Data Retention Policy
Status: Active
Policy Version: 1.1
Executive Summary
This document establishes data retention requirements for the KYRA AI MDR platform to ensure:
- Compliance with regional data protection laws (GDPR, CCPA, SOX, PCI-DSS)
- Legal defensibility through immutable audit trails and evidence preservation
- Operational efficiency through automated lifecycle management
- Cost optimization via tiered storage and intelligent purging
Data Classification & Retention Matrix
Primary Data Classes
| Data Class | Description | Business Justification | Base Retention |
|---|---|---|---|
| Event Data | Raw security events, logs, telemetry | SOC investigation, forensics | 90 days (configurable: 30-365) |
| Alert Data | Processed alerts, investigations, triage results | Threat hunting, pattern analysis | 365 days (configurable: 180-1095) |
| Incident Data | Cases, response activities, executive reports | Compliance audit, lessons learned | 6 years |
| Audit Logs | Platform access, configuration changes | Regulatory compliance, breach investigation | 7 years (immutable) |
| Billing Data | Usage metrics, invoicing records | Financial audit, revenue assurance | 7 years |
| Analytics Data | Performance metrics, AI training data | Platform optimization, threat intel | Variable (see below) |
Analytics Data Retention
| Data Type | Retention | Business Need |
|---|---|---|
| Alert metrics | 2 years | Threat landscape trending |
| AI agent performance | 1 year | AI agent optimization |
| Ingestion throughput | 1 year | Infrastructure planning |
| Tenant daily summaries | 3 years | Financial reporting, SLA compliance |
Tenant-Configurable Overrides
Tenants may extend (but not shorten) base retention periods within these limits:
| Data Class | Min Retention | Max Retention |
|---|---|---|
| Event Data | 30 days | 365 days |
| Alert Data | 180 days | 3 years |
| Incident Data | 3 years | 7 years |
Note: Audit logs and billing data retention periods are non-configurable for compliance reasons.
Legal Hold Framework
Legal Hold Precedence
Legal holds ALWAYS override standard retention policies. Data under legal hold:
- Cannot be purged regardless of configured retention period
- Must be preserved in original format with integrity verification
- Requires explicit legal counsel approval to release
Legal Hold Triggers
Automatic legal holds are initiated for:
- Regulatory subpoenas (SEC, FTC, DOJ, international equivalents)
- Litigation discovery requests from tenant legal counsel
- Security incidents classified as SEV1 (active compromise)
- Data breach notifications requiring regulatory reporting
Cross-Border Legal Hold Considerations
For EU tenants under GDPR:
- Legal holds may conflict with “right to erasure” (Art. 17)
- Platform maintains lawful basis documentation for each hold
- Data subjects are notified when erasure is delayed due to legal proceedings
For US tenants under state privacy laws:
- California CCPA: Legal holds exempt from deletion requests (1798.145(a)(1))
- Virginia VCDPA: Similar litigation exemption applies
Automated Purge & Verification
Retention Enforcement
The platform automatically enforces retention policies on a daily schedule:
- Evaluates all tenant data against configured retention periods
- Respects legal hold protections before any purge operation
- Generates cryptographic purge verification records
Legal Hold Protection
Before any purge operation, the system verifies:
- No active legal holds exist on affected records
- Records are not under extended retention by tenant configuration
- A second, independent check against the legal hold inventory passes
Purge Verification & Audit Proof
Every purge operation generates cryptographic evidence:
- Cryptographic proof: HMAC-based verification of purged record identifiers
- Audit record: Immutable log of records evaluated, purged, and protected
- Verification capability: Compliance auditors can independently verify purge completeness
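The retention enforcement and purge verification steps above, as an added example that is not the platform's own code. The record layout, the shape of the hold inventory, the clamping of tenant overrides to the override table, and the HMAC proof format (HMAC-SHA256 over the sorted purged identifiers) are assumptions.

```python
import hashlib, hmac
from datetime import date

# (base, min, max) retention days from the retention matrix and override table
# (incident: 6y/3y/7y at 365 days per year); constructed lookup.
RETENTION = {"event": (90, 30, 365), "alert": (365, 180, 1095),
             "incident": (2190, 1095, 2555)}

def effective_retention(data_class, override_days=None):
    """Clamp a tenant override into the configurable window; None keeps base."""
    base, lo, hi = RETENTION[data_class]
    return base if override_days is None else max(lo, min(hi, override_days))

def purge_proof(key, purged_ids):
    """HMAC-SHA256 over the sorted, newline-joined purged record ids."""
    msg = "\n".join(sorted(purged_ids)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_proof(key, purged_ids, proof):
    """Auditor-side check: recompute the proof and compare in constant time."""
    return hmac.compare_digest(purge_proof(key, purged_ids), proof)

def purge_pass(records, holds, overrides, key, today):
    """One daily pass over {id, tenant, data_class, created} records; holds is the
    legal-hold inventory, overrides maps (tenant, data_class) -> days."""
    purged, protected = [], []
    for r in records:
        days = effective_retention(r["data_class"],
                                   overrides.get((r["tenant"], r["data_class"])))
        if (today - r["created"]).days <= days:
            continue  # still within retention, nothing to do
        # Legal hold always wins: check record-level and tenant-wide holds.
        if r["id"] in holds["records"] or r["tenant"] in holds["tenants"]:
            protected.append(r["id"])
        else:
            purged.append(r["id"])
    return {"evaluated": len(records), "purged": sorted(purged),
            "protected": sorted(protected), "proof": purge_proof(key, purged)}

# Constructed sample inventory for a pass dated 2024-07-01.
TODAY = date(2024, 7, 1)
SAMPLE = [
    {"id": "ev-1", "tenant": "acme", "data_class": "event", "created": date(2024, 1, 1)},
    {"id": "ev-2", "tenant": "acme", "data_class": "event", "created": date(2024, 6, 1)},
    {"id": "ev-3", "tenant": "globex", "data_class": "event", "created": date(2024, 1, 1)},
    {"id": "al-1", "tenant": "acme", "data_class": "alert", "created": date(2022, 1, 1)},
]
HOLDS = {"records": {"al-1"}, "tenants": {"globex"}}  # legal-hold inventory
OVERRIDES = {("acme", "event"): 120}                  # inside the 30-365 day window
KEY = b"constructed-demo-key"                         # a KMS-held key in practice
```

Running `purge_pass(SAMPLE, HOLDS, OVERRIDES, KEY, TODAY)` purges only `ev-1`; `ev-3` and `al-1` are expired but protected by holds, and an auditor holding the key can recheck the proof against the purged id list with `verify_proof`.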
Data Residency & Sovereignty
Regional Data Pinning
Data residency is tenant-configurable based on regulatory requirements:
| Region | Data Types | Compliance Driver |
|---|---|---|
| EU | All tenant data | GDPR Art. 44-49 |
| US | All tenant data | SOX, HIPAA, FedRAMP |
| APAC | All tenant data | Regional banking, PDPA |
| Global | Analytics only | Latency optimization |
Cross-Border Transfer Controls
Principle: Customer data remains in designated region unless explicitly authorized.
Permitted Cross-Border Transfers
- Platform diagnostics (anonymized telemetry only)
- Legal compliance (subpoena, mutual legal assistance)
- Customer-initiated export (hunt query results, threat reports)
Data Localization Compliance
EU (GDPR) Requirements
- Primary storage: Must be within EU/EEA
- Backups: Encrypted backups may be stored in US with appropriate safeguards
- Analytics: Aggregated/anonymized analytics may be processed globally
- Legal basis: Article 6(1)(f) legitimate interest for security operations
US Requirements
- Federal customers: FedRAMP boundary (US-only storage and processing)
- Financial services: SOX compliance requires US or equivalent jurisdiction
- Healthcare: HIPAA permits US storage with proper BAAs
GDPR Right to Erasure
Data Subject Request Processing
When a data subject exercises their right to erasure:
- Data subject identity is validated
- Active legal holds are checked for conflicts
- All personal data records are identified across the platform
- Records are pseudonymized (preserving analytics value) or fully deleted
- Erasure completion is logged and the data subject is notified
Pseudonymization vs. Deletion
| Scenario | Action | Rationale |
|---|---|---|
| Analytics records | Pseudonymization | Preserves threat intelligence patterns |
| Audit logs | Pseudonymization | Maintains compliance trail integrity |
| Raw event data | Full deletion | No analytical value after pseudonymization |
| Legal hold data | Delayed deletion | Regulatory/litigation requirements |
Tiered Storage
Data is automatically moved through storage tiers to optimize costs:
| Tier | Access Pattern | Use Case |
|---|---|---|
| Hot | Frequent access | Active investigations, recent alerts |
| Warm | Infrequent access | Historical alerts (30+ days) |
| Cold | Rare access | Archived events (90+ days) |
| Frozen | Deep archive | Long-term compliance retention (365+ days) |
Backup Retention
| Data Type | Backup Frequency | Retention Period |
|---|---|---|
| Production database | Continuous | 30 days |
| Daily snapshots | 24 hours | 90 days |
| Weekly snapshots | 7 days | 1 year |
| Monthly snapshots | 30 days | 7 years |
Cross-Region Backup Compliance
- EU tenant data backups are encrypted with EU-managed keys
- US backup storage requires adequacy decision or Standard Contractual Clauses
- Backup restoration triggers cross-border transfer logging
Retention Policy Monitoring
Key Metrics Tracked
- Data age distribution by tenant and data type
- Purge operation success rate (target: 99.9%)
- Legal hold count and average duration
- Storage cost optimization savings via tiering
- GDPR request processing time (target: <30 days)
- Cross-border transfer audit trail
Automated Alerts
- Purge operation failures trigger immediate security team notification
- Records exceeding retention limits trigger compliance team alerts
- Legal holds exceeding 3 years trigger legal counsel review
Policy Owner: Chief Information Security Officer (CISO)
Review Frequency: Annual or upon regulatory changes