Comprehensive data lifecycle
The data lifecycle explains how EventLinx manages information from the moment it is created until it is securely removed. This applies to platform data, cybersecurity documentation, system logs, and configuration files.
The main objective is to keep data secure, properly classified, retained only when necessary, and handled in line with privacy and compliance requirements such as PIPEDA.
1. What is a data lifecycle?
A data lifecycle is the controlled process that defines how data moves through different stages over time. It starts when data is created and continues through storage, usage, sharing, and eventual archiving or deletion.
Managing this lifecycle helps reduce security risks, improves privacy protection, and ensures data is not kept longer than it should be.
2. Data classification levels
Data within EventLinx is grouped based on sensitivity. Public data is safe for anyone to view, such as documentation or marketing material. Internal data is used for day-to-day operations and is not intended for public access.
Confidential data includes sensitive operational information like system logs and configuration details. Highly Confidential data is the most restricted category and includes credentials, encryption keys, and other security-critical information.
| Level | Meaning | Examples |
|---|---|---|
| Public | Open access information | Public documentation, marketing pages |
| Internal | Internal use only | Drafts, internal guides |
| Confidential | Restricted operational data | System logs, configs |
| Highly Confidential | Critical sensitive data | Credentials, keys, secrets |
3. Data lifecycle stages
Data lifecycle flow
Data begins in the Created stage when it is generated by users, systems, or documentation processes. It then moves into Storage, where it is securely saved with encryption and access controls.
When needed, data enters the In Use stage where it supports application features, monitoring, or operational tasks. After it is no longer actively required, it can be moved into Archival for compliance or historical reference. Finally, once retention requirements expire, it is moved to Destruction, where it is securely deleted or overwritten.
4. Data lifecycle activities
4.1 Creation and collection
Data is created through normal system operations such as user activity, documentation writing, deployments, and monitoring processes. During this stage, access is controlled using role-based permissions so only authorized users can contribute or modify data.
4.2 Storage
Once created, data is stored in secure environments such as repositories, cloud systems, and encrypted backups. These storage locations are protected using encryption at rest, access control policies, and versioning systems to prevent unauthorized changes or data loss.
4.3 Processing and use
Data is actively used to support EventLinx services, including application functionality, monitoring, reporting, and documentation publishing. During this stage, access is limited using least privilege principles, and important actions are recorded through logging and audit trails.
4.4 Sharing and transmission
When data needs to be shared, it is done through secure channels such as internal systems, APIs, or controlled documentation portals. All data transmission is protected using encrypted protocols like TLS and HTTPS to ensure confidentiality and integrity.
4.5 Retention
Different types of data are kept for different lengths of time depending on their purpose and sensitivity. Public documentation is retained for as long as it remains valid, whereas operational logs are usually kept for a limited period such as one year. Backups are kept for short recovery windows, and sensitive credentials are rotated or removed when no longer needed.
| Data type | Retention |
|---|---|
| Public documentation | Kept while valid |
| Project records | Several years (business need) |
| Security logs | ~1 year |
| Backups | Short recovery window |
| Credentials/secrets | Until rotated or revoked |
Retention practices follow privacy principles such as PIPEDA and general security best practices.
4.6 Archiving
When data is no longer actively used but still required for reference or compliance, it is moved into archival storage. This may include cold storage systems or versioned records such as Git tags. Archived data is tightly controlled and not regularly accessed.
4.7 Destruction
Once data reaches the end of its retention period, it is securely destroyed. This includes secure deletion, overwriting storage, and removal from backup systems where applicable. For highly sensitive data, additional approval steps may be required before destruction.
5. Responsibilities
Different roles are responsible for managing the data lifecycle. Data Owners define how data should be classified and how long it should be kept. Data Custodians manage the technical storage, backups, and infrastructure. The Security Team ensures controls are properly implemented and maintained.
Project and documentation owners maintain accuracy and consistency, while management oversees compliance decisions and approves high-risk actions.
| Role | Responsibility |
|---|---|
| Data Owner | Defines classification and retention rules |
| Data Custodian | Manages storage and infrastructure |
| Security Team | Enforces security controls |
| Project/Documentation Owner | Maintains data accuracy |
| Management | Approves governance decisions |
6. Security controls
EventLinx applies both technical and administrative controls to protect data. Technical controls include encryption, access management, multi-factor authentication, and backup systems. Administrative controls include security policies, change management procedures, and staff security awareness training.
7. Monitoring and auditing
Data handling is continuously monitored through access logs, backup verification, version control tracking, and integrity checks. Audits are performed regularly and also after major system changes or security incidents to ensure compliance and detect issues early.
8. Compliance
The data lifecycle is designed to align with major security and privacy standards. This includes PIPEDA for personal data protection, ISO/IEC 27001 for information security management, NIST SP 800-53 for security controls, and PCI DSS where payment data is involved.
9. Documentation website scope
Data related to the documentation site follows the same lifecycle principles but is generally lower in sensitivity than production system data. The focus is mainly on maintaining content accuracy, availability, and version integrity while still applying access control, retention rules, and secure storage practices.