Skip to content

Data Retention & GDPR Compliance

This guide covers configuring data retention policies for GDPR compliance.

Overview

AG2Trust provides configurable data retention to help you meet compliance requirements:

  • Agent audit logs: Configurable 30-365 days
  • Compliance audit logs: Fixed 7-year retention
  • Automatic cleanup: Daily job removes expired data
  • PII redaction: Automatic before storage

Data Types

Agent Audit Logs

Records of agent interactions:

Field Description PII Status
timestamp When event occurred No
agent_id Which agent No
event_type Type of event No
content Message content Redacted
tokens_used Token consumption No
model LLM model used No

Example (after PII redaction):

{
  "timestamp": "2025-01-15T10:30:00Z",
  "agent_id": "uuid",
  "event_type": "message",
  "content": "My email is [EMAIL] and phone is [PHONE_NUMBER]",
  "tokens_used": 150
}

Compliance Audit Logs

System events for compliance:

Field Description Retention
User logins Who logged in when 7 years
Permission changes Role modifications 7 years
Data access Who accessed what 7 years
Configuration changes Settings modifications 7 years

Configuring Retention

Via Dashboard

  1. Go to Settings > Data Retention
  2. Set your retention period (30-365 days)
  3. Click Save

Available Periods

Days Use Case
30 Minimum, high-turnover data
60 Short-term needs
90 Default, balanced
180 Extended debugging
365 Maximum retention

Compliance Logs Fixed

Compliance audit logs always retain for 7 years and cannot be changed.

How Cleanup Works

Daily Cleanup Job

A background job runs daily at 3 AM UTC:

  1. Identifies records older than retention period
  2. Deletes in batches (1000 records per batch)
  3. Logs results to application logs

Cleanup Scope

Log Type Retention Cleanup
Agent audit logs Configurable Daily
Compliance logs 7 years Not deleted
Application logs 90 days Daily

Monitoring Cleanup

View cleanup results in the admin panel:

SELECT *
FROM application_logs
WHERE service = 'retention_cleanup'
ORDER BY timestamp DESC;

GDPR Compliance

Data Subject Rights

AG2Trust supports GDPR data subject rights:

Right Implementation
Access Export your data via Settings
Erasure Delete organization removes all data
Portability Export in machine-readable JSON
Rectification Edit data via Dashboard

Exporting Your Data

  1. Go to Settings > Data Export
  2. Select data types to export
  3. Click Generate Export
  4. Download when ready

Export includes: - Agent configurations - Team structures - Audit logs (within retention) - User information

Data Deletion

To delete all organization data:

  1. Go to Settings > Organization
  2. Click Delete Organization
  3. Confirm by typing organization name
  4. All data is permanently deleted

Irreversible

Organization deletion cannot be undone. All data is permanently removed.

PII Redaction

Automatic Redaction

AG2Trust automatically redacts PII before storing audit logs:

PII Type Example Redacted As
Email john@example.com [EMAIL]
Phone +1-555-123-4567 [PHONE_NUMBER]
SSN 123-45-6789 [US_SSN]
Credit Card 4111-1111-1111-1111 [CREDIT_CARD]
IP Address 192.168.1.1 [IP_ADDRESS]

Redaction Process

Input:  "Contact me at john@example.com or 555-1234"
Analysis: Presidio NER detection
Output: "Contact me at [EMAIL] or [PHONE_NUMBER]"
Storage: Only redacted version stored

Original Data

Original Messages Not Stored

Original (un-redacted) messages are never stored in audit logs. Only agents see original content during processing.

Compliance Reports

Generating Reports

  1. Go to Compliance > Reports
  2. Select report type:
  3. Access Log: Who accessed what
  4. Change Log: Configuration changes
  5. Retention Summary: Data lifecycle
  6. Set date range
  7. Click Generate

Report Contents

Access Log: 

Date       User              Action          Resource
2025-01-15 admin@company.com viewed          agent:uuid-123
2025-01-15 dev@company.com   started         agent:uuid-456
2025-01-14 admin@company.com exported        audit_logs

Change Log: 

Date       User              Change
2025-01-15 admin@company.com role_changed: user@company.com member→admin
2025-01-14 admin@company.com retention_changed: 90→180 days

Best Practices

1. Set Appropriate Retention

Industry Recommended
General SaaS 90 days
Healthcare 180+ days
Finance 365 days
Testing/Dev 30 days

2. Regular Compliance Reviews

Monthly: - [ ] Review access logs - [ ] Check for unusual patterns - [ ] Verify retention settings - [ ] Export compliance report

3. Document Your Policies

Maintain records of: - Retention period decisions - Who approved settings - When settings changed - Compliance justification

4. Train Your Team

Ensure team members understand: - What data is logged - How PII is handled - How to handle data requests - Escalation procedures

Data Processing Details

Processing Locations

Data Type Location Encryption
User data Your region At rest + transit
Audit logs Your region At rest + transit
Agent messages Processed in memory Transit only

Third-Party Data Sharing

Party Data Shared Purpose
LLM Providers Message content Processing
None Audit logs -
None User data -

LLM Provider Data

Message content is sent to your configured LLM provider (OpenAI/Anthropic) for processing. Review their data policies.

Troubleshooting

Retention not applying

  1. Check setting was saved
  2. Wait for daily cleanup job
  3. Verify data age exceeds retention
  4. Check application logs for errors

Can't export data

  1. Verify you have Owner role
  2. Check export isn't already running
  3. Try smaller date range
  4. Contact support if persistent

PII appearing in logs

  1. Report to security@ag2trust.com
  2. Provide example (redact actual PII)
  3. We'll investigate and fix

Enterprise Features

Custom Retention Policies

Available on Enterprise

  • Per-team retention settings
  • Per-data-type retention
  • Legal hold capabilities
  • Advanced export options

Compliance Certifications

In progress

  • SOC 2 Type II
  • ISO 27001
  • HIPAA BAA

Next Steps