User Data Removal Process
Overview
This page documents the process of requested data removal of individual users from customers' tenants.
This process redacts Personal Identifiable Information (PII) stored within Aptem’s application database and removes documents from the file storage for removed users that exceed the retention period.
This process supports compliance with both customers and GDPR commitments.
Customers need to manually request this process to begin via the support desk.
Process Summary
High-level Process Summary:
-
Customers request data removal via a Zendesk ticket
-
Aptem ensures all required information is documented
-
Aptem removes the requested data from the customer's tenant
-
Customers receive communication that data has been removed
Detailed Process Summary:
-
The customer requests the process to begin by raising a support ticket via Zendesk.
-
As the data processor, Aptem will act on the instructions of the data controller (the customer), and data will be removed on request only. This ensures manual oversight, so no data is removed too early.
-
This process applies to all user types within Aptem.
-
Details required by Aptem to process a user removal request:
-
User’s first name
-
User’s last name
-
User’s email address
-
Request type
-
Options include: Data addition, Data Update or Data Removal
-
-
Written approval from authorised customer representative
-
-
-
Aptem reviews the request ensuring all information required has been shared.
-
Aptem works on the request, not extending over 1 month for simple requests or 3 months for complex requests as per standard SLAs.
-
This timeline will be paused when the information provided to Aptem is incomplete, for the time that is required to get the appropriate details from the customer.
-
-
-
Aptem begins the process of removing the requested data.
-
When Aptem initiates the data removal this ensures the requested users and their data is removed from the system view. This data cannot therefore be accessed through Aptem’s user interface, OData or APIs by the customer, this includes all documents associated with this user.
-
Data remains in this state for a 30-day retention period allowing customers to request to revert any users who were requested by mistake. This allows for a short period of data recoverability, should a request have been made in error.
-
This can be requested via support through the same ticket already tracking these changes.
-
-
-
Customers are informed that the requested data has been removed via the resolved support ticket.