01 – Overview
CloudNexus is committed to protecting your data privacy and managing your information responsibly. This Data Retention Policy describes the principles, practices, and procedures we follow regarding the collection, use, storage, and deletion of data across our cloud infrastructure platform.
We retain data only for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Our approach balances operational needs with your right to privacy and data minimization.
Scope of This Policy
This policy applies to all data collected through CloudNexus's cloud hosting services, managed infrastructure, CDN, databases, APIs, customer portals, and related systems. It covers both personally identifiable information (PII) and operational data.
02 – Scope & Definitions
Understanding the key terms and scope is essential to this policy.
Key Definitions
Data Retention
The period during which data is actively stored and accessible by CloudNexus systems before deletion or archival.
Data Archival
Transferring data to long-term, lower-cost storage systems where it is preserved but not actively accessed.
Data Deletion
Secure erasure of data from all active, backup, and archival systems so it can no longer be retrieved or reconstructed.
Legal Hold
A preservation directive that suspends normal deletion processes when data is required for litigation or investigation.
What This Policy Covers
- Customer account data and authentication credentials
- Infrastructure usage logs and monitoring data
- Backups, snapshots, and disaster recovery data
- Network traffic and CDN cache data
- Support ticket and communication records
- Billing, invoicing, and financial transaction data
- Application data hosted on CloudNexus infrastructure (user-managed)
What This Policy Does Not Cover
CloudNexus acts as a data processor for application data hosted on our infrastructure. The retention of your customers' data hosted on our servers is governed by your own policies and the agreements you have with your end users. We do not access, audit, or control that data.
03 – Retention Periods
The following table outlines the retention periods for each data category we manage. These periods are measured from the date of data collection or the last activity, whichever is later.
| Data Category | Retention Period | Format | Legal Basis |
|---|---|---|---|
| Account & Profile Data | Lifetime of Account | Encrypted DB | Contract fulfillment |
| Billing & Invoicing | 7 Years | Encrypted DB + Archive | Tax & financial regulations |
| Authentication Logs | 12 Months | Encrypted Logs | Security & compliance |
| System Access Logs | 12 Months | Encrypted Logs | SOC 2 compliance |
| Network & CDN Logs | 90 Days | Streaming → Object Store | Operational optimization |
| Performance Metrics | 18 Months | Time-series DB | Service monitoring |
| Support Tickets | 36 Months | Encrypted DB | Service improvement |
| Email Communications | 36 Months | Encrypted DB | Service documentation |
| Backups & Snapshots | Up to 90 Days | Encrypted Storage | Disaster recovery |
| API Request Logs | 30 Days | Streaming Logs | Debugging & analytics |
| Temporary Cache Data | 1–72 Hours | RAM / Redis | Performance optimization |
| Cookie & Tracking Data | Up to 13 Months | Browser Storage | User consent / Legitimate interest |
| Deleted Account Data | 30-Day Grace Period | Quarantined Storage | Accidental recovery window |
| Incident & Breach Records | 7 Years | Encrypted Archive | Regulatory & legal obligations |
| Compliance Audit Records | 7 Years | Encrypted Archive | SOC 2, ISO 27001 requirements |
Data Minimization Principle
Where possible, we employ data aggregation, anonymization, and pseudonymization techniques to reduce the amount of personally identifiable information stored. Raw logs are often reduced to aggregated metrics within their retention window.
04 – Data Classification
All data processed by CloudNexus is classified into categories that determine retention handling, security controls, and access restrictions.
Data Classification Levels
Confidential – Customer Data
Application data, database contents, file storage, and encrypted payloads hosted on our infrastructure. Retention is controlled by the customer. CloudNexus has no independent retention rights over this data.
Restricted – Account Data
PII, billing information, API keys, authentication tokens, and profile data. Retained per the periods defined in this policy with encryption at rest and in transit.
Internal – Operational Data
System logs, performance metrics, network traffic data, and internal analytics. Retained for operational purposes and deleted according to the schedule above.
Public – Published Data
Status page information, documentation, API references, and service descriptions. No retention constraints apply to publicly published content.
Customer-Hosted Data
For data hosted by customers on CloudNexus infrastructure (virtual machines, object storage, managed databases, etc.), the following principles apply:
- Customer-Controlled: Retention is entirely at the customer's discretion. CloudNexus does not delete, modify, or access application data without explicit customer authorization.
- Deletion Window: Upon customer deletion request, data is removed from active storage within 30 days. The data may persist in backup systems for up to 90 days as part of disaster recovery procedures, after which it is cryptographically erased.
- Data Residency: Customer data remains within the selected geographic region unless the customer initiates a migration. Cross-region replication is only performed with explicit consent.
