DATA RETENTION & SECURITY POLICY
This Data Retention & Security Policy (“Policy”) outlines the principles and procedures followed by Creed Financial Crimes Compliance Firm, LLC (“Creed”, “we”, “our”, or “us”) regarding the collection, retention, storage, protection, and disposal of personal and sensitive data. This policy ensures our compliance with applicable state, federal, and international laws—including the Maryland Personal Information Protection Act (PIPA), Gramm-Leach-Bliley Act (GLBA), GDPR, and other relevant data security frameworks.
1. Purpose
The purpose of this policy is to:
- Define how long different categories of data are retained.
- Outline our practices for secure storage, access, and disposal.
- Safeguard client, employee, and vendor information against unauthorized use, loss, or disclosure.
- Demonstrate transparency and accountability in our data lifecycle management.
2. Scope
This Policy applies to:
- All data collected through our website: https://creedfinancialcrimescompliancefirm.com
- Communications via email, forms, consultations, and client engagements.
- Data stored in physical and electronic formats.
- All employees, contractors, vendors, and consultants of Creed.
3. Legal & Regulatory Compliance
Creed’s data retention and security practices are designed to comply with:
- Maryland Personal Information Protection Act (PIPA)
- Code of Maryland Regulations (COMAR) Title 17.06.05
- U.S. Federal Trade Commission (FTC) Safeguards Rule
- General Data Protection Regulation (GDPR) for EU data subjects
- California Consumer Privacy Act (CCPA) for California residents
- Financial industry-specific regulations, such as FINRA, SEC, and AML laws
- Contractual obligations and client confidentiality requirements
4. Data Categories & Retention Periods
| # | Data Category | Examples | Retention Period |
|---|---|---|---|
| 1 | Client Identifiable Data (CID) | Name, email, phone, address, consultation notes | 7 years from last activity or engagement |
| 2 | Financial Transaction Records | Invoices, payments, wire confirmations | 7 years (IRS and audit compliance) |
| 3 | Compliance Data (AML/KYC) | ID documents, risk assessments, reports | 5–10 years depending on jurisdiction |
| 4 | Employment Applications | Resumes, background checks, references | 2 years if not hired |
| 5 | Employee Records | Contracts, payroll, benefits, performance reviews | 7 years post-employment |
| 6 | Website Analytics & Cookies | IP addresses, session data, traffic logs | 12–26 months, per GDPR/analytics config |
| 7 | Marketing & CRM Data | Newsletters, contact forms, outreach interactions | Until opt-out or 5 years inactivity |
| 8 | Legal Correspondence | Notices, claims, contracts, litigation records | 10 years from final resolution |
Note: If required by law or litigation hold, data may be retained longer.
5. Secure Storage and Access Controls
Creed maintains a multi-layered information security architecture designed to ensure:
- Confidentiality: Only authorized personnel access sensitive data.
- Integrity: Protection against unauthorized modification or corruption.
- Availability: Data is accessible to authorized users when needed.
5.1. Technical Safeguards
- Encrypted servers (AES-256)
- SSL/TLS secure transmission
- Role-based access control (RBAC)
- Intrusion detection systems (IDS)
- Daily backups and disaster recovery protocols
- Strong password requirements and multi-factor authentication (MFA)
5.2. Physical Safeguards
- Locked file storage for physical documents
- Restricted access to data rooms and terminals
- Surveillance and logging of premises
5.3. Organizational Safeguards
- Security awareness training for all staff
- Vendor risk assessments and NDAs
- Periodic access audits and penetration testing
6. Third-Party Access and Cloud Storage
We only share personal and sensitive data with trusted, vetted third-party service providers under binding contracts that:
- Prohibit unauthorized use or resale of data.
- Require compliance with all applicable privacy and security laws.
- Include data processing agreements (DPAs), when applicable.
Examples include:
- Secure CRM platforms
- Cloud-based document storage
- Payment processors
- Background screening agencies
7. Data Disposal & Destruction
When data retention periods expire—or when requested by the data subject under valid legal grounds—we permanently delete or destroy data using industry-standard methods.
- Electronic Data: Secure wipe, degaussing, or cryptographic shredding.
- Paper Records: Cross-cut shredding and certified destruction logs.
8. Breach Notification and Incident Response
In the event of a data breach, Creed will:
- Investigate the nature and scope of the breach immediately.
- Notify affected individuals within 45 days, as required under Maryland PIPA.
- Notify the Maryland Attorney General and other regulators when applicable.
- Document remediation actions and security updates to prevent recurrence.
9. Your Rights Under Applicable Laws
Depending on your jurisdiction, you may have the right to:
- Request access to your personal data.
- Request correction or deletion of inaccurate data.
- Object to processing or restrict use.
- Request a copy of data in a portable format.
- File a complaint with a relevant supervisory authority.
To exercise these rights, email us at info@creedfinancialcrimescompliancefirm.com.
10. Policy Review and Updates
This policy is reviewed annually or upon changes in law, data practices, or company operations. Major updates will be posted on our website and communicated via email where appropriate.
Last updated: 6/23/2025