For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
  • Getting Started
    • Introduction
    • How Verifa Works
    • Quickstart
    • Choosing an Integration Method
  • Use Cases
    • KYC Onboarding
    • Age Verification
    • AML Compliance
    • Fraud Prevention
    • Marketplace Trust & Safety
  • Core Concepts
    • Overview
    • Sessions
    • Verifications & Checks
    • Workflows
    • Identities
    • Cases
    • Screening & Reports
    • Lists
  • Integration Guides
    • Overview
    • JavaScript SDK
    • Web Capture Flow
    • API-Only Integration
    • Mobile SDK
    • Webhooks Guide
    • MCP Server
    • Migrating from Persona
  • API Details
    • Overview
    • Authentication
    • Pagination
    • Rate Limiting
    • Versioning
    • Errors
    • Webhooks
    • Idempotency
    • Key Inflection
    • Data Access
    • Data Retention
  • Tutorials
    • Creating Your First Verification Session
    • Creating a Workflow
    • Receiving Webhooks & Validating Signatures
    • Handling Webhook Events
    • Custom Document Types & AI Extraction
  • Best Practices
    • Testing
    • Preventing Duplicates
    • Fraud Signals
    • Changelog
  • API Reference
On this page
  • Organization retention settings
  • Verifa-owned retention
  • Two-pass retention
  • Manual redaction
  • Single session
  • Bulk redaction
  • GDPR compliance
  • CCPA compliance
  • Audit trail
  • Related
API Details

Data Retention

Was this page helpful?
Previous

Tutorial: Creating Your First Verification Session

Next
Built with

Verifa provides configurable data retention policies to help you meet regulatory requirements for GDPR, CCPA, and other privacy frameworks.

Organization retention settings

Each organization can configure:

SettingDescription
data_retention_daysDays after session completion before full data deletion.
sensitive_data_retention_daysDays before PII and documents become inaccessible via API (see Data Access).
auto_redact_on_retention_expiryAutomatically delete PII and documents when retention expires.

Verifa-owned retention

A small set of records have fixed retention windows managed by Verifa and not configurable per organization:

RecordRetention
support_requests365 days

Two-pass retention

Verifa uses a two-pass retention model:

  1. Sensitive data window — After sensitive_data_retention_days, PII fields and document images are no longer accessible through the API. The underlying data still exists for compliance purposes.

  2. Full retention expiry — After data_retention_days, all data (including encrypted PII and stored documents) is permanently deleted. A session.retention-expired webhook event is fired.

This two-pass approach allows you to maintain audit records (session status, verification outcome) while restricting PII access after a shorter window.

Manual redaction

Single session

Delete all PII and document images for a specific session:

$curl -X DELETE https://api.withverifa.com/api/v1/sessions/session_abc123/data \
>  -H "X-API-Key: vk_live_your_key_here"
1{
2  "status": "deleted",
3  "session_id": "session_abc123",
4  "documents_removed": 3,
5  "message": "Session data permanently redacted."
6}

Bulk redaction

Redact up to 100 sessions in a single request:

$curl -X POST https://api.withverifa.com/api/v1/sessions/bulk-redact \
>  -H "X-API-Key: vk_live_your_key_here" \
>  -H "Content-Type: application/json" \
>  -d '{
>    "session_ids": ["session_abc123", "session_def456", "session_ghi789"]
>  }'
1{
2  "total": 3,
3  "results": [
4    {"session_id": "session_abc123", "status": "deleted", "documents_removed": 3},
5    {"session_id": "session_def456", "status": "deleted", "documents_removed": 2},
6    {"session_id": "session_ghi789", "status": "already_redacted", "documents_removed": 0}
7  ]
8}

Redaction is irreversible. Once executed:

  • All encrypted PII fields are permanently zeroed.
  • All document images are deleted from object storage.
  • The session’s retention_status is set to redacted.
  • A session.redacted webhook event is fired.

GDPR compliance

Verifa supports GDPR right-to-deletion (Article 17) through session redaction:

  • Data subject request — When a user requests deletion, call DELETE /api/v1/sessions/\{session_id\}/data for their session(s).
  • Proof of deletion — The response includes documents_removed count and the session.redacted webhook provides an auditable record.
  • Retention limits — Configure data_retention_days to automatically delete data after a defined period.

CCPA compliance

For CCPA right-to-delete requests:

  • Use the bulk redaction endpoint to process multiple sessions at once.
  • The session.redacted webhook provides timestamps for your deletion log.
  • Sessions that have already been redacted return already_redacted status without error.

Audit trail

Redaction actions are recorded in the audit log with:

  • Timestamp of the redaction
  • Admin or API key that initiated the request
  • Number of documents removed
  • IP address of the requestor

Related

  • Data Access — PII filtering, signed URLs, and sensitive data windows
  • Webhooks Guide — session.redacted and session.retention-expired events
  • Identities — GDPR deletion across identity records