Document Retention Policy (v0.2 DRAFT)
Structural first-pass draft governing how Xerish SPC and Xerish Storehouse retain, store, and destroy records. For counsel review only.
Effective Date: DRAFT v0.2 — 2026-05-27 — NOT YET EFFECTIVE
First-pass structural draft (v0.2) by Claude. Supersedes v0.1 placeholder. NOT effective. Markers: [CONFIRM], [TERM], [COUNSEL TO DRAFT].
The purpose of this Policy is to ensure both entities retain records as required by law and operational policy, destroy records no longer needed in a controlled manner, and suspend destruction when a litigation or investigation hold applies.
The following minimum retention periods apply (longer where required by law). [COUNSEL TO DRAFT] any category-specific federal or Washington state minimums that differ from the below.
- Financial records (general ledger, bank statements, audited financials): [CONFIRM] 7 years.
- Tax returns and IRS filings (Form 990, 990-T): Permanent.
- Donor / Advisor giving records (contributions, tax acknowledgments): Permanent — DAF audit + donor substantiation.
- Grant Recommendation and disbursement records: Permanent — DAF compliance.
- Board minutes, charter docs, bylaws: Permanent.
- Conflict-of-interest disclosures: [CONFIRM] 7 years after termination of Covered Person status.
- Employment records: [CONFIRM] 7 years after end of employment.
- Contracts and agreements: [CONFIRM] 7 years after expiration (longer if specified by contract).
- IT logs (auth, security events, audit trails): [CONFIRM] 2 years active, then archive 5 years.
- Application logs (general, non-security): [CONFIRM] 90 days active, 1 year archive.
- Backups: [CONFIRM] 35 days rolling, plus monthly snapshot retained 1 year.
- Privacy / data-subject requests: [CONFIRM] 3 years after fulfillment.
- Whistleblower reports + investigations: [CONFIRM] 7 years after closure.
Electronic records are stored in the production database (Supabase, Postgres) with role-based access and row-level security. Backups are taken by the platform provider on the schedule noted above; offsite copies of critical records are retained in [CONFIRM] a separate AWS region or equivalent. Paper records are minimized; any retained originals are stored in [CONFIRM] the registered office.
When the retention period expires and no hold is in place, records are destroyed using methods appropriate to the medium: secure deletion for electronic records; cross-cut shredding for paper. Destruction is logged in the records-management log with date, category, custodian, and method.
Upon notice of actual or reasonably anticipated litigation, government investigation, or audit, all routine destruction of potentially relevant records is immediately suspended for the affected categories. The general counsel or designated compliance officer issues the hold notice in writing and lifts it in writing when no longer needed. Failure to comply with a hold notice is a serious violation of this Policy.
Retention beyond the minimum should be reviewed against data-minimization principles. Personal information no longer needed for the original purpose, and not required by law or contract to be retained, should be deleted, anonymized, or aggregated.
Document Key: document_retention_policy. Version: v0.2 (first-pass draft for counsel review). Draft Date: 2026-05-27. Effective Date: [CONFIRM] — none; this draft is not yet effective.