...
Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
We do have backups of our data and our backend services are spread across different regions, with a DNS loadbalancer in place.
Do you have a retention procedure?
We shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.
...
Users are local administrators on their machines. Since we are a small IT company with only IT trained employees. We confirm that admin access is regularly reviewed.
...