Data Retention Policy

I. Purpose

The purpose of this Data Retention Policy is to establish guidelines for the retention and disposal of data within Ondaro LLC and its affiliates (e.g., Ondaro do Brasil Consultoria Ltda., Ondaro Canada Consulting ULC, Cask Digital Services de Mexico, S. de R.L. de C.V. Mexico, among others), which hereinafter shall be collectively referred to in this policy as "Ondaro". This policy ensures that data is retained for appropriate periods to comply with legal, regulatory, and operational requirements.

II. Scope

This policy applies to all employees (including individuals engaged directly or through any employer of record), contractors, and third-party agents who handle, manage, or use data owned by or entrusted to Ondaro.

III. Legal Framework

This Data Retention Policy is designed to comply with applicable privacy and data protection laws, including:

  • Federal Trade Commission (FTC) Act
  • California Privacy Rights Act (CPRA)
  • General Data Protection Regulation (GDPR)
  • Sector-Specific Regulations

IV. Definitions

Confidential Information: Any non-public information disclosed by the Company, whether orally, visually, electronically, or in writing, that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure. This includes, but is not limited to:

  • Technical Data: Source code, object code, algorithms, APIs, system architecture, product designs, prototypes, and technical specifications.
  • Business Information: Financial data, pricing strategies, marketing plans, customer lists, vendor details, and business forecasts.
  • Operational Information: Internal processes, security protocols, infrastructure details, and performance metrics.
  • Intellectual Property: Trade secrets, patents (pending or unpublished), and proprietary methodologies.
  • Personal Data: Employee, customer, or partner information protected under privacy laws.
  • Third-Party Information: Any confidential data received from partners, vendors, or clients under obligation of confidentiality.

Confidential Information does not include information that:

  • Is or becomes publicly available without breach of this policy or any contractual agreement.
  • Was lawfully known to the recipient prior to disclosure.
  • Is independently developed without use of the Company's confidential information.
  • Is rightfully obtained from a third party without restriction.

Data: Any information that is stored electronically or in physical form.

Data Custodian: Area or personnel responsible for the technical environment and security where data is stored, processed, and transmitted. The appointed Data Custodian is the Director of IT and Security.

Data Owner: The person or entity responsible for the overall data governance of a dataset, typically a senior leader within the organization.

Data User: Any individual who interacts with data for analysis, reporting, or operational purposes.

Internal Information: Any non-public data, documents, or knowledge created, collected, or maintained by the Company for its internal operations, decision-making, or compliance purposes. This includes, but is not limited to:

  • Operational Data: Internal policies, procedures, workflows, and process documentation.
  • Corporate Records: Organizational charts, meeting minutes, internal reports, and performance metrics.
  • Employee Information: Non-public HR data, internal communications, and training materials.
  • System and Infrastructure Details: Internal network configurations, access credentials, and security protocols.
  • Strategic Information: Business plans, internal forecasts, and project roadmaps not intended for external disclosure.

Personal Information: Any data that identifies, relates to, describes, or can reasonably be linked to an individual, either directly or indirectly. This includes information that can be used alone or in combination with other data to identify a person.

Public Information: Data or content that is lawfully made available to the general public without restrictions on access or use. This includes information published by government agencies, organizations, or individuals intended for public consumption.

Public information does not include personal, confidential, or proprietary data unless explicitly disclosed for public use under applicable laws or regulations.

Records: Any type of information created, received, or transmitted in the transaction of Ondaro's business, regardless of physical format, that provides a record of a business transaction or evidence of Ondaro's rights or obligations, protects Ondaro's legal interests, or ensures operational continuity.

Examples of where such information may be located include appointment books and calendars, audio and video recordings, computer programs, contracts, electronic files, emails, voicemail records, financial invoices and receipts, among others.

Records Officer: Appointed individual who implements and oversees this Data Retention Policy. The appointed Records Officer is the Director of IT and Security.

Restricted Information: Data that is highly sensitive and critical to the organization's operations, security, or compliance obligations. Unauthorized disclosure, alteration, or destruction of this information could result in significant financial loss, legal liability, reputational damage, or regulatory penalties.

Retention Period: Length of time that specific categories of data must be stored and maintained before being securely deleted, anonymized, or archived as set in this policy.

V. Roles and Responsibilities

Data Owner:
  • Determine appropriate retention periods for data based on legal, regulatory, and operational requirements.
  • Ensure compliance with this policy within their respective areas.
  • Approve data destruction requests.

Data User:
  • Adhere to data retention guidelines and policies.
  • Report any discrepancies or issues related to data retention to data owners or custodians.

Data Custodian:
  • Implement and maintain technical safeguards to ensure data is retained according to policy.
  • Manage data backup and recovery procedures.
  • Execute data destruction processes as authorized by Data Owners.
  • Perform backups of critical systems and information assets at least once per week, with increased frequency for high-risk or mission-critical systems.
  • Ensure all backups are encrypted in transit and at rest.
  • Store backups in secure off-site or cloud-based environments with geographic redundancy.
  • Restrict access to backup data to authorized IT and Compliance personnel.
  • Conduct periodic testing of backup restoration capabilities at least twice per year to verify data integrity and disaster recovery readiness.
  • Apply the same retention and destruction requirements to backup records as primary records.

Records Officer:
  • Develop procedures to implement Ondaro's Data Retention Policy.
  • Provide training in records management procedures and practices, including the use of appropriate forms.
  • Implement systems to meet program requirements for completeness, legibility, reproducibility, retrievability, distribution, control, security, storage, and disposition of records, regardless of format or media type.
  • Coordinate and/or assist staff in the surveying of records.
  • Ensure that essential, archival, and permanent records are identified, properly maintained, protected, and accessible for the length of time cited in an applicable retention schedule.

