Data Retention and Secure Deletion Policy — Veloxis
Effective date: [to be set on first publication]
Last revised: 2026-05-24
Data Fiduciary: VKG & Associates, Chartered Accountants
Owner of this policy: CA Krishna Gujarathi
This policy specifies how long the Veloxis platform retains each class of data, the legal basis for each retention period, and the procedure for secure deletion at the end of the period.
It reconciles two competing regimes:
- The Standard on Auditing (SA) 230 issued by the Institute of Chartered Accountants of India requires audit working papers to be retained for a period not less than seven years from the date of the auditor's report, including all evidence relied upon during the audit.
- The Digital Personal Data Protection Act, 2023 ("DPDP Act") §8(7) requires erasure of personal data when the purpose for which it was processed is no longer being served.
Where these rules conflict, the Firm relies on §17(1)(c) of the DPDP Act (compliance with a law) and §17(1)(e) (rights and duties under any law) to retain audit working papers for the SA 230 period. The Firm then erases the data on the SA 230 expiry.
1. Retention table
| Data class | Retention | Basis | Storage |
|---|---|---|---|
| Engagement record and metadata (engagement type, period, status, assignee) | 7 years from date of auditor's report | SA 230 ¶A23 | Primary PostgreSQL |
| Trial balance, ledger master, daybook, registers, financial statements | 7 years from date of auditor's report | SA 230 ¶A23 | Primary PostgreSQL + R2 cold storage from year 2 |
| Working papers (notes, sub-items, audit trails, conclusions) | 7 years from date of auditor's report | SA 230 ¶A23 | Primary PostgreSQL |
| Generated reports (Audit Report, CARO, IFC, Form 3CD, FS workbook, MRL) | 7 years from date of auditor's report | SA 230 ¶A23; Companies Act §128(5) | R2 |
| Documents uploaded by clients (PDFs, Excels, images) | 7 years from date of auditor's report; OR until client withdraws consent | SA 230 + DPDP Act | R2 |
| Raw extracted text from PDFs / Excels (OCR + structured extract) | 30 days from extraction unless retained as part of working papers | Best practice: minimise raw text dwell-time | Local FS / DB; rolled off by rolloffOldExtractions cron |
| TokenMap (token → encrypted plaintext mapping) | 7 years from date of auditor's report on the parent engagement | SA 230 (needed to reverse-engineer historic AI output) | PostgreSQL (encrypted at rest) |
| TokenAllowlist (per-engagement do-not-mask rules) | 7 years from date of auditor's report on the parent engagement | Same | PostgreSQL |
| AIPrivacyLog and AICallSnapshot (audit trail of AI calls) | 90 days for the full bidirectional snapshot; 7 years for the metadata row | DPDP audit-trail + provider-side abuse-detection window | PostgreSQL |
| Login + session + 2FA records | 18 months from last activity | DPDP minimisation + IT Act §43A | PostgreSQL |
| Firm employee personal data (name, e-mail, role, hashed password) | Length of employment + 7 years | Income-tax Act §149 for TDS records; ICAI articleship register requirements | PostgreSQL |
| Application audit log (who did what, when) | 7 years from date of action | SA 230 + DPDP §8(4)(d) | PostgreSQL |
| Cloud backup snapshots of the database | 30 days rolling | Operational | R2 |
| All ICT system logs (Nginx access, application stdout, PM2, PostgreSQL, sidecar, cron, application telemetry) | 180 days rolling | CERT-In Directions 28-Apr-2022, §IV — service-provider ICT logs to be mandatorily enabled and maintained securely within Indian jurisdiction for a rolling period of 180 days | Local log files; rotated by logrotate; archived to local encrypted directory under /var/log/veloxis-archive/ after primary rotation |
2. Trigger points for the seven-year clock
- Statutory audit, tax audit, internal audit, interim audit — date of signing of the auditor's report. For tax audit, the date of upload of Form 3CD via the income-tax e-filing portal.
- ITR filing — date of filing acknowledgment.
- MRL letters — date of obtaining the management representation.
- Engagements signed off without a deliverable (e.g., engagement abandoned for fee reasons) — date of formal abandonment recorded in the engagement record.
The seven-year clock is recorded as retentionExpiryDate on each Engagement row when the engagement reaches SIGNED_OFF status. A periodic job ("retention sweep") runs monthly and deletes engagements whose retentionExpiryDate is in the past, in a single transaction per engagement.
3. Erasure on data-principal request
A data principal (a director, partner, employee, vendor, customer whose personal data is held in Veloxis) may request erasure under §12 of the DPDP Act.
The Firm will:
- Acknowledge the request within twenty-four hours.
- Determine whether the data is required to be retained under another law (chiefly SA 230). If yes, the Firm replies with the specific retention basis and the date of expected erasure.
- Where the data is not required to be retained, the Firm erases the data within thirty days and confirms the action in writing.
- Where the data principal disputes the determination, the matter is escalated to the Grievance Officer.
The Firm cannot erase, at a data principal's request, personal data that belongs to someone other than that data principal (e.g., the data principal is a director of an audited company asking the Firm to delete the company's whole ledger). Such requests are routed to the audited company.
4. Secure deletion procedure
When the retention period expires:
- Primary database rows are deleted in a single transaction. Soft-delete (i.e., setting deletedAt) is used as a 30-day buffer; the hard-delete sweep runs 30 days later and DELETEs the row physically.
- R2 object storage — the corresponding object key is deleted via the S3-compatible API. The bucket lifecycle is configured to immediately purge versioned copies on permanent delete.
- TokenMap rows are deleted in the same transaction as the parent engagement. The HMAC dedup hash is overwritten with zero bytes before deletion to defeat any forensic recovery of the hash itself.
- Backups — backups taken before deletion are retained for the rolling 30-day backup window only. After 30 days the backup is replaced by a fresh snapshot that does not contain the deleted rows. There is no off-site long-term backup of personal data.
- Logs — log files that contain personal data are rotated and purged through logrotate on the existing schedule. Manual purge is available for emergencies.
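Illustration of the two-phase sweep described in sections 2 and 4 (soft-delete at retentionExpiryDate, physical delete 30 days later, TokenMap rows zeroed and removed in the parent's transaction). This is an added example, not Veloxis code: the table layout, the column names other than retentionExpiryDate and deletedAt, and the function names are assumptions, and SQLite stands in for PostgreSQL so the sketch runs offline.

```python
import sqlite3
from datetime import date, timedelta

BUFFER = timedelta(days=30)  # soft-delete buffer before physical deletion

def make_db():
    # Hypothetical two-table schema; SQLite stands in for PostgreSQL.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE engagement (id INTEGER PRIMARY KEY,
            retentionExpiryDate TEXT NOT NULL, deletedAt TEXT);
        CREATE TABLE token_map (id INTEGER PRIMARY KEY,
            engagement_id INTEGER NOT NULL, dedup_hmac BLOB NOT NULL);
    """)
    return db

def retention_sweep(db, today):
    """Phase 1: soft-delete engagements whose retentionExpiryDate is in the past."""
    cur = db.execute(
        "UPDATE engagement SET deletedAt = ? "
        "WHERE deletedAt IS NULL AND retentionExpiryDate < ?",
        (today.isoformat(), today.isoformat()))
    return cur.rowcount

def hard_delete_sweep(db, today):
    """Phase 2: physically delete engagements soft-deleted 30 or more days ago."""
    cutoff = (today - BUFFER).isoformat()
    ids = [r[0] for r in db.execute(
        "SELECT id FROM engagement WHERE deletedAt <= ?", (cutoff,))]
    for eid in ids:
        db.execute("BEGIN")  # one transaction per engagement
        try:
            # Zero the HMAC dedup hash, then drop TokenMap rows with the parent.
            db.execute("UPDATE token_map SET dedup_hmac = zeroblob(length(dedup_hmac)) "
                       "WHERE engagement_id = ?", (eid,))
            db.execute("DELETE FROM token_map WHERE engagement_id = ?", (eid,))
            db.execute("DELETE FROM engagement WHERE id = ?", (eid,))
            db.execute("COMMIT")
        except Exception:
            db.execute("ROLLBACK")
            raise
    return ids

if __name__ == "__main__":
    db = make_db()
    # Constructed sample rows: one expired engagement, one still in retention.
    db.execute("INSERT INTO engagement VALUES (1, '2026-01-10', NULL), (2, '2030-01-01', NULL)")
    db.execute("INSERT INTO token_map VALUES (1, 1, x'aabbccdd'), (2, 2, x'11223344')")
    print(retention_sweep(db, date(2026, 2, 1)))     # soft-deletes engagement 1
    print(hard_delete_sweep(db, date(2026, 2, 15)))  # still inside the buffer
    print(hard_delete_sweep(db, date(2026, 3, 3)))   # buffer elapsed
```

In PostgreSQL an UPDATE writes a new row version and leaves the old tuple on disk until VACUUM reclaims it, so the zero-byte overwrite should be verified against vacuum and WAL retention settings when the control is tested.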
5. Voluntary machine-readable export
The DPDP Act, 2023 does not in itself confer a standalone right to data portability of the kind found in the EU GDPR. However, as a matter of practice, the Firm will provide a JSON export of personal data of a requesting data principal on reasonable request, where the request is consistent with the Firm's retention obligations under §1 above and does not include personal data of any other data principal. The format follows the JSON shape used by Veloxis internally for the relevant entity. The Firm reserves the right to redact data the disclosure of which would prejudice another data principal, a client engagement, or the Firm's professional obligations.
6. Cross-policy interactions
- Working papers — the Firm cannot delete working papers, including AI-related working papers, before the SA 230 expiry even if the underlying client requests it. The Firm explains this constraint at engagement onboarding.
- AI evidence — the tokenised JSON prompt + the AI response, in their de-tokenised form, are part of the audit working paper file and follow the SA 230 schedule.
- TokenMap — the token-to-plaintext map must outlive the AI call by enough time for the auditor to interpret the output later. The Firm aligns TokenMap retention with the parent engagement so historic working papers remain interpretable.
7. Review cadence
This policy is reviewed annually by the Managing Partner. The next review is due 2027-05-24. Any change in SA 230, the DPDP Act, the IT Act, the Companies Act, or the Income-tax Act that affects retention will trigger an out-of-cycle review.