Data retention
Retention questions in SOC 2 and privacy reviews usually span three stores with different purposes: workflow run data on your workspace file store, operational telemetry in HyperDX, and the immutable security audit ledger (ImmuDB). Fontana separates these so you can apply the right retention policy to each plane.
Retention by store
Section titled “Retention by store”| Store | What it holds | Typical retention posture | Compliance role |
|---|---|---|---|
| Workflow file store | Uploads, Arrow run datasets, lineage and port audit sidecars, exports | Persists on encrypted workspace PVC until you delete runs or reclaim space through your operational procedures | Calculation provenance; not the WORM platform ledger |
| HyperDX (operational) | Pod logs, browser errors, dashboards, mirrored audit search | Shorter TTL configurable per environment; optimised for search and incident response | Search plane only; not the authoritative compliance record |
| ImmuDB (WORM audit) | Append-only security audit events per workspace | Longer retention targets on production-class hosts; sized for diligence and investigation | System of record for platform security audit |
Workflow data and lineage
Section titled “Workflow data and lineage”Workflow run data follows the Core Fontana data principles: durable on encrypted workspace storage, immutable processor outputs, explicit edit overlays. Retention of historical runs is an operational choice within your workspace boundary:
- Run directories, lineage sidecars, and port audit items live alongside datasets on the workflow engine file store
- Deleting or archiving runs removes that workflow provenance evidence; it does not delete WORM platform audit entries that already recorded privileged activity
Lineage and port audit items answer how a value was computed. They are stored on the workflow file store, not in ImmuDB. See Data lineage and Compliance evidence.
Operational logs (HyperDX)
Section titled “Operational logs (HyperDX)”Your deployment team configures HyperDX during install and upgrade: OTLP credentials, bundled dashboards, and retention TTL appropriate to the environment. Production-class hosts use longer retention than integration or local boxes where applicable.
Operational logs support availability and incident response (TSC Availability). They are not a substitute for WORM audit evidence in a compliance review.
WORM security audit (ImmuDB)
Section titled “WORM security audit (ImmuDB)”The immutable ledger retains platform security events (identity, cluster, and application admin paths documented in Immutable audit trail). Integrity scans and read-only auditor access support evidence that records were not altered after append.
Contact Fontana under NDA for environment-specific retention targets and diligence pack detail.
Egress and external processors
Section titled “Egress and external processors”When you export workflow data or call external LLM and connector APIs, retention and subprocessors follow your configuration and provider contracts:
- Egress - where workflow outputs leave the workspace
- BYOK and Zero Data Retention - model routing under your keys and gateway policies
- DPA and subprocessor lists in the Security and governance diligence pack
Fontana does not operate a shared production LLM pool for your workspace; inference uses credentials and gateways you approve.
Related documentation
Section titled “Related documentation”- Compliance evidence - lineage vs immutable audit trail
- Operational telemetry - HyperDX, Gatus, and the otel collector
- Deployment environments - which hosts are in SOC 2 scope
- SOC 2 control summary - Privacy and Availability TSC rows