Data Retention Policy
1. Introduction
This Data Retention Policy describes how Ataraxia GRC, LLC (“Ataraxia GRC,” “we,” “us,” or “our”) collects, retains, and disposes of data within the Ataraxia GRC CMMC compliance platform (the “Service”).
We are committed to retaining your data only as long as necessary to provide our Service and comply with legal obligations, and to securely deleting your data when it is no longer needed.
2. What Data We Collect and Store
The Service stores the following categories of data on behalf of your organization:
- Organization profile: company name, CAGE code, NAICS code, employee count, CMMC level target, and CUI handling designation.
- User accounts: name, email address, role, and authentication credentials (hashed).
- Assessment data: control responses, objective responses, implementation descriptions, and SPRS scores.
- Documents: System Security Plans (SSP), policies, and generated document content.
- POA&M items: remediation plans, milestones, deadlines, and completion status.
- Evidence files: uploaded documents, screenshots, and configuration exports linked to specific controls.
- Tech stack selections: products and tools selected for inherited control analysis.
- Audit trail: timestamped log of all actions taken within the platform, including who performed each action.
- AI Copilot conversations: questions asked and responses provided by the compliance copilot.
- Subcontractor records: subcontractor names, CMMC status, and flowdown requirements.
Important: Ataraxia GRC does not store actual Controlled Unclassified Information (CUI). All CUI references in our system are metadata only — descriptions of how your organization handles CUI, not the CUI itself.
3. Retention Schedule
We retain your data according to the following schedule:
| Data Type | Retention Period | What Happens After Expiry |
|---|---|---|
| Active subscription data | Indefinite while subscribed | Retained as long as subscription is active |
| Data after subscription cancellation | 90 days after cancellation | Notification sent, then permanent deletion |
| Free trial data (no conversion) | 30 days after trial ends | Notification sent, then permanent deletion |
| Audit trail | 3 years | Archived, then permanently deleted |
| Evidence files | Tied to organization lifecycle | Deleted with organization |
| Copilot conversations | 90 days | Automatically deleted |
| Payment records | As required by law (typically 7 years) | Retained per legal/tax requirements |
| Deletion logs (metadata only) | 3 years | Retained for compliance audit trail |
4. What Happens When You Cancel
When your subscription is cancelled:
- Immediate: You will receive an email confirming cancellation and informing you that your data will be retained for 90 days.
- During the 90-day window: Your data remains intact. You can reactivate your subscription at any time to resume access. You can also export your data using the Data Export feature in Settings.
- 7 days before deletion: You will receive a final reminder email with options to export your data or reactivate your subscription.
- After 90 days: All organization data is permanently and irreversibly deleted, including all assessment data, documents, evidence files, and team member access.
For free trial accounts that do not convert to a paid subscription, the same process applies with a 30-day retention window.
5. What Happens When You Delete Your Account
Organization deletion
Organization owners can permanently delete their organization and all associated data from Settings > Data & Privacy. This action:
- Permanently removes all assessment data, control responses, and objective responses
- Permanently removes all SSP documents and implementation descriptions
- Permanently removes all POA&M items
- Permanently removes all uploaded evidence files from storage
- Removes all team member access
- Removes all subcontractor records
- Is immediate and cannot be undone
A minimal deletion record (containing only the organization name, deletion date, and data counts — no actual user data) is retained for our own compliance records.
Individual account deletion
Individual users can delete their own account from Settings > Data & Privacy. If you are the sole owner of an organization, you must transfer ownership or delete the organization before deleting your account.
6. How to Request a Data Export
You can export all of your organization's data at any time from Settings > Data & Privacy. The export includes:
- Organization profile and settings
- All assessment data, control responses, and objective responses
- SSP descriptions and generated documents
- All POA&M items with status and milestones
- Evidence file manifest (filenames, dates, and control mappings)
- Tech stack selections
- Team member list
- Full audit trail
The export is delivered as a ZIP file containing JSON files. Evidence files are not included in the export due to their potentially large size and sensitive nature — they can be downloaded individually from the Evidence Library.
Exports are rate-limited to one per hour per organization.
7. How to Request Data Deletion
You can delete your organization's data at any time using the self-service deletion feature in Settings > Data & Privacy. This is the fastest way to exercise your right to erasure.
Alternatively, you can submit a formal deletion request by emailing privacy@ataraxiagrc.com. We will process your request within 30 days.
After deletion, we retain only a minimal deletion log (organization name, deletion date, and record counts; no user content or assessment data) to document that the deletion was performed, as required for our own compliance obligations.
8. Automated Deletion Process
We use automated processes to enforce our retention schedule. These processes:
- Send email notifications before any automated deletion occurs
- Permanently delete data from both our database and file storage
- Cannot be reversed once completed
- Log all deletions for compliance audit purposes
We recommend exporting your data before your retention window expires if you wish to keep a copy. Because evidence files are not included in the export, download any evidence files you need individually from the Evidence Library before the window expires as well.
9. Contact for Data Requests
For questions about data retention, export requests, deletion requests, or any other data-related inquiries, contact us at:
- Email: privacy@ataraxiagrc.com
- Response time: Within 30 days for all formal requests
- General support: hello@ataraxiagrc.com
Under GDPR, CCPA, and other applicable privacy regulations, you have the right to access, correct, delete, restrict processing of, and port your data. See our Privacy Policy for a full description of your data rights.