Retention
How long Openavail keeps your audit log, and what happens when it expires.
Retention by plan
| Plan | Audit log retention |
|---|---|
| Builder | 7 days |
| Team | 13 months |
| Governance | 7 years |
Retention is measured from the decision_timestamp of each row, not from when you subscribed to the plan.
What happens at expiry
Expired rows are soft-deleted: they are removed from the dashboard view and the GET /v1/decisions API, but the underlying data is held for an additional 30-day grace period. During the grace period you can contact support to recover specific rows.
After the grace period, rows are permanently deleted and cannot be recovered.
The decision_id remains valid as a reference even after deletion — if you have exported the row, the signature is still verifiable.
Extending retention
Upgrading your plan extends retention prospectively: new decisions follow the new plan's retention window. Existing decisions retain the window that applied when they were created.
To extend retention for historical data, export it before expiry using the JSONL export (Dashboard → Audit log → Export) or GET /v1/decisions.
Signature verification
Each audit row is signed with an ed25519 key. To verify a decision offline:
- Fetch the public key:
GET https://api.openavail.com/v1/audit/public-key - Construct the signing payload:
{decision_id}:{action}:{timestamp}:{calendar_owner}:{rule_fired} - Verify the
signaturefield in the audit row against the payload using the public key
# Example using openssl
echo -n "{decision_id}:{action}:…" | \
openssl dgst -sha256 -verify openavail-public.pem -signature sig.bin
The public key is rotated annually. Previous public keys remain published for the duration of the maximum retention window so old records remain verifiable.