Data Destruction Policy

Acutus AI

1. Introduction

Acutus AI is committed to ensuring secure and responsible data management, including the proper disposal of sensitive data. This Data Destruction Policy outlines the guidelines for the secure destruction of data to prevent unauthorized access, data breaches, or leaks.

2. Scope

This policy applies to all employees, contractors, and third-party vendors handling data on behalf of Acutus AI. It covers all electronic and physical data stored on company-owned or employee-owned devices used for company purposes.

3. Data Classification

Before destruction, data must be classified into the following categories:

• Public Data: Non-sensitive data that can be freely shared.

• Internal Data: Information meant for internal use but not considered confidential.

• Confidential Data: Sensitive business, employee, or customer information requiring protection.

• Restricted Data: Highly sensitive data that, if disclosed, could cause significant harm to the company or its stakeholders.

4. Data Retention Period

Data must be retained for the period specified in Acutus AI's Data Retention Clause in the Privacy Policy.
Once the retention period expires, data must be securely destroyed unless required for legal, regulatory, or business purposes.

5. Approved Data Destruction Methods

Depending on the storage medium, the following destruction methods will be used:

            Digital Data Destruction:
            Secure deletion software for permanently erasing files.
Cryptographic wiping for encrypted data.
Physical destruction of storage devices if necessary (e.g., shredding of hard drives, SSDs, and USB
                    drives).

        

            Paper Document Destruction:
            Shredding using a cross-cut shredder.
Secure disposal through authorized document destruction services.

        

6. Data Handling & ETL Process

Acutus AI follows an ETL process in which all extracted data undergoes filtering to remove demographic information and personally identifiable information (PII).
Once filtered, the data becomes non-confidential and non-sensitive.
This processed data is used exclusively for AI model training and is subsequently destroyed as per this Data Destruction Policy.
Acutus AI does not use client data to train AI models that are not intended for that specific client. No foreign models are trained using customer data.

7. Responsibilities

Employees must follow this policy when handling or disposing of data.
IT and security teams are responsible for implementing secure data destruction measures and monitoring compliance.
Third-party vendors managing Acutus AI's data must adhere to the same destruction standards and provide a certificate of destruction when applicable.

8. Data Destruction Documentation

A log must be maintained for the destruction of confidential and restricted data, including:

Description of data destroyed
Date and method of destruction
Person responsible for destruction

Certificates of destruction must be obtained from vendors handling secure disposal.

9. Compliance & Auditing

Regular audits will be conducted to ensure compliance with this policy.
Employees found violating data destruction protocols may face disciplinary action.
The policy will be reviewed periodically to align with industry standards and regulatory requirements.

10. Exceptions

Any exceptions to this policy must be approved by Acutus AI's management and documented accordingly.

By enforcing this Data Destruction Policy, Acutus AI aims to protect sensitive information, mitigate data security risks, and comply with regulatory obligations.

Data Retention

Data Type	Retention Period	Notes
Survey Response Data	Up to 12 months	Retained for data analysis and client reporting. Deleted after project closure unless otherwise agreed.
Processed & Anonymized Data	Up to 24 months	If used for modelling, training, or analysis, data is retained in anonymized form.
Client Project Files	Up to 12 months	Includes raw data, reports, and analytics. Deleted after final delivery unless extended per contract.
System Logs & Audit Trails	Up to 6 months	Used for security and compliance audits. Automatically purged thereafter.
Backup Files	Up to 90 days	Encrypted backups stored securely. Deleted post-retention period.