This Data Retention Policy describes how MakingITworc collects, stores, retains, and disposes of information in the course of providing managed IT services. It supplements our Terms and Conditions and our Privacy Policy, and applies to all personal information and Client data we handle, in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
1. Scope
This policy covers:
- Personal information about Client representatives (names, business email addresses, phone numbers, business addresses, titles)
- Operational and technical data we collect while delivering services (device inventories, network diagrams, ticket histories, log files, configuration data, credential vault entries)
- Financial and contractual records (quotes, Statements of Work, Purchase Orders, invoices, signed agreements)
- Personal information about Client end-users that we may access while supporting Client systems
2. Categories of Data and Retention Periods
2.1 Client Account and Contract Records
Includes: business contact details, Statements of Work, Purchase Orders, signed agreements, invoices, payment records.
Retention: Seven (7) years after the end of the engagement, to comply with Canada Revenue Agency record-keeping requirements and to support warranty, audit, and dispute resolution.
2.2 Service Tickets and Communications
Includes: JIRA Service Management tickets, email threads, chat transcripts, remote-session notes.
Retention: Three (3) years after ticket closure, then archived for an additional two (2) years before secure deletion. Communications referenced in unresolved disputes are retained until the dispute is resolved.
2.3 System Documentation and Configurations
Includes: network diagrams, device inventories, credential vault entries, runbooks, scripts, and automation maintained on the Client’s behalf.
Retention: Retained for the duration of the engagement; then, consistent with our Statement of Work termination provisions, securely deleted as requested by the Client or following the transition assistance window described in Section 4 below.
2.4 Endpoint and Network Telemetry
Includes: Meraki Systems Manager telemetry, monitoring data, security event logs, RMM agent logs, anti-malware detections.
Retention: Ninety (90) days online for active operational use, then archived for nine (9) additional months for security investigation purposes, then securely deleted.
2.5 Backups and Recovery Data
Includes: backups we create or manage on behalf of Clients (only where backup services are explicitly added by amendment, since standard managed IT engagements do not include backup configuration or monitoring — see Out of Scope in our Terms).
Retention: As defined in the applicable Statement of Work amendment. In the absence of a specific schedule: daily backups retained 30 days, weekly backups retained 12 weeks, monthly backups retained 12 months. Backup data is purged on termination unless restored to the Client first.
2.6 Security Incident Records
Includes: incident reports and forensic evidence collected during the response to a confirmed or suspected security incident.
Retention: Seven (7) years from incident closure, in accordance with cybersecurity insurance and breach-reporting obligations.
2.7 Marketing and Prospect Data
Includes: contact details collected from prospects, mailing-list subscribers, and website inquiries.
Retention: Until the individual unsubscribes or requests deletion, or after twenty-four (24) months of inactivity, whichever comes first.
3. Storage and Security
All Client data is stored on systems with industry-standard access controls, encryption at rest where supported, encrypted transport for data in transit (TLS), multi-factor authentication for administrative access, and least-privilege access principles. Credential vaults use additional encryption. Physical storage of paper records (where unavoidable) is in locked premises with access limited to authorized personnel.
4. Handling on Termination
Consistent with Section 15 of our Terms and Conditions, upon termination of a service engagement:
- MakingITworc will provide reasonable transition assistance to a new provider for up to forty-five (45) days at the standard hourly rate.
- All access credentials, documentation, and Client data will be returned or securely deleted as requested by the Client, subject to this Data Retention Policy.
- Records that we are legally required to retain (e.g., tax records, signed contracts, invoices) will be kept for the applicable statutory period as described in Section 2 above.
- Backup copies that exist in our managed backup infrastructure (where backup services were in scope) will be purged unless restored to the Client first.
5. Sub-Processors and Third Parties
We rely on third-party services to deliver our offering. Current sub-processors are listed in our Privacy Policy. Each sub-processor is contractually bound to handle data in accordance with its own privacy and security obligations. Data stored within a sub-processor’s platform is also subject to that provider’s retention practices.
6. Cross-Border Data Transfer
Some sub-processors store or process data outside of Canada (commonly in the United States or European Union). Where this is the case, the data remains subject to the privacy laws of the jurisdiction in which it is stored. Clients with specific Canadian data-residency requirements should notify us in writing so we can confirm whether a Canadian-resident option is available for the affected service.
7. Your Rights
Individuals whose personal information we hold have the right to:
- Request access to their personal information
- Request correction of inaccurate or incomplete information
- Request deletion, subject to legal retention requirements (e.g., tax records)
- Withdraw consent to non-essential processing
- File a complaint with the Office of the Privacy Commissioner of Canada
To exercise these rights, contact us using the details in Section 10 (Contact). We will respond within thirty (30) days.
8. Secure Disposal
When retention periods expire or data is no longer needed:
- Digital records are deleted from primary systems and backup media using methods consistent with NIST SP 800-88 guidelines (clear, purge, or destroy as appropriate)
- Decommissioned drives that held Client data are cryptographically erased or physically destroyed before disposal or resale
- Paper records, where applicable, are cross-cut shredded
9. Breach Notification
If we become aware of a security breach involving personal information that creates a real risk of significant harm, we will notify the affected Client and the Office of the Privacy Commissioner of Canada as required by PIPEDA, and we will assist the Client in meeting any additional notification obligations to their end-users.
10. Contact
Questions or requests regarding this Data Retention Policy can be directed to:
MakingITworc
Email: support@makingitworc.ca
Web: makingitworc.ca
11. Changes to This Policy
We may update this policy from time to time. Material changes will be posted here with a revised “Last Updated” date. Where the change materially affects existing Clients, written notice will be provided in advance of the change taking effect.
