制定数据保留政策

Data Retention and Disposal Policy for Registration and KYC Data

1. Purpose and Scope

• Purpose: Define mandatory retention, minimization, and disposal requirements for customer registration and Know Your Customer (KYC) data to ensure compliance with data protection and anti-money laundering (AML) obligations.
• Scope: Applies to all systems, environments, regions, and third parties that collect, process, store, or dispose of registration and KYC data for customers, prospective customers, and beneficial owners.
• Regulatory drivers: GDPR (including storage limitation and data minimization), CCPA/CPRA (retention disclosure and purpose limitation), applicable AML laws (e.g., EU AMLD/UK MLR requiring 5-year retention of CDD records; FinCEN rules requiring 5-year retention of certain AML records in the U.S.), ePrivacy/telecom retention rules where applicable, and local statute-of-limitations and recordkeeping laws.

2. Definitions

• Registration Data: Information collected to create and maintain an account or profile (e.g., name, contact details, credentials, device identifiers, basic demographics, communication preferences).
• KYC/CDD Data: Identity verification data and records collected to satisfy AML/CTF obligations, including identity documents, verification outputs, risk assessments, sanctions/PEP screening results, beneficial ownership, and ongoing monitoring artifacts.
• Relationship End: The later of (a) account closure/termination and (b) the last customer-initiated activity or financial transaction, unless otherwise defined by local law.
• Anonymization: Irreversible de-identification such that individuals are no longer identifiable by any means reasonably likely to be used.
• Legal Hold: Suspension of normal retention/destruction due to litigation, regulatory inquiry, or investigation.

3. Roles and Responsibilities

• Data Protection Officer (DPO)/Privacy: Owns policy, validates regulatory alignment, approves exceptions.
• AML Compliance: Confirms AML retention obligations and evidence requirements.
• Data Owners/System Owners: Implement retention schedules and deletion controls within their systems.
• Information Security: Ensures secure storage, encryption, access control, and secure disposal.
• Procurement/Vendor Management: Ensures third-party contracts enforce equivalent retention and deletion obligations.
• Engineering/IT Operations: Implements automation, logging, backup handling, and verification of deletion.

4. Legal and Regulatory Principles

• Storage limitation: Retain personal data no longer than necessary for the stated purpose or as required by law.
• AML precedence: Where AML laws require retention (commonly 5 years from Relationship End; some jurisdictions allow an additional period if necessary and proportionate), these requirements override routine deletion, subject to strict access controls.
• CPRA transparency: Disclose retention periods (or criteria) by category of personal information in the privacy notice and avoid retaining longer than reasonably necessary.
• Rights and exemptions: Honor data subject/consumer rights; where AML or legal obligations apply, deny or limit deletion/objection requests to the extent required, documenting the legal basis.

5. Data Categories, Purposes, and Retention Schedule Note: Periods below are defaults; apply stricter local rules where they exist. “Relationship End” is the default trigger for KYC retention.

A. Registration Data

• Account profile (name, email/phone, username, preferences, identifiers):

  • Retention: For the life of the account + 2 years after Relationship End.
  • Purpose: Account servicing, fraud prevention, dispute handling.
  • Rationale: Reasonably necessary for support and limitation periods; reduce if local statutes are shorter.
  • Disposal: Secure deletion or irreversible anonymization.

• Authentication and access logs (login, MFA events, device/browser fingerprinting where applicable):

  • Retention: 12 months rolling; extend to 24 months for elevated-risk services or if required by security standards.
  • Purpose: Security monitoring, fraud prevention, incident response.
  • Disposal: Secure deletion.

• Unverified/abandoned registrations:

  • Retention: 90 days from last activity; extend to 12 months if fraud signals are present.
  • Purpose: Account recovery assistance, abuse prevention.
  • Disposal: Secure deletion; retain only hashed identifiers if necessary for abuse prevention.

B. KYC/CDD Data

• Identity documents (passport/ID images, document numbers, proof of address):

  • Retention: 5 years after Relationship End (default AML baseline). Only extend beyond 5 years if explicitly required by local law/regulator and documented.
  • Purpose: Evidence of CDD/KYC compliance.
  • Disposal: Secure deletion; ensure redaction or destruction of images and document scans across all storage.

• Verification outputs (liveness results, match scores, document authenticity results, verification timestamps):

  • Retention: 5 years after Relationship End.
  • Purpose: Demonstrate KYC control effectiveness to regulators/auditors.
  • Disposal: Secure deletion or retain minimally necessary metadata if mandated.

• Biometric data used for KYC (face images, templates, liveness video):

  • Retention: Delete raw biometric images/videos immediately after verification or within 24 hours where immediate deletion is not technically feasible. Do not retain biometric templates unless strictly necessary and justified by law; if retained, limit to 5 years after Relationship End with heightened controls and conduct a DPIA.
  • Purpose: Identity verification.
  • Disposal: Secure deletion; ensure vendors also purge promptly.

• Sanctions/PEP screening results and watchlist hits, including adverse media summaries:

  • Retention: 5 years after Relationship End; or 5 years from screening date for point-in-time screenings—whichever is later.
  • Purpose: AML/CTF compliance, audit trail.
  • Disposal: Secure deletion; retain minimal identifiers if needed to prevent re-onboarding of sanctioned parties as permitted by law.

• Customer risk assessments and periodic KYC reviews (risk scores, rationale, reviewer notes):

  • Retention: 5 years after Relationship End.
  • Purpose: Ongoing due diligence evidence.
  • Disposal: Secure deletion.

• Transaction monitoring alerts related to KYC/CDD and supporting documentation:

  • Retention: As per AML law; default 5 years from alert closure or filing date of related report.
  • Purpose: AML monitoring evidence.
  • Disposal: Secure deletion following AML retention expiry.

• Suspicious activity/transaction reports (SAR/STR) and supporting records:

  • Retention: As required by applicable jurisdiction (commonly 5 years from filing). Do not disclose existence of SAR/STR to the customer.
  • Purpose: Legal compliance.
  • Disposal: Secure deletion after statutory period; retain legal hold if instructed by regulator/law enforcement.

• Failed/denied KYC attempts (mismatches, fraud flags):

  • Retention: 1 year from final decision; extend up to 3 years where necessary for fraud prevention and allowed by local law.
  • Purpose: Prevent re-attempted fraud; audit trail.
  • Disposal: Secure deletion; document balancing test if relying on legitimate interests.

C. Business Communications Related to Registration/KYC (emails, notices)

• Retention: 2 years after Relationship End, or aligned to enterprise email retention policy if stricter.
• Purpose: Evidence of notices and user communications.
• Disposal: Secure deletion in line with enterprise records policy.

6. Triggers and Exceptions

• Standard triggers: Relationship End; decision date for failed/denied KYC; last activity for abandoned registrations; closure date for monitoring alerts.
• Legal holds: Suspend deletion immediately upon notice; document scope and duration; resume deletion once hold is lifted.
• Extended retention: Only when (a) required by law or regulator, (b) necessary for establishment, exercise, or defense of legal claims, or (c) to investigate security incidents or fraud. Document justification and review every 12 months.

7. Data Minimization and Anonymization

• Collect only data required for registration and AML/KYC purposes.
• Prefer storing verification outcomes and minimal metadata over raw documents/biometrics.
• Where analytics are needed, use anonymized or properly pseudonymized datasets with re-identification keys stored separately and for limited durations.

8. Security Controls for Retained Data

• Encryption: Data at rest and in transit using industry-standard cryptography; manage keys via centralized KMS; rotate keys per policy.
• Access: Role-based access control with least privilege; restrict KYC access to vetted AML personnel; multi-factor authentication; quarterly access reviews.
• Logging: Immutable audit logs of access to KYC data; retain access logs for at least 12 months (24 months for high-risk environments).
• Segmentation: Store KYC artifacts in segregated repositories with additional controls and limited egress.
• Vendor controls: Require equivalent controls contractually; verify via audits or certifications.

9. Backups and Archival

• Backups: Apply the same retention clock; upon deletion in production, data becomes logically inaccessible and is purged from backups per backup rotation (maximum backup retention 90 days unless law requires longer).
• Archives: Avoid archival of raw KYC images; if archival is legally required, encrypt with restricted keys and record business justification and retention end date.

10. Third Parties and Cross-Border Transfers

• Contracts: Data Processing Agreements must specify retention periods, deletion timelines after contract end (e.g., 30–90 days), and pass-through obligations to subprocessors.
• Deletion SLAs: Vendors must complete deletion and provide a certificate of destruction upon request.
• International transfers: Use approved transfer mechanisms (e.g., SCCs where applicable). Retention durations must not be extended due to transfer or vendor location.

11. Data Subject/Consumer Requests

• Access/Portability: Provide records unless disclosure would breach AML secrecy or reveal SAR/STR existence. Redact third-party or investigative content as required.
• Deletion: Deny or limit where retention is required by AML or legal obligations. Clearly communicate basis for denial and retention end date/criteria.
• Restriction/Objection: Assess on a case-by-case basis; where processing is based on legitimate interests (e.g., fraud prevention for denied KYC), document a balancing test.

12. Governance, Documentation, and Review

• Records of Processing: Maintain a ROPA entry covering registration and KYC, including retention periods and legal bases.
• DPIA: Conduct and maintain a DPIA for KYC (especially if biometrics or automated decisioning are used).
• CPRA Disclosure: Publish category-level retention periods or criteria in the privacy notice and consent flows.
• Review Cycle: Annual review by Privacy and AML Compliance, or sooner upon regulatory changes or new processing activities.
• Metrics: Track deletion success rates, overdue records, and exceptions; report quarterly to the privacy/AML steering committee.

13. Disposal Methods

• Electronic data: Cryptographic erasure or secure overwrite consistent with NIST SP 800-88 or equivalent.
• Physical media: Shredding, degaussing, or certified destruction.
• Verification: Maintain deletion logs and certificates of destruction for regulators/auditors; sample-based verification of vendor deletions.

14. Regional Notes (Guidance)

• EU/EEA/UK: Retain CDD/KYC records for 5 years after Relationship End as a baseline; extension beyond 5 years requires legal basis under local AML law and necessity/proportionality assessment. Apply GDPR Article 17 exemptions for legal obligations and legal claims.
• U.S.: Financial institutions should align with federal AML recordkeeping (e.g., many AML records for 5 years) and applicable state statutes. CCPA/CPRA requires disclosure of retention periods and prohibits retaining longer than reasonably necessary.
• Other jurisdictions: Where local AML rules specify different periods, that period supersedes the baseline. Record jurisdiction-specific deviations in the retention register.

15. Default Retention Summary (high level)

• Registration profiles: Life of account + 2 years
• Auth/security logs: 12 months (up to 24 months for high risk)
• Unverified accounts: 90 days (up to 12 months if fraud risk)
• KYC images/docs/outputs/risk assessments/screening logs: 5 years after Relationship End
• Transaction monitoring alerts and related evidence: 5 years after closure
• SAR/STR and supporting documentation: Per local law (commonly 5 years from filing)
• Failed/denied KYC: 1 year (up to 3 years if needed for fraud prevention)
• Biometric raw data: Immediate deletion or within 24 hours after verification

Implementation Notes

• Configure retention timers at record level with event-driven triggers (account closure, KYC decision, alert closure).
• Use immutable metadata to store retention end dates and prevent premature deletion.
• Ensure consistent deletion across primary databases, data lakes, caches, search indexes, file stores, and vendor systems.
• Prevent analytical systems from extending retention inadvertently; enforce automated purges and anonymization jobs.
• Maintain a centralized retention register mapping each data store to the above categories and retention periods.

This policy establishes compliant defaults and controls for registration and KYC data. Where local law mandates different durations or handling, document the variance and ensure technical enforcement within affected systems.

数据保留政策（日志与备份）

1. 目的与适用范围

• 目的：规范组织对日志数据与备份数据的收集、保存、访问与销毁，确保在合规与安全要求下实现业务连续性与事件调查能力，同时遵循数据最小化与存储限制原则。
• 适用范围：适用于组织内所有生产与非生产环境的日志与备份数据，包括本地与云环境、第三方托管服务与内部系统。
• 数据性质：日志与备份可能包含个人数据（如IP地址、用户标识符、设备标识、时间戳、访问记录、交易元数据等）。政策对含个人数据的处理具有同等约束。

2. 合规原则与依据

• 存储限制与数据最小化：
  • GDPR：仅在实现目的所必需的期间内保存（Art. 5(1)(c)、5(1)(e)）；采取适当技术与组织措施保障安全（Art. 32）；隐私保护设计与默认（Art. 25）；具备合法基础（Art. 6）。
  • CCPA/CPRA：仅在实现披露目的的合理必要期限内保留；在隐私声明中告知各类个人信息的保留期限或确定方法；过期后不得继续保留或使用超出目的的范围。
• 信息主体权利：
  • 在活跃数据中支持访问、纠正与删除（GDPR Art. 15–17；CCPA删除权）。备份中不逐项修改，但须确保恢复后立即同步删除或屏蔽，且不得将备份用于与原目的不一致的处理。
• 账务/行业要求（如适用）：例如PCI DSS一般要求审计日志至少保留一年并确保三个月可即时检索；特定行业（金融、医疗、公共部门）可能有更长法定保留期，应在本政策的例外机制中加以登记与证明。

3. 角色与职责

• 数据保护官（DPO）：监督合规、审查保留周期与隐私影响。
• 信息安全负责人（CISO/SecOps）：实施技术控制、日志管线配置、备份加密与密钥管理。
• 系统所有者：定义业务目的与保留需求，按最小化原则配置日志级别。
• 法务与合规：评估法规要求与诉讼保全（Legal Hold）。
• 运维与数据工程：执行保留与销毁计划、审计与报告。
• 供应商/处理者：按照合同与DPA履行保留与销毁义务并提供证明。

4. 日志分类与保留周期（基线） 说明：以下为默认基线，用于在无更高法定或合同要求时执行。具体系统如涉及欺诈调查、财务审计或监管义务，可在“例外与保全”中延长并备案。所有周期以事件生成时间为起点。

• 安全事件与SIEM汇总（IDS/IPS、EDR、DLP、WAF、异常行为）：12–18个月；用途为威胁狩猎、入侵调查与合规审计。
• 身份与访问日志（SSO/IAM、MFA、权限变更、会话活动）：12个月；对溯源与违规调查必要。
• 数据库审计与特权操作日志（DDL/DML审计、管理员操作）：18–24个月；对数据完整性与高风险访问可延长。
• 应用与API网关日志（请求元数据、错误码、性能指标；避免含业务敏感负载）：90–180天；支持故障定位与容量规划。含个人数据字段应尽量缩短至90天或进行脱敏。
• 系统与基础设施日志（操作系统、容器/编排、存储与计算节点）：90天；可按安全需要延长至180天。
• 网络与边界日志（防火墙、VPC Flow、负载均衡、DNS）：180天；用于流量分析与异常定位。
• 云服务活动日志（例如云审计/访问踪迹）：12个月；遵循云提供方保留能力与成本优化。
• 邮件与消息网关日志（投递与安全事件元数据）：180天；不记录邮件正文与敏感内容。
• 监控与告警历史（指标、阈值触发记录）：180天；与安全事件相关部分按安全事件周期保留。

数据最小化与敏感抑制：

• 禁止在日志中记录密码、完整支付卡号、完整身份证号、健康信息正文、自由文本中的个人敏感信息。
• 对可识别标识使用哈希/标记化；仅在必要时保留原值，并限制访问。
• 采用结构化日志，按字段控制保留与脱敏，便于选择性清除与压缩。

5. 备份策略与保留周期 适用对象：数据库、文件存储、配置与关键系统镜像，以及日志归档。 目标：在满足RPO/RTO的前提下，遵循存储限制原则；备份仅用于灾难恢复与业务连续性，不作二次分析。

• 备份层级与周期（通用基线）：
  • 日常增量：保留30天。
  • 每周完整备份：保留12周。
  • 每月完整备份：保留12个月。
  • 年度归档：仅对存在法定或合同要求的系统启用，保留最长7年；其他系统不启用年度长期归档。
• 保留与删除一致性：
  • 备份中的个人数据保留期限不得超过源系统的最长法定保留期。
  • 当活跃数据到达删除期限，标记为“不可恢复/需删除”。恢复时必须执行同步删除流程，且不得为满足删除请求而单独解压或检索备份。
• 技术控制：
  • 加密：备份静态加密（例如AES-256），传输加密（TLS 1.2及以上）；密钥在KMS/HSM管理，定期轮换。
  • 完整性与不可篡改：对关键审计备份采用不可变存储/写一次读多次（如行业要求），并记录校验和。
  • 分区与地域：按数据驻留与跨境传输要求进行地域隔离；跨境存储需具备合法机制（如SCC、合同保障）。
  • 访问控制：基于角色的最小权限、双人审批与MFA；对突破口（break-glass）访问进行事后审计。
  • 恢复演练：至少每半年验证恢复流程与删除同步机制；记录RTO/RPO达成情况。

6. 删除与销毁

• 日志：
  • 到期后自动执行删除；采用安全擦除或覆盖机制，确保不可恢复。
  • 对集中式日志平台（如对象存储归档）启用生命周期规则（TTL），并验证索引与副本同步删除。
• 备份：
  • 到期后按备份层级批量销毁；云对象存储删除后不保留早期版本；磁带与离线介质遵循物理销毁或认证数据擦除。
• 例外：因调查、审计或监管要求可临时延长；需建立Legal Hold工单，注明范围、依据与期限；解除后立即执行延期数据的销毁。

7. 数据主体请求与隐私声明

• 在隐私声明中明确各类数据（含日志中可能包含的个人数据）的保留期限或确定方法（例如“按安全需要保留不超过12个月”）。
• 删除请求处理：
  • 活跃系统：按法定时限删除或匿名化。
  • 备份：不对备份逐项删除；承诺不对备份进行超出恢复目的的处理；发生恢复时，自动应用活跃系统的删除标记/黑名单，确保一经恢复立即删除相关记录。
• 访问请求：如在日志中检索个人数据成本不成比例且风险较高，可在合法范围内提供摘要与类别说明，并评估对他人数据与安全的影响。

8. 供应商与跨境要求

• 与云/日志服务供应商签署数据处理协议（DPA），明确保留、删除、地域与审计条款。
• 供应商需支持：
  • 生命周期管理（TTL）、删除证明与日志导出。
  • 加密与密钥托管选项。
  • 地域选择与跨境合规机制。
• 定期评估供应商合规证据（如ISO 27001、SOC 2报告）。

9. 审计与监控

• 保留控制审计：每年审查保留配置、删除日志、访问记录与例外登记。
• 持续监控：
  • 监测超期数据与失败删除任务。
  • 校验采集的日志字段是否符合最小化与脱敏策略。
• 报告与问责：记录保留与销毁事件；对异常与违规进行根因分析与改进。

10. 变更管理与评审

• 本政策由DPO与CISO共同维护；至少每年评审一次或在法规/业务变更时更新。
• 重大变更（保留周期、跨境策略、备份地点）需法务与合规批准，并更新隐私声明与数据目录。

11. 实施指南（工程与运维要点）

• 在日志管线中实施字段级脱敏、秘密屏蔽（token/密码/API密钥）、PII标记与可选采样。
• 使用结构化日志（JSON）以支持字段TTL与选择性压缩/裁剪。
• 为高风险类目（特权访问、数据库审计）单独存储与更长保留，并限制可视化与导出权限。
• 为包含个人数据的索引启用“软删除标记”与到期自动清除，避免冷存储与索引残留。
• 在备份恢复流程中集成“删除同步模块”，确保恢复后立即清除已过期或被请求删除的数据。

12. 例外与保全规则

• 触发条件：监管调查、诉讼保全、重大安全事件。
• 要求：创建保全记录，定义范围、期限与法律依据；限制访问与用途；到期后执行销毁。
• 记录：保全开始/结束时间、涉及系统与数据类别、审批人。

附注

• 保留周期为基线建议，应在数据目录与处理记录（GDPR Art. 30）中针对具体处理活动与系统进行登记与差异化管理。
• 如适用特定行业或地区法律（如税务、医疗或金融监管），以更严格要求为准并在例外中备案。

本政策自发布之日起生效；所有相关人员与供应商应在30日内完成配置校验与合规确认。