DATA-09

At the completion of this contract, will data be returned to the institution and/or deleted from all your systems and archives?

Explanation

This question is asking about your data handling procedures at the end of a contract with an educational institution. Specifically, it wants to know what happens to the institution's data when your business relationship ends.

The question is important for several reasons:

1. Data ownership: Educational institutions maintain ownership of their data even when it's processed by vendors.
2. Regulatory compliance: Educational institutions must comply with regulations like FERPA (Family Educational Rights and Privacy Act), which protect student data privacy.
3. Risk management: Ensuring data is properly returned or deleted reduces the risk of data breaches after the business relationship ends.
4. Data lifecycle management: Proper data handling throughout the entire lifecycle, including termination, is a fundamental security practice.

The guidance specifically asks you to clarify whether data will be returned to the institution, deleted from your systems, or both. The best answers will be specific about:

- The exact process for returning data (formats, methods, timeframes)
- The deletion process (including backups and archives)
- Any verification methods to prove deletion occurred
- Any exceptions or special cases
- Compliance with relevant regulations

This question helps institutions understand how you handle the final phase of the data lifecycle and whether your practices align with their security and compliance requirements.

Guidance

Please specify if it will be returned, deleted, or both.

Example Responses

Example Response 1

Yes, at contract completion, we follow a comprehensive data return and deletion process. First, we will export all institution data in industry-standard formats (CSV, JSON, or other formats as requested) and securely transfer it to the institution via encrypted SFTP or our secure file sharing portal. Once the institution confirms successful receipt of data (typically within 30 days), we initiate our deletion protocol. This includes removing all institution data from production systems, backup systems, and archives using secure deletion methods that comply with NIST 800-88 guidelines. We provide a Certificate of Destruction documenting the completion of this process. Our data deletion is verified through automated logs and manual spot-checks by our security team. The entire return and deletion process is typically completed within 60 days of contract termination.

Example Response 2

Upon contract completion, we provide two options for data handling:

(1) Data Return Only: We will package all institutional data in its native format and provide secure download links valid for 30 days. We maintain encrypted archival copies for 1 year to support potential regulatory requirements or audits, after which all data is automatically purged from our systems.

(2) Data Return and Deletion: We return data as described above, then perform immediate deletion of all institutional data from our production environments within 14 days, followed by removal from backups within 90 days as backup cycles complete.

For either option, we provide detailed documentation of the process and can accommodate special requirements with advance notice. Our procedures comply with GDPR, CCPA, and FERPA requirements for data portability and the right to be forgotten.

Example Response 3

Our standard contract does not include provisions for automatic data return or deletion at contract completion. Instead, we maintain customer data indefinitely in our secure archives according to our data retention policy. If an institution requires data return, this can be arranged for an additional fee based on the data volume and complexity. Complete data deletion from our systems, including backups and archives, is not currently supported due to our shared infrastructure architecture. However, we can implement logical access controls to prevent access to the data after contract termination. We recommend institutions that require complete data deletion discuss these requirements during contract negotiation so we can determine if special accommodations are possible.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub