Compliance & Data Retention

Last updated: February 6, 2026

Regulatory Compliance

Standards Supported:

  • SOC 2 Type II: Audit trail retention for security monitoring
  • GDPR: User action tracking for data access requests
  • CCPA: California consumer privacy compliance
  • HIPAA: Healthcare data access logging (if applicable)

Data Retention Policy

Database Storage:

  • Retention: 90 days minimum (regulatory requirement)
  • Location: `AuditLog` table (PostgreSQL)
  • Backup: Daily incremental + weekly full backups
  • Encryption: At rest (AES-256) + in transit (TLS 1.3)

Log Files:

  • Retention: 30 days (disk space management)
  • Location: `/var/log/sampo/*.log`
  • Rotation: Daily rotation with gzip compression
  • Cleanup: Automated cron job (daily at 2 AM UTC)

Grafana/Loki:

  • Retention: 180 days (long-term analysis)
  • Location: Loki data directory
  • Access: Admin dashboard (http://localhost:3004)

Immutability Guarantees

No Modifications: Audit events cannot be edited or deleted after creation.

Database Constraints:

```sql
CREATE TABLE "AuditLog" (
  "id" UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  "createdAt" TIMESTAMP NOT NULL DEFAULT NOW(),
  "event" VARCHAR(255) NOT NULL,
  "userId" UUID,
  "context" JSONB NOT NULL
  -- No UPDATE or DELETE triggers allowed
);
```

Archival: After 90 days, events move to cold storage (S3 or equivalent).
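The table definition above does not by itself prevent UPDATE or DELETE; the "no modifications" guarantee has to be enforced with privileges and a trigger. The following PostgreSQL (11+) snippet is an added example, not part of the original page or the Sampo project, showing one way to do that while still allowing the 90-day archival step. The role names `sampo_app` and `sampo_archiver` are assumptions.

```sql
-- Added example (not from the original page). Role names "sampo_app" and
-- "sampo_archiver" are assumed; substitute the roles your deployment uses.

-- 1. Least privilege: the application role can append and read, nothing else.
REVOKE ALL ON "AuditLog" FROM sampo_app;
GRANT SELECT, INSERT ON "AuditLog" TO sampo_app;

-- 2. Defence in depth: a row-level trigger rejects every UPDATE, and rejects
--    DELETE unless it is the archiver removing rows already past the 90-day
--    retention minimum. (A superuser can still drop the trigger, so DDL on
--    this table should itself be logged and monitored.)
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger AS $$
BEGIN
  IF TG_OP = 'DELETE'
     AND current_user = 'sampo_archiver'
     AND OLD."createdAt" < NOW() - INTERVAL '90 days' THEN
    RETURN OLD;  -- archival of an expired row is allowed to proceed
  END IF;
  RAISE EXCEPTION 'AuditLog is append-only: % on row % rejected', TG_OP, OLD."id";
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_no_update_delete
  BEFORE UPDATE OR DELETE ON "AuditLog"
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- 3. Checks to run after applying the above; each of these must fail
--    with the exception from the trigger when run as sampo_app:
--    UPDATE "AuditLog" SET "event" = 'x' WHERE "id" = '00000000-0000-0000-0000-000000000000';
--    DELETE FROM "AuditLog" WHERE "createdAt" > NOW() - INTERVAL '1 day';
```

The archiver role should only run its DELETE after the export to cold storage has been written and verified (for example by comparing row counts or a hash of the exported batch); the trigger guards the retention minimum, not the completeness of the export.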

Access Control

Who Can View:

  • Super Admin: Full access (all deployments)
  • Admin: Deployment-scoped access
  • Member/Customer/Guest: No access (permission denied)

RBAC Enforcement:

  • Permission: `analytics:read`
  • Validated via `RBACPageGuard` component
  • API endpoint: `/api/v1/admin/audit-trail` (JWT + RBAC)
