# Data retention and deletion

Status: customer boundary doc. Required topic `data_retention_and_deletion` from `contracts/production-admission.v0.json` `customer_boundary_lane.required_doc_topics`.
## Default retention

Gestalt persists the durable records produced by the membrane for the duration of the pilot’s timeframe named in the signed pilot admission record (see `contracts/production-admission.v0.json` `pilot_admission_lane.signed_record_required_fields`).
Outside that timeframe, the membrane refuses to admit further operations and the pilot admission record becomes inactive. The durable records produced before timeframe end remain part of the record graph that the pilot’s proof bundles cite.
## What is retained

The membrane records, with the maturity labels declared in `contracts/production-admission.v0.json` `operation_maturity`:
- Hashes and references for tenant, company, package, connector, vertical, jurisdiction, timeframe.
- Evidence references and receipts emitted by membrane operations.
- Refusals, with their stable refusal codes.
- Proof bundle manifests with audit kernel commitments.
These are the records that make a proof bundle verifiable independently. They do not contain raw plaintext business data.
## What is not retained

Because the membrane never accepted them, none of the following are retained:
- Raw register payloads and raw legal names.
- Raw passkey credential IDs, private key material, or biometric template material.
- Raw connector payloads or credential secrets.
- Raw incident payloads.
There is no “delete the raw thing” operation for this class of data because the raw thing was refused at the membrane and never persisted.
## Deletion semantics

Deletion operates on the durable references the membrane holds:
- A passkey may be revoked via `humanAuth.passkeyRevoke` (staging-durable). The credential ID hash and public verification material are marked revoked; subsequent verification refuses.
- A standing claim may be revoked via `standing.revoke`. Mandates may be revoked via `mandate.revoke`.
- A connector consent may be revoked via `evidence.connector.revoke`. Subsequent ingestion against the revoked consent refuses.
- Authority package activation may be revoked via `authority.package.revoke`. Active resolution against the revoked package fails closed.
- A pilot admission record may be revoked via the pilot admission lane’s revocation path (`pilot_admission_lane.revocation_supported: true` in the contract).
Revocation is durable; it survives a runtime restart.
## What cannot be retroactively mutated

A proof bundle’s commitment (audit kernel root, signature graph) is part of the record’s authenticity. Once a proof bundle has been emitted and cited externally, the contents it commits to cannot be retroactively rewritten. A subject access or erasure request can revoke or mark records, but the historical commitment that an event occurred is preserved by design. This is the property a regulator relies on; it is also the property a pilot customer relies on for non-repudiation.
A pilot customer’s data processing agreement should reflect this: revocation is supported and durable, but a sealed proof bundle is not amendable.
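The revocation and commitment properties described in the two sections above, shown as an added Python illustration that is not Gestalt's code: the `RecordGraph` class, the record shapes and the hash-chain commitment are assumptions of this example, standing in for the membrane's record graph and the audit kernel's real scheme.

```python
import hashlib
import json

class RecordGraph:
    """Hypothetical model of the page's record graph: an append-only list of
    durable references holding hashes and revocation markers, never raw data."""

    def __init__(self, records=None):
        self.records = list(records or [])  # pass records to model a restart

    def admit_passkey(self, credential_id: bytes) -> str:
        cred_hash = hashlib.sha256(credential_id).hexdigest()  # raw ID is not kept
        self.records.append({"type": "passkey", "cred_hash": cred_hash})
        return cred_hash

    def revoke_passkey(self, cred_hash: str) -> None:
        # Revocation appends a marker; earlier records are never rewritten.
        self.records.append({"type": "passkey_revoked", "cred_hash": cred_hash})

    def verify_passkey(self, credential_id: bytes) -> bool:
        cred_hash = hashlib.sha256(credential_id).hexdigest()
        kinds = {r["type"] for r in self.records if r["cred_hash"] == cred_hash}
        return "passkey" in kinds and "passkey_revoked" not in kinds  # refuses once revoked

    def commitment(self, count: int) -> str:
        # Hash chain over the first `count` records. The audit kernel's real
        # commitment scheme is not described on the page; this one is assumed.
        root = ""
        for record in self.records[:count]:
            canonical = json.dumps(record, sort_keys=True)
            root = hashlib.sha256((root + canonical).encode()).hexdigest()
        return root

    def seal_bundle(self) -> dict:
        return {"count": len(self.records), "root": self.commitment(len(self.records))}

    def verify_bundle(self, bundle: dict) -> bool:
        return self.commitment(bundle["count"]) == bundle["root"]

def demo():
    graph = RecordGraph()
    cred = b"constructed-credential-id"  # constructed sample value
    cred_hash = graph.admit_passkey(cred)
    bundle = graph.seal_bundle()  # from here on the bundle is cited externally
    before = graph.verify_passkey(cred)
    graph.revoke_passkey(cred_hash)
    restarted = RecordGraph(graph.records)  # revocation survives a restart
    after = restarted.verify_passkey(cred)
    return before, after, restarted.verify_bundle(bundle), len(restarted.records)
```

Running `demo()` shows verification succeeding before revocation and refusing after it, while the bundle sealed before the revocation still verifies against the unchanged prefix of the record graph.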