Data Retention Policy
How long to keep data. The policy.
By class
A data retention policy is the rule set that says how long each class of data is kept. Without a policy, data accumulates forever; storage costs balloon; compliance risk grows; the team's ability to find what matters in the noise degrades. With a policy, retention becomes mechanical and cost and compliance both improve.
What retention by class looks like:
- Operational logs: 90 days. Application logs, infrastructure logs, request logs that are useful for debugging recent issues. Beyond 90 days, the value drops sharply; the cost continues. The 90-day window covers normal incident response and short-term trend analysis.
- Audit logs: 1 year. Authentication events, configuration changes, data access events. These are useful for security investigation and have longer relevance. The 1-year window covers most forensic windows and matches common compliance baselines.
- Compliance records: 7 years. Financial records, SOX-relevant data, healthcare records subject to HIPAA, customer agreements. The 7-year window is the legal default for tax records and many compliance regimes. The cost is justified by the legal requirement.
- Customer PII: per regulation. Customer personal data is retained per GDPR, CCPA, and other privacy regulations. The retention is bounded by the purpose for which the data was collected. Old data is deleted; the regulation requires it.
- Match to need. Each data class has a retention period that matches its actual usefulness and legal requirement. Over-retention costs money and increases breach risk; under-retention loses data that the business needs. The policy is the deliberate choice for each class.
The classification by data class is the foundation. Without it, retention defaults to "keep everything forever", which is expensive and risky.
Delete
The retention policy is not a policy if deletion is not enforced. Auto-delete is the mechanism that turns the policy from documentation into actual behavior. Without auto-delete, the team intends to delete but never does.
- Auto-delete past retention. Data past its retention period is deleted automatically. The mechanism is a scheduled job, a TTL on the storage, a lifecycle policy on the bucket. The team does not have to remember; the system enforces.
- Cost improved. Storage costs drop significantly when old data actually gets deleted. The team that hoards 5 years of operational logs at full retention is paying for storage that has zero value past the first 90 days.
- Compliance improved. Privacy regulations (GDPR, CCPA) require data deletion when the purpose is fulfilled. Auto-delete provides evidence that the requirement is met. The audit trail shows the deletions happened.
- Breach risk reduced. The data that does not exist cannot be breached. Auto-delete reduces the blast radius of any future breach by limiting what is in the environment to what is currently needed.
- Verified, not assumed. The team verifies that auto-delete is working: log the deletions, monitor the storage trends, audit randomly. A broken auto-delete that is never noticed undermines the entire policy.
Deletion turns retention from documentation into outcome. The policy without enforcement is theater.
Legal hold
The legal hold is the override that prevents deletion when litigation, regulatory investigation, or other legal process requires data preservation. The override is necessary; it must also be bounded so the rest of the policy continues to operate.
- Override for legal reasons. When legal counsel requests a hold, the auto-delete is suspended for the affected data scope. The data is preserved; the deletion clock pauses; the data remains until the hold is released.
- Documented. Every hold is documented: who requested it, what data is in scope, what matter prompted it, what the expected duration is. The documentation supports the legal process and prevents holds from accumulating without records.
- Don't delete during litigation. Deleting data subject to a legal hold can produce spoliation sanctions, adverse inferences, or contempt findings. The cost is far higher than the storage cost of preserving the data. The hold is treated as absolute.
- Released when matter closes. When the underlying legal matter is resolved, the hold is released. The data resumes its normal retention; if it is past retention, auto-delete runs. Holds do not become permanent retention.
- Audited periodically. The list of active holds is reviewed periodically. Holds without active matters are released. Holds without documentation are remediated. The legal hold inventory does not become a graveyard of forgotten preservation.
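The auto-delete and legal-hold rules above, as an added example (not code from this page or from any product it mentions): a sweep that applies the stated periods, lets an active hold override deletion, resumes normal retention once a hold is released, and flags data with no class rule for review. The class names, the `scope` key, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Periods as stated in the policy above; customer PII is "per regulation", so no fixed entry.
RETENTION = {
    "operational_log": timedelta(days=90),
    "audit_log": timedelta(days=365),
    "compliance_record": timedelta(days=7 * 365),
}

@dataclass
class Record:
    record_id: str
    data_class: str
    scope: str          # hypothetical grouping key a hold can target
    created: datetime

@dataclass
class LegalHold:
    matter: str
    requested_by: str
    scope: str
    released: Optional[datetime] = None   # None: hold still active

def sweep(records, holds, now):
    """Return (action, record_id, reason) rows; the rows are the deletion log."""
    active = {h.scope: h.matter for h in holds if h.released is None or h.released > now}
    rows = []
    for r in records:
        period = RETENTION.get(r.data_class)
        if r.scope in active:            # a hold overrides everything else
            rows.append(("hold", r.record_id, f"legal hold {active[r.scope]}"))
        elif period is None:             # unclassified: surface, never guess
            rows.append(("review", r.record_id, "no retention rule for class"))
        elif now - r.created > period:
            rows.append(("delete", r.record_id, f"past {period.days}-day retention"))
        else:
            rows.append(("keep", r.record_id, "within retention"))
    return rows

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample data from here on
RECORDS = [
    Record("r1", "operational_log", "svc-a", NOW - timedelta(days=120)),
    Record("r2", "operational_log", "svc-b", NOW - timedelta(days=120)),
    Record("r3", "audit_log", "svc-a", NOW - timedelta(days=30)),
    Record("r4", "customer_pii", "svc-a", NOW - timedelta(days=400)),
]
HOLDS = [LegalHold("matter-001", "counsel", "svc-b")]
```

Persisting the returned rows gives the evidence the "Verified, not assumed" item asks for: a run that produces no `delete` rows while storage keeps growing is the signal that enforcement has broken.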
Data retention policy is the discipline that keeps storage costs in check, compliance posture clean, and legal exposure bounded. Nova AI Ops integrates with logging and storage platforms, applies retention policies consistently, surfaces violations, and tracks legal holds against the affected data scope.