Skip to Content
Security & TrustData Retention

Data Retention

Data retention defines how long information is kept in Nairo and how deletion is handled.

This page describes Nairo’s current position on retention. It is intended for customer administrators, legal, security and compliance stakeholders reviewing Nairo’s data lifecycle.

For contractual retention, deletion and termination commitments, refer to the applicable agreement and data processing terms with Nairo.

Current state

Nairo does not currently provide a self-serve customer admin UI for configuring data retention policies.

Retention of data stored in Nairo is governed by:

  • Platform-level retention practices managed by Nairo
  • Contractual terms in the customer agreement
  • Applicable legal and regulatory requirements
  • Any agreed onboarding, pilot or termination process

If your organisation has specific retention requirements, discuss them with Nairo before uploading sensitive or regulated materials.

What data may be retained

Depending on the surfaces used, Nairo may retain several categories of workspace data.

Data typeExamples
Uploaded filesDocuments uploaded to Library, Projects or supported product surfaces
Document metadataFile name, status, storage references, processing state and workspace associations
Derived document dataExtracted text, structured values, chunks, embeddings or review outputs where created
Assistant conversationsConversation history and messages where conversation history is supported
Project materialsUploaded Project files, Project context and outputs where supported
Insight Table reviewsReviews, columns, cell outputs and execution results
Library recordsFolders, document references and sharing records
Expert configurationExpert instructions, selected materials or settings where supported
Action dataAction inputs, run outputs or deliverables where supported
Operational recordsProcessing events, sharing events, audit-style records and logs where created

Not every workspace uses every data type. Retention depends on the product surfaces enabled, the customer’s use case and the implementation scope.

Uploaded files and derived data

Uploaded documents may generate derived data during processing.

Derived data may include extracted text, structured fields, chunks, embeddings, review cell values or other intermediate outputs used for retrieval, analysis and AI-assisted review.

Deleting or removing a source document may not always be equivalent to immediately removing every related operational record, log, backup or derived record unless the deletion process explicitly covers those items.

Customer-specific deletion requirements should be confirmed with Nairo.

Application deletion

Users may be able to delete certain workspace objects through the application UI where deletion is supported.

This may include items such as documents, folders, Projects, reviews or other workspace records depending on the product surface and configuration.

Deletion behaviour is handled at platform level and may vary by object type.

For contractual deletion requests, including deletion after contract termination, customers should contact Nairo and follow the agreed data deletion process.

Backups and operational records

Retention and deletion of backups, operational logs, processing records and audit-style events may follow separate platform processes.

These records may be retained for security, operational, debugging, compliance or service integrity purposes, subject to the applicable agreement and data processing terms.

Customers should not assume that deleting an item from the UI immediately removes all related backups, logs or operational records.

Contract termination

Upon contract termination, deletion or return of customer data should follow the agreed contractual process.

The customer and Nairo should confirm:

  • Which data types are in scope
  • Whether data should be deleted, exported or returned
  • Whether derived data is included
  • Whether logs or operational records are excluded or retained for a defined period
  • The expected deletion timeline
  • Any legal, regulatory or dispute-related retention requirements

Capabilities not available today

The following are not available as self-serve capabilities in the current application UI:

  • Configurable retention periods
  • Automated deletion schedules
  • Legal hold management
  • Customer-managed retention rules by document type
  • Self-serve data residency configuration
  • Self-serve export and purge workflows for every data type

These requirements should be handled through contractual terms, onboarding decisions and agreed operational processes.

Organisational responsibility

Customer organisations should define their own retention approach before using Nairo for production workflows.

This should include:

  • Which document types may be uploaded
  • Which AI-assisted outputs must be retained
  • Which outputs must be copied to a system of record
  • Which users may delete workspace materials
  • How long review outputs should be kept
  • How deletion requests should be approved internally
  • What should happen when a pilot or contract ends

Nairo should not be treated as the customer’s official records management system unless this has been agreed explicitly.

Getting started

Review your contractual data processing terms with Nairo and document which Nairo data types fall under your organisation’s retention schedule.

Before a pilot, decide which materials can be uploaded, which outputs must be exported to systems of record and what should happen to workspace data when the pilot ends.