Retention Policy

Specification v2.0.3 — Effective Date: February 2026

This page describes general retention principles and artifact categories. Binding retention schedules, including specific retention periods for each artifact type, are defined in the applicable engagement agreement. In the absence of a specific retention schedule, data is retained for the minimum period required by applicable law or regulation.

Retention Categories

The system distinguishes between the following categories of data for retention purposes. Each category is subject to independent retention schedules as defined in the applicable engagement agreement:

  • Governance Events. Append-only procedural records capturing every state transition, authorization decision, and system operation. Governance events are the authoritative procedural history and are typically subject to the longest retention periods.
  • Sealed Artifacts. Frozen record manifests, closure certificates, and inclusion proofs that have been cryptographically sealed. Sealed artifacts are tamper-evident and are retained in their sealed form — they are not modified during the retention period.
  • Submitted Materials. Materials submitted to the system during engagement operations, tracked by cryptographic hash. Retention of submitted materials may be governed by legal hold requirements, court orders, or regulatory mandates independent of the engagement agreement.
  • Access and Session Logs. Authentication events, session records, and access denial logs. These records support security audit and incident response and are typically retained for shorter periods than governance events.
  • Engagement Configuration. Role assignments, engagement parameters, authority records, and posture settings. Configuration data is retained for at least the duration of the engagement and any applicable post-engagement retention period.

Configurable Retention

Retention periods are configurable per engagement to align with specific legal, regulatory, or institutional requirements. Configuration is performed at provisioning time by the platform operator in accordance with the applicable engagement agreement. Retention periods, once set, are enforced by the system and cannot be shortened without explicit authorization from the institutional participant.

Legal Holds

The system supports legal hold designations that suspend scheduled deletion for identified data. Legal holds may be imposed by court order, regulatory directive, or institutional instruction. While a legal hold is in effect, affected data is retained regardless of the configured retention period. Legal hold status is recorded as a governance event and is visible in the engagement audit trail.

Deletion

Upon expiration of the applicable retention period, and absent any legal hold, regulatory requirement, or court order requiring continued retention, data is deleted in accordance with the deletion procedures specified in the applicable engagement agreement and data processing addendum.

Deletion is a recorded operation. The system logs the deletion event, the categories of data deleted, the applicable retention schedule, and the authorization for deletion. Deletion events are themselves retained in the governance event log as part of the permanent procedural record.

Export Before Deletion

Authorized institutional participants may request data export during the retention period, subject to the terms and procedures specified in the applicable engagement agreement. The system supports export of governance events, sealed artifacts, and submitted materials in structured formats suitable for long-term archival or regulatory submission. Export requests are recorded as governance events.

Specification Version 2.0.3 — Effective Date: February 2026