Data retention policy

What we keep. How long. Why.

Sign's retention policy threads FATF Travel Rule's 7-year receipt requirement through a privacy-preserving design: we store the receipt (so you can prove you verified), never the raw transaction bytes (so your customer's transaction contents stay with you). This page is the contractual reference — any customer asking for SOC 2 / ISO 27001 evidence of retention will see exactly this table.

What Sign stores, by field

data	retention	purpose	status
verification_id	7 years	audit correlation	keep
exchange_id	7 years	customer correlation	keep
status (match / mismatch)	7 years	outcome record	keep
risk_level	7 years	outcome record	keep
receipt timestamp	7 years	FATF Travel Rule	keep
Ed25519 signature + pubkey	7 years	tamper evidence	keep
raw transaction bytes (`raw_tx`)	NEVER stored long-term	decoded in-memory only	purge after response
decoded transaction fields (to, value, etc.)	90 days (debug)	verification rollups only	rolling delete
claimed intent (to, amount, description)	90 days (debug)	mismatch post-mortem	rolling delete
SHA-256 of raw_tx (audit log payload)	forever	provable tie without plaintext	hash only
application submitter IP	30 days	rate-limit abuse triage	rolling delete
application company / email	until rejected + 1 year OR until account closure	KYC + support	keep
web decoder inputs (/v1/decode, no auth)	NONE — logged only as ephemeral request line	access logs only	never stored

The key asymmetry: we keep enough to prove a verification happened (receipt fields + signature) but we don't keep enough to reconstruct what was verified (raw transaction). If our database is leaked or subpoena'd, an adversary gets a list of which exchanges verified what status on which date — not what was in the transactions themselves.

Why 7 years

FATF Travel Rule Recommendation 16 requires VASPs (virtual asset service providers) to retain sender + recipient + amount + timestamp for all transfers ≥ USD/EUR 1,000 for a minimum of 5 years. India's PMLA 2002 mandates 10 years. EU's AMLD5 mandates 5 years. US BSA mandates 5 years. 7 years is the practical intersection for customers with EU + US + India footprint. Customers on the Enterprise plan can opt for 10-year retention.

Right to erasure (GDPR Article 17 / DPDP Section 12)

A customer can request erasure of their application data (company, email, website, free-text use-case) on request. Erasure does NOT extend to the audit log entries tied to their verifications — those are required evidence under the same Travel Rule regime.

What gets erased:

Application form fields (company, email, website, use_case_details)
Submitter IP (if still within 30-day window)
Ephemeral decoded-tx rollups (if still within 90-day window)

What stays:

Receipt records — pseudonymous (exchange_id only, no PII)
Audit log entries — public, tamper-evident, retention required by regulation
SHA-256 hashes of raw_tx in audit log payloads — cryptographically bound, irreversible

Erasure request: email privacy@zoza.world from the email on the application. 30-day SLA.

Physical + access control

Postgres on Fly.io, managed volumes, AES-256 at rest.
Per-product admin tokens, rotated quarterly. Tokens never touch the browser — the zoza-admin backend proxies each admin call with the token attached server-side.
Production database access restricted to two engineers with 2FA. Any query against sign_applications or audit tables is logged.
Backups: daily snapshots, encrypted, 30-day rolling, off-region copy in Singapore.

Legal requests

See warrant canary. Any legal request that falls within the scope of the canary triggers a canary-freeze signal. Any non-gag-ordered request is reported in the quarterly transparency report. We challenge requests that appear overbroad.