A record retention policy and schedule define data retention and disposal practices to ensure data is properly stored and erased when no longer needed.
Securely disposing of both electronic and physical media adds a layer of protection from the data being disposed by unauthorized persons. There are several effective, publicly available tools and techniques to recover data from electronic and physical media, including hard drives and shredded paper. This control aims to reduce the risk of data being recovered by unauthorized persons and shows customers, GitLab team-members, and partners we take measures to protect their data even after it's done being used.
This control applies to Red and Orange data as defined in the Data Classification Policy
Certificates or logs of erasure should be maintained in accordance with the Record Retention Policy
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Data Retention and Disposal Policy issue.
Examples of evidence an auditor might request to satisfy this control: