Data Retention & Deletion
How long ReplayCI keeps your data, how it's cleaned up, and how to delete everything.
Retention periods
Run artifacts
Artifacts are retained based on their type:
| Artifact type | Default retention | Purpose |
|---|---|---|
| RAW_REDACTED | 30 days | SecurityGate-scanned run outputs |
| NORMALIZED | 90 days | Normalized comparison data |
| BUNDLE | 30 days | Exported replay bundles |
Expired artifacts are cleaned up by scheduled TTL enforcement. Retention periods are configurable per-tenant via TenantPolicy.
Authentication tokens
Tokens are cleaned up daily by a scheduled job:
| Token type | Retention after expiry |
|---|---|
| Refresh tokens (expired/revoked) | 30 days |
| Password reset tokens (expired/used) | 7 days |
| Email verification tokens (expired/used) | 7 days |
Active, unexpired tokens are never deleted by cleanup jobs.
Token lifetimes
| Token | Active lifetime |
|---|---|
| Access token (session cookie) | 15 minutes |
| Refresh token | 7 days |
| Password reset token | 1 hour (single-use) |
| Email verification token | 24 hours (single-use) |
Automated cleanup
Three scheduled jobs maintain data hygiene:
1. Token cleanup (daily)
Deletes expired and consumed authentication tokens (refresh tokens, password reset tokens, email verification tokens). No manual intervention required.
2. Database backup (daily)
Full PostgreSQL dump with compression and integrity checksums for verification.
3. Orphan reconciliation (weekly)
Scans the filesystem for blob files that aren't tracked in the database. This catches artifacts that were written to disk but whose database transaction failed (crash recovery). Orphans are logged by default and can be removed after review.
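The orphan reconciliation pass described above can be sketched as follows. This is an added example, not ReplayCI's own code: the `artifacts` table, its `blob_path` column, the one-hour grace period for in-flight writes, and the sample file names are all assumptions made for illustration.

```python
import os
import sqlite3
import tempfile
import time
from pathlib import Path

def find_orphans(root, conn, min_age=3600, now=None):
    """List blob files under root that have no row in the artifacts table."""
    now = time.time() if now is None else now
    # Hypothetical schema: artifacts.blob_path holds the path relative to root.
    tracked = {row[0] for row in conn.execute("SELECT blob_path FROM artifacts")}
    orphans = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # only regular files count as blobs
        rel = path.relative_to(root).as_posix()
        # Assumed grace period: a very recent file may belong to a
        # transaction that has not committed yet, so it is not an orphan.
        if rel not in tracked and now - path.stat().st_mtime >= min_age:
            orphans.append(rel)
    return orphans

def reconcile(root, conn, delete=False):
    """Log orphans by default; remove them only when delete=True (after review)."""
    orphans = find_orphans(root, conn)
    for rel in orphans:
        print(f"orphan blob: {rel}")
        if delete:
            (Path(root) / rel).unlink()
    return orphans

def demo():
    """Constructed sample: one tracked blob, one old orphan, one fresh write."""
    root = Path(tempfile.mkdtemp())
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artifacts (blob_path TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO artifacts VALUES ('tenant-a/run1.bin')")
    now = time.time()
    samples = [("run1.bin", 7200), ("run2.bin", 7200), ("run3.bin", 10)]
    for name, age in samples:
        blob = root / "tenant-a" / name
        blob.parent.mkdir(parents=True, exist_ok=True)
        blob.write_bytes(b"constructed sample blob")
        os.utime(blob, (now - age, now - age))  # backdate the mtime
    logged = reconcile(root, conn)                 # default: log only
    removed = reconcile(root, conn, delete=True)   # after review
    remaining = sorted(p.name for p in (root / "tenant-a").iterdir())
    return logged, removed, remaining

if __name__ == "__main__":
    print(demo())
```
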
Tenant deletion
When a tenant is offboarded, all associated data is removed in a single atomic transaction:
What gets deleted
| Category | Scope |
|---|---|
| Run data | All runs, step results, evaluation outcomes, and validation results |
| Baselines & drift | Baselines, baseline runs, drift check results |
| Shadow | Shadow comparisons and step data |
| CI | CI gate results |
| Auth | All tokens, API keys, and user accounts |
| Config | Tenant configuration and policies |
| Artifacts | All encrypted filesystem blobs under the tenant's namespace |
Deletion guarantees
- Atomic — if any model deletion fails, the entire transaction rolls back
- FK-ordered — child records are deleted before parents to satisfy foreign key constraints
- Auditable — the deletion process generates a signed report with counts per category, timestamps, and integrity hash
- Filesystem cleanup — all encrypted blobs under the tenant's namespace are removed after the database transaction succeeds
Your controls
API key revocation
You can revoke API keys immediately from the Settings page. Revoked keys are rejected on the next request — there is no grace period.
Data export
Use replayci export-bundle to export run data as a portable replay bundle before deletion.
Account deletion
Contact [email protected] to request full tenant deletion. The process uses the audited deletion script and produces a signed report confirming removal.
What we don't keep
- Provider API keys — REPLAYCI_PROVIDER_KEY is used locally by the CLI and never sent to the ReplayCI API
- Raw LLM responses — only SecurityGate-scanned, redacted artifacts are persisted
- Plaintext secrets — any detected tokens/keys are redacted before storage
- Password plaintext — passwords are hashed with scrypt (never reversible)
- Session tokens — stored as SHA-256 hashes in the database; raw tokens only exist in cookies