Data Retention Policy

Data class	Target retention	Current enforcement (code-verified)
COA documents	3 years	Enforced — `do_not_purge` + object-lock `retain_until = +1095d`
Compliance audit log	Permanent (append-only)	Enforced — DB append-only trigger; never purged
Generic audit_events	per `AUDIT_LOG_RETENTION_DAYS`	Deleted by retention task past the window — narrower than 3yr; confirm policy
Raw PII (`pii_raw`)	90-day TTL	Enforced — nightly purge
Identity verification	provider ref + selfie retained	retained; no TTL
Financial records	7 years (IRS/1099)	Not separately enforced — gap

¶ Data Retention Policy