- Cryptographic Erasure: When customer data is scheduled for deletion, we perform cryptographically secure erasure using NIST 800-88 Rev. 1 guidelines for digital media sanitization.
05 – Data Collection Practices
We only collect data that is necessary for providing and improving our services. Here is what we collect:
Account-Related Data
- Name, email address, and organization details – retained for the lifetime of the account
- Payment information (tokenized) – retained per financial regulations (7 years for billing records)
- API keys and access tokens – rotated according to customer settings; revoked tokens are logged for 12 months
- Two-factor authentication data – securely hashed and stored indefinitely while account is active
Operational Data
- Server and infrastructure usage metrics – retained for 18 months for trend analysis
- Network traffic metadata (not payload) – retained for 90 days
- DNS query logs – retained for 90 days
- SSL/TLS certificate data – retained for the certificate validity period plus 1 year
Support & Communication Data
- Support tickets and chat transcripts – retained for 36 months
- Email correspondence – retained for 36 months
- Video call recordings (if applicable) – retained for 30 days unless customer requests longer storage
06 – Storage & Security
Data stored by CloudNexus is protected using multiple layers of security controls at rest and in transit.
Encryption Standards
Encryption at Rest
AES-256 encryption for all stored data. Customer data is encrypted with per-tenant keys managed via AWS KMS or equivalent provider. Keys are rotated annually.
Encryption in Transit
TLS 1.3 for all data transfers. HSTS enforced across all endpoints. Certificates from trusted CAs with automated renewal.
Key Management
HSM-backed key management with FIPS 140-2 Level 3 validated modules. Separation of duties between key administration and data access.
Network Security
Micro-segmentation, private VPCs, DDoS mitigation, and zero-trust architecture for internal network access.
Access Controls
- Principle of Least Privilege: Access to data is granted on a need-to-know basis. All access is logged and audited.
- Multi-Factor Authentication: Required for all employee access to production systems and customer data.
- Regular Access Reviews: Quarterly review of all data access permissions with automatic revocation of unused accounts.
- Privileged Access Management: All privileged access requires explicit approval and is time-bound with session recording.
07 – Data Deletion Process
CloudNexus follows a structured, auditable process for data deletion that ensures no recoverable traces of data remain after the retention period expires.
Deletion Workflow
Step 1 – Scheduling
Data approaching its retention limit is flagged by automated monitoring systems. The deletion is queued and scheduled during a maintenance window to minimize operational impact.
Step 2 – Verification
Before deletion, the system verifies that the retention period has expired, that no legal holds apply, and that the deletion has been authorized by the appropriate workflow.
Step 3 – Secure Deletion
Data is cryptographically erased using NIST 800-88 Rev. 1 standards. For SSD storage, ATA Secure Erase or NVMe Format NVM commands are executed. Encryption keys are destroyed, rendering any encrypted copies unrecoverable.
Step 4 – Audit & Certification
A deletion audit record is generated with timestamp, data category, volume, method, and operator identity. This record is itself retained for 7 years for compliance verification. The deletion is logged in our immutable audit trail.
Backup Retention Note
Deleted data may persist in backup systems for up to 90 days as part of disaster recovery procedures. After this period, backup data is overwritten or cryptographically erased. We do not maintain backups longer than necessary.
08 – Legal Holds & Regulatory Requirements
Certain data may be subject to extended retention periods due to legal, regulatory, or investigative requirements.
Legal Hold Triggers
- Active litigation involving CloudNexus or its customers (where lawful data preservation is required)
- Government subpoenas or court orders for data preservation
- Ongoing regulatory investigations
- Internal fraud or security incident investigations
- Tax authority data preservation requests
Extended Retention Periods
Tax & Financial Records
Invoices, receipts, and transaction records are retained for 7 years per international tax regulations and financial reporting requirements (IRS, HMRC, and equivalent).
SOC 2 & ISO 27001 Records
Audit logs and compliance evidence are retained for a minimum of 7 years per certification requirements. These records cannot be deleted until the period expires.
GDPR Article 17 Exceptions
Where data is necessary for exercising the right of freedom of expression, compliance with a legal obligation, reasons of public interest, or legal claims, the right to erasure does not apply.
Law Enforcement Requests
Data may be retained where required by valid legal process. We review all requests for validity and scope before any data is shared or retained beyond normal periods.
09 – Your Data Rights
Under applicable data protection laws including GDPR, CCPA/CPRA, and other regional regulations, you have specific rights regarding your personal data.
Right to Access
Request a copy of all personal data we hold about you, including the categories of data, purposes of processing, and retention periods.
Right to Rectification
Request correction of inaccurate or incomplete personal data. We will correct the data within 30 days.
