johan
/
inou
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
inou/docs/soc2/data-retention-policy.md

211 lines
5.2 KiB
Markdown
Raw Blame History

# Data Retention Policy
**Version:** 1.0
**Effective:** January 2026
**Owner:** Johan Jongsma
**Review:** Annually
---
## 1. Purpose
Define how long inou retains user data and the procedures for data deletion.
---
## 2. Scope
All data stored in inou systems:
- User accounts (dossiers)
- Medical data (imaging, labs, genome, documents, vitals)
- Access logs
- Authentication tokens
---
## 3. Retention Periods
### User Data
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Active user data | Indefinite while account active | User controls their data |
| Deleted user data | Immediately purged | User right to deletion |
### System Data
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| HTTP access logs | 90 days | Security investigation window |
| Audit logs | 7 years | Regulatory compliance (HIPAA) |
| Error logs | 90 days | Debugging and monitoring |
### Authentication Data
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Session tokens | 30 days or until logout | Session lifetime |
| API tokens | Until expiry (4 hours) + 24 hours | Cleanup buffer |
| Verification codes | 10 minutes | Security |
| OAuth authorization codes | 10 minutes | OAuth specification |
| Refresh tokens | 30 days or until revoked | OAuth specification |
### Backup Data
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Local ZFS snapshots | 30 days | Recovery window |
| Off-site backups | 90 days | Extended recovery option |
---
## 4. User-Initiated Deletion
### Account Deletion
When a user deletes their account:
**Immediate actions:**
- Mark dossier as deleted
- Revoke all active sessions and tokens
- Remove from search and listing
**Within 24 hours:**
- Purge all entries (imaging, labs, genome, documents)
- Remove access grants (given and received)
- Remove from active database
**Retained for compliance:**
- Audit log entries (7 years, anonymized)
### Individual Entry Deletion
When a user deletes a specific entry:
- Entry removed from database immediately
- Removed from local backups per snapshot rotation (30 days)
- Removed from off-site backups per retention schedule (90 days)
### Right to Erasure (GDPR Article 17)
Users may request complete erasure:
1. User submits request via security@inou.com
2. Identity verified
3. Deletion executed within 30 days
4. Confirmation sent to user
5. Request logged for compliance
---
## 5. Automated Retention Enforcement
### Daily Cleanup Jobs
```sql
-- Remove expired auth tokens
DELETE FROM oauth_tokens WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM auth_codes WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM refresh_tokens WHERE expires_at < datetime('now', '-24 hours');
-- Remove expired sessions
DELETE FROM sessions WHERE expires_at < datetime('now');
-- Remove old rate limit entries
DELETE FROM rate_limits WHERE created_at < datetime('now', '-24 hours');
```
### Log Rotation
```bash
# Rotate logs older than 90 days
find /tank/inou/*.log -mtime +90 -delete
```
### Backup Rotation
- ZFS snapshots: Automatic rotation, 30-day retention
- Off-site (Google Drive): 90-day retention, older backups removed
---
## 6. Legal Holds
When litigation or investigation requires data preservation:
1. **Identify scope** - Which users/data affected
2. **Suspend deletion** - Exclude from automated purges
3. **Document hold** - Record reason, scope, authorizer, date
4. **Release hold** - When legal matter resolved, resume normal retention
**Current legal holds:** None
---
## 7. Data Export
Users may export their data at any time:
- Full export available via portal
- Formats: JSON (structured data), original files (DICOM, PDFs, images)
- Export includes all user-uploaded data and derived analysis
---
## 8. Backup Data Handling
Deleted data may persist in backups until rotation completes:
| Backup Type | Maximum Persistence After Deletion |
|-------------|-----------------------------------|
| ZFS snapshots | 30 days |
| Off-site backups | 90 days |
Users are informed that complete purge from all backups occurs within 90 days of deletion request.
---
## 9. Third-Party Data
### Proton (SMTP)
- Verification codes only (6-digit numbers)
- No health data transmitted
- Subject to Proton's retention policies
### Google Drive (Backups)
- Encrypted data only; Google cannot read contents
- Retention controlled by inou (90 days)
- Deleted per inou's backup rotation schedule
---
## 10. Compliance Mapping
| Regulation | Requirement | Implementation |
|------------|-------------|----------------|
| GDPR Art. 17 | Right to erasure | Immediate deletion on request |
| GDPR Art. 5(1)(e) | Storage limitation | Defined retention periods |
| HIPAA | 6-year record retention | 7-year audit log retention |
| CCPA | Deletion rights | Same as GDPR implementation |
---
## 11. Verification
### Monthly Review
- [ ] Verify cleanup jobs running
- [ ] Check for orphaned data
- [ ] Review pending deletion requests
- [ ] Confirm backup rotation operating
### Annual Review
- [ ] Review retention periods for regulatory changes
- [ ] Update policy as needed
- [ ] Verify compliance with stated periods
---
*Document end*
Reference in New Issue View Git Blame Copy Permalink