CSA AI Controls Matrix (AICM Atlas)
DSP · Data Security and Privacy Lifecycle Management
DSP-16 · Cloud & AI Related

Data Retention and Deletion

Specification

Data retention, archiving and deletion are managed in accordance with business requirements and applicable laws and regulations.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Data collection, Data storage

Development

Design, Guardrails

Evaluation

Evaluation, Validation/Red Teaming

Deployment

Orchestration, AI Services supply chain

Delivery

Operations, Maintenance, Continuous monitoring

Retirement

Archiving, Data deletion

Ownership / SSRM

PI

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate the security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI services or products they consume.

Model

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate the security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI services or products they consume.

Orchestrated

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate the security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI services or products they consume.

Application

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate the security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI services or products they consume.

Implementation guidelines

[Applicable to all service providers]
1. Establish and document data retention policy to specify retention, archiving, and data deletion requirements in accordance with legal, regulatory and business requirements, including contractual obligations. Review and update the policy periodically to keep it current.

2. Create agreements with subprocessors that specify data deletion, retention, and archiving requirements and that ensure compliance with applicable laws and regulations. Obtain a certificate of destruction if using a managed service provider.

3. Maintain audit logs, backups, and redundancy for disaster recovery in accordance with data retention policy. Set up a decommissioning process to destroy defective disks so data cannot be recovered.

4. Implement tools for secure data deletion, including media sanitization that complies with NIST SP 800-88 and secure disposal of records.

5. Establish a process to comply with requests to destroy customer data within agreed time periods and provide written certification of destruction.

6. Establish a process to delete customer data after service termination.

Auditing guidelines

1. Verify if infrastructure-level policies define roles and responsibilities for retention, archiving, and deletion of customer data and system telemetry.

2. Verify if data types (e.g., VM snapshots, training datasets, system logs), owners, and retention timeframes are documented and comply with SLAs and regulations.

3. Verify if infrastructure logs and tenant data are archived or deleted in line with the documented retention policy.

4. Verify if supplier and subprocessor agreements include data lifecycle terms aligned with customer and legal expectations.

5. Verify if customer or internal data is purged using secure, verifiable deletion practices at the infrastructure level.

6. Verify if deletion and archiving events are logged, monitored, and retained for audit purposes.

7. Verify if access to retained system and customer data is controlled and monitored to prevent leaks or breaches.

8. Verify if data retention policies are reviewed and updated in accordance with regulatory developments and technology lifecycle changes.

9. Verify if retention policies account for AI-specific data stored or processed through the infrastructure (e.g., model checkpoints).

10. Verify if AI platform services are configured to limit unnecessary retention of customer AI data.

11. Verify if de-identification tools are available or enforced for customer data used in AI processing pipelines.

12. Verify if AI-related customer data is protected by role-based access and encryption-at-rest/in-transit policies.

13. Verify if systems include automated workflows to delete expired AI data and workloads securely.

14. Verify if infrastructure monitoring systems provide visibility into compliance with AI-related data retention policies.
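The implementation guidelines (retention schedule per data type, archive before delete, verifiable deletion) and auditing guidelines 2, 6 and 13 (documented retention timeframes, logged deletion events, automated expiry workflows) describe one enforcement loop. The following is an added example of that loop, written for this page and not code from CSA or the AICM project. The data types, retention periods, artifact inventory and the `Artifact` / `enforce` / `verify_audit` names are all assumptions constructed for illustration; real values come from the documented retention policy and customer contracts.

```python
"""Retention enforcement pass with a hash-chained audit log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Assumed retention schedule per data type (days). Real values come from the
# organisation's retention policy; the mix of types mirrors auditing guideline 2.
RETENTION_DAYS = {
    "vm_snapshot": 30,
    "system_log": 365,
    "training_dataset": 180,
    "model_checkpoint": 90,
}
# Types that must be copied to write-once archive storage before deletion.
ARCHIVE_BEFORE_DELETE = {"system_log", "training_dataset"}


@dataclass(frozen=True)
class Artifact:
    artifact_id: str
    data_type: str
    owner: str
    created_at: datetime      # timezone-aware
    legal_hold: bool = False  # set by legal/compliance; overrides the schedule


def decide(artifact: Artifact, now: datetime) -> str:
    """Map one artifact to an action.

    escalate: unknown data type; an unclassified object is never deleted silently.
    hold:     legal hold blocks both archiving and deletion.
    retain:   still inside its retention window.
    archive:  expired and the policy requires a cold copy first.
    delete:   expired; delete in place.
    """
    days = RETENTION_DAYS.get(artifact.data_type)
    if days is None:
        return "escalate"
    if artifact.legal_hold:
        return "hold"
    if now < artifact.created_at + timedelta(days=days):
        return "retain"
    return "archive" if artifact.data_type in ARCHIVE_BEFORE_DELETE else "delete"


def append_audit(log: list, event: dict) -> dict:
    """Append an event whose hash commits to the previous entry, so that
    editing or dropping a deletion record later breaks the chain."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = dict(event, prev=prev)
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    entry = dict(body, hash=digest)
    log.append(entry)
    return entry


def verify_audit(log: list) -> bool:
    """Re-walk the chain; False on any edited, reordered or missing entry."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def enforce(inventory: list, now: datetime, log: list) -> dict:
    """One retention pass: returns {artifact_id: action}; every action other
    than plain retention is written to the audit log."""
    actions = {}
    for a in inventory:
        action = decide(a, now)
        actions[a.artifact_id] = action
        if action != "retain":
            append_audit(log, {
                "ts": now.isoformat(),
                "artifact_id": a.artifact_id,
                "data_type": a.data_type,
                "owner": a.owner,
                "action": action,
                "policy_days": RETENTION_DAYS.get(a.data_type),
            })
    return actions


# Constructed sample inventory (not real data).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Artifact("snap-001", "vm_snapshot", "tenant-a", NOW - timedelta(days=45)),
    Artifact("snap-002", "vm_snapshot", "tenant-a", NOW - timedelta(days=3)),
    Artifact("ds-train-7", "training_dataset", "tenant-b", NOW - timedelta(days=200)),
    Artifact("ckpt-42", "model_checkpoint", "tenant-b", NOW - timedelta(days=120), legal_hold=True),
    Artifact("blob-x", "unknown_blob", "tenant-c", NOW - timedelta(days=900)),
]


def run_sample():
    log = []
    actions = enforce(SAMPLE_INVENTORY, NOW, log)
    return actions, log


if __name__ == "__main__":
    acts, audit = run_sample()
    print(json.dumps(acts, indent=2))
    print("audit chain intact:", verify_audit(audit))
```

Two design points matter for an auditor. First, the pass never deletes what it cannot classify: `blob-x` is escalated, because an artifact with no documented type is itself a finding under auditing guideline 2. Second, in cloud storage "delete" is rarely a disk overwrite; the usual verifiable mechanism is cryptographic erasure (destroying the per-tenant key that protects the data), with the audit entry recording which key was destroyed. The chained log should be shipped to append-only storage so that `verify_audit` can be re-run from an independent copy.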

Standards mappings

ISO 42001 (No Gap)
42001: A.2.3 Alignment with other organizational policies
42001: A.4.3 Data resources
42001: A.5.3 Documentation of AI system impact assessments
42001: A.6.2.8 AI system recording of event logs
42001: A.7.4 Quality of data for AI systems
42001: A.9.4 Intended use of the AI system
42001: 7.5.3 Control of documented information
27001: A.5.33 - Protection of records
27001: A.8.10 - Information deletion
27002: 5.33 (b) - Protection of records
Addendum

N/A

EU AI Act (Partial Gap)
Article 18
Article 19
Article 53
Addendum

Business-driven requirements and comprehensive archiving are not covered.

NIST AI 600-1 (Partial Gap)
GV-1.1-001
GV-1.7-002
MP-4.1-005
Addendum

NIST AI 600-1 does not specifically address the DSP-16 topics of "archiving" or "deletion" of data; an organization may determine that "archiving" falls under "retention".

BSI AIC4 (No Gap)
COM-01
PI-03
OPS-09
OPS-10
OPS-12
Addendum

N/A

AI-CAIQ questions (1)

DSP-16.1

Are data retention, archiving, and deletion managed per business requirements, applicable laws, and regulations?