Plan for retention and deletion requests

When legal, HR, or a customer asks *what you keep in Auxot and how to wind it down*, map **threads, jobs, events, and configs** to **real actions** (access off, keys revoked, and org membership removed), and be honest about **audit history growth** and **backup overlap** rather than promising a fantasy one-click erase.

Plus: three Admin-Agent passes — draft a DPIA-ready retention paragraph from live surfaces only, rehearse a simulated deletion request checklist without promising impossible UI, and narrate backup-vs-forgotten tension after [Back up and export your Auxot data](/tutorials/back-up-and-export-your-auxot-data).

Audience: Admins · Developers · Executives
Time: ~12 min
Prerequisites: You know what **Audit Logs** actually stores ([View your audit logs](/tutorials/view-your-audit-logs)). Helpful: privacy-review framing ([Run a data privacy review before you ship](/tutorials/run-a-data-privacy-review-before-you-ship)), continuity runbooks ([Back up and export your Auxot data](/tutorials/back-up-and-export-your-auxot-data)).
You'll end up with: A short internal playbook — **categories of data**, **who can do what today**, **what still exists in backups**, and **escalations** — written plainly enough for security or counsel to correct.

When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.

Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.

Why this matters

Deletion requests arrive as emotional urgency: “take them out of the system.” Ops clarity wins when you separate access (can they log in or trigger work?), live records (what rows still render in Audit Logs), and offline copies (snapshots, SIEM exports, and laptop screenshots nobody admits to).

Auxot’s Audit Logs database rows don’t currently expire: old jobs, threads, and events stay queryable (View your audit logs: Retention and export). Cancelling a running job stops work: it doesn’t rewrite history. That’s not a moral verdict; it’s the shape of the product today. Your job is to say so in internal docs and customer-facing materials before someone assumes the opposite.

Self-hosted teams own Postgres backups: “deleted” today can still live in yesterday’s snapshot until rotation ages out (Deployment, Security). Hosted deployments still need a named vendor process for destructive requests: this lesson doesn’t replace contracts or support tickets.
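To make the snapshot overlap concrete, here is an added example (not Auxot code or tooling) that works out which backups still hold a record after it is deleted, and when the last of them rotates out. It assumes nightly full snapshots with a fixed age-based retention; the schedule, dates and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

def snapshots_holding(snapshots, created_at, deleted_at):
    """Snapshots taken while the record existed: created_at <= t < deleted_at."""
    return sorted(t for t in snapshots if created_at <= t < deleted_at)

def residual_window(snapshots, retention, created_at, deleted_at, as_of):
    """Return (still_retained, clears_at).

    still_retained: snapshots that contain the record and have not yet
                    aged out as of `as_of`.
    clears_at:      when the newest of those snapshots rotates out, or
                    None if no retained snapshot contains the record.
    """
    holding = snapshots_holding(snapshots, created_at, deleted_at)
    still = [t for t in holding if t + retention > as_of]
    clears_at = max(still) + retention if still else None
    return still, clears_at

def backup_note(snapshots, retention, created_at, deleted_at, as_of):
    """Text for the 'Backup caveat' cell of the request matrix."""
    still, clears_at = residual_window(
        snapshots, retention, created_at, deleted_at, as_of)
    if not still:
        return "No retained snapshot contains this record."
    return (f"{len(still)} retained snapshot(s) still contain this record; "
            f"the last rotates out {clears_at:%Y-%m-%d %H:%M}.")

# Constructed schedule: nightly 02:00 snapshots, Mon 3 June to Sun 9 June 2024,
# each kept for 14 days (assumed retention policy).
SNAPSHOTS = [datetime(2024, 6, d, 2, 0) for d in range(3, 10)]
RETENTION = timedelta(days=14)
CREATED = datetime(2024, 6, 1, 9, 0)    # record first written (constructed)
DELETED = datetime(2024, 6, 5, 10, 0)   # "deleted Wednesday" (constructed)
AS_OF = datetime(2024, 6, 6, 9, 0)      # when the request owner checks

if __name__ == "__main__":
    print(backup_note(SNAPSHOTS, RETENTION, CREATED, DELETED, AS_OF))
```

A record created and deleted between two snapshots never reaches a backup at all, which is why the function returns `None` rather than a date in that case.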

Nothing forgets itself because Privacy wished it: you assign owners, you document limits, you escalate what only infrastructure can do.


Quick start

  1. Inventory categories — conversations (Threads), execution receipts (Jobs), configuration/system (Events), plus Settings artifacts (agents, context files, and credential references): each gets one sentence on who sees it and how it’s removed or rotated.
  2. Separate access from erasure — removing someone from the org or team, revoking API keys, and disabling integrations stops new harm fast — often before any deep datastore work (Rotate credentials without surprising your agents, Manage your Credentials).
  3. Align words to reality — paste your public privacy promises or DPIA stub; if they claim instant wholesale chat purge and the manual doesn’t, fix the document or escalate product — don’t wing it in email (Run a data privacy review before you ship).
  4. Plan exports before fights — if regulators expect audit trails, ingestion matters (Back up and export your Auxot data): deletion projects still argue about what must remain versus what must go.
  5. Name escalation — who opens the support / infra ticket when only database operators can complete technical deletion — and what evidence they need (user id, org id, and time window).

Done? One-page matrix: Request type → Immediate toggles → Remaining data → Backup caveat → Owner.


The agent can do that?

1. DPIA paragraph from manuals only

Chat → Admin Agent:

Draft a 120-word internal retention summary for Auxot — cite only Audit Logs behavior, encryption pattern for credentials, and that backups may lag deletion — no legal conclusions; bullets if tighter.

Why it’s non-obvious: Marketing sites go stale: forcing manual-aligned wording surfaces gaps before counsel reads fiction. You still verify every clause against your deployment.

2. Simulated request rehearsal

Simulated DSAR: employee leaving — list ordered actions inside Auxot UI vocabulary — revoke keys, org removal, and integrations — vs actions needing DBA/vendor — markdown checklist; flag unknowns explicitly.

Why it’s non-obvious: In a panic, people delete keys before noting which automations will break. The checklist puts the steps in order; you still execute them manually.

3. Backup contradiction narrative

Explain in plain English why Postgres backup from Tuesday conflicts with 'deleted Wednesday' customer story — audience: exec — no jargon wall — tie to [Back up and export your Auxot data](/tutorials/back-up-and-export-your-auxot-data) drill cadence.

Why it’s non-obvious: Leadership hears delete as absolute: short narrative prevents promising magic.


Go deeper

Context files and agents

Settings lets you delete context files and retire agents when policy demands: treat prose there like any other regulated doc (Add your first context file, Keep your context files honest and fresh).

Audit Logs scope

Org admins see org-wide rows; narrower roles see subsets: investigations fail when the wrong account hunts (View your audit logs).

When threads carry secrets

Train people not to paste secrets into chat: rotation heals keys; it doesn’t unread a leaked transcript: pair with tool-policy discipline (Define a tool policy).


Walkthrough

Step 1: Build the matrix template

Columns: Data category, Primary surface, Stop-the-line action, Residual state, Backup note, and Owner.

Step 2: Fill from Audit Logs vocabulary

Open Audit Logs once: confirm Jobs / Threads / Events language matches your matrix (View your audit logs).

Step 3: Dry-run access removal

Walk through membership / keys / integrations toggles on paper: no production clicks until stakeholders agree how widely each change reaches.

Step 4: Attach escalation contacts

Self-hosted → DBA / platform owner; hosted → vendor support path from your agreement: blank cells mean panic later.

Step 5: Review quarterly

Roster reviews catch stale policy (Run a quarterly review of your agents): retention promises belong in the same rhythm.

