
Data Retention

Rack Gateway stores audit logs in PostgreSQL and can write WORM anchors to S3 for tamper-evident retention. The gateway does not automatically delete audit logs; retention policies are enforced by operators.

  • Primary storage: PostgreSQL (audit.audit_event)
  • WORM anchors: Optional S3 Object Lock bucket

Audit logs remain in PostgreSQL until you delete them. For compliance-sensitive environments, retain logs long enough to satisfy your audit requirements.

If you choose to prune logs manually, use the timestamp column in audit.audit_event and ensure you remain compliant with your policy.

WORM anchors capture the chain head hash and metadata, not full log exports. Anchors are written periodically (default: hourly) to an Object Lock bucket.

# Enable anchors
AUDIT_ANCHOR_BUCKET=rack-gateway-audit-anchor-production
AUDIT_ANCHOR_CHAIN_ID=production
AUDIT_ANCHOR_RETENTION_DAYS=400
# Optional
AUDIT_ANCHOR_INTERVAL_MINUTES=60
AWS_REGION=us-east-1
# For MinIO or another S3-compatible endpoint
AWS_ENDPOINT_URL_S3=http://minio:9000
  1. Compute chain head
     • Gateway reads the latest audit.audit_event hash
  2. Write anchor payload
     • JSON payload written to S3 with Object Lock retention
  3. Verify externally
     • Use the stored hash to validate the chain later
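The three steps above, carried through end to end as an added example (this is not Rack Gateway's own code). The gateway's real hash scheme, the column names of audit.audit_event other than timestamp, the genesis value and the S3 key layout are not documented on this page, so the example assumes a simple scheme (each row's hash is SHA-256 over the previous hash concatenated with the row's canonical JSON, starting from an all-zero hash), uses constructed sample rows, and builds the put_object arguments without calling boto3; an operator would pass them as boto3.client("s3").put_object(**args).

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for rows of audit.audit_event. Column names other than
# "timestamp" and the gateway's real hash scheme are NOT documented on this page;
# the chain below is an assumed scheme: hash_i = sha256(prev_hash || canonical JSON).
SAMPLE_EVENTS = [
    {"seq": 1, "timestamp": "2024-05-01T10:00:00Z", "actor": "alice", "action": "login"},
    {"seq": 2, "timestamp": "2024-05-01T10:05:00Z", "actor": "alice", "action": "exec",
     "target": "rack-07"},
    {"seq": 3, "timestamp": "2024-05-01T10:09:30Z", "actor": "bob", "action": "login"},
]
GENESIS_HASH = "0" * 64                                         # assumed chain start
WRITTEN_AT = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)  # constructed anchor time
RETENTION_DAYS = 400                                            # as AUDIT_ANCHOR_RETENTION_DAYS


def canonical(event):
    """Deterministic encoding so the same row always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def event_hash(prev_hash, event):
    return hashlib.sha256(bytes.fromhex(prev_hash) + canonical(event)).hexdigest()


def chain_head(events):
    """Step 1: fold the rows in seq order; return (head hash, seq of the head row)."""
    head, head_seq = GENESIS_HASH, 0
    for ev in sorted(events, key=lambda e: e["seq"]):
        head, head_seq = event_hash(head, ev), ev["seq"]
    return head, head_seq


def build_anchor(chain_id, events, written_at, retention_days):
    """Step 2: the anchor carries only the head hash plus metadata, never row bodies."""
    head, head_seq = chain_head(events)
    return {
        "chain_id": chain_id,
        "hash_alg": "sha256",
        "head_hash": head,
        "head_seq": head_seq,
        "written_at": written_at.isoformat(),
        "retain_until": (written_at + timedelta(days=retention_days)).isoformat(),
    }


def put_object_args(bucket, anchor):
    """Keyword arguments for boto3 s3.put_object(**args). COMPLIANCE mode plus an
    explicit retain-until date means no principal can shorten the lock afterwards."""
    return {
        "Bucket": bucket,
        "Key": f"{anchor['chain_id']}/{anchor['written_at']}.json",  # assumed key layout
        "Body": json.dumps(anchor, sort_keys=True).encode(),
        "ContentType": "application/json",
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": datetime.fromisoformat(anchor["retain_until"]),
    }


def verify_against_anchor(anchor, events):
    """Step 3: recompute the chain from an export of the rows and compare it with the
    head hash stored in the WORM anchor. Returns (ok, reason)."""
    subset = [e for e in events if e["seq"] <= anchor["head_seq"]]
    if sorted(e["seq"] for e in subset) != list(range(1, anchor["head_seq"] + 1)):
        return False, "missing rows"          # a deleted row leaves a gap in seq
    head, _ = chain_head(subset)
    if head != anchor["head_hash"]:
        return False, "head hash mismatch"    # an edited row changes every later hash
    return True, "ok"


if __name__ == "__main__":
    anchor = build_anchor("production", SAMPLE_EVENTS, WRITTEN_AT, RETENTION_DAYS)
    print(json.dumps(anchor, indent=2))
    print(verify_against_anchor(anchor, SAMPLE_EVENTS))
    tampered = [dict(e, actor="mallory") if e["seq"] == 2 else e for e in SAMPLE_EVENTS]
    print(verify_against_anchor(anchor, tampered))
```

Rows written after the anchor are ignored by the verifier, so an anchor taken every hour only vouches for the rows up to its head_seq; rows that are pruned below a still-valid anchor's head can no longer be verified against it, which is why the retention of the PostgreSQL rows and the retention of the anchors should be planned together.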
Example Terraform for the anchor bucket (AWS provider 4.x or later syntax; the bucket-level versioning and object_lock_configuration blocks of older providers are replaced by separate resources):

resource "aws_s3_bucket" "audit_anchor" {
  bucket = "rack-gateway-audit-anchor-${var.environment}"

  # Object Lock can only be enabled when the bucket is created.
  object_lock_enabled = true
}

# Object Lock requires versioning; keep it enabled for the life of the bucket.
resource "aws_s3_bucket_versioning" "audit_anchor" {
  bucket = aws_s3_bucket.audit_anchor.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_object_lock_configuration" "audit_anchor" {
  bucket = aws_s3_bucket.audit_anchor.id

  rule {
    default_retention {
      # COMPLIANCE mode: no principal, including the root account, can shorten
      # or remove the retention before it expires. Keep in step with
      # AUDIT_ANCHOR_RETENTION_DAYS.
      mode = "COMPLIANCE"
      days = 400
    }
  }
}