Data Retention

TrustGate enforces data retention policies to comply with AML regulations and GDPR storage limitation principles. Retention periods are determined by applicant status and are enforced at the platform level.

Regulatory Requirements

Different regulations impose different retention requirements:

Regulation	Requirement	Typical Period
AML (US BSA)	Customer records	5 years after relationship ends
AML (EU AMLD)	Customer records	5 years after relationship ends
GDPR	Personal data	Minimum necessary
SOX	Financial records	7 years
MiFID II	Client records	5-7 years

Data Minimization

GDPR requires that personal data is not kept longer than necessary. TrustGate balances:

• Regulatory minimums -- Must retain for AML/KYC compliance
• GDPR storage limitation -- Article 5(1)(e) requires deletion when no longer needed
• Legal hold overrides -- Court orders and investigations take precedence

Retention Policies

Retention periods are defined by applicant status and enforced by the platform. These policies are not configurable via API -- they are set at the platform level to ensure regulatory compliance.

Applicant Status	Retention Period	Rationale
approved	5 years	Standard KYC retention
rejected	5 years	AML requirement for rejected applicants
flagged	7 years	Extended retention for confirmed screening hits
pending	90 days	Incomplete applications
in_progress	90 days	Stuck applications
review	6 months	Applications awaiting review
withdrawn	30 days	User-cancelled applications

Retention is calculated from the applicant's updated_at timestamp. If an applicant has no explicit retention expiry set, the platform calculates it from the last update date plus the retention period for that status.

The default retention period for any unrecognized status is 5 years.

GDPR Articles Referenced

Article	Scope
5(1)(e)	Storage limitation principle
17	Right to erasure (right to be forgotten)
17(3)(b)	Exception: legal claims
17(3)(e)	Exception: legal obligations (AML requirements)

Data Categories

Personal Information

Category	Retention	Notes
Name, DOB, address	Follows applicant status	AML requirement for approved/rejected
Email, phone	Follows applicant status	Contact for reviews
Nationality	Follows applicant status	Risk assessment

Documents

Category	Retention	Notes
Document images	Follows applicant status	Evidence of verification
Extracted data	Follows applicant status	Verification record
Document metadata	Follows applicant status	Audit trail

Biometrics

Category	Retention	Notes
Selfie images	30 days	Delete after verification
Face embeddings	30 days	Not needed long-term
Liveness data	7 days	Immediate verification only

Verification Results

Category	Retention	Notes
Verification status	Follows applicant status	Compliance record
Check results	Follows applicant status	Decision basis
Risk scores	Follows applicant status	Risk assessment record

Screening Data

Category	Retention	Notes
Screening results	Follows applicant status	AML compliance
Hit records	Follows applicant status	Investigation evidence
Resolution notes	Follows applicant status	Decision documentation

Retention Expiry Detection

The retention service provides two query functions for identifying applicants based on their retention status:

• Expired applicants -- Records that have exceeded their retention period and are eligible for deletion (excluding those under legal hold)
• Expiring soon -- Records approaching their retention expiry within a configurable warning window (default: 30 days)

note

These functions are implemented in the retention service but are not yet wired to scheduled background tasks. Automated retention cleanup is planned for a future release. Currently, data deletion is performed via the GDPR delete endpoint on a per-applicant basis.

How Auto-Deletion Will Work

+----------------------------------------------------------+
|              RETENTION POLICY CHECK                       |
|         Runs on a scheduled interval                      |
+----------------------------+-----------------------------+
                             |
                             v
+----------------------------------------------------------+
|           IDENTIFY EXPIRED RECORDS                        |
|    Records past retention period with no legal hold       |
+----------------------------+-----------------------------+
                             |
                             v
+----------------------------------------------------------+
|              NOTIFY BEFORE DELETION                       |
|    Alert compliance team of upcoming deletions            |
+----------------------------+-----------------------------+
                             |
                             v
+----------------------------------------------------------+
|              EXECUTE DELETION                             |
|    Permanently remove data, create audit log              |
+----------------------------------------------------------+

GDPR Deletion (Right to Erasure)

TrustGate provides a GDPR Article 17 deletion endpoint that permanently and irreversibly deletes an applicant and all associated data.

