Effective Date: March 28, 2026  |  Version 1.0

Data Retention Policy

This policy defines the requirements for retaining, archiving, and disposing of data processed by Verilexa, ensuring compliance with SOC 2, HIPAA (45 CFR 164.530(j)), and applicable legal obligations.

1. Data Classification

ClassificationDescriptionExamples
Case DataAttorney-client privileged materialDocuments, evidence, AI analysis, timelines
PHIHealth-related data within case filesMedical records, toxicology, mental health evaluations
PIIData identifying natural personsNames, emails, phone numbers, SSNs
Audit LogsSystem activity recordsAccess logs, agent audit trails, security events
Account DataUser account informationEmail, preferences, onboarding status
Billing DataFinancial transaction recordsSubscriptions, usage metrics
Operational DataSystem performance dataHealth metrics, error logs, queue status

2. Retention Schedule

Data TypeActive RetentionArchiveTotal
Active Case DataDuration of caseN/AUntil user deletion
Closed Case Data90 days post-closure6 years6 years + 90 days
PHI within CasesSame as case data6 years (HIPAA min)6 years + 90 days
Audit Logs90 days (hot)6 years (cold)6 years + 90 days
Account DataDuration of account30 days post-deletionLifetime + 30 days
Billing RecordsDuration of subscription7 years (tax)7 years
Session DataSession lifetimeNoneAuto-expires
Operational Logs30 daysNone30 days
AI Job QueueUntil completion7 daysCompletion + 7 days

3. Legal Compliance

Litigation Hold

When subject to litigation, investigation, or regulatory inquiry, a litigation hold overrides standard retention periods. Data under hold must not be deleted, modified, or archived until the hold is released by legal counsel.

HIPAA Requirements

Records related to HIPAA policies and PHI access logs are retained for a minimum of 6 years from creation or the date last in effect, whichever is later.

State Bar Requirements

Records related to North Carolina Bar Advisory compliance are retained per applicable bar rules.

4. Secure Disposal

  • Case data deletion is performed atomically, removing all associated records (documents, contacts, timelines, evidence chains, intelligence) in a single database transaction.
  • All foreign key relationships use cascade deletion to prevent orphaned records.
  • Audit logs of deletion actions are retained per the audit log retention schedule.
  • PII is automatically redacted from audit logs at write-time.
  • Quarterly audits verify that expired data has been properly disposed.

5. User-Initiated Deletion

  • Users may delete individual cases at any time through the platform.
  • Users may request full account deletion, cascading to all associated data.
  • Account deletion requests are processed within 30 days.
  • A confirmation record of the deletion request is retained for 90 days.

6. Backup Retention

  • Daily database backups managed by our infrastructure provider.
  • Backups retained per provider plan defaults (7-30 days).
  • Expired backups are automatically purged.
  • Backup restoration tested quarterly.

7. Exceptions

Exceptions must be approved in writing by the Security Officer with documented justification, duration, and compensating controls.

8. Review Schedule

This policy is reviewed annually or upon changes to regulatory requirements or business operations.