Forum Discussion

ReneEBF
Copper Contributor
Jan 17, 2024

PKCS Certificate Enrollment Intune

We've been struggling with a question of IT security that we must have described correctly in our IS documentation (see below for detailed information), but no public documentation goes into detail regarding that, and after opening a support request, we've eventually been asked to post this question here.

As we understand, the flow of the PKCS Certificate Enrollment for iOS, Android or Windows, is as follows (please correct if something's wrong):

1. A device contacts Intune for a certificate.
2. Intune will forward the request to Intune Certificate Connector
3. The connector server creates the public + private key and sends it to the CA.
4. Certificate Connector sends the signed certificate back to Intune.
5. Intune forwards the certificate to the device.

By that logic Intune must hold the certificate and private key for a certain period of time. We need to know how long exactly Intune holds on to the user's certificate, especially the private key. Will the key be deleted from Intune's datastore after the client confirms the reception of the certificate? Or does Intune hold on to the keys? If so, for how long, and under which circumstances are they deleted?

Could anyone provide us with this information, which is critical from an IT security perspective?

1 Reply

  • H3nk13T
    Brass Contributor
    Maybe these pages will help you further. It's safer to use NDES.

    https://oceanleaf.ch/intune-ndes-scep-explained/
    https://oofhours.com/2020/04/05/intune-certificates-something-everyone-should-set-up/
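The following is an added example, not code from Microsoft, Intune or either poster. It simulates in Go the two flows the thread contrasts: the PKCS flow as described in the question (the connector generates the key pair and the key travels back through the service with the certificate) and a SCEP/NDES-style flow (the device generates the key and only a CSR leaves it), both against a toy CA built with the standard library. The CA, the `enrollment` record and the `privateKeyInTranscript` check are all constructed for this illustration; real PKCS deployments deliver the key inside an encrypted PFX rather than as raw DER, and nothing here answers the retention question, which only Microsoft can. It only makes the custody difference concrete: the check shows whether the private exponent was ever in the bytes the enrollment service handled.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: any failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// toyCA stands in for the issuing CA (constructed for this example only).
type toyCA struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

func newToyCA() *toyCA {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &toyCA{key: key, cert: must(x509.ParseCertificate(der))}
}

// sign issues a client-auth leaf for a PKCS#10 request after checking its
// self-signature (proof of possession). The CA only ever sees the public key.
func (ca *toyCA) sign(csrDER []byte) []byte {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key))
}

// chainsToCA reports whether a leaf verifies against the toy CA for client auth.
func (ca *toyCA) chainsToCA(certDER []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	_, err := must(x509.ParseCertificate(certDER)).Verify(x509.VerifyOptions{
		Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// enrollment: the key the device ends up with, its certificate, and every byte
// the enrollment service (Intune plus connector, in the question) handled.
type enrollment struct {
	key        *rsa.PrivateKey
	certDER    []byte
	transcript []byte
}

func newCSR(key *rsa.PrivateKey, subject string) []byte {
	return must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: subject}}, key))
}

// pkcsEnroll models the flow in the question: the connector generates the key
// pair (step 3), has the CSR signed, and returns key + certificate through the
// service (steps 4-5), so the private key transits server-side storage.
func pkcsEnroll(ca *toyCA, subject string) *enrollment {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // generated on the connector
	certDER := ca.sign(newCSR(key, subject))
	// A PFX in real deployments; plain PKCS#1 DER here so the check is byte-exact.
	transcript := append(x509.MarshalPKCS1PrivateKey(key), certDER...)
	return &enrollment{key: key, certDER: certDER, transcript: transcript}
}

// scepEnroll models a SCEP/NDES-style flow: the device generates the key, only
// the CSR leaves it, and only the certificate comes back.
func scepEnroll(ca *toyCA, subject string) *enrollment {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // generated on the device
	csr := newCSR(key, subject)
	certDER := ca.sign(csr)
	return &enrollment{key: key, certDER: certDER, transcript: append(csr, certDER...)}
}

// privateKeyInTranscript reports whether the private exponent appears verbatim in
// what the service handled, i.e. whether a server-side copy of the key ever existed.
func privateKeyInTranscript(e *enrollment) bool {
	return bytes.Contains(e.transcript, e.key.D.Bytes())
}

func main() {
	ca := newToyCA()
	fmt.Println("PKCS: key passed through service =", privateKeyInTranscript(pkcsEnroll(ca, "user@example.com")))
	fmt.Println("SCEP: key passed through service =", privateKeyInTranscript(scepEnroll(ca, "user@example.com")))
}
```

Both flows end with a certificate that chains to the CA, and in both the CA itself only ever sees the public key; the difference is entirely in who generated the key and what the intermediary carried. That is the property an IS document has to describe, and it is why the question about how long the service retains the key only arises for the PKCS flow.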