johan
/
inou
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
inou/docs/soc2/data-retention-policy.md

5.2 KiB
Raw Blame History

Data Retention Policy

Version: 1.0 Effective: January 2026 Owner: Johan Jongsma Review: Annually

1. Purpose

Define how long inou retains user data and the procedures for data deletion.

2. Scope

All data stored in inou systems:

  • User accounts (dossiers)
  • Medical data (imaging, labs, genome, documents, vitals)
  • Access logs
  • Authentication tokens

3. Retention Periods

User Data

Data Type Retention Period Rationale
Active user data Indefinite while account active User controls their data
Deleted user data Immediately purged User right to deletion

System Data

Data Type Retention Period Rationale
HTTP access logs 90 days Security investigation window
Audit logs 7 years Regulatory compliance (HIPAA)
Error logs 90 days Debugging and monitoring

Authentication Data

Data Type Retention Period Rationale
Session tokens 30 days or until logout Session lifetime
API tokens Until expiry (4 hours) + 24 hours Cleanup buffer
Verification codes 10 minutes Security
OAuth authorization codes 10 minutes OAuth specification
Refresh tokens 30 days or until revoked OAuth specification

Backup Data

Data Type Retention Period Rationale
Local ZFS snapshots 30 days Recovery window
Off-site backups 90 days Extended recovery option

4. User-Initiated Deletion

Account Deletion

When a user deletes their account:

Immediate actions:

  • Mark dossier as deleted
  • Revoke all active sessions and tokens
  • Remove from search and listing

Within 24 hours:

  • Purge all entries (imaging, labs, genome, documents)
  • Remove access grants (given and received)
  • Remove from active database

Retained for compliance:

  • Audit log entries (7 years, anonymized)

Individual Entry Deletion

When a user deletes a specific entry:

  • Entry removed from database immediately
  • Removed from local backups per snapshot rotation (30 days)
  • Removed from off-site backups per retention schedule (90 days)

Right to Erasure (GDPR Article 17)

Users may request complete erasure:

  1. User submits request via security@inou.com
  2. Identity verified
  3. Deletion executed within 30 days
  4. Confirmation sent to user
  5. Request logged for compliance

5. Automated Retention Enforcement

Daily Cleanup Jobs

-- Remove expired auth tokens
DELETE FROM oauth_tokens WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM auth_codes WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM refresh_tokens WHERE expires_at < datetime('now', '-24 hours');

-- Remove expired sessions
DELETE FROM sessions WHERE expires_at < datetime('now');

-- Remove old rate limit entries
DELETE FROM rate_limits WHERE created_at < datetime('now', '-24 hours');

Log Rotation

# Rotate logs older than 90 days
find /tank/inou/*.log -mtime +90 -delete

Backup Rotation

  • ZFS snapshots: Automatic rotation, 30-day retention
  • Off-site (Google Drive): 90-day retention, older backups removed

6. Legal Holds

When litigation or investigation requires data preservation:

  1. Identify scope - Which users/data affected
  2. Suspend deletion - Exclude from automated purges
  3. Document hold - Record reason, scope, authorizer, date
  4. Release hold - When legal matter resolved, resume normal retention

Current legal holds: None

7. Data Export

Users may export their data at any time:

  • Full export available via portal
  • Formats: JSON (structured data), original files (DICOM, PDFs, images)
  • Export includes all user-uploaded data and derived analysis

8. Backup Data Handling

Deleted data may persist in backups until rotation completes:

Backup Type Maximum Persistence After Deletion
ZFS snapshots 30 days
Off-site backups 90 days

Users are informed that complete purge from all backups occurs within 90 days of deletion request.

9. Third-Party Data

Proton (SMTP)

  • Verification codes only (6-digit numbers)
  • No health data transmitted
  • Subject to Proton's retention policies

Google Drive (Backups)

  • Encrypted data only; Google cannot read contents
  • Retention controlled by inou (90 days)
  • Deleted per inou's backup rotation schedule

10. Compliance Mapping

Regulation Requirement Implementation
GDPR Art. 17 Right to erasure Immediate deletion on request
GDPR Art. 5(1)(e) Storage limitation Defined retention periods
HIPAA 6-year record retention 7-year audit log retention
CCPA Deletion rights Same as GDPR implementation

11. Verification

Monthly Review

  • Verify cleanup jobs running
  • Check for orphaned data
  • Review pending deletion requests
  • Confirm backup rotation operating

Annual Review

  • Review retention periods for regulatory changes
  • Update policy as needed
  • Verify compliance with stated periods

Document end