Data retention policies control how long SecureAI stores chat history, uploaded documents, and audit logs. Configuring these policies helps your organization meet compliance requirements and manage storage costs.
Prerequisites
Before you begin, ensure you have:
- Admin access to your SecureAI instance.
- An understanding of your organization's data retention requirements (industry regulations, internal policies, or customer contracts).
- Knowledge of which data categories your organization needs to retain and for how long.
Data Categories
SecureAI manages retention for three categories of data:
| Category | What It Includes | Default Retention |
|---|---|---|
| Chat history | User conversations, AI responses, conversation metadata | 90 days |
| Uploaded documents | PDFs, images, spreadsheets, and other files uploaded for analysis | 180 days |
| Audit logs | Admin actions, login events, permission changes, API access records | 365 days |
Important: Reducing retention periods deletes data permanently once the policy takes effect. This action cannot be undone.
Step 1: Access Retention Settings
- Log in to SecureAI as an administrator.
- Navigate to Admin Panel > Settings > Data & Privacy.
- Select the Retention Policies tab.
Step 2: Configure Chat History Retention
Chat history includes all user conversations and AI responses. Consider your compliance needs when setting this value.
- Under Chat History, select a retention period:
| Option | Description |
|---|---|
| 30 days | Minimum retention. Suitable for organizations with strict data minimization policies. |
| 90 days | Default. Balances usability (users can reference recent conversations) with data minimization. |
| 180 days | Extended retention for organizations that need longer access to conversation history. |
| 365 days | Maximum standard retention. Common for regulated industries. |
| Custom | Enter a specific number of days (minimum 7, maximum 730). |
| Indefinite | Chat history is retained until manually deleted. Not recommended for compliance-sensitive environments. |
- Optionally, enable User self-deletion to allow individual users to delete their own chat history before the retention period expires.
- Click Save.
Compliance note: Some automotive industry regulations require that customer interaction records be retained for a minimum period. Consult your compliance team before setting retention below your regulatory minimum.
Step 3: Configure Document Retention
Uploaded documents may contain sensitive data such as VIN records, parts catalogs, or customer information.
- Under Uploaded Documents, select a retention period:
| Option | Description |
|---|---|
| 30 days | Short retention for transient analysis. Documents are deleted 30 days after upload. |
| 90 days | Suitable for project-based work where documents are referenced briefly. |
| 180 days | Default. Covers most use cases where documents are referenced across multiple sessions. |
| 365 days | Extended retention for long-running projects or regulatory requirements. |
| Custom | Enter a specific number of days (minimum 7, maximum 730). |
- Choose a deletion scope:
| Scope | Behavior |
|---|---|
| File and embeddings | Deletes the uploaded file and all vector embeddings generated from it. This is the recommended default. |
| File only | Deletes the original file but retains vector embeddings for continued search functionality. |
- Click Save.
Note: When documents are deleted, any conversations that referenced those documents will still exist, but the inline document previews and re-download links will no longer work.
Step 4: Configure Audit Log Retention
Audit logs are critical for security investigations and compliance audits. Consider retaining these for the longest period your organization requires.
- Under Audit Logs, select a retention period:
| Option | Description |
|---|---|
| 90 days | Minimum retention for audit logs. |
| 180 days | Suitable for organizations with moderate audit requirements. |
| 365 days | Default. Meets most compliance frameworks (SOC 2, ISO 27001). |
| 730 days | Extended retention for highly regulated industries. |
| Custom | Enter a specific number of days (minimum 90, maximum 2555). |
- Optionally, enable Audit log export to automatically export logs to an external system (SIEM, S3 bucket, or log aggregator) before deletion. See Exporting Audit Logs below.
- Click Save.
Important: Audit logs have a minimum retention of 90 days regardless of the configured value. This protects against accidental misconfiguration that could compromise incident investigation.
Step 5: Review and Apply
- After configuring all three categories, review the Policy Summary at the bottom of the page. It shows:
  - Current retention period for each category.
  - Estimated data affected if a retention period was shortened.
  - Next scheduled cleanup run.
- Click Apply Retention Policies.
- A confirmation dialog will appear showing exactly what data will be affected. Type the confirmation phrase to proceed.
Warning: Shortened retention policies take effect at the next scheduled cleanup (runs daily at 02:00 UTC by default). Data older than the new retention period will be permanently deleted.
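A pre-flight check for the change described in Step 5, added here as an example and not part of SecureAI: it validates proposed values against the Custom ranges documented above and reports what the next 02:00 UTC cleanup would delete. The function names, the `regulatory_min` input, and the cutoff calculation (cleanup time minus retention days) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# "Custom" option bounds as documented on this page: (min_days, max_days).
CUSTOM_BOUNDS = {"chat": (7, 730), "documents": (7, 730), "audit": (90, 2555)}
CLEANUP_HOUR_UTC = 2  # default daily cleanup time from this page


def next_cleanup(now):
    """Return the next 02:00 UTC cleanup run strictly after `now` (tz-aware)."""
    run = now.astimezone(timezone.utc).replace(
        hour=CLEANUP_HOUR_UTC, minute=0, second=0, microsecond=0)
    return run if run > now else run + timedelta(days=1)


def preflight(current, proposed, regulatory_min, now):
    """Check a proposed policy (days per category) before applying it.

    Returns (errors, warnings, cutoffs). `cutoffs` maps each shortened
    category to the assumed timestamp before which data would be deleted.
    """
    errors, warnings, cutoffs = [], [], {}
    run = next_cleanup(now)
    for cat, days in proposed.items():
        lo, hi = CUSTOM_BOUNDS[cat]
        if not lo <= days <= hi:
            errors.append(f"{cat}: {days}d outside allowed range {lo}-{hi}")
            continue
        floor = regulatory_min.get(cat, 0)  # hypothetical input from compliance
        if days < floor:
            errors.append(f"{cat}: {days}d below regulatory minimum {floor}d")
        if days < current[cat]:
            cutoffs[cat] = run - timedelta(days=days)
            warnings.append(
                f"{cat}: shortened {current[cat]}d -> {days}d; data older than "
                f"{cutoffs[cat]:%Y-%m-%d %H:%M} UTC is deleted at {run:%Y-%m-%d %H:%M} UTC")
    return errors, warnings, cutoffs


if __name__ == "__main__":
    # Constructed sample values, not taken from a real instance.
    now = datetime(2024, 5, 10, 14, 30, tzinfo=timezone.utc)
    errs, warns, _ = preflight(
        {"chat": 90, "documents": 180, "audit": 365},
        {"chat": 30, "documents": 180, "audit": 60},
        {"chat": 365}, now)
    for line in errs + warns:
        print(line)
```
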
Exporting Audit Logs
To retain audit data beyond the configured retention period, set up automatic export:
- Navigate to Admin Panel > Settings > Data & Privacy > Retention Policies.
- Under Audit Logs, click Configure Export.
- Select an export destination:
| Destination | Configuration Required |
|---|---|
| S3-compatible storage | Bucket name, region, access key, secret key |
| SIEM integration | Endpoint URL, authentication token, format (JSON or CEF) |
| Webhook | Endpoint URL, authentication header |
- Set the export frequency (daily or weekly).
- Click Test Connection to verify the destination is reachable.
- Click Save.
Exported logs are sent before deletion occurs, ensuring no data is lost during the retention cleanup process.
Compliance Considerations
Automotive Aftermarket Regulations
If your organization handles customer vehicle data, parts information, or service records through SecureAI:
- Customer data retention: Some jurisdictions require customer interaction records to be retained for a minimum of 1-3 years. Set chat history and document retention accordingly.
- Right to erasure: Even with long retention periods, individual data subject requests (e.g., GDPR Article 17) may require earlier deletion. The User self-deletion feature can help fulfill these requests.
- Audit trail requirements: Many compliance frameworks require immutable audit trails. Use the audit log export feature to archive logs to a system with immutable storage.
Per-User Overrides
If different user groups have different compliance requirements (e.g., customer-facing roles vs. internal analysts):
- Navigate to Admin Panel > Settings > Data & Privacy > Retention Policies.
- Click Add Override.
- Select a user role or user group.
- Configure retention periods specific to that group.
- Click Save.
Per-user overrides take precedence over the global retention policy.
Verifying Your Configuration
After applying retention policies:
- Navigate to Admin Panel > Settings > Data & Privacy > Retention Policies.
- Check the Last Cleanup Run timestamp and Records Affected count.
- Review the Retention Policy Audit Log (under Audit Logs > Filter > Retention Policy Changes) to confirm your changes were recorded.
Troubleshooting
Data is not being deleted after the retention period
The cleanup process runs daily at 02:00 UTC. If data persists beyond the expected date:
- Verify the policy is set to Active (not Draft).
- Check that the cleanup scheduler is running in Admin Panel > System > Background Jobs.
- If using per-user overrides, confirm the override is not setting a longer retention period for the affected users.
"Insufficient permissions" when configuring retention
Only users with the Super Admin or Data Privacy Officer role can modify retention policies. Check your role assignment in Admin Panel > Users > Your Profile.
Exported audit logs are not arriving
- Verify the export destination credentials in Retention Policies > Audit Logs > Configure Export.
- Click Test Connection to diagnose connectivity issues.
- Check that the destination system is not rejecting payloads due to size limits or format mismatches.