Version 1.0 · March 2026 · Applies to all engagements
Key commitment: All client data is purged within 14 days of engagement completion. No client data is retained beyond this window without explicit written authorization.
Data We Access
Narrative Consulting accesses only the data necessary to complete the stated engagement objectives. Data access is scoped, documented, and limited to the minimum required for the work.
Data we may access during a typical identity governance engagement:
User directory exports (names, email addresses, department, role assignments)
Access review records and certification campaign history
Role and permission structures, group memberships
System-level logs related to access events (when in scope)
Data we do not access and never request:
Individual financial records, payroll data, or compensation information
Medical or health records
Customer PII beyond what is incidentally visible in system configurations
Source code repositories (unless explicitly in scope)
Encryption keys or master secrets not necessary for the engagement
When client data contains categories of data beyond the engagement scope, we flag this immediately and request explicit authorization before proceeding.
Data Storage
During an active engagement, client data is stored exclusively on encrypted, consultant-controlled devices and in client-provisioned systems. No client data is stored in personal cloud services, consumer storage platforms, or third-party services without explicit written client approval.
Data storage standards:
All local storage is on devices with full-disk encryption enabled
Working documents stored in client-provisioned collaboration environments whenever possible
Temporary working files are clearly labeled and tracked in the engagement data inventory
No client data stored in personal email, Dropbox, Google Drive, or equivalent consumer services
Screenshots, exports, and downloads containing client data are stored in encrypted folders
All data containing PII is handled per applicable privacy regulations
Data Retention
Narrative Consulting maintains a strict 14-day maximum retention window for all client data following engagement completion. This is not a target — it is a maximum. Data is purged as soon as it is no longer needed, and all data is purged no later than 14 days after the engagement close date.
Retention schedule:
Active engagement: Data retained as needed for work product development
Engagement close: Retention window begins on the date final deliverables are accepted
Day 1–7: Review period — data retained for any post-delivery questions or corrections
Day 7–14: Final purge window — all client data securely deleted from all devices and systems
Day 14: Hard deadline — written purge confirmation provided to client
Engagement metadata (project name, dates, deliverable types) may be retained for business records but will not contain client data, PII, or system details.
Data in Transit
All client data transferred between systems is encrypted in transit using current industry standards. Unencrypted file transfer (FTP, unencrypted email attachments, HTTP) is never used for client data.
Data transit standards:
TLS 1.2 or higher required for all web-based transfers
File transfers use client-approved encrypted methods (SFTP, encrypted email, client-provisioned SharePoint, OneDrive for Business, etc.)
Large dataset transfers require client approval and use of a client-provisioned secure transfer mechanism
All data transferred is documented in the engagement data inventory
Backup & Recovery
Narrative Consulting is a solo consulting practice. Business continuity is managed through documentation and client-owned system design rather than consultant-side infrastructure redundancy.
Business continuity practices:
All deliverables are stored in client-owned systems, ensuring continuity regardless of consultant availability
Engagement documentation is maintained in client-accessible repositories throughout the engagement
In the event of a consultant health or availability emergency, a documented handoff procedure is available to the client on request
No client data is stored exclusively on consultant devices without a client-side copy
Breach Notification
In the event of a suspected or confirmed breach of client data, Narrative Consulting will notify the client within 2 hours of discovery during business hours, or first thing the following business morning if discovered outside business hours. We do not wait for confirmation before notifying — suspected breaches trigger the same notification process as confirmed ones.
Breach notification process:
Immediate notification to the client's designated security contact via phone and email
Written preliminary assessment provided within 4 hours of notification
Incident documentation initiated immediately — timeline, data involved, containment steps
Containment recommendations provided within 24 hours
Full written incident report delivered within 72 hours
Post-incident review offered at no additional cost
Questions about this policy should be directed to security@accessnarrative.com.