Data retention

Encrypted nightly snapshots of every tenant database are retained for 30 days, rolling. Snapshots older than 30 days are permanently deleted. Backups are stored in the same region as the primary database.

Application audit logs (who did what, when, from where) are retained for 7 years to satisfy accounting and tax-authority record-keeping requirements (FBR, GST, VAT). Audit logs cannot be deleted by tenant administrators.

On a verified erasure request from a tenant administrator, all personal data for the named customer is deleted within 30 days. Financial documents that name the customer (invoices, credit notes) are retained per accounting law and the customer's name on those records is replaced with a pseudonymous reference.

Product analytics events are pseudonymous at collection. After 365 days, any remaining identifiers are stripped and the events are aggregated to anonymous counters. Raw analytics events older than 365 days are not retained.

When a tenant cancels, primary data is retained for 90 days to allow restoration, then permanently deleted from production and from backups within the next 30 days. Audit logs and statutory financial records are retained per the windows above.

Erasure requests, retention questions, and DPA copies: [email protected].