
Audit Log Retention Policies: How Long Should You Keep Data?

AuditKit Team · 7 min read

Why Do Retention Policies Matter for Audit Logs?

Audit log retention is one of those requirements that seems simple until you start implementing it. Keep logs too short and you fail compliance audits. Keep them too long and you waste money on storage, increase your data breach blast radius, and potentially violate data minimization requirements under GDPR. The right retention policy balances regulatory minimums, customer contracts, storage costs, and privacy obligations.

Most teams default to "keep everything forever" because it feels safe. It is not. Unlimited retention means unlimited liability — every stored record is a record that can be breached, subpoenaed, or flagged in a privacy audit. A well-designed retention policy is a risk management tool, not just a compliance checkbox.

What Are the Minimum Retention Periods by Compliance Framework?

Framework | Minimum retention | Notes
SOC 2 Type II | 12-15 months | No period is prescribed by the criteria; logs must cover the full observation window (typically 12 months) plus a buffer for auditor review. No explicit maximum.
HIPAA | 6 years | 45 CFR 164.530(j) (Privacy Rule) and 164.316(b)(2) (Security Rule) require required documentation to be retained for 6 years from creation or last effective date, whichever is later. State laws may require longer.
GDPR | No fixed minimum | Retain only as long as necessary for the documented purpose, justified by a legal basis. Delete or pseudonymize once the purpose expires.
ISO 27001 | Not specified | A.12.4.1 (2013 edition; A.8.15 in ISO/IEC 27001:2022) requires logs to be kept "for an agreed period." Your ISMS policy defines the period; auditors verify that you follow it. Common: 12-24 months.
PCI DSS v4.0 | 12 months | Requirement 10.5.1 (10.7 in v3.2.1): retain audit log history for at least 12 months, with at least the most recent 3 months immediately available for analysis.
SOX (Sarbanes-Oxley) | 7 years | Section 802 (18 U.S.C. 1520) sets a 5-year floor for audit workpapers; SEC Rule 2-06 of Regulation S-X and PCAOB AS 1215 extend it to 7 years. Applies to public companies and their auditors; a SaaS provider inherits the period through customer contracts and SOC 1 scoping.
FedRAMP | 90 days online at minimum; 30 months in practice | NIST AU-11 leaves the period to the organization. The FedRAMP baselines require audit records to be kept online (queryable) for at least 90 days and preserved offline in line with NARA requirements; FedRAMP Rev 5 points AU-11 at OMB M-21-31, which sets 12 months of active storage plus 18 months of cold storage.

If you serve customers across multiple frameworks, your retention policy must satisfy the longest applicable requirement. A SaaS serving both healthcare (HIPAA: 6 years) and financial (SOX: 7 years) customers needs at least 7-year retention capability — though you should apply the longer period only to tenants that require it.

How Do You Implement Tiered Storage for Cost Efficiency?

Storing 7 years of audit data in a hot PostgreSQL database is expensive and unnecessary. Audit data follows a clear access pattern: recent events are queried frequently, older events are accessed rarely (usually only during audits or investigations). Tiered storage exploits this pattern:

Hot tier (0-90 days)

Primary database with full indexing and sub-second query performance. This is where your customer-facing audit viewer, SIEM streaming, and anomaly detection operate. Store in PostgreSQL (partitioned by time, so the archival job can detach whole partitions instead of deleting row by row) for row-level lookups, or in ClickHouse or a similar columnar store if aggregate queries dominate. Cost: highest per GB, but volume is limited to recent data.

Warm tier (90 days - 12 months)

Compressed storage with slower but still interactive query performance. Events are moved from hot to warm via a nightly archival job. Data is still queryable for compliance reviews and investigations, but response times are seconds rather than milliseconds. Options: partitioned PostgreSQL tables on cheaper storage, columnar formats (Parquet) on object storage with query engines like DuckDB or Athena.

Cold tier (1-7+ years)

Compressed, archived storage optimized for cost. Events are stored as immutable files (Parquet, compressed JSON) in object storage (S3, GCS, Azure Blob) with lifecycle rules transitioning them to infrequent-access or Glacier tiers. Queries require data restoration (minutes to hours), but storage cost is pennies per GB per month. Make the immutability real rather than nominal: enable versioning and a WORM control such as S3 Object Lock in compliance mode (or the equivalent bucket immutability policy on GCS or Azure) with a lock period matching the tenant's retention policy, so that neither an attacker nor an operator with delete rights can purge evidence early. Record a content hash for each archived file at write time so a restored archive can be verified against what was originally written.

What Does Tiered Storage Cost at Scale?

Example: a SaaS with 5,000 active users generating 100 audit events per user per day. That is 500,000 events/day, or about 180 million events/year. Assuming 500 bytes per event, raw volume is roughly 250 MB/day, 22 GB per 90 days, and 90 GB/year. The figures below also assume about 4x compression for the archived tiers (a conservative figure; repetitive JSON audit events stored as Parquet or gzip often compress 5-10x):

Tier | Data volume | Storage type | Monthly cost
Hot (0-90 days) | ~22 GB raw, more with indexes | PostgreSQL (RDS/Aurora) | $15-30
Warm (90 days-12 months) | ~69 GB raw, ~17 GB compressed | S3 Standard + Athena | $3-5 (storage plus per-query scan charges)
Cold (1-7 years) | ~550 GB raw, ~140 GB compressed | S3 Glacier Deep Archive | under $1

Total: under $40/month for 7 years of audit data for a substantial SaaS application. Compare this to keeping everything in a hot database: ~640 GB of raw rows (well over 1 TB once indexed) in PostgreSQL at $150-300/month for storage alone, 4-8x more expensive, with query performance degrading as the table grows.

How Should Retention Vary Per Tenant?

Not all tenants need the same retention. A startup customer on your free plan may only need 90 days. An enterprise healthcare customer needs 6+ years. Implementing per-tenant retention requires:

  • Retention configuration table — store hot, warm, and cold retention periods per tenant, with defaults based on the customer's plan tier
  • Tenant-aware archival jobs — the nightly job that moves data between tiers must read each tenant's retention config and process accordingly
  • Deletion verification — when data exits the cold tier, verify that no legal hold or active investigation blocks deletion before purging
  • Audit the retention process — log retention actions (archival, deletion) as audit events themselves, creating a meta-audit trail

AuditKit supports per-tenant retention configuration through the dashboard. Default retention tiers align with plan levels: Free (90 days hot), Pro (12 months hot + 24 months warm), Business (12 months hot + 5 years cold), Enterprise (custom, up to 10 years with dedicated cold storage).

What Happens When You Need to Delete Audit Data?

Deletion of audit data should be automated and auditable. Manual deletion is error-prone and creates compliance risk — either someone deletes too much (losing evidence) or too little (violating data minimization).

Implement automated deletion with these safeguards:

  1. Legal hold check — before deleting any partition or tenant's data, check for active legal holds. Litigation preservation overrides retention policy.
  2. Dry run mode — run the deletion job in dry-run first, logging what would be deleted without actually deleting. Review before enabling live deletion.
  3. Deletion audit events — log every deletion action: what was deleted, how many events, which tenant, which retention policy triggered it.
  4. Tombstone records — optionally keep lightweight tombstone records noting that "N events for tenant X covering dates Y-Z were deleted per retention policy P." This satisfies auditors who ask "where did the data go?"
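The pieces described in the last three sections (the nightly archival job that moves events from the hot tier into compressed objects, per-tenant retention configuration with plan defaults, the legal hold check, dry-run mode, deletion audit events, and tombstones), combined in one added example. This is not AuditKit's code: it uses SQLite for the hot tier and an in-memory dict holding gzipped JSON Lines objects in place of an object store, and the table names, plan defaults, and tenants are constructed for the example.

```python
import gzip
import json
import sqlite3
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

FIELDS = ("id", "ts", "actor", "action", "detail")


@dataclass(frozen=True)
class RetentionPolicy:
    hot_days: int    # days an event stays in the hot (primary) table
    total_days: int  # days after which the archived copy is purged


# Plan-tier defaults: illustrative numbers, not AuditKit's actual plans.
PLAN_DEFAULTS = {"free": RetentionPolicy(90, 90), "enterprise": RetentionPolicy(90, 7 * 365)}

SCHEMA = """
CREATE TABLE tenants(id TEXT PRIMARY KEY, plan TEXT, hot_days INT, total_days INT);
CREATE TABLE legal_holds(tenant_id TEXT, released_at TEXT);
CREATE TABLE audit_events(id INTEGER PRIMARY KEY, tenant_id TEXT, ts TEXT,
                          actor TEXT, action TEXT, detail TEXT);
CREATE TABLE tombstones(tenant_id TEXT, key TEXT, event_count INT, policy TEXT, deleted_at TEXT);
"""


def pack(events):
    """Archive format used here: gzipped JSON Lines, one event per line."""
    return gzip.compress("".join(json.dumps(e) + "\n" for e in events).encode())


def policy_for(conn, tenant_id):
    """Per-tenant override when set, otherwise the plan default."""
    plan, hot, total = conn.execute(
        "SELECT plan, hot_days, total_days FROM tenants WHERE id=?", (tenant_id,)).fetchone()
    base = PLAN_DEFAULTS[plan]
    return RetentionPolicy(hot or base.hot_days, total or base.total_days)


def legal_hold_active(conn, tenant_id):
    return conn.execute("SELECT 1 FROM legal_holds WHERE tenant_id=? AND released_at IS NULL",
                        (tenant_id,)).fetchone() is not None


def log_action(conn, tenant_id, now, action, detail):
    """Every retention action is itself an audit event (the meta-audit trail)."""
    conn.execute("INSERT INTO audit_events(tenant_id, ts, actor, action, detail) VALUES (?,?,?,?,?)",
                 (tenant_id, now.isoformat(), "retention-job", action, json.dumps(detail)))


def archive_hot(conn, store, tenant_id, policy, now, dry_run):
    """Move events older than hot_days out of the hot table, one object per event day."""
    cutoff = (now - timedelta(days=policy.hot_days)).isoformat()
    rows = conn.execute("SELECT id, ts, actor, action, detail FROM audit_events "
                        "WHERE tenant_id=? AND ts < ? ORDER BY ts", (tenant_id, cutoff)).fetchall()
    by_day = {}
    for row in rows:
        by_day.setdefault(row[1][:10], []).append(dict(zip(FIELDS, row)))
    for day, events in by_day.items():
        key = f"warm/{tenant_id}/{day}.jsonl.gz"
        if not dry_run:
            store[key] = pack(events)
            conn.executemany("DELETE FROM audit_events WHERE id=?", [(e["id"],) for e in events])
        log_action(conn, tenant_id, now, "retention.archive",
                   {"key": key, "events": len(events), "dry_run": dry_run})
    return len(rows)


def purge_expired(conn, store, tenant_id, policy, now, dry_run):
    """Delete archived objects older than total_days unless a legal hold blocks it."""
    if legal_hold_active(conn, tenant_id):
        log_action(conn, tenant_id, now, "retention.purge_blocked", {"reason": "legal_hold"})
        return 0
    expiry_day = (now - timedelta(days=policy.total_days)).date()
    prefix, purged = f"warm/{tenant_id}/", 0
    for key in sorted(k for k in store if k.startswith(prefix)):
        if date.fromisoformat(key[len(prefix):][:10]) >= expiry_day:
            continue
        count = gzip.decompress(store[key]).count(b"\n")
        if not dry_run:
            del store[key]
            conn.execute("INSERT INTO tombstones VALUES (?,?,?,?,?)",  # "where did the data go?"
                         (tenant_id, key, count, f"total_days={policy.total_days}", now.isoformat()))
        log_action(conn, tenant_id, now, "retention.purge", {"key": key, "events": count, "dry_run": dry_run})
        purged += count
    return purged


def run_retention(conn, store, now, dry_run=False):
    """Nightly job: archive, then purge, per tenant. Dry run logs but changes nothing."""
    report = {}
    for (tenant_id,) in conn.execute("SELECT id FROM tenants").fetchall():
        policy = policy_for(conn, tenant_id)
        archived = archive_hot(conn, store, tenant_id, policy, now, dry_run)
        purged = purge_expired(conn, store, tenant_id, policy, now, dry_run)
        report[tenant_id] = {"archived": archived, "purged": purged}
    conn.commit()
    return report


def demo(dry_run=False):
    """Constructed fixture: a free-plan tenant and an enterprise tenant under legal hold, each
    with a 10-day-old and a 120-day-old hot event plus one archived object from 2015."""
    now = datetime(2025, 1, 1, 2, 0, tzinfo=timezone.utc)
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants VALUES (?,?,?,?)",
                     [("acme", "free", None, None), ("clinic", "enterprise", None, 6 * 365)])
    conn.execute("INSERT INTO legal_holds VALUES ('clinic', NULL)")
    store = {}
    for tenant in ("acme", "clinic"):
        for age in (10, 120):
            conn.execute("INSERT INTO audit_events(tenant_id, ts, actor, action, detail) VALUES (?,?,?,?,?)",
                         (tenant, (now - timedelta(days=age)).isoformat(), "alice", "user.login", "{}"))
        store[f"warm/{tenant}/2015-01-01.jsonl.gz"] = pack(
            [{"id": i, "ts": "2015-01-01T00:00:00+00:00", "actor": "bob", "action": "user.login",
              "detail": "{}"} for i in range(3)])
    return conn, store, run_retention(conn, store, now, dry_run)


if __name__ == "__main__":
    print(json.dumps(demo()[2], indent=2))
```

The job runs in a fixed order per tenant: archive hot rows older than hot_days into one object per event day, then purge objects whose event day is older than total_days. A legal hold blocks only the purge stage; archival still runs, so held data keeps moving to cheaper storage without ever being deleted. In dry-run mode neither stage writes to the store or deletes rows, so the purge stage can only report objects already archived by an earlier live run. In production the dict becomes a bucket with versioning and Object Lock, and the per-tenant row is what the dashboard edits.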

Key Takeaways

  • Retention requirements range from 90 days (internal policy) to 6-7 years (HIPAA, SOX) — know your customers' frameworks.
  • "Keep everything forever" is not safe — it increases breach liability and may violate GDPR data minimization.
  • Implement 3-tier storage (hot/warm/cold) to cut costs by 4-8x while maintaining compliance.
  • Support per-tenant retention — a healthcare customer's 6-year requirement should not inflate costs for every tenant.
  • Automate deletion with legal hold checks, dry runs, and deletion audit events.
  • PCI DSS requires the most recent 3 months to be immediately available — that means queryable without a restore step, so a 90-day hot tier only just meets it; keep the warm tier interactive (Athena, partitioned tables) rather than in a Glacier-class tier, and never let the hot-to-warm boundary fall inside the 3-month window.

Ready to ship audit logging?

AuditKit gives you tamper-evident audit trails and SOC 2 evidence collection in one platform. Start free.
