Skip to content

Data retention

Retention questions in SOC 2 and privacy reviews usually span three stores with different purposes: workflow run data on your workspace file store, operational telemetry in HyperDX, and the immutable security audit ledger (ImmuDB). Fontana separates these so you can apply the right retention policy to each plane.

StoreWhat it holdsTypical retention postureCompliance role
Workflow file storeUploads, Arrow run datasets, lineage and port audit sidecars, exportsPersists on encrypted workspace PVC until you delete runs or reclaim space through your operational proceduresCalculation provenance; not the WORM platform ledger
HyperDX (operational)Pod logs, browser errors, dashboards, mirrored audit searchShorter TTL configurable per environment; optimised for search and incident responseSearch plane only; not the authoritative compliance record
ImmuDB (WORM audit)Append-only security audit events per workspaceLonger retention targets on production-class hosts; sized for diligence and investigationSystem of record for platform security audit

Workflow run data follows the Core Fontana data principles: durable on encrypted workspace storage, immutable processor outputs, explicit edit overlays. Retention of historical runs is an operational choice within your workspace boundary:

  • Run directories, lineage sidecars, and port audit items live alongside datasets on the workflow engine file store
  • Deleting or archiving runs removes that workflow provenance evidence; it does not delete WORM platform audit entries that already recorded privileged activity

Lineage and port audit items answer how a value was computed. They are stored on the workflow file store, not in ImmuDB. See Data lineage and Compliance evidence.

Your deployment team configures HyperDX during install and upgrade: OTLP credentials, bundled dashboards, and retention TTL appropriate to the environment. Production-class hosts use longer retention than integration or local boxes where applicable.

Operational logs support availability and incident response (TSC Availability). They are not a substitute for WORM audit evidence in a compliance review.

The immutable ledger retains platform security events (identity, cluster, and application admin paths documented in Immutable audit trail). Integrity scans and read-only auditor access support evidence that records were not altered after append.

Contact Fontana under NDA for environment-specific retention targets and diligence pack detail.

When you export workflow data or call external LLM and connector APIs, retention and subprocessors follow your configuration and provider contracts:

Fontana does not operate a shared production LLM pool for your workspace; inference uses credentials and gateways you approve.