Preview-safe

ControlLayer

Retention and AI privacy controls

Review tenant retention posture, export/delete requests, AI prompt/output retention, and manual destructive gates without enabling live deletion, provider calls, signed URLs, or legal-advice workflows.

Review persisted retention policy metadata, export/delete request posture, AI prompt/output privacy controls, and manual destructive gates without live deletion or provider calls.

Audit-event retention is blocked from deletion and must stay explicit in tenant deletion previews.

Preview only

Tenant: tenant-preview-north-estate

Preview session for Elsa Morrison

Mode: tenant-retention-privacy-preview

No persistent settings write or destructive tenant action.

Next review: Recertify AI prompt/output retention before enabling production provider storage.

Human review remains required before production deletion work.

Ready policies: 4/8 retention lanes have an owner, legal basis, export coverage, and deletion method

Open requests: 3 (export, subject-delete, and tenant-delete reviews remain human-approved only)

AI review cues: 1 (prompt/output retention and provider privacy controls need owner recertification)

Blocked policies: 1 (blocked rows stay visible so previews never imply silent deletion is possible)

Backup and restore readiness

Release-blocking ownership and rehearsal evidence

Production gate

Supabase backup cadence

CONTROL_BACKUP_PROVIDER + CONTROL_BACKUP_CADENCE · owner: Ops incident commander

needs review

Production must document Supabase backup cadence and retention before V1 release; preview uses non-secret release-gate signals only.

Cadence / objective: Daily backup plus PITR-compatible production evidence

Next review: Before V1 production launch

Backup retention window

CONTROL_BACKUP_RETENTION_DAYS · owner: Database owner

needs review

Release gate checks that a positive retention-day value is documented without querying Supabase or printing connection details.

Cadence / objective: At least seven retained days; target 35 days for V1 launch

Next review: Before release candidate cut

Named restore owner

CONTROL_BACKUP_RESTORE_OWNER · owner: Tenant operations lead

blocked

Production release blocks when the restore owner is missing or a generic placeholder such as TBD, none, owner, or unassigned.

Cadence / objective: Owner must be named for every production release gate

Next review: Every production release

Restore rehearsal evidence

CONTROL_BACKUP_RESTORE_REHEARSAL_STATUS + CONTROL_BACKUP_RESTORE_REHEARSAL_DATE · owner: Restore owner

blocked

Rehearsal must verify migration version, tenant isolation/RLS, document metadata, and operational rollback criteria.

Cadence / objective: Complete isolated restore rehearsal before launch

Next review: Before production launch and after major schema changes

RPO/RTO and tenant-isolation restore check

CONTROL_BACKUP_RPO_HOURS + CONTROL_BACKUP_RTO_HOURS + CONTROL_BACKUP_RESTORE_TENANT_ISOLATION_VALIDATED · owner: Security owner

blocked

Release gate requires documented RPO/RTO objectives and a true tenant-isolation validation flag from the restore rehearsal.

Cadence / objective: RPO/RTO at or below 24 hours for V1; tenant isolation validated in rehearsal

Next review: Every restore rehearsal
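The five production-gate checks above can be evaluated from the CONTROL_BACKUP_* values alone. The following is an added example, not ControlLayer's own gate code: it assumes the rehearsal status value "complete", treats an undocumented retention value as "needs review" and a documented value under seven days as "blocked", and never contacts Supabase or echoes the values it rejects.

```typescript
// Added example (not ControlLayer code): evaluates the CONTROL_BACKUP_* release
// gate from environment values only. It never connects to Supabase and never
// echoes the rejected values, so its result is safe to log.
type GateStatus = "ready" | "needs review" | "blocked";
type Env = Record<string, string | undefined>;

// Placeholder owners named on the page; compared case-insensitively.
const PLACEHOLDER_OWNERS = ["", "tbd", "none", "owner", "unassigned"];

function positiveNumber(raw: string | undefined): number | null {
  if (raw === undefined || raw.trim() === "") return null;
  const n = Number(raw);
  return Number.isFinite(n) && n > 0 ? n : null;
}

function evaluateBackupGate(env: Env): Record<string, GateStatus> {
  const retentionDays = positiveNumber(env.CONTROL_BACKUP_RETENTION_DAYS);
  const owner = (env.CONTROL_BACKUP_RESTORE_OWNER ?? "").trim().toLowerCase();
  // Assumed convention: status "complete" plus a parseable date counts as evidence.
  const rehearsed =
    (env.CONTROL_BACKUP_RESTORE_REHEARSAL_STATUS ?? "").toLowerCase() === "complete" &&
    !Number.isNaN(Date.parse(env.CONTROL_BACKUP_RESTORE_REHEARSAL_DATE ?? ""));
  const rpo = positiveNumber(env.CONTROL_BACKUP_RPO_HOURS);
  const rto = positiveNumber(env.CONTROL_BACKUP_RTO_HOURS);
  const isolated = env.CONTROL_BACKUP_RESTORE_TENANT_ISOLATION_VALIDATED === "true";

  return {
    // Cadence is documentation: both values present means it can be reviewed.
    cadence: env.CONTROL_BACKUP_PROVIDER && env.CONTROL_BACKUP_CADENCE ? "ready" : "needs review",
    // Page thresholds: at least 7 retained days, 35 is the V1 target (mapping assumed).
    retention:
      retentionDays === null ? "needs review"
        : retentionDays < 7 ? "blocked"
        : retentionDays < 35 ? "needs review" : "ready",
    // A missing or placeholder restore owner blocks the production release.
    restoreOwner: PLACEHOLDER_OWNERS.indexOf(owner) !== -1 ? "blocked" : "ready",
    rehearsal: rehearsed ? "ready" : "blocked",
    // RPO/RTO documented and at or below 24 hours, with isolation validated in rehearsal.
    rpoRto:
      rpo === null || rto === null || !isolated ? "blocked"
        : rpo <= 24 && rto <= 24 ? "ready" : "needs review",
  };
}

function releaseBlocked(gate: Record<string, GateStatus>): boolean {
  return Object.keys(gate).some((k) => gate[k] === "blocked");
}
```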

Restore rehearsal checklist

Confirm restore owner, incident channel, rehearsal tenant, and no-production-write boundary.

blocked

Owner: Ops incident commander. Evidence: Owner must be named in release-gate configuration and release checklist.

Risk if missing: No accountable operator can authorize or stop a restore rehearsal.

Restore into an isolated Supabase project or disposable database, never over production.

needs evidence

Owner: Database owner. Evidence: Rehearsal notes must record project/environment identifier without credentials.

Risk if missing: Production data may be overwritten or mixed with preview/test fixtures.

Verify migration manifest, schema version, RLS policies, and tenant-scoped indexes.

needs evidence

Owner: Platform owner. Evidence: Run migration validation and tenant-isolation smoke checks after restore.

Risk if missing: Restored data may boot against the wrong schema or bypass tenant isolation.

Verify document metadata and storage-object assumptions without issuing signed URLs.

needs evidence

Owner: Document controller. Evidence: Check private bucket names, metadata counts, and erased/held state counts only.

Risk if missing: Operators may assume objects were restored or erased when only metadata was checked.

Record measured RPO/RTO, failed steps, rollback decision, and next rehearsal date.

blocked

Owner: Restore owner. Evidence: Release checklist must include date, status, RPO/RTO, and tenant-isolation result.

Risk if missing: Production launch cannot prove recoverability before customer data is onboarded.

Retention policy matrix

Data categories, export coverage, and deletion posture

Columns: Category · Retention · Records · Coverage · Status

Active and recently ended contract metadata

Contract operation and statutory record keeping · owner: Tenant admin

Retention: Term plus 7 years unless legal hold applies · Records: 184 (oldest 8 years) · Coverage: Included in tenant export pack · Status: ready

Private document metadata and storage references

Contract evidence and compliance evidence management · owner: Document controller

Retention: Term plus 7 years, storage erase after approved retention job · Records: 643 (oldest 6 years) · Coverage: Metadata only; signed URLs are never generated here · Note: Storage deletion remains disabled in preview mode. · Status: needs review

Immutable audit and verification events

Security, auditability, and fraud prevention · owner: Audit owner

Retention: 7 years minimum; deletion is restricted · Records: 4,812 (oldest 7 years) · Coverage: Exportable as redacted audit report · Note: Audit events cannot be silently removed from a tenant deletion preview. · Status: blocked

Spreadsheet and ZIP import staging rows

Import troubleshooting and migration traceability · owner: Migration lead

Retention: 90 days after commit or cancellation · Records: 89 (oldest 73 days) · Coverage: Summary rows included; rejected raw rows excluded · Status: ready

Controlled export request records

Data subject request and export-control audit trail · owner: Finance and audit owner

Retention: Request ledger for 2 years; generated files expire earlier · Records: 26 (oldest 14 months) · Coverage: Included in data-access report · Status: ready

AI prompt/output review metadata

Human verification and model-safety troubleshooting · owner: AI review owner

Retention: 30 days for prompts; verified source spans retained as metadata · Records: 118 (oldest 42 days) · Coverage: Metadata only; raw prompts and outputs are excluded · Note: Prompt/output retention needs quarterly owner recertification. · Status: needs review

Search index and redacted snippets

Operational search over permitted records · owner: Search owner

Retention: Rebuild from approved metadata; remove when source record is removed · Records: 321 (oldest 11 months) · Coverage: Not exported; search index is derived data · Note: Live search-provider deletion is deferred to production integration. · Status: needs review

Support access windows and diagnostic summaries

Security investigation and support accountability · owner: Support lead

Retention: 1 year after support access window closes · Records: 17 (oldest 9 months) · Coverage: Included as access-window summary · Status: ready

Document retention states

Explicit metadata, storage, and derived-index deletion states

Columns: State · Entry / exit · Owner · Production effect · Status

Active operational document

active / storage: active

Document metadata and private storage reference remain visible to authorized tenant users.

Enters: A document is uploaded, scanned, linked, and not under deletion review. Exit criteria: Contract expiry, tenant request, or owner review moves it to retained or deletion review. Owner: Document controller. Production effect: Normal read/update policies apply; no deletion job is implied. Export: Included in tenant export metadata; signed URLs are not generated from this view. Status: ready

Retained for statutory or operational window

retained / storage: retained

Document remains kept after active use because retention period has not expired.

Enters: Contract or compliance record ends but retention period still applies. Exit criteria: Retention window ends and no legal/audit hold is active. Owner: Retention owner. Production effect: Read-only posture preferred; destructive jobs stay disabled until review. Export: Metadata exportable; private file access still requires separate authorization. Status: ready

Retention or legal hold

retention_hold / storage: held

Deletion is blocked while legal, audit, compliance, or security hold reason exists.

Enters: A human owner records a hold reason before any erase workflow. Exit criteria: Hold owner clears the reason and records review evidence. Owner: Audit owner. Production effect: Blocks deletion preview; the preview must show the blocker and future jobs must skip the document. Export: Redacted metadata can be reported; raw file access remains controlled. Status: blocked

Soft-deleted metadata

soft_deleted / storage: retained

User-facing record is hidden but metadata and storage object remain recoverable.

Enters: An authorized user archives/removes the document without final erase approval. Exit criteria: Review owner restores it or moves it to deletion review after cooling off. Owner: Tenant admin. Production effect: RLS still applies; storage erasure and search purge remain separate explicit steps. Export: Included as deleted metadata in tenant export when legally required. Status: needs review

Deletion review

deletion_review / storage: retained

Human reviewer confirms export coverage, hold status, and downstream purge plan.

Enters: Tenant deletion or subject deletion preview identifies eligible document records. Exit criteria: Owner approves or rejects the future destructive job with rationale. Owner: Retention owner. Production effect: Blocks deletion preview; preview-only in this patch, so no queue, storage delete, or provider call is made. Export: Export coverage is verified before any future erase step. Status: needs review

Storage erase pending

storage_erase_pending / storage: erase_pending

Metadata indicates the private object would need erasure in a future controlled job.

Enters: Deletion review approves object erasure and no hold remains. Exit criteria: Future production job records storage_erased_at and no signed URL is issued. Owner: Storage owner. Production effect: Blocks deletion preview; not executable in preview, documents the future destructive boundary only. Export: Export records the erase request and object reference summary, not the file body. Status: blocked

Search purge pending

search_purge_pending / storage: erased

Storage erasure has been represented but derived search/index data still needs purge.

Enters: Future storage erasure completes before search provider/index purge evidence. Exit criteria: Future search delete-by-tenant/source and rebuild evidence is recorded. Owner: Search owner. Production effect: Blocks deletion preview; search deletion remains an explicit provider boundary, not an implicit side effect. Export: Derived index records are not exported; purge evidence is audit metadata only. Status: blocked

Erased with minimal metadata retained

erased_metadata_retained / storage: erased

Private object is represented as erased while minimal audit metadata remains.

Enters: Future storage and search purge evidence is complete. Exit criteria: Audit-retention window expires or regulator/human review requires extension. Owner: Audit owner. Production effect: Only minimal immutable deletion evidence remains visible to authorized reviewers. Export: Export includes deletion evidence, not document content or signed access. Status: ready
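The state table above fixes which states block a deletion preview and which never leave the tenant at all. The following is an added example, not ControlLayer's own preview code: it assumes a minimal document record shape (id, state, optional hold reason), treats active, retained and soft-deleted documents as the ones a preview may propose for deletion review, and passes the immutable audit-event count through untouched.

```typescript
// Added example (not ControlLayer code): a preview-only pass over the document
// states listed above. It classifies records and names every blocker; it does
// not delete, queue, erase storage, purge search, or issue signed URLs.
type DocState =
  | "active" | "retained" | "retention_hold" | "soft_deleted" | "deletion_review"
  | "storage_erase_pending" | "search_purge_pending" | "erased_metadata_retained";

// Assumed record shape; the page lists states, not a schema.
interface DocRecord { id: string; state: DocState; holdReason?: string }

// States the page marks "Blocks deletion preview".
const BLOCKING_STATES: DocState[] = [
  "retention_hold", "deletion_review", "storage_erase_pending", "search_purge_pending",
];

interface DeletionPreview {
  eligible: string[];                         // may be proposed for deletion review
  blocked: { id: string; reason: string }[];  // always listed, never silently dropped
  evidenceOnly: string[];                     // already erased; only audit metadata remains
  auditEventsRetained: number;                // immutable audit events are never deleted
}

function previewTenantDeletion(docs: DocRecord[], auditEventCount: number): DeletionPreview {
  const preview: DeletionPreview = {
    eligible: [], blocked: [], evidenceOnly: [], auditEventsRetained: auditEventCount,
  };
  for (const doc of docs) {
    if (doc.state === "erased_metadata_retained") {
      preview.evidenceOnly.push(doc.id);
    } else if (doc.state === "retention_hold") {
      // A human owner records the hold reason before any erase workflow (table above).
      preview.blocked.push({ id: doc.id, reason: `hold: ${doc.holdReason ?? "reason not recorded"}` });
    } else if (BLOCKING_STATES.indexOf(doc.state) !== -1) {
      preview.blocked.push({ id: doc.id, reason: `${doc.state}: owner review required before any job` });
    } else {
      // active, retained, soft_deleted: eligible to enter deletion review after owner approval.
      preview.eligible.push(doc.id);
    }
  }
  return preview;
}
```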

Export and deletion queue

Human-review-only request previews

No live deletion

Operations manager access report

export requested by Elsa Morrison

preview ready

Affected records: 184

Format: zip

Cooling off: Not active

Ready for human review; no signed URL is generated in preview.

Archived supplier contact cleanup

delete subject requested by Compliance reviewer

awaiting review

Affected records: 32

Format: json

Cooling off: Not active

Needs owner approval because linked audit events remain immutable.

Tenant deletion cooling-off preview

tenant deletion requested by Tenant owner

cooling off

Affected records: 6,210

Format: none

Cooling off: 2026-05-28T17:00:00.000Z

Preview only: no tenant deletion, storage delete, or queue dispatch occurs.

AI privacy controls

Prompt/output retention and human-verification gates

Prompt and output retention window

Status: needs review

Prompt retention: 30 days in preview metadata only

Output retention: 30 days until verified source spans replace raw output

Review gate: Required before contract metadata becomes trusted.

Owner must recertify prompt/output retention before production AI storage.

No silent external AI sends

Status: enabled

Prompt retention: No raw prompt leaves preview fixtures

Output retention: Provider output is not persisted by this control center

Review gate: Human review remains mandatory for critical fields.

Safe default is enabled and visible to reviewers.

No legal advice boundary

Status: enabled

Prompt retention: Legal drafting prompts are out of scope

Output retention: Assistant answers remain operational and review-gated

Review gate: Legal-sensitive outputs must be escalated to a human reviewer.

UI copy must not imply legal advice or autonomous decisions.

Subprocessor and privacy review

Future provider coverage without live provider calls

AI provider placeholder

OCR and extraction review in future production mode

needs review

Data categories: document metadata, verified source spans. Next review: 2026-05-31.

Preview mode performs no provider call and stores no provider response.

Supabase Storage placeholder

Private document storage and tenant-scoped object lifecycle

needs review

Data categories: private document references, export artifact metadata. Next review: 2026-06-15.

No storage delete or signed URL is issued from this route.

Email provider placeholder

Future export/deletion certificate notifications

documented

Data categories: recipient identifiers, audit summary. Next review: 2026-06-15.

This feature never sends emails or external messages.

Manual destructive gate

Record review without deleting data

This production settings surface persists review metadata only. It never approves tenant deletion, queues a worker, deletes Supabase Storage, purges search, sends email, or calls a provider.

No destructive action