Data retention & processing policy
Last updated: 2026-04-29
This policy describes how long ArcSentinel keeps each category of personal
data, on what legal basis, and how it is destroyed.
It supports the GDPR's storage-limitation principle (Art. 5(1)(e)), our
NIS2 obligations on traceability, and customer due-diligence reviews.
Retention table
| Data | Retention | Reason | Method of removal |
|---|---|---|---|
| Account record (users) | Until you delete it | You decide when to leave | Hard DELETE, cascades to dependent rows |
| Workspace records (targets, cases, scans, intel_entries) | Until you delete the parent record or your account | You own the data | Hard DELETE |
| Sealed vault entries (vault_entries) | Until you delete the entry or your account | You own the data; we cannot read it anyway | Hard DELETE |
| API keys (api_keys) | Until you revoke or until expires_at | Active session credentials | Hard DELETE on revoke; nightly job purges expired rows |
| Activity log (activity_log) — operational events | 24 months from creation | Legitimate interest: incident investigation, NIS2 traceability | Nightly job removes rows where created_at < now() - interval '24 months' |
| Activity log — auth failures (auth.login_failed, security.*) | 12 months | Sufficient for forensic correlation | Same nightly job, separate predicate |
| Notifications (notifications) | 6 months after read_at, 12 months if unread | Reduce noise; not load-bearing | Nightly job |
| Backups | 30 days rolling | Disaster recovery; longer retention is unnecessary risk | Snapshot rotation; oldest snapshot is cryptographically destroyed |
| CDN / web logs | 14 days | Operational debugging only | Provider-managed rotation |
| Error reports (Sentry, optional) | 90 days | Bug triage | Sentry default; we never extend |
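The nightly purge rows of the table, written out as one PostgreSQL job. This is an added example, not ArcSentinel's own job: the table and column names created_at, read_at and expires_at come from the table above, while the column holding the event name in activity_log (assumed to be called kind) and the created_at column on notifications are assumptions.

```sql
-- Added example: nightly retention purge matching the retention table.
-- Assumed: PostgreSQL; activity_log.kind holds the event name
-- (e.g. 'auth.login_failed'); notifications has a created_at column.
BEGIN;

-- Auth failures and security events: 12 months (separate predicate).
DELETE FROM activity_log
 WHERE (kind = 'auth.login_failed' OR kind LIKE 'security.%')
   AND created_at < now() - interval '12 months';

-- All other operational events: 24 months from creation.
DELETE FROM activity_log
 WHERE NOT (kind = 'auth.login_failed' OR kind LIKE 'security.%')
   AND created_at < now() - interval '24 months';

-- Notifications: 6 months after they were read, 12 months if never read.
DELETE FROM notifications
 WHERE (read_at IS NOT NULL AND read_at < now() - interval '6 months')
    OR (read_at IS NULL AND created_at < now() - interval '12 months');

-- Expired API keys; revoked keys were already hard-deleted at revocation.
DELETE FROM api_keys
 WHERE expires_at IS NOT NULL AND expires_at < now();

COMMIT;
```

Running all four statements in one transaction means a failure part-way leaves no category half-purged; the two activity_log predicates are disjoint, so their order does not affect the result.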
Deletion mechanism
When you delete your account:
- The `users` row is hard-deleted.
- PostgreSQL cascades the delete to every dependent table via the
foreign-key constraints in apps/web/src/lib/schema.sql.
- A `data.deleted` audit row is written without your user id; it is
anonymous evidence that the deletion happened.
- Backups containing the data are overwritten on the next 30-day
rotation; we do not selectively scrub backups, but the encryption keys
protecting them are destroyed when they age out.
Destruction of credentials
- Passphrase: only the bcrypt hash is stored; on delete the row vanishes.
- API key: only the Argon2id hash is stored; revocation removes the row.
- Vault entry: the ciphertext and IV are deleted. We never had the
decryption key.
Anonymisation
Where retention is necessary for legal compliance after account deletion
(e.g. a subpoena referencing an incident), we retain only:
- the `kind` of the action,
- a coarse timestamp,
- a hashed (salted SHA-256) IP fragment.
No identifying fields are retained.
Review cadence
This policy is reviewed at every minor release and at least once per
calendar year. The owner of this policy is ArcNode —
Subject access
To request a copy of everything we still hold under retention rules, use
Settings → Security → Export data or write to info@arcnode.dev. The
statutory response window is 30 days.