is lifted by written instruction from the same authority that triggered it.
  • Normal schedule resumes. When a legal hold is lifted, data subject to the hold reverts to its normal retention schedule. Data that would have been deleted during the hold period is deleted promptly upon lifting.

Client data and legal holds. If ARRC Global receives a legal order or regulatory requirement to retain client data beyond the contracted retention period, ARRC Global will notify the client promptly — unless the order or legal requirement prohibits such notification — and will retain the specific data required by that order only, for only as long as the order requires.

06Deletion Standards

How data is securely destroyed

When a retention period expires and no legal hold applies, deletion is executed in accordance with the following standards. The method applied depends on the data sensitivity and storage medium.

  • Database records. Permanent deletion from production databases using hard-delete operations. Soft-deleted or archived states are not used as a substitute for deletion. For personal data, deletion is confirmed at the record level.
  • File storage. Files are securely overwritten and deleted from primary storage. Metadata and file system references are also cleared.
  • Encrypted backups. Data deleted from primary systems is removed from backup sets within the next scheduled backup rotation — in no case more than 60 days from primary deletion. Backup deletion is logged.
  • Logs and audit trails. Log data is deleted by automated purge processes triggered at the applicable retention period boundary. Log deletion is itself logged at the system level.
  • Anonymisation as alternative. Where complete deletion would destroy data that is legitimately needed in aggregate (for example, anonymised usage statistics), data may be anonymised rather than deleted — provided the anonymisation is irreversible and no individual can be identified from the anonymised data. Anonymisation is not a substitute for deletion where an individual's data subject rights require deletion.

ARRC Global does not use physical media (USB drives, external hard drives, printed documents) to store client data in the ordinary course of operations. Where physical media is used in exceptional circumstances, it is subject to secure physical destruction at end of life.

07Data Subject Requests

Deletion requests from individuals

Individuals whose personal data is processed by ARRC Global have the right to request deletion of their data under applicable data protection law — the "right to be forgotten." ARRC Global will action deletion requests as follows:

  • Acknowledgement. Within 5 business days of receiving a deletion request.
  • Decision. Within 30 days — either confirming deletion has been completed, or explaining why a legal basis exists to retain specific data elements despite the request.
  • Grounds to refuse or delay. ARRC Global may decline a deletion request or retain specific data elements where: (a) retention is required to comply with a legal obligation; (b) the data is required for the establishment, exercise, or defence of a legal claim; or (c) processing is necessary to protect the vital interests of another person. The individual will be informed of the specific ground and their right to escalate to a supervisory authority.
  • Platform user data. For data held within the VIGIL platform on behalf of an enterprise client, deletion requests from individual users should in the first instance be directed to the client organisation's platform administrator. ARRC Global will cooperate with the client in processing such requests.

To submit a deletion request, contact contact@arrcglobal.com with subject line "Data Deletion Request — VIGIL."

08Roles & Responsibilities

Who is accountable for what

  • Founding Principal (ARRC Global). Ultimate accountability for this policy and its implementation. Reviews and approves the policy annually. Authorises legal holds. Accountable to clients and regulators for compliance.
  • Development team. Responsible for implementing automated retention enforcement within the VIGIL platform — including automated log purges, account deletion processes, and backup rotation schedules. Responsible for ensuring deletion mechanisms function correctly and are tested after platform updates.
  • All personnel with data access. Responsible for not retaining data beyond applicable retention periods in personal systems, email, or local storage. Responsible for reporting any uncertainty about whether specific data should be retained to the founding principal.
  • Client platform administrators. Responsible for managing data within their client accounts, including initiating deletion of user accounts and data within the platform where appropriate. ARRC Global provides the deletion tools; the client administrator uses them.
09Review & Compliance

Keeping this policy current

  • Annual review. This policy is reviewed annually, or sooner if a material change in law, platform architecture, or business operations requires it. The version number and review date at the top of this page reflect the most recent revision.
  • Automated enforcement. Where technically feasible, retention period enforcement is automated within the VIGIL platform. Automated processes are tested after each platform release that affects data storage or deletion.
  • Manual review. Data categories not subject to automated enforcement are subject to manual review at least annually, with a documented record of the review outcome and any deletions performed.
  • Audit trail. Records of deletion events — including the data category, deletion date, method, and responsible individual or system — are maintained for 3 years.
  • Non-compliance. Any breach of this policy — including retention of data beyond the applicable period without a documented legal hold — must be reported to the founding principal immediately. Non-compliance is treated as a data protection incident and handled accordingly.
  • Client notification. Material changes to this policy that affect how client data is retained or deleted will be communicated to registered clients by email at least 14 days before the change takes effect.
10Request This Document

Full policy document available on request

The complete Data Retention Policy — including implementation procedures, deletion confirmation templates, and legal hold documentation — is available as a formal document to enterprise clients and procurement teams on request.

Controlled Document · Version 1.0 · July 2026
Data Retention Policy
Email us to request the full policy document. We will respond within 3 business days. Include your organisation name and the context for your request.
Request Document
Policy Enquiries
Emailcontact@arrcglobal.com
SubjectData Retention Policy — [your query]
ResponseWithin 3 business days
EntityAnshin Risk and Resilience Consulting Pvt. Ltd. · Trading as ARRC Global · Pune, Maharashtra, India