Per the General Data Protection Regulation (GDPR), CyberVadis has defined retention periods for personal data, which you can find in our information notice:

As a rating agency, our duty is to maintain the traceability of actions related to our clients' accounts (e.g., uploading documents to the CyberVadis platform, submitting the questionnaire, accepting clients' requests to share cybersecurity performance results, etc.). We refer to Article 17.3. (e) of the GDPR.