Vault Retention Policy

Xybern Redact logs every anonymization request to an immutable audit vault. By default, records are kept indefinitely. The retention policy lets you configure automatic deletion of records older than a set window, satisfying GDPR Article 5(1)(e) (storage limitation) and internal data minimisation requirements.


Why it matters

Under GDPR, personal data must not be kept longer than necessary for the purpose it was collected. Even though Redact never stores document content, only cryptographic hashes and metadata, audit records contain timestamps, entity counts, and model identifiers that may constitute personal data processing records. A retention policy demonstrates to auditors and enterprise customers that you have a defined data lifecycle.


Configuring retention

In your Redact workspace, go to Vault and scroll to the Retention Policy card.

  1. Toggle Auto-purge on
  2. Select a retention window:
     Window     Typical use case
     30 days    Short-term compliance, high-volume workloads
     60 days    General purpose
     90 days    Default, covers most quarterly audit cycles
     180 days   Semi-annual reviews
     1 year     Annual compliance audits
  3. The setting saves immediately

A background job runs every 24 hours and deletes vault records older than the configured window for all workspaces with retention enabled.


Manual purge

Click Purge now to delete records immediately without waiting for the daily run. A confirmation prompt appears before anything is deleted.

Use this when:

  • Responding to a GDPR erasure request (Article 17)
  • Clearing test or staging data
  • Performing an emergency data minimisation

What gets deleted

Only rows in the vault audit log. Each row contains:

  • UTC timestamp of the request
  • SHA-256 hashes of the original and anonymized content
  • Entity count and type breakdown
  • Model identifier and doc class
  • API key ID (not the key itself)
  • Chain hash and HMAC signature

What is not deleted: API keys, anonymization policies, entity maps, or Merkle roots.

What was never stored: document content, anonymized text, or any original PII. Redact only stores hashes. Deleting vault records removes the audit trail metadata; there is no document data to erase.


Retention and chain integrity

Purging records does not break the chain hash for surviving records. Each chain hash is computed and stored at write time. Purging removes older rows from the log; the chain linking remaining records stays valid.

Merkle roots are also unaffected: a sealed root references records by ID. If those records are later purged, the root hash remains as a commitment to the batch, but the individual records can no longer be retrieved or proved.
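
Added example, not Xybern Redact code: a minimal hash-chained log showing why purging the oldest rows leaves the surviving rows verifiable when each chain hash is stored at write time. The row layout (`prev_hash`, `chain_hash`, `hmac`), the SHA-256-over-canonical-JSON construction, the key and the sample rows are assumptions made for illustration; the page does not specify Redact's construction.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed for this example, not a Redact value

def link_hash(prev_hash: str, payload: dict) -> str:
    """Assumed construction: SHA-256 over previous chain hash + canonical JSON of the row."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def sign(chain_hash: str) -> str:
    return hmac.new(KEY, chain_hash.encode(), hashlib.sha256).hexdigest()

def append(log: list, payload: dict) -> None:
    """Compute and store the chain hash and HMAC once, at write time."""
    prev = log[-1]["chain_hash"] if log else "0" * 64
    ch = link_hash(prev, payload)
    log.append({"payload": payload, "prev_hash": prev, "chain_hash": ch, "hmac": sign(ch)})

def purge(log: list, cutoff: str) -> list:
    """Drop rows whose ISO-8601 UTC timestamp is older than the cutoff."""
    return [r for r in log if r["payload"]["ts"] >= cutoff]

def verify(log: list) -> list:
    """Return indexes of rows that fail verification; an empty list means intact."""
    bad = []
    for i, row in enumerate(log):
        ok = row["chain_hash"] == link_hash(row["prev_hash"], row["payload"])
        ok = ok and hmac.compare_digest(row["hmac"], sign(row["chain_hash"]))
        # The oldest surviving row has no predecessor left to compare against,
        # so only its stored hash and HMAC are checked.
        if i > 0:
            ok = ok and row["prev_hash"] == log[i - 1]["chain_hash"]
        if not ok:
            bad.append(i)
    return bad

def demo():
    log = []  # constructed sample rows
    for day, n in [("2026-01-10", 3), ("2026-02-20", 5), ("2026-04-01", 2), ("2026-05-15", 7)]:
        append(log, {"ts": day + "T03:00:00Z", "entity_count": n})
    kept = purge(log, "2026-03-01T00:00:00Z")
    intact = verify(kept)                      # surviving rows still verify
    kept[1]["payload"]["entity_count"] = 99    # tamper with a surviving row
    return len(kept), intact, verify(kept)

if __name__ == "__main__":
    print(demo())
```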


API reference

Get retention settings

GET /api/redact/{workspace_id}/retention

Response:

{
  "ok": true,
  "retention": {
    "enabled": true,
    "retention_days": 90,
    "last_purge_at": "2026-05-23T03:00:00Z",
    "purged_total": 142
  }
}

Update retention settings

PUT /api/redact/{workspace_id}/retention

Request body:

{ "enabled": true, "retention_days": 90 }

Valid values for retention_days: 30, 60, 90, 180, 365.


Trigger immediate purge

POST /api/redact/{workspace_id}/retention/purge

Response:

{ "ok": true, "purged": 38 }

Returns 400 if retention is not enabled for the workspace.