Data Retention
Veriproof automatically enforces data retention periods for all session payloads, attachments, and portal metadata. Blockchain commitment anchors are permanent and are never subject to retention deletion.
How Retention Works
Each application has a retention_days setting that controls how long its session data is kept. When a session exceeds the retention period, the platform’s RetentionEnforcementWorker — a scheduled Azure Function that runs daily at 03:00 UTC — deletes:
- Session payload blobs from object storage
- Session database rows and associated metadata
- Worker attestation index records
The timer is serverless and zero-operator: it runs on a schedule, applies the current retention settings, and emits an audit event for each batch of deletions.
What Is Retained Permanently
| Artifact | Retained permanently? | Notes |
|---|---|---|
| Blockchain commitment anchors | ✅ Yes | Anchored to Solana — immutable by design |
| Session payload blobs | ❌ No | Deleted after retention_days |
| Session DB rows | ❌ No | Cascade-deleted with session |
| Worker attestation records | ❌ No | Deleted with session |
| Customer audit logs | ❌ No | Fixed 90-day retention |
| Evidence packages (when exported) | Depends | Exported files in customer storage are yours |
After a session is deleted by the retention policy, its commitment hash on the blockchain can still be independently verified using the Public Verification API. The hash and its anchor timestamp are permanent even though the session payload is gone.
Retention Periods by Plan
Per-application retention is bounded by the limits of your subscription plan:
| Plan | Default retention | Maximum retention |
|---|---|---|
| Builder | 7 days | 7 days |
| Team | 90 days | 90 days |
| Enterprise | 90 days | 365 days |
Enterprise customers can configure retention up to 365 days per application. Contact your account manager to enable a custom retention period.
Per-Application Retention Settings
Each application can have an independent retention period within your plan’s limits. To view or change it:
- Open the application in the Customer Portal.
- Navigate to Application → Settings → Data.
- Adjust the Retention period slider.
- Save the changes.
Changes take effect at the next run of the RetentionEnforcementWorker (within 24 hours).
Reducing the retention period causes the next scheduled run to delete sessions that are older than the new limit, even if they were within the old limit. This cannot be undone.
Audit Log Retention
Customer-visible audit log entries are retained for 90 days regardless of application retention settings. This is a fixed platform setting and cannot be changed via the portal.
Staff audit logs (platform operator actions) are retained for 7 years to meet compliance requirements.
Legal Hold
A data subject under an active legal hold is excluded from all automated retention deletions, regardless of how old the sessions are. The RetentionEnforcementWorker checks each session’s data subject association before any deletion:
- If the data subject has legal_hold_until >= today, the session is skipped.
- Once the hold expires, the session becomes eligible for deletion at the next scheduler run.
See GDPR Erasure for instructions on placing and releasing legal holds.
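The following sketch models the per-session decision described above (age against retention_days, then the legal hold check) so you can predict what a run will delete before lowering a retention period. It is an added example, not Veriproof's code: the Session class, its session_id and created_at fields, and the plan_retention_run function are assumptions, and the sample sessions are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional


@dataclass
class Session:
    session_id: str                          # assumed field name
    created_at: datetime                     # assumed field name, UTC
    legal_hold_until: Optional[date] = None  # hold on the session's data subject


def plan_retention_run(sessions, retention_days, now):
    """Return (delete, held, kept) session ids for one scheduled run."""
    cutoff = now - timedelta(days=retention_days)
    today = now.date()
    delete, held, kept = [], [], []
    for s in sessions:
        if s.created_at >= cutoff:
            kept.append(s.session_id)        # has not exceeded retention_days
        elif s.legal_hold_until is not None and s.legal_hold_until >= today:
            held.append(s.session_id)        # active hold: skipped, whatever its age
        else:
            delete.append(s.session_id)      # expired and no active hold
    return delete, held, kept


# Constructed sample data; the run time mirrors the 03:00 UTC schedule.
NOW = datetime(2024, 6, 1, 3, 0, tzinfo=timezone.utc)
OLD = datetime(2024, 2, 1, tzinfo=timezone.utc)
SAMPLE = [
    Session("s-new", datetime(2024, 5, 20, tzinfo=timezone.utc)),
    Session("s-mid", datetime(2024, 4, 15, tzinfo=timezone.utc)),
    Session("s-old", OLD),
    Session("s-hold-today", OLD, legal_hold_until=date(2024, 6, 1)),
    Session("s-hold-expired", OLD, legal_hold_until=date(2024, 5, 31)),
]

if __name__ == "__main__":
    for days in (90, 30):  # 30 models a reduced retention period
        delete, held, kept = plan_retention_run(SAMPLE, days, NOW)
        print(f"retention_days={days}: delete={delete} held={held} kept={kept}")
```

With the sample data, dropping from 90 to 30 days moves s-mid from kept to deleted, while the session whose hold ends today is still skipped.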
Interaction with GDPR Erasure
GDPR cryptographic erasure is distinct from data retention deletion:
| Mechanism | Trigger | What happens |
|---|---|---|
| Retention | Age-based (timer) | Session data deleted, audit event emitted |
| GDPR erasure | Explicit request | Data subject encryption salt destroyed; all payloads become cryptographically unreadable; erasure certificate issued |
The two mechanisms are independent but complementary. A session eligible for both will be processed by whichever fires first.
Enterprise Hybrid Retention
In EnterpriseHybrid deployment mode, session payloads are stored in the customer’s own Azure Storage account. The Veriproof platform deploys a Bicep-defined lifecycle policy to that account, which enforces retention using Azure Blob Lifecycle Management rules instead of the centralized timer function.
See the Enterprise Deployment guide for details on configuring hybrid retention policies.