Data and Log Retention Policy
Last Updated: December 2025
1. Introduction
Ambrstack ("the Company," "we," "us," or "our") is committed to managing its data—particularly system, application, and security logs—in a secure, compliant, and efficient manner. The primary goal of this Data & Log Retention Policy ("Policy") is to ensure that Ambrstack retains logs and other relevant records in a way that supports business operations, meets legal and regulatory requirements, and respects data privacy obligations.
2. Purpose & Scope
Purpose:
- Define retention schedules for various categories of data and logs, including how long data is stored and when it is securely deleted.
- Ensure consistency with applicable laws and regulations (GDPR, local data protection laws).
- Facilitate compliance, auditing, and operational continuity for Ambrstack and its customers.
Scope:
- This Policy applies to all system and application logs generated and managed by Ambrstack's applications, services, and supporting infrastructure.
- It covers data and logs generated in both production and non-production environments (development, QA, and staging), where applicable.
- All employees, contractors, and third-party service providers (sub-processors) who handle or manage Ambrstack's data or logs must comply with this Policy.
3. Definitions
- Log Data: Records of system, application, security, or network events stored in text, structured, or binary format.
- Retention Period: The length of time for which Ambrstack is required or chooses to retain specific data before archiving or deleting it.
- Archival: The process of moving data or logs that are no longer actively used but may still be needed for compliance or historical purposes to a separate storage location.
- Deletion: The secure and irreversible destruction of data or logs, using methods that prevent reconstruction.
4. Categories of Data & Retention Schedules
Ambrstack categorizes its logs and data to apply different retention policies according to their operational and legal relevance. Below is a high-level overview:
| Category | Description | Retention Period | Rationale |
|---|---|---|---|
| Application & Service Logs | Records containing operational data about how our services and applications function (API requests, error messages, and performance metrics). | Typically 90 days, with an option to archive critical logs for up to 12 months | |
| Security & Access Logs | Logs that capture authentication events (successful and failed login attempts), changes to user permissions, firewall logs, intrusion detection/prevention system alerts, and other security-related events. | Minimum of 12 months, with optional extension to 24 months | |
| Audit Logs & Compliance-Related Records | Logs and records specifically required for compliance, auditing, or legal proceedings (changes to system configurations, data subject access requests, and backup logs). | Up to 24 months or longer based on specific legal, regulatory, or customer contractual requirements | |
| Transactional & Billing Data | Logs of financial or contractual transactions, such as invoices, payment records, or service usage metrics for billing. | Typically 5–7 years | |
5. Storage, Access, & Security Controls
Storage Methods:
- Primary Storage: Active logs are maintained on secure servers or cloud-based solutions (AWS, MongoDB, GCP, and Google Firestore).
- Archival Storage: Old or rarely accessed logs may be moved to lower-cost, encrypted archival storage with appropriate access controls.
Access Controls:
- Least Privilege Principle: Access to logs is granted only to authorized personnel who need the information to perform their roles (security analysts and DevOps engineers).
- Multi-Factor Authentication (MFA): Required for all administrative log access to prevent unauthorized viewing or tampering of log data.
Encryption:
- Data in Transit: All log data transfers occur over secure channels.
- Data at Rest: Logs are encrypted at rest where supported by the underlying storage system (AES-256).
Monitoring & Alerts:
- Automated systems monitor for anomalous patterns in log data.
- Access attempts are logged, and suspicious activities trigger real-time alerts.
6. Deletion & Destruction
Deletion Protocol:
- Once a log reaches the end of its retention period, it is marked for deletion or archival, depending on business or compliance requirements.
- Automated scripts or processes handle the scheduled deletion of logs to ensure consistency.
Secure Destruction:
- Secure wiping of data uses industry-standard methods to ensure the data cannot be recovered.
- Certificates of destruction may be generated for critical or compliance-related data, as necessary.
7. Exemptions & Exceptions
Legal Holds:
- If logs are subject to litigation or a regulatory investigation, they are placed on a legal hold and are not deleted until the hold is lifted.
- Ambrstack's Legal Department coordinates such processes.
Customer Requirements:
- In some cases, customer-specific contracts or SLAs may require different retention durations.
- These are handled on a case-by-case basis, and relevant teams are notified to adjust retention settings accordingly.
Extension of Retention Period:
- Security or operational concerns may justify extending the retention period for specific logs. Any extension must be approved by the Chief Information Security Officer (CISO).
8. Compliance & Audits
Regulatory Compliance:
- This Policy is designed to align with key regulations such as GDPR, local data protection laws, and relevant industry standards (ISO 27001 and SOC 2).
- Any change in applicable laws or regulations may result in immediate updates to this Policy.
Internal & External Audits:
- Ambrstack conducts periodic internal audits to ensure compliance with this Policy.
- Customers or external auditors (ISO or SOC certifications) may review log retention processes under NDA or relevant contractual obligations.
9. Roles & Responsibilities
Chief Information Security Officer:
- Oversees compliance with data protection regulations and ensures that this Policy meets GDPR and other global requirements.
- Maintains the technical standards and tools needed for log management and retention.
- Coordinates with the IT and DevOps teams to ensure logs are properly stored, encrypted, archived, and deleted.
IT & DevOps Teams:
- Implement and maintain automated processes for data retention, archival, and deletion.
- Monitor logs and respond to any anomalies or breaches in line with the separate Ambrstack Incident Response & Security Vulnerability Policy.
Legal & Compliance Teams:
- Advise on legal holds, contract clauses, and evolving regulatory requirements that may influence data retention schedules.
10. Policy Management & Review
Revision & Approval:
- This Policy is reviewed at least annually or upon significant changes to technical infrastructure, regulatory requirements, or business needs.
- Any revisions require approval from the CISO and the CEO or equivalent executive authority.
Publication & Awareness:
- This Policy is published internally on Ambrstack's documentation portal and externally on our website (if applicable).
- Training sessions may be conducted to educate employees and contractors on their responsibilities under this Policy.
11. Contact & Further Information
For questions or more information regarding this Data and Log Retention Policy, please contact: