Software as a Service (SaaS) has become integral to businesses, yet concerns about the protection of customer data persist. Understanding a provider’s data retention policy is essential for protecting data against risks like accidental deletion or unauthorized modification. These policies outline how long data is kept before being permanently deleted, helping organizations manage data effectively while complying with legal requirements.
Understanding Data Retention Policies
Data retention policies can differ greatly, not only between SaaS vendors but also among products offered by the same vendor. It’s crucial for users to be aware of these variations across different cloud services. Once data is deleted from a vendor’s system, recovery is impossible unless the organization regularly backs up its data. Thus, selecting the right provider and understanding its policies is vital.
Dropbox
Dropbox facilitates collaboration through its file storage and sharing services. The retention period for deleted files depends on the subscription type: personal plans retain files for 30 days, while Dropbox Professional and Business plans offer a 180-day retention period. Enterprise users benefit from a full year of version history.
For additional data protection, Dropbox Business subscribers can opt for add-ons like Extended Version History, which offers a 10-year history of file versions, and Data Governance features that allow administrators to implement data retention and deletion policies tailored to compliance requirements. However, once files are permanently deleted by users or administrators, they cannot be recovered.
Google
Google’s suite of SaaS products comes with a variety of retention policies. Retention varies with the type of data and how users configure it. Users can delete files at their discretion, and Google claims the data removal process can take up to two months, with backups potentially lingering for six months. Notably, Google Drive has a policy where files in the trash are deleted automatically after 30 days, a change made in 2020.
Services like Google Cloud Filestore have stricter policies—once a Filestore instance is deleted, all data is irretrievable unless backed up, with no grace period for recovery.
Microsoft
Microsoft’s SaaS offerings feature complex retention policies that can confuse users. In Microsoft 365, data remains accessible for 30 days post-deletion (active deletion) and 180 days after a tenant subscription ends (passive deletion). When subscriptions are terminated, users have an additional 90 days to retrieve data from a limited account. Microsoft also allows for customized retention policies across services like Exchange Online and OneDrive, enabling businesses to keep data indefinitely or delete it after specific timeframes.
Different Microsoft services, such as Azure Application Insights, offer distinct data retention settings, further complicating overall retention management.
Salesforce
Salesforce, known for customer relationship management, prioritizes compliance with data privacy laws. Users are informed of their rights regarding data retention, especially in jurisdictions where the right to be forgotten applies. Salesforce’s standards typically retain data for 180 days, with messages deleted from the recycle bin after 15 days. Users can configure custom retention policies to automate data management practices.
Slack
Slack presents a straightforward approach to data retention. In paid plans, all messages and files are retained for the lifetime of the workspace unless deleted by users. Deleted data is purged from servers nightly and permanently erased within 14 days from backup systems. Administrators can set retention policies that enforce automatic deletions, but all deletions are irreversible. Users can also customize settings for individual conversations, though the overall retention policies apply to all workspace data.