Skip to content
Business Continuity & Data

Data Retention Policy

Version: 1.0
Effective Date: January 28, 2025
Last Updated: January 23, 2026
Status: Approved

1.0 PURPOSE

This Policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within NEO

This Policy applies to all business units, processes, and systems in all countries in which the NEO conducts business and has dealings or other business relationships with third parties.

This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and/or sensitive personal data).

It is the responsibility of all of the above to familiarise themselves with this Policy and ensure adequate compliance with it.

This policy applies to all information used at NEO. Examples of documents include:

  • Personal Data collected by providing online services
  • Emails
  • Hard copy documents
  • Soft copy documents
  • Video and audio
  • Data generated by physical access control systems.

2.0 POLICY

CTO defines the time period for which the documents and electronic records should be retained through the Data Retention Schedule.

Destruction of Data

The data will be destroyed according to the Disposal and Destruction Policy. The VP of Engineering has the responsibility to ensure that each of the NEO team members complies with this Policy.

Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation, and loss of competitive advantage, financial loss and damage to the Company’s reputation, personal injury, harm or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to NEO information, may, therefore, result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.

Routine Retention Schedule

Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:

  • Announcements and notices of day-to-day meetings
  • Requests for ordinary information such as travel directions;
  • Reservations for internal meetings without charges / external costs;
  • Transmission documents such as letters, fax cover sheets, e-mail
  • Messages, routing slips, compliments slips, and similar items that
  • Accompany documents but do not add any value;
  • Message slips;
  • Superseded address list, distribution lists etc.;
  • Duplicate documents such as CC and FYI copies, unaltered drafts,
  • Snapshot printouts or extracts from databases and day files;
  • Stock in-house publications which are obsolete or superseded; and
  • Trade magazines, vendor catalogues, flyers and newsletters from vendors

Data Retention Schedule

  • Emails are retained in accordance with ISO 27001:2022 requirements using the Piler email archiving system, which provides secure, searchable, and compliant retention of all email communications.
  • Google Drive documents are by default kept indefinitely, unless removed
  • Backups are kept according to schedule defined in Backup Policy
  • Confluence pages are kept indefinitely unless removed
  • JIRA tickets are kept indefinitely unless archived by the administrator

References

EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)

Let's build your proposal
Powered by NEO AI - Intelligent Matching Technology