Data Retention and Deletion Policy
Version: 1.0
Effective Date: 2026-02-16
Review Frequency: Annually
1. Purpose
This policy defines how long Agentic Trust retains different types of data and the procedures for data deletion in compliance with:
- SOC 2 Trust Service Criteria
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- Industry best practices
2. Scope
This policy applies to all data processed and stored by Agentic Trust, including:
- Customer data (organizations and users)
- End user data (widget visitors)
- Conversation data (messages and sessions)
- Audit logs and system logs
- Backups and archives
3. Data Classification
3.1 Personal Identifiable Information (PII)
Definition: Information that can identify an individual
Examples: Email addresses, names, IP addresses, user IDs linked to personal data
Retention: As defined per data type below
Special Handling: Subject to GDPR/CCPA rights (access, deletion, portability)
3.2 Sensitive Data
Definition: Data requiring extra protection
Examples: API keys, HMAC secrets, authentication tokens, conversation content
Retention: As defined per data type below
Special Handling: Encrypted at rest, access logged
3.3 System Data
Definition: Operational and technical data
Examples: Audit logs, error logs, metrics, performance data
Retention: As defined per data type below
Special Handling: Used for security monitoring and compliance
4. Retention Schedules
4.1 Customer Account Data
| Data Type | Retention Period | Basis | Deletion Method |
|---|---|---|---|
| Organization account | Active + 90 days after deletion request | Contract obligation | Hard delete + anonymize references |
| User account | Active + 90 days after org deletion | Contract obligation | Hard delete |
| Product configuration | Active + 90 days after deletion | Business need | Hard delete |
| API keys (active) | Active until revoked | Security | Hash deleted from DB |
| API keys (revoked) | 90 days after revocation | Audit trail | Permanent delete |
- “Active” means while the account/subscription is active
- 90-day grace period allows for accidental deletion recovery
- After grace period, data is permanently deleted (not just soft-deleted)
4.2 End User Data
| Data Type | Retention Period | Basis | Deletion Method |
|---|---|---|---|
| End user profiles | Active + 2 years of inactivity | Business need | Hard delete |
| Conversation messages | 2 years from last message | Business need | Hard delete |
| Identity verification | Active + 1 year | Security | Hard delete |
| Session data | 30 days from last activity | Technical limitation | Auto-expire |
- End users can request deletion at any time via their organization
- Anonymization preserves analytics while removing PII
- Organizations can configure shorter retention (product setting)
4.3 System and Audit Logs
| Data Type | Retention Period | Basis | Deletion Method |
|---|---|---|---|
| Audit logs | 7 years | SOC 2 / Compliance | Archive then delete |
| Application logs (Sentry) | 90 days | Operational | Auto-delete by Sentry |
| Database query logs | 30 days | Operational | Auto-delete by Neon |
| Rate limit data (Redis) | 24 hours | Technical | Auto-expire |
| Agent debug logs | 30 days | Operational | Hard delete |
- Audit logs must be retained for SOC 2 compliance (minimum 1 year, we use 7 for added security)
- Logs are archived to cold storage after 1 year for cost optimization
- Application logs can be extended if under investigation
4.4 Knowledge Base Data
| Data Type | Retention Period | Basis | Deletion Method |
|---|---|---|---|
| Uploaded files | Active + 90 days after source deletion | Business need | Delete from blob storage |
| Vector embeddings | Active + 90 days after source deletion | Business need | Hard delete |
| Website snapshots | 90 days from last sync | Business need | Hard delete |
4.5 Backups
| Data Type | Retention Period | Basis | Deletion Method |
|---|---|---|---|
| Database backups (daily) | 30 days | Disaster recovery | Auto-delete |
| Database backups (weekly) | 90 days | Business continuity | Auto-delete |
| Database backups (monthly) | 1 year | Compliance | Archive then delete |
- Backups may contain deleted data during retention period
- Backup retention is separate from primary data retention
- User deletion requests apply to backups created after the request
5. Data Deletion Procedures
5.1 User-Requested Deletion (GDPR Article 17 “Right to be Forgotten”)
Process:
1. Request Verification
- Verify identity of requestor
- Confirm authority to request deletion (org admin)
- Log deletion request in audit log
2. Scope Determination
- Identify all data associated with end user
- Check for legal retention obligations
- Determine if full deletion or anonymization
3. Deletion Execution
- Delete from primary database
- Delete from blob storage (files, images)
- Delete from caches (Redis)
- Mark for deletion in recent backups (within 30 days)
4. Verification
- Confirm deletion completion
- Document deletion in audit log
- Notify requestor (within 30 days)
Exceptions (data retained despite a deletion request):
- Audit logs (for compliance)
- Aggregated analytics (anonymized)
- Data required by law or regulation
- Data involved in active legal proceedings
5.2 Automated Deletion (Scheduled Jobs)
Implementation:
5.3 Account Deletion
When an organization deletes their account:
1. Grace Period (90 days)
- Account marked as “pending deletion”
- Data retained but inaccessible
- Can be restored if requested
2. Hard Deletion (after 90 days)
- All products deleted
- All API keys revoked and deleted
- All end user data deleted (or anonymized)
- All conversations deleted
- All knowledge sources deleted
- All files deleted from blob storage
- Audit logs retained (anonymized org reference)
src/lib/data-retention/account-deletion.ts
6. Data Export (GDPR Article 15 “Right of Access”)
Organizations and end users can request a copy of their data.
API Endpoint: POST /api/v1/export/user-data
Format: JSON or CSV
Contents:
- User profile data
- All conversations
- All feedback
- Identity verification records
- Audit log entries (user’s own actions)
src/app/api/v1/export/user-data/route.ts (to be created)
7. Legal Hold
If data is subject to litigation or investigation:
1. Immediate suspension of deletion
- Tag affected data with legal hold flag
- Prevent automated cleanup jobs from deleting
- Notify retention job to skip held data
2. Documentation
- Log legal hold in audit log
- Document scope and reason
- Set review date
3. Release
- Requires legal approval
- Remove legal hold flag
- Resume normal retention schedule
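The retention sweep described in sections 4, 5.3 and 7 (per-type retention periods, the 90-day grace period for accounts pending deletion, and the legal-hold flag that cleanup jobs must honour) can be expressed as one small decision routine. The following is an added example, not code from the Agentic Trust repository; the record shape, field names (`referenceDate`, `legalHold`), the `deleteFn` callback and the sample records are assumptions made for illustration. The retention periods are the ones stated in the tables above.

```typescript
// Added example (not the project's own code): a scheduled retention sweep that
// applies per-type retention periods, the 90-day account grace period, and
// skips any record carrying a legal-hold flag. Record shape is an assumption.

const DAY_MS = 24 * 60 * 60 * 1000;

// Retention periods from section 4, in days after the record's reference date
// (revocation, last activity, last sync, last message).
export const RETENTION_DAYS = {
  revoked_api_key: 90,       // 4.1: 90 days after revocation
  session: 30,               // 4.2: 30 days from last activity
  website_snapshot: 90,      // 4.4: 90 days from last sync
  conversation_message: 730, // 4.2: 2 years from last message
  agent_debug_log: 30,       // 4.3: 30 days
} as const;

export const GRACE_PERIOD_DAYS = 90; // 5.3: grace period before hard deletion

export type RetainedType = keyof typeof RETENTION_DAYS | "organization";

export interface RetainedRecord {
  id: string;
  type: RetainedType;
  referenceDate: Date; // revocation / last activity / deletion-request date
  legalHold: boolean;  // section 7 flag; set by the legal-hold procedure
  orgId: string;
}

export type SweepAction = "delete" | "skip_legal_hold" | "retain";

export interface SweepDecision { id: string; action: SweepAction; reason: string }

// Decide what the sweep does with one record at time `now`.
export function decide(record: RetainedRecord, now: Date): SweepDecision {
  // Legal hold is checked first so held data is never aged out (section 7).
  if (record.legalHold) {
    return { id: record.id, action: "skip_legal_hold", reason: "legal hold flag set" };
  }
  // Organizations pending deletion use the grace period; everything else its schedule.
  const limit = record.type === "organization" ? GRACE_PERIOD_DAYS : RETENTION_DAYS[record.type];
  const ageDays = Math.floor((now.getTime() - record.referenceDate.getTime()) / DAY_MS);
  if (ageDays >= limit) {
    return { id: record.id, action: "delete", reason: `age ${ageDays}d >= ${limit}d` };
  }
  return { id: record.id, action: "retain", reason: `age ${ageDays}d < ${limit}d` };
}

// One audit-log entry per record, so the sweep is documented (5.1 step 4, section 7).
export interface AuditEntry { at: string; recordId: string; action: SweepAction; reason: string }

// Run the sweep; `deleteFn` is the caller's hard-delete (database, blob storage, cache).
export function runSweep(
  records: RetainedRecord[],
  now: Date,
  deleteFn: (id: string) => void,
): AuditEntry[] {
  const audit: AuditEntry[] = [];
  for (const r of records) {
    const d = decide(r, now);
    if (d.action === "delete") deleteFn(r.id);
    audit.push({ at: now.toISOString(), recordId: r.id, action: d.action, reason: d.reason });
  }
  return audit;
}

// Constructed sample data for a stand-alone run.
export const SAMPLE_NOW = new Date("2026-06-01T00:00:00Z");
export const SAMPLE_RECORDS: RetainedRecord[] = [
  // revoked 151 days ago -> past the 90-day audit-trail window -> delete
  { id: "key-1", type: "revoked_api_key", referenceDate: new Date("2026-01-01T00:00:00Z"), legalHold: false, orgId: "org-a" },
  // last active 12 days ago -> retain
  { id: "sess-1", type: "session", referenceDate: new Date("2026-05-20T00:00:00Z"), legalHold: false, orgId: "org-a" },
  // older than 2 years but under legal hold -> skipped
  { id: "msg-1", type: "conversation_message", referenceDate: new Date("2024-03-01T00:00:00Z"), legalHold: true, orgId: "org-b" },
  // deletion requested 106 days ago -> grace period elapsed -> delete
  { id: "org-c", type: "organization", referenceDate: new Date("2026-02-15T00:00:00Z"), legalHold: false, orgId: "org-c" },
];

export function sampleSweep(): { deleted: string[]; audit: AuditEntry[] } {
  const deleted: string[] = [];
  const audit = runSweep(SAMPLE_RECORDS, SAMPLE_NOW, (id) => deleted.push(id));
  return { deleted, audit };
}

console.log(sampleSweep());
```

Checking the hold flag before the age comparison is the point: a release (section 7 step 3) simply clears the flag, and the next sweep applies the normal schedule with no special casing. A real job would also need to cover the other stores named in 5.1 (blob storage, Redis, recent backups), which here sits behind `deleteFn`.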
8. Third-Party Data
Data processed by third-party services:
| Service | Data Type | Retention | Control |
|---|---|---|---|
| WorkOS | Authentication data | Per WorkOS policy | Organization admin |
| Anthropic | LLM prompts/responses | Not retained by Anthropic | N/A |
| OpenAI | Embeddings | Not retained per API ToS | N/A |
| Neon | Database backups | 7 days (Neon default) | Automatic |
| Vercel | Logs, deployments | 30 days | Automatic |
| Upstash | Rate limit data | 24 hours | Automatic |
| Sentry | Error logs | 90 days | Configurable |
- Review third-party DPAs annually
- Ensure third parties comply with GDPR/CCPA
- Document data flows in data processing agreement
9. Monitoring and Compliance
9.1 Retention Metrics
Track and monitor:
- Total data volume by type
- Data age distribution
- Deletion request volume
- Deletion completion rate
- Cleanup job success rate
9.2 Audits
Internal Audit: Quarterly
- Review retention policy adherence
- Spot-check deletion completeness
- Verify automated jobs running correctly
External Audit:
- Auditor reviews retention policy
- Auditor verifies deletion procedures
- Auditor samples data to confirm retention
9.3 Policy Updates
This policy is reviewed annually and updated as needed when:
- Regulations change (new laws, updates to GDPR/CCPA)
- Business needs change
- Audit findings require changes
- Technology changes enable better practices
10. Responsibilities
| Role | Responsibility |
|---|---|
| Engineering Team | Implement retention logic, automated jobs, deletion APIs |
| Security Team | Monitor compliance, conduct audits, update policy |
| Legal Team | Advise on regulatory requirements, approve legal holds |
| Support Team | Process deletion requests, verify identity |
| Data Protection Officer | Overall policy oversight, GDPR compliance |
11. User Rights
11.1 Right to Access (GDPR Article 15)
End users can request a copy of their data
Response Time: 30 days
Format: Machine-readable (JSON)
11.2 Right to Deletion (GDPR Article 17)
End users can request deletion of their data
Response Time: 30 days
Exceptions: Legal obligations, audit logs
11.3 Right to Rectification (GDPR Article 16)
End users can request correction of inaccurate data
Response Time: 30 days
Implementation: Via organization admin panel
11.4 Right to Data Portability (GDPR Article 20)
End users can request data in portable format
Response Time: 30 days
Format: JSON
11.5 Right to Restrict Processing (GDPR Article 18)
End users can request processing limitation
Implementation: Account suspension without deletion
12. Implementation Checklist
- Create automated retention cleanup jobs
- Create user data export API endpoint
- Create user data deletion API endpoint
- Add legal hold functionality to database schema
- Create admin dashboard for retention metrics
- Set up monthly cleanup job scheduler
- Test deletion completeness (all related records removed)
- Document API endpoints for data rights
- Train support team on handling requests
- Create user-facing privacy policy
- Create data processing agreements (DPA) for customers
Document Approval
| Role | Name | Date |
|---|---|---|
| DPO/Security Lead | [Name] | [Date] |
| Legal Counsel | [Name] | [Date] |
| CTO | [Name] | [Date] |