Getty Images
Compare SaaS data retention policies from 5 major providers
How long is your SaaS platform keeping your data? Learn how these five popular vendors handle data retention.
Software as a service has become a way of life for many organizations, but it has not always been clear whether customer data is being fully protected from accidental deletion, incorrect modifications or similar scenarios.
Reviewing a SaaS provider's data retention policy is critical to making sure data is secure and accounted for. Data retention policies define the length of time that data is retained before it is permanently deleted from the system. These policies can help organizations better manage large amounts of data by deleting unnecessary files. They also help businesses comply with data retention requirements and avoid legal trouble for mishandling sensitive data.
SaaS retention policies can vary significantly between vendors and even between products from the same vendor. That is why it is critical for users to understand the different policies for different cloud-based services and products. Once data has been removed from a vendor's system, it is gone forever, unless the organization consistently makes its own backups of that SaaS data. So, choose a provider and policy carefully.
This article will discuss five major vendors that provide SaaS options: Dropbox, Google, Microsoft, Salesforce and Slack. Learn more about their data retention policies here.
Dropbox
Dropbox provides a collaborative environment for storing, syncing and sharing files. The service saves deleted files and previous file versions for a set number of days, depending on the level of service. For personal plans -- Basic, Plus and Family -- Dropbox retains the files and their versions for 30 days. For Dropbox Professional and Business, that number is 180 days, and 365 for Enterprise and Advanced users.
Dropbox Business customers can opt for the Extended Version History add-on or the Data Governance add-on, which gets them 10 years of version history. Dropbox Plus customers can use the Extended Version History add-on to get one year of version history.
Users can also permanently delete files that they own, in which case the service immediately purges the files from the Dropbox servers. In addition, Dropbox Business team administrators can permanently delete any team files, no matter who owns them. They can also limit the ability of team members to permanently delete files. Once files have been permanently deleted, they cannot be recovered.
The Data Governance add-on enables Business team administrators to create data retention and disposition policies to help meet compliance and regulatory requirements, as well as other business needs. Like the Extended Version History add-on, the Data Governance feature increases version history to 10 years.
Google offers many SaaS products, and understanding the company's various retention policies can be daunting when compared with SaaS vendors such as Dropbox.
According to Google, the company retains "the data we collect for different periods of time depending on what it is, how we use it, and how you configure your settings." Users can delete the data they create or upload whenever they like, or they can set it up to be deleted automatically after a set period. When a user deletes data, Google launches a process that completely removes the data from its storage systems. This can take up to two months, although data can linger in the backup systems for up to six months.
SaaS retention policies vary significantly from one Google service to the next, and they can change over time. For example, Google Drive used to retain files that were moved to the trash until the user specifically deleted them or the account was closed. In October 2020, Google updated its retention policy so that Drive files moved to the trash are automatically deleted after 30 days. This is similar to how Gmail has long dealt with email messages. After 30 days in the trash, they're automatically deleted.
The retention policy is much different for Google Cloud Filestore, a fully managed file storage service. If an administrator deletes a Filestore instance, all data on that instance is deleted and cannot be recovered unless there is a backup in place. Google offers no 30-day grace period for Filestore data as it does for Google Drive and Gmail.
Microsoft
Microsoft offers a wide range of SaaS products whose retention policies can vary significantly and can be confusing to track. Different policies can exist even within a service. For example, Microsoft 365 defines two types of deletion scenarios: active and passive. Active deletion occurs when a user or administrator deletes data, and passive deletion occurs when the tenant subscription ends.
Microsoft retains customer content for 30 days after an active deletion and 180 days after a passive deletion. Plus, when a paid subscription is terminated, Microsoft retains customer data in a limited-function account for 90 days to enable the former subscriber to extract the data.
But this is not the entire story. Microsoft 365 customers can also request expedited subscription deprovisioning, in which case data is deleted three days after an administrator enters a Microsoft-provided lockout code. Additionally, customers can apply retention policies to specific Microsoft 365 services, such as Exchange Online, SharePoint Online, Microsoft Teams, OneDrive for Business and others. In this way, an organization can retain content forever or permanently delete content after a specific period.
Microsoft 365 is only one of many Microsoft cloud offerings, each with its own SaaS retention policies. For example, Azure Application Insights retains raw data points for up to 730 days, but customers can set the retention time to shorter durations.
Salesforce
Salesforce is a popular cloud-based software company that provides customer management services. Because it primarily deals with customer data, Salesforce's data retention policies emphasize meeting data privacy requirements. In documentation about data retention policies, Salesforce reminds users that customers in certain jurisdictions have the right to be forgotten. This means that if a customer requests it, the organization must delete, archive or de-identify that data within 30 days.
Salesforce users can customize their data retention policies to automate how customer information is stored, anonymized or deleted. For its own data retention policy, standard retention at Salesforce is 180 days, and deleted messages are stored in the recycle bin for 15 days before being permanently deleted.
Slack
Compared with Google and Microsoft offerings, a product like Slack -- an online communication and collaboration platform -- is much easier to understand regarding its SaaS retention policies. For paid plans, Slack retains all messages and files for the lifetime of a customer's workspace, unless the data is deleted directly by an end user or expires as a result of an applied retention policy. Slack removes all deleted and expired customer data from its production servers every night. The data is then permanently deleted from the Slack backup systems within 14 days. Once data has been fully deleted, it cannot be recovered, even if requested by law enforcement or a government agency.
Slack customers can configure retention policies that specify when to delete data. The retention settings apply to all messages and files, including those that have been pinned or saved. When applying retention policies, customers can retain their data along with tracking message edits and deletions, or they can retain their data without tracking edits and deletions. They can also specify that their data be automatically deleted after a number of days. In addition, administrators can grant team members the ability to override retention settings for individual conversations. Regardless of the settings, however, all message and file deletions are permanent.
Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.
