Effective Date: March 28, 2026 | Version 1.0
Data Retention Policy
This policy defines the requirements for retaining, archiving, and disposing of data processed by Verilexa, ensuring compliance with SOC 2, HIPAA (45 CFR 164.530(j)), and applicable legal obligations.
1. Data Classification
| Classification | Description | Examples |
|---|---|---|
| Case Data | Attorney-client privileged material | Documents, evidence, AI analysis, timelines |
| PHI | Health-related data within case files | Medical records, toxicology, mental health evaluations |
| PII | Data identifying natural persons | Names, emails, phone numbers, SSNs |
| Audit Logs | System activity records | Access logs, agent audit trails, security events |
| Account Data | User account information | Email, preferences, onboarding status |
| Billing Data | Financial transaction records | Subscriptions, usage metrics |
| Operational Data | System performance data | Health metrics, error logs, queue status |
2. Retention Schedule
| Data Type | Active Retention | Archive | Total |
|---|---|---|---|
| Active Case Data | Duration of case | N/A | Until user deletion |
| Closed Case Data | 90 days post-closure | 6 years | 6 years + 90 days |
| PHI within Cases | Same as case data | 6 years (HIPAA min) | 6 years + 90 days |
| Audit Logs | 90 days (hot) | 6 years (cold) | 6 years + 90 days |
| Account Data | Duration of account | 30 days post-deletion | Lifetime + 30 days |
| Billing Records | Duration of subscription | 7 years (tax) | 7 years |
| Session Data | Session lifetime | None | Auto-expires |
| Operational Logs | 30 days | None | 30 days |
| AI Job Queue | Until completion | 7 days | Completion + 7 days |
3. Legal Compliance
Litigation Hold
When subject to litigation, investigation, or regulatory inquiry, a litigation hold overrides standard retention periods. Data under hold must not be deleted, modified, or archived until the hold is released by legal counsel.
HIPAA Requirements
Records related to HIPAA policies and PHI access logs are retained for a minimum of 6 years from creation or the date last in effect, whichever is later.
State Bar Requirements
Records related to North Carolina Bar Advisory compliance are retained per applicable bar rules.
4. Secure Disposal
- Case data deletion is performed atomically, removing all associated records (documents, contacts, timelines, evidence chains, intelligence) in a single database transaction.
- All foreign key relationships use cascade deletion to prevent orphaned records.
- Audit logs of deletion actions are retained per the audit log retention schedule.
- PII is automatically redacted from audit logs at write-time.
- Quarterly audits verify that expired data has been properly disposed.
5. User-Initiated Deletion
- Users may delete individual cases at any time through the platform.
- Users may request full account deletion, cascading to all associated data.
- Account deletion requests are processed within 30 days.
- A confirmation record of the deletion request is retained for 90 days.
6. Backup Retention
- Daily database backups managed by our infrastructure provider.
- Backups retained per provider plan defaults (7-30 days).
- Expired backups are automatically purged.
- Backup restoration tested quarterly.
7. Exceptions
Exceptions must be approved in writing by the Security Officer with documented justification, duration, and compensating controls.
8. Review Schedule
This policy is reviewed annually or upon changes to regulatory requirements or business operations.