Tribble

United States

Data Retention Policy Purpose The purpose of this policy is to ensure that necessary records and documents of Tribble are adequately protected and maintained and to ensure that records that are no longer needed by Tribble are of no value are discarded at the proper time. This policy is also for the purpose of aiding employees, contractors, etc. in understanding their obligations in retaining electronic documents - including e-mail, PDF documents, code files, or other file formats. Scope All critical corporate documents, files, policies, information, data, records are governed by this policy. All company personnel (employees and contractors) are required to abide by this policy. Policy This policy represents the retention and disposal of records and retention and disposal of electronic documents. All data should be disposed of when it is no longer necessary for business use according to the retention periods outlined below. Type of Records and Retention Periods Accounting and Finance Type of Record | Retention Period | Accounts Payable ledgers and schedules | 7 years Accounts receivables ledgers and schedules |7 years Bank Statements and canceled checks | 7 years Contracts Type of Record | Retention Period Contracts (vendors, contractors, customers) | Indefinitely Corporate Records Type of Record | Retention Period Annual meeting minutes | Indefinitely Tax Records Type of Record | Retention Period Payroll Tax Records| Indefinitely Tax Bills | Indefinitely Electronic Documents Type of Record | Retention Period Email | 7 years PDF | 7 years Code | Indefinitely Internal Records Type of Record | Retention Period Employee Policies | Indefinitely External Customer PII Type of Record | Retention Period Invoices | 7 years Delivery documents | 7 years Employee Records Type of Record | Retention Period Background checks | Upon termination W2 | 7 years Pay stubs | 7 years Property Records Type of Record | Retention Period Insurance | 7 years Privacy Policies Type of Record | Retention Period External facing privacy notice | 7 years Internal Data Privacy Policy | 7 years All GDPR related documents | 7 years Responsibility This policy is managed and reviewed annually by the Compliance team. Enforcement: The Tribble team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits. All those found in policy violation may be subject to disciplinary action, up to and including termination.

Information and Data Archiving Archiving is defined as secured storage of information such that the information is rendered inaccessible by authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management. Physical (e.g., paper) records must be archived in secured storage (onsite or offsite) and clearly labeled in archive boxes naming the information owner. Electronic records must be archived with strict access controls set by the information owner and appropriate to secure the confidentiality, integrity, and accessibility of the information. The default archiving period of information shall be three years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner. As a guideline, an archiving period of more than three years may be granted for information with a vital historical purpose such as corporate records, contracts, and technical/trade secrets. As a guideline, an archiving period of less than three years may be granted for information with a limited business purpose such as email, travel itineraries, pre-trip advisories, or to comply with specific legal, contractual and/or regulatory requirements. Information and Data Destruction Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially available means. Tribble must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived, whether in physical storage media such as hard drives, mobile devices, portable drives or in database records or backup files. Physical information in paper form must be shredded using an authorized shredding device; waste must be periodically removed by approved personnel.

Information and Data Handling All emails containing PII must be encrypted All data classified as confidential must follow the Data Classification Policy PII must be in secure networks or using VPN when using an unsecured corporate network All confidential data is in an encrypted database All sensitive or confidential data is backed up according to the Data Backup Policy All sensitive or confidential data is processed according to the Data Processing Policy No PII is saved directly on employee workstations For hardcopy material, only the minimum PII may be used All passwords are saved to a secure password vault Software installations are prohibited or restricted to appropriate IT staff to install All employees, contractors, vendors, etc. handling sensitive or confidential data must abide by all Information Security and Privacy policies All personal data is reviewed by management annually to ascertain the data collection methods are appropriate and up to date If personal data is lost, employees or contractors must be reported to IT to contain the breach of personal data Information and Data Retention Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business. The requirements for retention / backup will vary depending on many factors. It is the responsibility for the IT Department to write and implement an appropriate backup strategy for each system. It should indicate: The frequency of backups The type of backup created (full or incremental) The backup software / medium used The nature of logs kept An individual or group assigned to monitor success and failure of backups Information used in the development and testing of systems shall not be sensitive or production data. Depending on the nature of the data, an electronic log (generally part of the backup software) should be kept of every backup, including date, and time. By default, the retention period of information shall be an active use period of exactly three years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception. After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed. All data is encrypted. Encryption keys are rotated on a periodic basis to ensure destruction of all aging backup copies. Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is the information owner. The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration, or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel. Each employee and contractor affiliated with the company must return information in their possession or control to the organization upon separation and/or retirement. All company data or intellectual property developed or gained during the period of employment remains the property of the company and must not be retained beyond termination or reused for any other purpose. Refer to the Data Retention Policy for retention periods.

United States

Cloud hosted

Azure

no

yes

OpenAI. GPT-4 and variants like turbo, 32k, etc.

There are no "retention settings" when it comes to the models - we are not doing any fine tuning. We are retaining token usage for performance management and billing.

We exclusively use Azure's hosted OpenAI offerings. All LLM deployments are through managed Azure infrastructure.

We have LLM deployments located in the following Azure regions: East US, Norway East, South India, Canada East, UK South, Sweden Central, France Central, Switzerland North, Japan East, Australia East

When someone requests personal data is deleted, we add their request to a handling queue, and attend to it within a reasonable time frame. Proof of deletion is provided upon request. Deletion requests can be sent to gdpr@tribble.ai

no

2023-06-30

yes

no

no

help@tribble.ai

no

no

yes

Various services within our Azure infrastructure

no