BizFirst Observe
Compliance Retention
Regulatory requirements impose minimum log retention periods and specific data handling rules. BizFirstGO deployments in financial, healthcare, and enterprise contexts must align observability retention with applicable regulations — primarily GDPR, SOX, HIPAA, and PCI-DSS.
Regulatory Retention Requirements
| Regulation | Minimum Retention | Scope | BizFirstGO Impact |
|---|---|---|---|
| SOX (Sarbanes-Oxley) | 7 years | Financial records, audit trails | Workflow execution logs for financial processes must be retained 7 years |
| GDPR | Not specified (data minimization applies) | EU personal data | Logs containing EU user data must be deletable on request; don't keep longer than necessary |
| HIPAA | 6 years | Protected health information (PHI) | Any workflow touching PHI — audit logs retained 6 years minimum |
| PCI-DSS | 1 year (3 months hot) | Payment card data environments | Cardholder data environment logs retained 1 year; 3 months immediately accessible |
Recommended Retention Configuration by Tenant Type
# loki-runtime-config.yaml — per-tenant compliance retention
overrides:
# SOX-regulated financial workflow tenant
"tenant-financial":
retention_period: 61320h # 7 years = 61,320 hours
# Use S3 lifecycle: hot (Standard) 30 days, then Glacier for remainder
# HIPAA healthcare workflow tenant
"tenant-healthcare":
retention_period: 52560h # 6 years = 52,560 hours
# PCI-DSS payment processing tenant
"tenant-payments":
retention_period: 8760h # 1 year = 8,760 hours
# 3 months in Standard, rest in Standard-IA per PCI-DSS requirement
# Standard SaaS tenant (no specific regulation)
"tenant-standard":
retention_period: 2160h # 90 daysGDPR: Deleting Specific User Data
When a user submits a GDPR "right to erasure" (right to be forgotten) request, any logs containing their personal data must be deleted. Loki provides a delete API for this purpose:
# Loki Delete API — remove log lines containing PII for a specific user
# Must have retention_enabled: true and the Loki delete API enabled
# Step 1: Identify the log streams and time range containing the user's data
# Example: find all logs referencing user ID "user-abc123"
{job="processengine"} |= "userId=user-abc123"
# Step 2: Create a delete request
curl -g -X POST \
"http://localhost:3100/loki/api/v1/delete" \
--data-urlencode 'query={job="processengine"} |= "userId=user-abc123"' \
--data-urlencode 'start=2024-01-01T00:00:00Z' \
--data-urlencode 'end=2025-01-01T00:00:00Z' \
-H "X-Scope-OrgID: tenant-id"
# Step 3: Check deletion status
curl -g "http://localhost:3100/loki/api/v1/delete" \
-H "X-Scope-OrgID: tenant-id"
# Step 4: Document the deletion request and completion for GDPR audit trail
Loki Delete API Requires Configuration
The Loki delete API is not enabled by default. Add allow_deletes: true under compactor in loki-config.yaml. Also, the delete request is processed asynchronously — it may take hours to complete, depending on how many log chunks need to be rewritten. Do not assume immediate deletion.
Compliance Audit Trail for Observability Changes
# Document all retention policy changes for compliance auditors:
# Maintain a retention-policy-log.md in your infrastructure repository
# Example audit entry:
## 2025-01-15 — SOX Retention Update
# Changed: tenant-financial retention_period from 30d to 7y
# Reason: New SOX audit requirement confirmed by legal
# Approved by: [Name], Platform Engineering Lead
# Reviewed by: [Name], Compliance Officer
# Effective: Immediately (new policy applies to all new log chunks)