Right to Erasure
Request deletion of your personal data where there is no legal basis for retention. Subject to exceptions outlined in Section 8.
Right to Portability
Receive your data in a machine-readable format and transmit it to another service provider where technically feasible.
Right to Restrict Processing
Request that we limit the processing of your personal data in certain circumstances, such as during a dispute over accuracy.
Right to Object
Object to processing based on legitimate interests or direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.
How to Exercise Your Rights
- Submit requests through the CloudNexus Customer Portal → Privacy Center
- Email privacy@cloudnexus.com with "Data Rights Request" in the subject line
- We will respond within 30 days of receiving a verifiable request
- For complex or numerous requests, we may extend the response period by an additional 60 days with notification
10 – International Data Transfers
CloudNexus operates data centers across multiple geographic regions. Data transfers between regions are conducted in compliance with applicable data protection laws.
Data Residency Options
Customers can select their preferred data residency region at the time of provisioning. Our primary regions include:
- Americas: US East (Virginia), US West (Oregon), Canada Central (Montreal), South America (São Paulo)
- Europe: EU West (Frankfurt), EU North (Stockholm), UK (London)
- Asia-Pacific: AP Southeast (Singapore), AP Northeast (Tokyo), AP South (Mumbai), AP Australia (Sydney)
Transfer Safeguards
- EU-US Data Privacy Framework: CloudNexus is certified under the EU-U.S. Data Privacy Framework and adheres to its principles.
- Standard Contractual Clauses (SCCs): Where applicable, we use EU Commission-approved SCCs for cross-border data transfers.
- Binding Corporate Rules (BCRs): For intra-group transfers within the CloudNexus organization.
- Data Processing Addendum (DPA): Available for all customers and incorporated into service agreements.
Cross-Region Replication
By default, data remains within the selected region. Cross-region replication is only enabled when explicitly configured by the customer or when required for high availability with customer consent. No cross-border transfers occur without your authorization.
11 – Data Breach Response Protocol
In the event of a data breach, CloudNexus follows a structured incident response plan to contain, investigate, and notify affected parties.
Breach Notification Timelines
Internal Detection – 1 Hour
Automated monitoring systems detect anomalies. The security operations center (SOC) responds within 1 hour with initial containment actions.
Investigation – 72 Hours
The incident response team investigates the scope, impact, and root cause within 72 hours. Forensic analysis is conducted by certified professionals.
Regulatory Notification – 72 Hours
Per GDPR and other regulations, supervisory authorities are notified within 72 hours of confirmed breach awareness.
Customer Notification – As Required
Affected customers are notified without undue delay, typically within 72 hours, with clear information about the breach and recommended actions.
Breach Containment Procedures
- Immediate isolation of affected systems and services
- Preservation of evidence and forensic artifacts
- Emergency key rotation and credential revocation
- Deployment of additional monitoring and detection rules
- Engagement of third-party forensics firm if needed
- Post-incident review and remediation plan implementation
12 – Policy Updates & Changes
This policy may be updated periodically to reflect changes in our practices, technology, or regulatory requirements.
- Material Changes: Significant changes to data retention practices will be communicated via email at least 30 days before they take effect.
- Minor Updates: Non-material clarifications or formatting updates may be published without prior notice. All updates are logged in the change history.
- Notification Channels: Updates are posted on this page, published in the status dashboard, and communicated via customer portal notifications.
- Version History:
| Version | Date | Changes |
|---|---|---|
| 3.2 | Jan 15, 2025 | Added CDN log retention schedule; clarified backup deletion procedures |
| 3.1 | Sep 1, 2024 | Updated legal holds section; added APAC region data residency |
| 3.0 | Mar 15, 2024 | Major revision: aligned with GDPR, CCPA, and SOC 2 Type II requirements |
| 2.1 | Nov 1, 2023 | Added international data transfer safeguards section |
| 2.0 | Jun 1, 2023 | Expanded data classification and added breach response protocol |
| 1.0 | Jan 1, 2023 | Initial publication |
We encourage customers to review this policy regularly. Continued use of CloudNexus services after policy updates constitutes acceptance of the revised terms.
13 – Contact & Inquiries
If you have questions, concerns, or requests regarding this Data Retention Policy or how we handle your data, please contact us through any of the channels below.
Postal Mail
CloudNexus DPO
200 Innovation Drive, Suite 400
San Francisco, CA 94105
United States
Supervisory Authorities
If you believe your data protection rights have been violated and are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority:
- EU: Your local Data Protection Authority (find at edpb.europa.eu)
- UK: Information Commissioner's Office (ico.org.uk)
- USA (California): California Privacy Protection Agency (oag.ca.gov/privacy)
- Other regions: Refer to your local data protection regulator