# Policies

# Retention and Data Policy

This document outlines the retention and data policy for the data hosted on the infrastructure. It defines the guidelines for the retention of data, including its storage, access, and eventual deletion. It applies to all users, administrators, and stakeholders who interact with the Event Bus (referred to as "the bus").

# Definition of the hosted data

Note that the bus infrastructure only stores:

  • Failed events (messages that fail to be delivered to their destinations). This is currently capped at 1 million events per node.
  • The last 200 events that moved within nodes.

# Data Retention Period

All data hosted on the bus is to be retained for a period of 14 days, starting from the date of its creation. After the 14-day retention period, the data is subject to deletion, unless specified otherwise in this policy or required by legal or regulatory obligations.

# Data Storage and Security

Data stored in the bus infrastructure is to be maintained in a secure and controlled environment to ensure its confidentiality, integrity, and availability. Adequate security measures, including encryption, access controls, and regular security assessments, need to be implemented to protect the stored data from unauthorised access, breaches, or loss. The current infrastructure is hosted on AWS in the Ireland data centre and follows all security protocols recommended by AWS when it comes to data encryption and access.

# Access to Data

Access to the data hosted on the bus infrastructure is limited to authorised personnel who require access for legitimate business purposes. Access controls and authentication mechanisms are enforced to ensure that only authorised individuals can access and interact with the data. The users service is used for authentication and authorization on all internal services. AWS Cognito with Federated Identities is used for all public-facing user interfaces. For access to any of the UIs, a bus administrator must assign a specific permission to the newly created user. Any update to permissions is executed by super admins only.

# Data Deletion

At the end of the 14-day retention period, all data hosted on the bus infrastructure is automatically deleted. Data deletion is performed in a secure manner to prevent data leakage or unauthorised recovery.

If specific legal or regulatory requirements necessitate a longer retention period for certain types of data, the retention period will be extended accordingly. In such cases, the legal and regulatory obligations will take precedence over this policy.

# Data Backup and Disaster Recovery

Regular data backups are performed to ensure data recoverability in the event of data loss due to system errors or other unforeseen circumstances. Backup data is retained for a longer period, as deemed necessary for disaster recovery purposes.

# Data Disposal

Deleted data is securely disposed of to prevent any potential misuse or unauthorised recovery. This process is taken care of by our data provider AWS.

# Policy Review and Updates

This retention and data policy for the bus infrastructure will be reviewed periodically to ensure its effectiveness and relevance. Updates to the policy may be made to reflect changes in technology, business requirements, or legal regulations.

# AWS data storage services in use

Below is a description of the data storage services used by the bus on AWS as well as their security policies.

# DynamoDB

Security Policies

  • Data access restricted based on IAM policies
  • Fine-grained access control using IAM roles

Encryption
At rest: Server-Side Encryption using AWS KMS

Backups
Automated backups with point-in-time (PIT) recovery

Authorization

  • IAM roles and policies
  • Fine-grained access control using IAM

Authentication
IAM roles and policies

# RDS

Security Policies

  • Network security using Security Groups
  • Database authentication using IAM roles

Encryption
At rest: Server-Side Encryption using AWS KMS

Backups
Automated backups with PIT recovery

Authorization

  • IAM roles and policies
  • Fine-grained access control using IAM

Authentication
IAM roles and policies

# Amazon MQ

Security Policies

  • Network isolation using VPC
  • Authentication and authorization using IAM roles

Encryption
In-transit encryption using SSL/TLS

Backups
Automated backups

Authorization

  • IAM roles and policies
  • Fine-grained access control using IAM

Authentication
IAM roles and policies

# SQS

Security Policies

  • Data access restricted based on IAM policies
  • Extract account level restrictions on reads and writes for queues
  • Fine-grained access control using IAM roles

Encryption

  • At rest: Server-Side Encryption using AWS KMS
  • In-transit encryption using SSL/TLS

Backups
Data not backed up

Authorization

  • IAM roles and policies
  • Fine-grained access control using IAM

Authentication
IAM roles and policies

# Timestream

Security Policies

  • Data access restricted based on IAM policies
  • Fine-grained access control using IAM roles

Encryption
At rest: Server-Side Encryption using AWS KMS

Backups
Automated backups with PIT recovery

Authorization

  • IAM roles and policies
  • Fine-grained access control using IAM

Authentication
IAM roles and policies

# Contact Information

For questions, concerns, or inquiries related to this policy or data retention, please contact Rodrigue Ngoy (rodriguen@ringier.co.za).

By adhering to this retention and data policy, we aim to maintain the security, integrity, and compliance of the data hosted on the bus infrastructure while aligning with business needs and regulatory requirements.