Retention Schedule

| Data Category | Retention Period | Storage | Deletion Method |
|---|---|---|---|
| AI Provider Prompts | 0 days (zero retention) | Never stored at provider | N/A — never persisted |
| Web Search Prompts | 0 days | Never stored | N/A — prompt text never logged |
| User Documents | Duration of account + 30 days (default — configurable) | S3 (per-org KMS) | Cryptographic deletion |
| AI Responses / Reports | Duration of account + 30 days (default — configurable) | Aurora (per-org partition) | Cascading delete + S3 purge |
| Knowledge Vault (opt-in) | Admin-configured (up to org policy max) | S3 Glacier (per-org KMS) | Admin-initiated or policy expiry |
| Audit Logs | 6 years (HIPAA ceiling) | Aurora (90d hot) → S3 WORM | Automatic expiry after 6 years |
| Account Metadata | Duration of account + 90 days | Aurora | Hard delete |
| Billing Records | 7 years (IRS requirement) | Stripe + Aurora | Automatic expiry |
| Session Tokens | 24 hours | Cognito | Automatic expiry |

Knowledge Vault — Long-Term Document Storage
By default, user documents are purged 30 days after account closure — the safest option for firms that treat data as a liability. But for organizations that want their AI to get smarter over time, we offer the Knowledge Vault.
How It Works
Think of it as a climate-controlled storage unit for your firm's institutional knowledge. Documents move from hot storage to an encrypted cold archive (S3 Glacier), where they remain available for RAG indexing without sitting in active storage.
Admin-Controlled Retention
Organization admins set their own retention window: 30 days, 1 year, 5 years, or indefinite. The 30-day post-cancellation purge is the floor, not a ceiling.
Smarter AI Over Time
Knowledge Packs improve with more context. A firm with 5 years of precedents in the vault has a fundamentally more valuable AI than one that started yesterday.
Same Encryption, Different Tier
Vault documents use the same per-org KMS encryption as active storage. Cryptographic deletion still works — destroy the key and all vault data becomes permanently unreadable.
Vault vs. Active Storage

| Feature | Active Storage | Knowledge Vault |
|---|---|---|
| Access Speed | Instant (milliseconds) | RAG-indexed (seconds for retrieval) |
| Encryption | S3 + KMS (per-org) | S3 Glacier + KMS (per-org) |
| RAG Availability | Full text + embeddings | Embeddings always live; source on-demand |
| Default Retention | Account + 30 days | Admin-configured |
| Pricing Tier | Included in all plans | Professional ($299) and above |
| Deletion | Automatic on account closure | Admin-initiated or policy-based expiry |

Account Deletion Process
Day 0 — Deletion Requested
Admin initiates account deletion from Settings. All active sessions are immediately terminated. A confirmation email is sent.
Day 1–7 — Grace Period
Account is suspended but data remains intact. Admin can cancel deletion during this window.
Day 7–30 — Data Purge
All user documents, AI responses, and account metadata are permanently deleted. S3 objects are cryptographically shredded (KMS key destroyed).
Day 30+ — Complete
Only audit logs remain (required by law for 6 years). All other data is irrecoverable.
Cryptographic Deletion
When we delete your data, we don't just remove database rows — we destroy the KMS encryption key that protects your organization's S3 bucket. Even if the encrypted bytes somehow persisted, they would be permanently unreadable. This exceeds NIST SP 800-88 "Purge" requirements.