This policy describes how long Govalta retains different categories of data associated with your use of the platform. Retention periods are designed to support platform operation, regulatory compliance, and administrative continuity while minimizing retention of data beyond what is necessary.
For data deletion requests or questions about specific data categories, contact contact@govalta.com.
Retention Schedule
Account and User Data
Name, work email, role, last login
Active retention: Duration of active account
After termination: 30 days after account deactivation, then deleted

Uploaded Evidence and Documents
Evidence files, extracted text, file metadata
Active retention: Duration of organizational access
After termination: 60 days after organizational access terminates, then deleted

Validation Records
Action step validations, closure validations, gap assessments
Active retention: Duration of organizational access
After termination: 60 days after organizational access terminates, then deleted

Audit and Change Logs
Issue change history, validation run logs, audit trail entries
Active retention: Duration of organizational access
After termination: 60 days after organizational access terminates, then deleted

Session and Authentication Data
Session tokens, login timestamps, SSO assertions
Active retention: 8-hour TTL (session expiry)
After termination: Not applicable — sessions expire automatically

Usage and Platform Logs
Request logs, API call metadata, error logs
Active retention: 90 days (rolling)
After termination: Deleted on rolling basis; not linked to organizational termination

Notes
Backup retention: Data may persist in encrypted backups for up to 30 days beyond the deletion date specified above. Backups are overwritten on a rolling basis.
Legal hold: Where Govalta is required by applicable law or legal process to retain data beyond the periods stated above, Govalta will retain such data only for the period required and will inform the Controller where permitted to do so.
Early deletion: Organizations may request early deletion of their data at any time. See the Data Deletion Policy for instructions.
Sub-processor retention: Data held by Govalta's sub-processors (Vercel, Supabase, WorkOS) is subject to the retention and deletion policies of each sub-processor in addition to Govalta's instructions. See the Sub-processor Disclosure for links to each sub-processor's privacy policy.