We have updated our privacy policy today. The two significant changes are the extension of the data retention period for backups from 60 to 90 days, and the reduction of the raw analytics retention period from 10 to 7 days.
The new backup retention period of 90 days is necessary to ensure that we can adequately protect our data, which is in our legitimate interest. We now believe that 60 days is on the short side if we want to protect ourselves from, for example, ransomware. We see 90 days as an acceptable trade-off between the risk of data loss and the privacy impact on the individuals whose data we process in these backups.
It should be noted that only the absolutely required personnel at CipherMail have access to these backups. They are only accessed as a last resort in case of a data loss event. We do not provide these backups to third parties. They are stored in encrypted form and are automatically removed after the above retention period.
This is the list of all changes:
- Increase backup retention period from 60 to 90 days
- Reduce the anonymization deadline of raw analytics data from 10 to 7 days
- Provide explanation of our legitimate interest in processing some personally identifiable information (PII)
- Provide information on third-party data processing, including sensitive logs stored on third-party systems
- Include Matomo opt-out iframe on privacy policy page
- Explain that PII in mailing list posts is also publicly archived
- Explain that we are legally required to perform ID checks on GDPR requests
- Improve style and phrasing
If you have any comments on these changes, please let us know.