Record Retention & Compliance

Large enterprises & organizations operating in regulated industries require a different approach to data protection and record keeping. That is why we built Wickr Enterprise.


Data Retention Compliance

Configure transparent data retention for compliance and regulatory purposes down to each team or employee using Wickr’s Compliance API, enterprises can use external tools like Elasticsearch for archival and search.

For highly regulated industries and organizations, Wickr Enterprise administrators can leverage the record keeping compliance capability to enable integration with your archiving solution. For example, financial or government institutions can ensure transparency, auditability and accountability in accordance with all applicable statutory record retention requirements (i.e: HIPAA, FINRA, FOIA, FRA). Similarly, for traditional enterprises, when a litigation hold is issued for specific users on a legal team, admin can enforce a preservation policy for a specific period of time and a group of staff, transparent to all participants.

As retention is enabled through customers’ 3rd party archiving solutions, it is crucial that customers take proactive steps to protect the retained communications as they leave the Wickr enterprise network. Wickr Enterprise is by design deployed and operated by the customer’s own security/IT teams.


Protecting your organization’s business communications through Wickr Pro can make your collaboration easy and compliant with GDPR.

GDPR requires that organizations put in place sufficient data protection measures to ensure that: 1) data is securely processed, 2) no unauthorized party can access it, and 3) only necessary data is collected for a finite period of time.

Inside Wickr

With Wickr, you are in full control of all valuable information shared through the service. End-to-end encryption applied to any data streams including messages, files, and calls, guarantees that Wickr never has access to your information, serving de facto as a secure black box for your business content. Your conversations and files do not touch Wickr servers unencrypted and aren’t stored server-side. Finally, user verification is built into the platform to enable your teams to validate that they only share information with vetted trusted parties inside or outside your company.

Under GDPR, every organization is required to timely report a security breach to the data protection authorities and immediately notify all affected parties. However, Article 33 provides an exception to this rule. Notice is not required if you have “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption.”

Inside Wickr

Wickr’s multilayered end-to-end encryption provides the highest level of protection for your business communications, rendering it inaccessible to anyone beyond authorized parties. Using Wickr for internal and external communications or as a secure and ephemeral transport layer for data transmission enables your organization to invoke an exception to notifying users of a breach of encrypted information shared on the platform.

GDPR places great value in limiting the amount of personal data collected and stored. It requires that organizations process and collect only necessary data and only for as long as needed for the purposes of processing it. Article 13(2)(a) also requires organizations to inform data subjects how long their personal information will be stored.

Inside Wickr

Your business communications transmitted via Wickr are ephemeral by default to ensure that your content is not accessible beyond its useful life and is deleted when no longer needed. Wickr enables your organization to set the rules for data minimization on your network for internal and external communications. The same data minimization controls are in place when Wickr’s ‘ephemerality as a service’ is used to provide a secure transport layer for private data transmission for support tickers, payment processing, or device-to-device communications.

What is GDPR?
The General Data Protection Regulation, or GDPR, presents a sweeping set of regulations defining how businesses process and protect the data of EU consumers. The policy upgrade is mainly driven by the urgency to modernize the protections to fit today’s global interconnected realities and to provide safeguards to the EU consumers served by foreign businesses, often regulated by weaker privacy laws.


Why does GDPR matter to my business?
Under GDPR, any organization processing the personal and sensitive data of EU citizens is responsible for ensuring much higher standards for safeguarding the information, regardless of the business’ location.

Starting May 2018, businesses that are found in non-compliance with GDPR will face steep penalties, including fines of up to 4% of global revenue.

Even if your organization may not be directly covered by GDPR, your customers or partners may be, which makes it important for your organization to boost your GDPR readiness in time for May 2018.

In addition, demonstrating a higher commitment to user privacy and transparency is always a good business practice which helps to build trust among your customers.


What’s changing under GDPR?
In its 99 articles, GDPR promotes significantly higher information security standards, namely encryption, access control and data minimization. It also empowers consumers to have control and easier access to their data, a comprehensive penalties regime, and a clear responsibility for organizations to obtain user consent before collecting information about them.

Specifically, under GDPR, businesses are encouraged to adopt the data protection by design and by default approach to managing personal and sensitive information, which includes:

  • End-to-end security throughout data’s lifecycle to ensure all personal information is securely processed and destroyed when no longer needed
  • Data encryption as an appropriate technical measure to ensure that, by default, personal data is not accessible to unauthorized persons
  • Data minimization to ensure that, by default, only necessary personal data is processed or collected and only for the necessary period of time
  • Accountability and transparency in processing personal and sensitive data: under GDPR, businesses must clearly describe data collection, processing, and security measures taken to protect consumer data


Breach notifications requirement under GDPR applies to any business: companies have to report data breaches within 72 hours to both data regulators and affected consumers unless encryption was applied to breached data, rendering it effectively unintelligible to any person who is not authorized to access it.


Preparing for GDPR compliance
While many US and international companies have started on the path to getting ready for GDPR, many still remain in the assessment phase of identifying the risks and data security gaps. A large number of businesses see information security enhancement as a top priority in getting to the GDPR compliance.

According to the GDPR Preparedness Pulse Survey by PWC, “77% of companies plan to allocate $1 million or more on GDPR readiness and compliance efforts, with 68% saying they will invest between $1—$10 million and 9% expecting to spend over $10 million to address GDPR obligations.”