Security and Data Retention Policy
1. Purpose of This Policy
The purpose of this Policy is to:
- Define the security measures used to protect Provider and Customer data
- Explain data lifecycle practices, including retention and deletion
- Ensure compliance with global privacy laws, including GDPR, KVKK, and PIPEDA
- Provide transparency to Providers and Customers regarding data protection
Suitespace is committed to maintaining a secure and compliant environment.
2. Data Security Measures
2.1 Infrastructure Security
Suitespace is hosted on Amazon Web Services (AWS), which provides:
- ISO 27001, SOC 1, SOC 2, and SOC 3 certified data centers
- High availability architecture
- Network firewalls and intrusion detection systems
- Physical security controls with multi-layered protection
2.2 Encryption
All personal data is protected through:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256
2.3 Access Controls
Internal access to personal data is strictly limited through:
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Logging and monitoring of access
- Principle of least privilege
Only authorized personnel with a legitimate business need may access data.
2.4 Application Security
Suitespace implements best practices including:
- Regular vulnerability scanning
- Secure development lifecycle (SDLC)
- Penetration testing by third-party experts
- OWASP-aligned coding practices
- Automated threat detection mechanisms
2.5 Monitoring and Logging
Suitespace maintains:
- Security event logging
- Error and performance monitoring
- Audit trails for critical actions
- Automated alerts for suspicious activity
2.6 Backup and Disaster Recovery
Suitespace performs:
- Daily automated backups
- Geographically redundant storage
- Disaster recovery procedures with defined RTO/RPO targets
3. Incident Response
3.1 Breach Notification
In the event of a confirmed personal data breach, Suitespace will:
- Notify the affected Provider without undue delay
- Provide known details related to:
  - Nature of the breach
  - Categories of affected data
  - Possible consequences
  - Mitigation measures taken
3.2 Provider Responsibilities
Providers are responsible for notifying:
- Regulators (GDPR/KVKK) where required
- Affected Customers when applicable
Suitespace will provide reasonable support to assist these obligations.
4. Data Retention Policy
Suitespace retains data only for as long as necessary for operational, legal, and contractual purposes. Retention periods:
4.1 Provider Account Data
Profile data, preferences, subscription information:
- Retained for the duration of the account
- Deleted 12 months after account closure
4.2 Customer Booking Data
Names, contact details, booking information, event participation:
- Retained 12 months after Provider account deletion
- Providers may request earlier deletion, subject to legal exceptions
4.3 Financial and Transaction Records
Stripe transaction logs, commission reports, billing records: Retained 5 years for accounting and legal compliance
4.4 Communication Logs
Emails, notifications, and system messages: Retained 12 to 24 months
4.5 Technical Logs
Security logs, error logs, system performance logs: Retained 6 to 12 months depending on system requirements
4.6 Backups
Backup copies containing personal data: Automatically overwritten on a rolling basis, typically within 30 days
5. Data Deletion and Export
5.1 Provider-initiated Deletion
Providers may request deletion of Customer data. Suitespace will:
- Delete data from active systems
- Queue deletion from backups after their automated expiration
- Confirm deletion when complete
5.2 Customer Requests
Suitespace assists Providers with data subject requests, including:
- Access
- Correction
- Deletion
- Export
Final decisions and legal obligations belong to the Provider.
6. Sub-processors and Third-party Services
Suitespace uses trusted third-party service providers, including but not limited to:
- Amazon Web Services (hosting and storage)
- Stripe (payment processing)
- Email delivery providers
- Analytics providers (if enabled)
All Sub-Processors are bound by confidentiality and security requirements equivalent to this Policy.
7. Cross-border Data Transfers
Suitespace data is primarily processed in:
- AWS us-east-1 (N. Virginia, USA)
Transfers may occur to other countries as required by Sub-Processors. Suitespace implements appropriate safeguards such as:
- Encryption
- Access controls
- Contractual protections (including Standard Contractual Clauses where applicable)
8. Provider Security Obligations
Providers must:
- Use strong passwords and protect account credentials
- Enable two-factor authentication when available
- Maintain their own device and network security
- Inform Suitespace immediately if they suspect unauthorized access
9. Policy Updates
Suitespace may amend this Policy at any time to reflect:
- New security practices
- Changes in law
- Platform updates
- Sub-Processor changes
Continued use of Suitespace constitutes acceptance of any changes.
Contact Information
For questions regarding this Policy or data protection:
Suitespace Inc.
support@suitespace.app
privacy@suitespace.app
Last updated: January 15, 2026