People Department:
  • Provide training for all employees on data retention policies and procedures.
  • Promote awareness of the importance of data retention and secure destruction practices.
  • Collaborate with in-house counsel, external legal advisors, or certified public accountants during policy reviews.

VI. Data Retention Schedule

The retention schedule is established based on the type of data and applicable legal, regulatory, and operational requirements, and is set out in Annex A.

VII. Special Policies and Procedures

7.1. Data Destruction Procedure

Data that has reached the end of its retention period must be securely destroyed to prevent unauthorized access or disclosure. Destruction must follow the process below:

Step 1. Data Custodian must identify data for destruction: Review retention schedules to determine which electronic and physical data has reached the end of its retention period.

Step 2. Request Authorization: Submit a destruction request to the Data Owner for approval and ensure all data listed falls under the Data Owner's purview.

Step 3. Obtain Approval: Data Owner must approve the destruction request. Keep a copy of the approval for records.

Step 4. Prepare for Destruction:
  • Data Custodian verifies that all approvals are in place.
  • Select an approved destruction method: Shredding (for physical documents); Degaussing (for magnetic media); Certified data destruction services (for electronic data and hardware).

Step 5. Execute Destruction:
  • Perform destruction using the selected method.
  • Ensure the process is secure and irreversible.

Step 6. Document Destruction:
  • Complete the Certificate of Records Destruction Form.
  • Record details such as date, method used, and items destroyed.
  • Maintain destruction records for compliance and audit purposes.

7.2. Litigation Holds and Other Special Situations

Ondaro requires all employees to comply fully with the company's Records Retention Schedule and the procedures established under this policy. However, in certain circumstances, a general exception applies. If you believe or have been informed that specific records may be relevant to current or anticipated litigation, a government investigation, a regulatory audit, or any matter requiring preservation of evidence, you must immediately suspend any deletion, destruction, or alteration of those records. This obligation applies to both physical and electronic information, including emails.

This exception is referred to as a litigation hold or legal hold, and it overrides any previously established retention or destruction schedules. Once such a hold is in place, affected records must be preserved in their entirety and remain untouched until official notice is given by the Chief Legal Officer that the hold has been lifted.

Additionally, employees may be directed to suspend standard disposal or data migration procedures in other exceptional scenarios, such as corporate mergers or acquisitions, major internal restructurings, or when the company undergoes a transformation of its information technology systems.

Failure to comply with a litigation hold may result in serious consequences, including disciplinary measures and exposure to legal liabilities for both the company and the individual involved.

7.3. Backup and Disaster Recovery Policy

To safeguard essential records and support business continuity, Ondaro maintains a regular backup process for critical systems and information assets. Backups must be performed at least once per week, with increased frequency for systems deemed high-risk or mission-critical.

Backups must be encrypted both in transit and at rest and stored exclusively in secure cloud-based environments with geographic redundancy. Access to backup data is limited to authorized personnel in IT.

Periodic testing of backup restoration capabilities must be conducted at least twice per year to verify data integrity and ensure disaster recovery readiness.

Backup records are subject to the same retention and destruction requirements as primary records. Expired backups must be securely deleted in accordance with approved data sanitization protocols.

Certain legal or corporate documents that necessarily require the preservation of a physical copy — such as corporate bylaws, articles of incorporation, or formal resolutions issued by governance bodies — must be maintained, safeguarded, and preserved under the custody of the Chief Legal Officer.

7.4. Training and Awareness

The People's Team must provide mandatory training for all employees on data retention policies and procedures as part of onboarding and through periodic refresher sessions. This training should cover:

  • The organization's data retention schedule and legal obligations.
  • Proper handling, storage, and classification of records.
  • Secure destruction methods for physical and electronic records.
  • Consequences of non-compliance with data retention requirements.

The Records Officer must actively promote awareness of the importance of data retention and secure destruction practices through internal communications, guidance materials, and regular audits. Awareness campaigns should include reminders, best practices, and updates on policy changes to ensure ongoing compliance.

VIII. Policy Review

This Policy will be reviewed and updated annually from the approval date, or more frequently if appropriate. Any staff members who wish to make any comments about the Policy may forward their suggestions to the Records Officer.

IX. Policy Statement

Ondaro strictly prohibits the improper alteration, concealment, falsification, or destruction of any records, files, documents, samples, or other forms of information. Noncompliance carried out with the intent to impede or obstruct official or governmental proceedings constitutes a criminal offense.

This policy is part of a company-wide framework for reviewing, retaining, and disposing of records created or received by Ondaro during business operations.

Corporate information managed by Ondaro is critical for effective business operations, legal compliance, and workforce management.

Federal and state laws require Ondaro to retain certain records for specified periods. Accidental or intentional destruction of these records before the end of their legally mandated retention periods may expose Ondaro and its employees to serious consequences, including but not limited to:

  • Fines and regulatory penalties
  • Loss of legal rights or claims
  • Obstruction of justice charges
  • Allegations of evidence spoliation and related tort claims
  • Contempt of court charges
  • Litigation disadvantages or unfavorable judgments

Accordingly, Ondaro is obligated to preserve records that:

  • Serve as the organization's institutional memory.
  • Have enduring business value, such as evidence of contractual obligations, operational decisions, or legal rights.
  • Must be retained to satisfy legal, accounting, or other regulatory requirements.

X. Effective Date

This policy is effective as of April 1st, 2026 and will remain in effect until amended or revoked by senior management.

Version

Version: 1.0
Date: March 15, 2026
Author: Ethics and Compliance Officer and Compliance Associate
Change/Comment: Issuance of Data Retention Policy and Data Retention Schedule