Audit-log retention
The audit log is the customer-facing record of every privileged action AxisSynapse takes on your behalf. Retention controls how long each category of audit lines stays before it's pruned. AxisSynapse defaults are designed to honor every jurisdiction floor out of the box — SOX § 802, HIPAA, EEOC § 1602.14, GDPR Art. 5(1)(e) — and the configurable surface lets you tighten further where regulation permits. The retention policy is the SOX/GDPR buyer's headline: it's where compliance is decided, not guessed.
TL;DR — Open Settings → Security → Audit-log retention. Confirm the four category windows (SECURITY / HR / FINANCE / GENERAL) match your legal department's guidance. The form refuses to set a window below the jurisdiction floor. A daily prune cron applies the policy; its completion is recorded in the audit log like any other action.
How retention is structured
Every audit line is tagged with a category that drives its retention window. The four categories cover the universe of recorded actions.
| Category | What it covers | Default window / floor |
|---|---|---|
| SECURITY | Authentication, MFA, SSO, SCIM, network policy, step-up, WebAuthn, attestation policy — anything that affects sign-in or session. | Default window: 7 years. Floor: 7 years (US), 5 years (EU/UK), 7 years (CA). Cannot go below floor. |
| HR | HCM lifecycle changes, year-end tax actions, equity grants, payroll transmits. | Default window: 7 years. Floor: 7 years (US — EEOC § 1602.14 + IRS), 6 years (EU). |
| FINANCE | Procurement approvals, fixed-assets disposals, inventory adjustments at cost. | Default window: 7 years. Floor: 7 years (US SOX § 802), 6 years (UK), 10 years (DE). |
| GENERAL | Profile updates, preferences, notifications, anything that doesn't fit the regulated buckets. | Default window: 3 years. Floor: 1 year (most jurisdictions). Tighten freely. |
Jurisdiction floors
The workspace's region (chosen at creation) determines which jurisdiction floor applies. The form shows the applicable floor next to each window so you can't accidentally set something below the minimum.
| Jurisdiction | Governing rules | Floors by category |
|---|---|---|
| US | SOX § 802 + HIPAA § 164.316 + EEOC § 1602.14 + IRS retention guidance. | SECURITY 7y, HR 7y, FINANCE 7y, GENERAL 1y. |
| EU | GDPR Art. 5(1)(e) storage-limitation + national archival floors. | SECURITY 5y, HR 6y, FINANCE 6y, GENERAL 1y. |
| UK | Companies Act + ICO retention guidance. | SECURITY 6y, HR 6y, FINANCE 6y, GENERAL 1y. |
| Canada | PIPEDA + CRA tax-record retention. | SECURITY 7y, HR 7y, FINANCE 7y, GENERAL 1y. |
Set the policy
Open Settings → Security → Audit-log retention
The page shows your jurisdiction, the current windows, the active jurisdiction floors, and the next-prune timestamp.
Pick a window per category
Use the slider or type a year value. The slider clamps at the jurisdiction floor; below-floor input is rejected with a citation explaining which rule sets the minimum.
Toggle "Enabled"
Off (default): the platform keeps audit lines indefinitely. On: the daily prune cron starts applying the windows on its next run.
Click "Save"
A step-up prompt confirms the policy change. The new windows take effect on the next cron run; the daily prune respects holds (next section).
Holds: when retention fails closed
When a regulatory event places a hold on an account (an active litigation discovery request, an account-erasure request still in cooling-off, a regulatory investigation), the prune cron fails closed — it does not delete any line that touches the held subject, even when the retention window has elapsed.
Fail-closed is the safe default
The platform errs on the side of keeping evidence. If you need to force deletion despite a hold, the action requires step-up + 4-eyes + 64-character rationale + 10-year audit retention on the override itself. See Account erasure for the holds-override flow.
The daily prune
Once the policy is enabled, AxisSynapse runs a daily prune that applies the windows in batches. Each run writes its own audit line.
| Field | What it does | Accepted values / default |
|---|---|---|
| Cadence | How often the prune runs. | Once per day. The exact time is platform-managed; pruned rows always reflect the policy as of that day's start. |
| Batching | How the prune handles very large categories. | Batched so a single category can't monopolize the run. A run-completion line records every category's count. |
| Failure mode | What happens if a category fails mid-prune. | The run-completion line records the partial result and the failure detail. The next run resumes. |
| Hold check | Per-row check against active holds. | Fails closed: any held row is skipped even if its window has elapsed. The prune line records the skip count. |
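The floor check from "Jurisdiction floors" and the fail-closed hold check above, modelled together as an added example (this is not AxisSynapse code). The row fields (`category`, `at`, `subjects`), the set of held subjects, the `CA` region key and the calendar-year cutoff are assumptions; the platform maximum is not checked because this page does not state it.

```python
from collections import Counter
from datetime import datetime, timezone

# Floors in years, copied from the "Jurisdiction floors" table on this page.
FLOORS = {
    "US": {"SECURITY": 7, "HR": 7, "FINANCE": 7, "GENERAL": 1},
    "EU": {"SECURITY": 5, "HR": 6, "FINANCE": 6, "GENERAL": 1},
    "UK": {"SECURITY": 6, "HR": 6, "FINANCE": 6, "GENERAL": 1},
    "CA": {"SECURITY": 7, "HR": 7, "FINANCE": 7, "GENERAL": 1},
}

def validate_windows(region, windows):
    """Return {category: error_code} for each window the form would refuse."""
    errors = {}
    for cat, floor in FLOORS[region].items():
        years = windows.get(cat)
        if isinstance(years, bool) or not isinstance(years, int):
            errors[cat] = "RETENTION_INVALID_YEAR"
        elif years < floor:
            errors[cat] = "RETENTION_BELOW_FLOOR"
    return errors

def cutoff(day_start, years):
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return day_start.replace(year=day_start.year - years)
    except ValueError:
        return day_start.replace(year=day_start.year - years, day=28)

def plan_prune(rows, windows, held_subjects, day_start):
    """Count rows per category as kept / held_skip / pruned."""
    counts = {cat: Counter() for cat in windows}
    for row in rows:
        cat = row["category"]
        if row["at"] >= cutoff(day_start, windows[cat]):
            counts[cat]["kept"] += 1        # window has not elapsed
        elif held_subjects & set(row["subjects"]):
            counts[cat]["held_skip"] += 1   # fail closed: hold beats window
        else:
            counts[cat]["pruned"] += 1
    return counts

# Constructed sample rows (hypothetical fields: category, at, subjects).
def make_row(cat, y, m, d, *subjects):
    return {"category": cat, "at": datetime(y, m, d, tzinfo=timezone.utc), "subjects": subjects}

ROWS = [make_row("GENERAL", 2021, 6, 1, "u1"), make_row("GENERAL", 2021, 6, 2, "u2"),
        make_row("GENERAL", 2024, 1, 5, "u2"), make_row("HR", 2017, 1, 9, "u1", "u3")]
DAY_START = datetime(2025, 3, 1, tzinfo=timezone.utc)
```

With the default windows and a hold on `u2`, the expired GENERAL row for `u2` is counted as a held skip rather than pruned, which is the figure to compare against the held-skip count in the run-completion line.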
Every field, explained
| Field | What it does | Accepted values / default |
|---|---|---|
| Enabled | Whether the daily prune is active. | Off by default. Turn on after the legal team has signed off on the windows. |
| SECURITY window | Retention years for SECURITY audit lines. | Integer years ≥ jurisdiction floor. Default 7. |
| HR window | Retention years for HR audit lines. | Integer years ≥ jurisdiction floor. Default 7. |
| FINANCE window | Retention years for FINANCE audit lines. | Integer years ≥ jurisdiction floor. Default 7. |
| GENERAL window | Retention years for GENERAL audit lines. | Integer years ≥ jurisdiction floor. Default 3. |
| Workspace jurisdiction | Drives which floor matrix applies. | Read-only. Set at workspace creation; cannot be changed afterward. |
| Hold registry | List of currently active retention holds. | Read-only here; lifecycle is managed from /platform/account-erasure and the legal-discovery flow. |
What appears in the audit log
- TENANT_AUDIT_RETENTION_POLICY_UPDATED — every policy change. Carries the before and after window values.
- AUDIT_PRUNE_RUN_COMPLETED — daily prune completion. Carries the per-category counts of pruned rows and held-skip rows.
- AUDIT_PRUNE_RUN_FAILED — partial-failure record. Pair with the next AUDIT_PRUNE_RUN_COMPLETED to confirm catch-up.
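A monitoring check over exported audit lines that pairs each failure with the next completion and flags shortened windows, as an added example (not AxisSynapse code). The export shape (`event`, `at`, `before`, `after`) and the 36-hour staleness threshold are assumptions; only the three event names come from this page.

```python
from datetime import datetime, timedelta, timezone

FAILED, COMPLETED = "AUDIT_PRUNE_RUN_FAILED", "AUDIT_PRUNE_RUN_COMPLETED"
UPDATED = "TENANT_AUDIT_RETENTION_POLICY_UPDATED"

def review(events, now, max_gap=timedelta(hours=36)):
    """Return findings from audit lines (dicts with 'event' and ISO 'at')."""
    findings, open_failure, last_run = [], None, None
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["at"])):
        kind, at = ev["event"], datetime.fromisoformat(ev["at"])
        if kind in (FAILED, COMPLETED):
            if last_run and at - last_run > max_gap:
                findings.append(("missed_run", ev["at"]))
            last_run = at
        if kind == FAILED:
            open_failure = open_failure or ev["at"]  # keep the earliest
        elif kind == COMPLETED:
            open_failure = None                      # catch-up confirmed
        elif kind == UPDATED:
            before = ev["before"]
            shrunk = sorted(c for c, y in ev["after"].items() if y < before.get(c, y))
            if shrunk:
                findings.append(("window_shortened", ev["at"], shrunk))
    if open_failure:
        findings.append(("failure_without_catch_up", open_failure))
    if last_run and now - last_run > max_gap:
        findings.append(("prune_stale", last_run.isoformat()))
    return findings

# Constructed sample audit lines (not real AxisSynapse output).
EVENTS = [
    {"event": COMPLETED, "at": "2025-03-01T02:10:00+00:00"},
    {"event": FAILED, "at": "2025-03-02T02:11:00+00:00"},
    {"event": COMPLETED, "at": "2025-03-03T02:09:00+00:00"},
    {"event": UPDATED, "at": "2025-03-03T09:00:00+00:00",
     "before": {"HR": 7, "GENERAL": 3}, "after": {"HR": 7, "GENERAL": 1}},
    {"event": FAILED, "at": "2025-03-04T02:12:00+00:00"},
]
NOW = datetime(2025, 3, 4, 12, 0, tzinfo=timezone.utc)
```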
Common gotchas
- "I tried to set HR to 3 years and was refused." The jurisdiction floor for HR is 6-7 years across all supported regions. The floor is the floor; tighten elsewhere.
- "My prune didn't run last night." Confirm Enabled is on (off by default). If on, look for AUDIT_PRUNE_RUN_FAILED in the audit log.
- "I deleted a user but their audit lines are still here." That is intentional — account erasure removes the subject's personal data; the audit log records actions and is retained per the category windows. See Account erasure.
- "My legal team wants to override the prune for a litigation hold." Place a hold through the legal-discovery workflow — the prune fails closed on every row touching the held subject.
- "The audit-log size is growing fast and the prune isn't keeping up." Confirm the windows are correct; if so, ask your account team about increasing the per-run batch size for your workspace.
Troubleshooting
| Error code | What it means | Fix |
|---|---|---|
| RETENTION_BELOW_FLOOR | A window value was below the jurisdiction floor. | Increase the window to at least the floor. |
| RETENTION_INVALID_YEAR | A non-integer or out-of-range year was submitted. | Use integer years between the floor and the platform maximum. |
| RETENTION_HOLD_BLOCKED_PRUNE | The prune skipped rows due to active holds. | Expected. Review holds in the legal-discovery workflow once they're resolved. |
| RETENTION_PRUNE_PARTIAL | A prune run ended partial. | Look at the failure detail; the next run resumes. |