Data retention and deletion policy
Tailscale must retain certain kinds of data for a minimum amount of time, to comply with legal requirements. At the same time, Tailscale wants to avoid retaining any identifiable data for longer than is necessary, in case of a breach.
This policy applies to all data assets handled by Tailscale, including data from customers, potential customers, third parties, and employees.
Tailscale should review the data it retains as part of reviewing its data register quarterly.
Data should be retained for a set period of time, depending on the type of data:
| Category | Type of data | Retention period |
|---|---|---|
| Corporate | Charter and bylaws | Indefinite |
| | Policies and procedures | Indefinite |
| Financial | Accounts payable/receivable | 7 years |
| | Sales records | 7 years |
| | Expense records | 7 years |
| | Payroll records | 7 years |
| Inventions | Patents and patent applications | Indefinite |
| | Copyright and copyright applications | Indefinite |
| | Trademark and trademark applications | Indefinite |
| | Payment and billing information | 7 years* |
| | Usage logging and analytics | 5 years* |
| | Support communications | 5 years* |
*In response to a customer request and in compliance with legal requirements, Tailscale may also delete customer data prior to the end of the retention period.
Where not specified, customer data should be retained no longer than is needed to provide the service, and anonymized or deleted afterwards.
Data may be destroyed by overwriting on disk, deleting a cloud resource, encrypting and destroying the key, resetting a device, and/or physical destruction.