Delete an Applicant

DELETE /api/v1/applicants/{applicant_id}/gdpr-delete?confirmation=CONFIRM_DELETE&reason=data_subject_request

curl -X DELETE "https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/gdpr-delete?confirmation=CONFIRM_DELETE&reason=data_subject_request" \
  -H "Authorization: Bearer YOUR_API_KEY"

Query parameters:

Parameter	Required	Description
confirmation	Yes	Must be exactly CONFIRM_DELETE
reason	Yes	Reason for deletion (e.g., data_subject_request, retention_cleanup)

Required permission: delete:applicants

Response

{
  "status": "deleted",
  "applicant_id": "550e8400-e29b-41d4-a716-446655440000",
  "deleted_at": "2026-02-04T14:30:00.000000",
  "deleted_data": [
    "documents (3)",
    "screening_checks (2)",
    "cases (1)",
    "applicant_record"
  ]
}

Deletion Safeguards

The GDPR delete endpoint enforces multiple safeguards before proceeding:

1. Confirmation string -- The confirmation query parameter must be exactly CONFIRM_DELETE. Any other value returns 400 Bad Request.

2. Legal hold check -- If the applicant is under legal hold, deletion is blocked with 409 Conflict. The legal hold must be removed first.

3. AML retention check -- Flagged and rejected applicants cannot be deleted until their AML retention period has elapsed:

   • Flagged: 5 years minimum (checked against retention_expires_at or updated_at)
   • Rejected: 5 years minimum (same check)

4. Tenant isolation -- The applicant must belong to the authenticated user's tenant.

Cascading Deletion

When an applicant is deleted, the following associated records are permanently removed:

Data Type	How Deleted
Documents	Explicitly deleted (including storage references)
Screening checks	Explicitly deleted (cascade deletes hits)
Cases	Explicitly deleted
Applicant record	Deleted last
Audit log	Created before deletion to preserve the record of the action

Error Responses

Status Code	Condition
400	Missing or incorrect confirmation string
404	Applicant not found (or not in your tenant)
409	Applicant under legal hold, or AML retention period not yet elapsed

Legal Holds

Legal holds prevent any deletion of an applicant's data, including GDPR erasure requests and automated retention cleanup. Use legal holds for pending litigation, regulatory investigations, or law enforcement requests.

Apply a Legal Hold

POST /api/v1/applicants/{applicant_id}/legal-hold

curl -X POST "https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/legal-hold" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "reason": "litigation_hold"
  }'

Request body:

Field	Type	Required	Description
reason	string	Yes	Reason for the legal hold (1-500 characters)

Required permission: admin:applicants

Response:

{
  "status": "legal_hold_set",
  "legal_hold": true,
  "legal_hold_reason": "litigation_hold",
  "legal_hold_set_at": "2026-02-04T14:30:00.000000",
  "applicant_id": "550e8400-e29b-41d4-a716-446655440000"
}

Returns 400 if the applicant is already under legal hold.

Remove a Legal Hold

DELETE /api/v1/applicants/{applicant_id}/legal-hold

curl -X DELETE "https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/legal-hold" \
  -H "Authorization: Bearer YOUR_API_KEY"

Required permission: admin:applicants

Response:

{
  "status": "legal_hold_removed",
  "legal_hold": false,
  "legal_hold_reason": null,
  "legal_hold_set_at": null,
  "applicant_id": "550e8400-e29b-41d4-a716-446655440000"
}

Returns 400 if the applicant is not under legal hold.

What Legal Hold Blocks

When an applicant is under legal hold:

• GDPR deletion requests return 409 Conflict
• The applicant is excluded from expired-record queries (future automated cleanup)
• Manual deletion is blocked

Audit Trail

All legal hold operations are recorded in the audit log:

• Hold applied: Records who set the hold, the reason, and when
• Hold removed: Records who removed the hold, the previous reason, and when

Best Practices

1. Respond to GDPR erasure requests promptly -- Article 17 requires action "without undue delay" (within one month). Use the GDPR delete endpoint after verifying the request is legitimate and no AML exception applies.

2. Apply legal holds proactively -- When you receive notice of litigation or an investigation, immediately apply legal holds to all relevant applicants before any automated or manual deletion can occur.

3. Document your retention rationale -- Use meaningful reason strings in deletion and legal hold requests. These are preserved in the audit log for compliance reviews.

4. Monitor AML retention boundaries -- Flagged and rejected applicants have mandatory 5-7 year retention periods. The platform enforces this, but your compliance team should be aware of when records become eligible for deletion.

5. Keep audit logs separate -- Audit logs of deletion actions are retained independently of the deleted applicant data, ensuring you can demonstrate compliance even after records are purged.

---

Next Steps

• Consent Management -- Manage consent records
• GDPR Compliance -- Privacy requirements
• Audit Logging -- Track data access