Khoros Data Retention and Media Destruction Policy for Customer Data

Last Update: 04/11/2018

Data Retention

Customer data is retained for the duration of the customer’s contract with Khoros, unless otherwise instructed by the customer. When the contract ends, Khoros Support contacts the customer to offer data return. Then, after the data has been returned or declined by the customer, the data is deleted. Deletion occurs within thirty days with the following exceptions:

  • Data on back up systems or media is maintained for 90 days in order to maintain sound business continuity practices and then deleted
  • Log files are maintained for up to twelve months for security reasons and then deleted
  • Klout data for which Khoros acts as a controller is retained for longer periods of time based on Khoros’s legitimate interested in maintaining the integrity of Klout analysis that is dependent on historical data.

During and after the life of the contract, Khoros can use aggregated and anonymized data for metrics and reporting purpose. This data does not include any personal information nor any information about the customer or the end user.

Data Backup and Restoration

Information on backup tapes is encrypted using AES 256-bit information and tapes are over written every ninety (90) days. Access to the backup tapes is restricted to authorized individuals. Offsite tapes are kept in a secure facility. Backups are made daily and full backups weekly. We conduct backup restoration testing every six (6) months, in January and July.

Data Destruction

When the contract ends, if the customer wishes to have a copy of the data, we provide the information to the customer in an XML format via our secure SFTP servers. The information on the SFTP servers remain intact for 30 days after which time it is deleted, unless otherwise instructed by the customer. The active data bases are also dropped from the production servers as well after the XML extraction is transferred to the customer.
After the media used for storage is retired, it is scrubbed or destroyed using NIST SP 800-88 guidelines.