Data Retention & Deletion Policy — SecNinjaz

Introduction

This Data Retention & Deletion Policy outlines how SecNinjaz retains and disposes of personal data and service data in compliance with Section 8(7) of the Digital Personal Data Protection Act, 2023 and Rule 5 of the DPDP Rules, 2025, which mandate erasure of personal data when the specified purpose is no longer being served or consent is withdrawn.

1. Guiding Principles

Purpose Limitation — Data is retained only as long as it serves the specific purpose for which it was collected.
Minimization — We collect the minimum data necessary and delete it at the earliest opportunity.
Automation — Deletion is automated, not dependent on manual processes.
Irreversibility — Deleted data cannot be recovered. There are no backups or archives of personal data after deletion.
Transparency — Retention periods are clearly communicated and consistently enforced.

2. Retention Schedule

2.1 Vulnerability Assessment Tool Data

Data Category	Examples	Retention Period	Deletion Method
Email Address	user@domain.com	144 hours (6 days) from submission	Automated purge job; encrypted records deleted from PostgreSQL
IP Address	Client IP (encrypted)	144 hours (6 days) from submission	Automated purge job; encrypted records deleted from PostgreSQL
User-Agent String	Browser identifier	144 hours (6 days) from submission	Deleted with parent submission record
Domain / Target URL	https://example.com	144 hours (6 days) from submission	Deleted with parent submission record
Domain Verification Tokens	quickscan-verify-abc123	144 hours (6 days) from submission	Deleted with parent submission record
OTP (One-Time Password)	8-character code (hashed)	10 minutes	Auto-expired in Redis; hash deleted on verification
Email Verification Token	Session verification token	30 minutes	Auto-expired in Redis
Session Token	UUID-based identifier	Until browser tab is closed + 72 hours server-side	Browser: cleared on tab close; Server: auto-expired
Scan Results & Findings	Vulnerability details, CVSS scores, CVEs	144 hours (6 days) from scan completion	Cascade-deleted with parent submission
Generated Reports	Executive summaries, remediation steps	144 hours (6 days) from generation	Cascade-deleted with parent submission
Scan Schedules	Recurring scan configurations	Until user cancels or 144 hours after last associated submission	Deleted with parent submission
Application Logs	PII-masked request logs	30 days	Rotated and purged automatically

2.2 Report Accessibility Timeline

Time 0          : Scan completes, report generated
  |
  | [Active Access Period - 72 hours]
  |   Report accessible via session token
  |   Report can be exported (JSON/Markdown/PDF)
  |
Hour 72         : Report access expires (HTTP 410 Gone)
  |
  | [Grace/Cleanup Period - 72 hours]
  |   Data awaiting automated deletion
  |   No access possible
  |
Hour 144        : ALL DATA PERMANENTLY DELETED
  |
  | [Nothing remains]

3. Automated Deletion Process

3.1 Background Cleanup Job

A server-side background job runs every 6 hours.
It identifies all submissions older than 144 hours.
It performs cascade deletion: submission + all associated scans, findings, reports, and schedules.
Encrypted PII fields (email, IP address) are deleted along with their encryption keys.
Redis entries (OTPs, verification tokens, session data) auto-expire based on their configured TTL.

3.2 Deletion Verification

Each cleanup run is logged in the application audit log (with PII-masked references).
The cleanup job records the count of deleted submissions, scans, and reports.
No personal data is retained in logs — all PII is masked before logging.

4. On-Demand Deletion (Data Erasure Requests)

In compliance with Section 12(2) of the DPDP Act, you may request immediate deletion of your personal data before the automated retention period expires.

How to request:

Email dpo@secninjaz.com with the subject "Data Erasure Request."
Provide the email address and/or domain associated with your submission for identification purposes.
We will process your request within 72 hours.
You will receive confirmation once deletion is complete.

What gets deleted:

Your email address and all encrypted PII
Domain and target URL records
All scan results, findings, and reports
All verification tokens and session data
All associated log entries are purged or rendered non-identifiable

5. Data That Is NOT Retained

We explicitly do not maintain:

Backups of personal data — There is no backup retention after the 144-hour lifecycle.
Shadow copies or archives — No data is moved to cold storage or archives.
Aggregated personal data — We do not create aggregate datasets from personal data.
Third-party copies — We require our Data Processors to delete personal data in accordance with our retention schedule.

6. Exceptions to Retention Schedule

Data may be retained beyond the standard retention period only if:

Legal obligation — Required by an order of the Data Protection Board of India, a court, or under applicable Indian law.
Active legal proceeding — Data is relevant to an ongoing legal dispute or investigation.
Active security incident — Data is needed for investigation of a confirmed security breach.

In such cases:

Only the minimum necessary data is retained.
Retention is limited to the duration required by the legal obligation.
The Data Protection Officer oversees and documents the extended retention.
The affected Data Principal is notified where legally permissible.

7. Third-Party Data Processor Retention

Our Data Processors are contractually required to:

Process personal data only for the purposes specified by SecNinjaz.
Delete or return personal data upon completion of the service or upon our instruction.
Not retain copies of personal data beyond what is strictly necessary for service delivery.
Comply with the same retention timelines outlined in this policy.

8. Contact

For questions about data retention or to request data deletion:

Data Protection Officer

Email: dpo@secninjaz.com
Website: https://secninjaz.com

Questions about this policy?

Reach our team at dpo@secninjaz.com.