Where possible all data should be stored on encrypted drives. This helps against attacks during the "data at rest" phase, like data stored on an USB drive. It also prevents people from rebooting any of our servers without our knowledge.
To counter data loss, backups need to be created for important assets and data. As a backup is another copy of the data, the same rules apply to storage. Where possible, it needs to be encrypted. Backups should not be stored longer than needed.
The rule regarding data retention is simple: as short as possible. We only backup what is really needed and are especially careful not to store customer data too long. For example, audit data is usually easy to be recreated.