Hub retention policies
Each Hub record type has a default retention window. Customers can shorten
or extend per-tenant within compliance bounds. governance_event records have
a fixed 7-year floor (regulatory).
Default retention by record type
Section titled “Default retention by record type”| Record type | Default | Min (customer override) | Max | Rationale |
|---|---|---|---|---|
output | 7 years | 1 year | 10 years | Aligned with SOC 2 + business-record retention |
decision | 7 years | 1 year | 10 years | Same — decisions are auditable artifacts |
governance_event | 7 years | 7 years (fixed) | 10 years | Regulatory floor — cannot be shortened |
artifact | 3 years | 90 days | 10 years | Artifacts are typically larger; lower default |
employee_profile | Indefinite until offboarding +30d | N/A | N/A | Drives RBAC + archetype mapping |
telemetry_event | 13 months | 6 months | 36 months | Operational data; balances trend analysis vs cost |
How retention is enforced
Section titled “How retention is enforced”- Nightly purge job in the Hub data plane runs at the tenant’s chosen maintenance window (default: 02:00 customer-region time)
- Records older than the retention window are soft-deleted (marked
is_purged=true, kept for 30 days as a recovery buffer) - After 30 days they are hard-deleted (rows removed, files erased from object storage)
- Each purge emits a
hub.record_purgedgovernance_event(idempotent — one per batch)
Customer override
Section titled “Customer override”In Command Center → Settings → Hub Retention, you can:
- Adjust the per-record-type retention (within Min/Max bounds)
- Pause purges (e.g., during a litigation hold)
- Schedule one-off purges (e.g., end-user GDPR right-to-erasure request)
- Restore soft-deleted records within the 30-day buffer window
Right to erasure (GDPR Article 17)
Section titled “Right to erasure (GDPR Article 17)”When an end user requests their data be erased:
- IT admin opens Command Center → Compliance → Right to Erasure → New request
- Enter the user’s
emailoruser_id - Claresia generates an impact report showing:
- All records the user is the actor for (
created_bymatches) - All records that mention the user in
output_body,input_params, etc. - Records that fall under exception (e.g.,
governance_eventlegal floor)
- All records the user is the actor for (
- IT admin reviews and approves
- Claresia executes the purge:
- Eligible records: hard-deleted within 24 hours
- Records under legal floor: redacted in place (PII scrubbed, hash recomputed,
governance_eventretained)
Legal hold
Section titled “Legal hold”If your legal team places a hold on a tenant or record set:
- IT admin opens Command Center → Compliance → Legal Hold → New hold
- Define scope (tenant-wide, by user, by date range, by skill)
- Hold is recorded as a
governance_eventof kindcompliance.legal_hold_added - Purge job skips any record matching the hold scope
- Hold can be released by IT admin (with Claresia CSM co-acknowledgment, recorded)
Holds override retention shortenings (you can’t legal-hold a record below the default and then shorten retention to delete it).
Backup retention separately
Section titled “Backup retention separately”Backup retention is independent of Hub record retention:
| Mode | Backup | Retention |
|---|---|---|
| A | Daily Aurora snapshot | 35 days |
| B | Daily Aurora snapshot + weekly cross-region | 90 days |
| C | Customer-controlled | Customer-defined |
Restoring from a backup does not undo a hard-delete — by design (otherwise GDPR right-to-erasure could be bypassed).
Customer audit query
Section titled “Customer audit query”To verify retention is being enforced as configured:
# Count records older than configured retention (should be 0)curl 'https://api.claresia.com/hub/v1/records/retention/audit' \ -H 'Authorization: Bearer $JWT' \ -G \ --data-urlencode 'tenant_id=dainese'Returns:
{ "tenant_id": "dainese", "audit_ts": "2026-05-03T03:00:00Z", "by_record_type": { "output": { "retention_days": 2555, "records_overdue": 0, "purge_last_run_ts": "2026-05-03T02:14:00Z" }, "decision": { "retention_days": 2555, "records_overdue": 0, "purge_last_run_ts": "2026-05-03T02:14:30Z" }, "governance_event": { "retention_days": 2555, "records_overdue": 0, "purge_last_run_ts": "2026-05-03T02:15:00Z" }, ... }}Any non-zero records_overdue indicates a purge job failure — check
status.claresia.com for the affected service.
Why 7 years for governance_event?
Section titled “Why 7 years for governance_event?”- SOC 2 considers it a financial-control evidence artifact; 7 years aligns with the SEC retention standard.
- GDPR Article 30 (records of processing activities) doesn’t fix a number but 7 years is the prevailing defensible interpretation.
- NIS2 requires 6 years for PHI access logs; 7 gives margin.
- EU AI Act Article 12 (logging obligation for high-risk AI systems) doesn’t fix a number either; 7 years aligns with audit defensibility.
If your jurisdiction requires longer (e.g., financial sector 10-year retention), extend per-tenant in Command Center settings.