
Audit Log Retention Period

Effective: March 17, 2026 · DCF-441

1. Purpose

This document defines the retention periods for all audit logs generated across H33.ai's production infrastructure. Retention periods are designed to satisfy both HIPAA requirements (6-year minimum for records related to protected health information) and SOC 2 requirements (sufficient retention to support the audit period, typically 12 months).

Proper log retention ensures that H33.ai can support security investigations, regulatory inquiries, compliance audits, and legal proceedings with complete, unaltered records spanning the required timeframes.

2. Retention Periods

  • AWS CloudTrail: 1 year active (searchable in CloudTrail console and Athena). 7 years archived to S3 Glacier Deep Archive with automated lifecycle policy. Satisfies HIPAA 6-year requirement with 1-year buffer.
  • CloudWatch Logs: 90 days hot (immediately queryable). 1 year archived to S3 via automated export. Application logs from Auth1 (Elastic Beanstalk) and EC2 instances. Archived logs are searchable via Athena.
  • DataDog: 15 months per DataDog's standard retention for logs and metrics. APM traces retained for 15 days (hot) with aggregated metrics retained for 15 months. Custom dashboards and alert history retained for the duration of the account.
  • GitLab Audit Logs: Per GitLab retention policy (platform-managed). H33 performs annual export of GitLab audit logs to S3 with 7-year retention, ensuring HIPAA compliance independent of GitLab's platform retention.
  • Auth1 Application Logs: 1 year active in CloudWatch Logs via Elastic Beanstalk. Authentication events (login, OTP, token issuance, failures) are structured JSON logs exported to S3 with 7-year archival retention for HIPAA.
  • Microsoft 365 Audit Logs: 1 year per Microsoft 365 E5/HIPAA security package. Unified audit log covers email, admin activities, and security events. Annual export to S3 for extended retention.
  • Drata Compliance Logs: Platform-managed, available for the duration of the audit engagement and account lifetime. Evidence snapshots archived annually to S3 for independent long-term retention.

3. Regulatory Requirements

HIPAA (45 CFR § 164.530(j))

HIPAA requires covered entities and business associates to retain documentation of policies, procedures, and audit logs related to protected health information (PHI) for a minimum of 6 years from the date of creation or the date when the policy was last in effect, whichever is later. H33.ai's 7-year archival retention for CloudTrail and Auth1 logs exceeds this requirement.

SOC 2 (Trust Services Criteria)

SOC 2 Type II audits typically cover a 12-month observation period. Audit logs must be retained for at least the full audit period to provide sufficient evidence for the auditor. H33.ai's minimum 1-year active retention across all log sources satisfies this requirement, with multi-year archival providing additional coverage for extended audit inquiries.

4. Storage and Encryption

  • Active storage: CloudWatch Logs (encrypted with AWS-managed keys), DataDog (encrypted at rest per DataDog SOC 2), GitLab (encrypted per GitLab SOC 2).
  • Archival storage: Amazon S3 with server-side encryption (AES-256 via SSE-S3). All archival buckets have versioning enabled to prevent silent overwrites.
  • Long-term archival: S3 Glacier Deep Archive for logs beyond the 1-year active window. Retrieval within 12 hours for standard requests, 48 hours for bulk requests.
  • MFA delete protection: Enabled on all archival S3 buckets. Object deletion requires MFA authentication from the root account.
  • Cross-region replication: CloudTrail archival buckets are replicated to a secondary AWS region (us-west-2) for disaster recovery.

5. Archival Process

Logs are archived through automated lifecycle policies with no manual intervention required:

  1. CloudTrail: Logs are delivered to S3 in real-time. S3 lifecycle policy transitions objects to Glacier after 365 days and to Glacier Deep Archive after 730 days.
  2. CloudWatch Logs: Automated export task runs daily, writing log data to the archival S3 bucket. CloudWatch retention policy deletes hot logs after 90 days.
  3. Auth1 logs: Structured JSON authentication events are streamed to CloudWatch and follow the same archival pipeline as other CloudWatch logs.
  4. Third-party logs: Annual manual export from GitLab, Microsoft 365, and Drata to S3 archival bucket, performed by the CISO during the annual compliance review.
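As an added example (not part of H33.ai's policy or tooling), the following Python check compares an archival bucket's lifecycle and versioning settings, in the shape boto3 returns them, against the controls stated in sections 4 and 5. The 2555-day figure for seven years and the sample responses are assumptions constructed for the example.

```python
"""Checks an archival bucket against the section 4 and 5 controls.
The dicts mirror boto3's get_bucket_lifecycle_configuration and
get_bucket_versioning responses; SAMPLE_* values are constructed, not real."""

RETENTION_DAYS = 7 * 365  # assumption: the 7-year period expressed as 2555 days
TRANSITIONS = {"GLACIER": 365, "DEEP_ARCHIVE": 730}  # section 5, step 1

def check_lifecycle(cfg: dict) -> list[str]:
    """Return policy deviations in the lifecycle configuration (empty = compliant)."""
    findings, seen, expiration = [], {}, None
    for rule in cfg.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # a disabled rule enforces nothing
        for t in rule.get("Transitions", []):
            seen[t.get("StorageClass")] = t.get("Days")
        if "Expiration" in rule:
            expiration = rule["Expiration"].get("Days")
    for cls, days in TRANSITIONS.items():
        if seen.get(cls) != days:
            findings.append(f"{cls} transition at {seen.get(cls)} days, policy requires {days}")
    if expiration is None:
        findings.append("no expiration rule: objects are never deleted, retention is unbounded")
    elif expiration < RETENTION_DAYS:
        findings.append(f"expiration at {expiration} days is shorter than the {RETENTION_DAYS}-day retention period")
    return findings

def check_versioning(ver: dict) -> list[str]:
    """Versioning prevents silent overwrites; MFA Delete guards version deletion."""
    findings = []
    if ver.get("Status") != "Enabled":
        findings.append("versioning disabled: silent overwrites are possible")
    if ver.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled on archival bucket")
    return findings

def audit_bucket(lifecycle: dict, versioning: dict) -> list[str]:
    return check_lifecycle(lifecycle) + check_versioning(versioning)

# Constructed sample: transitions match the policy, but expiration is 6 years
# (too short for HIPAA-relevant logs) and MFA Delete is off -> two findings.
SAMPLE_LIFECYCLE = {"Rules": [{"ID": "cloudtrail-archive", "Status": "Enabled",
    "Transitions": [{"Days": 365, "StorageClass": "GLACIER"},
                    {"Days": 730, "StorageClass": "DEEP_ARCHIVE"}],
    "Expiration": {"Days": 6 * 365}}]}
SAMPLE_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_LIFECYCLE, SAMPLE_VERSIONING):
        print("FINDING:", finding)
```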

6. Deletion Policy

  • Logs are only deleted after the full retention period has expired. No manual deletion of audit logs is permitted under any circumstances during the retention period.
  • S3 lifecycle policies automatically expire and delete objects after the defined retention period (7 years for HIPAA-relevant logs).
  • Deletion of log records before the retention period expires requires written approval from the CISO and legal counsel, with documentation of the business justification retained for 7 years.
  • In the event of a legal hold or ongoing investigation, relevant logs are placed on indefinite retention (S3 Object Lock with Legal Hold) until the hold is released.

7. Review Schedule

  • Annual: CISO reviews retention periods against current regulatory requirements (HIPAA, SOC 2, and any new obligations). Validates that lifecycle policies are functioning correctly and archival storage costs are within budget.
  • On regulatory change: Retention periods are reassessed whenever new regulatory requirements are identified that may affect log retention obligations.
  • On audit finding: Any audit finding related to log retention triggers an immediate review and remediation within 30 days.

Questions?

Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.

H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945