Data Retention

Verifa provides configurable data retention policies to help you meet regulatory requirements for GDPR, CCPA, and other privacy frameworks.

Organization retention settings

Each organization can configure:

| Setting | Description |
| --- | --- |
| data_retention_days | Days after session completion before full data deletion. |
| sensitive_data_retention_days | Days before PII and documents become inaccessible via API (see Data Access). |
| auto_redact_on_retention_expiry | Automatically delete PII and documents when retention expires. |

Two-pass retention

Verifa uses a two-pass retention model:

  1. Sensitive data window — After sensitive_data_retention_days, PII fields and document images are no longer accessible through the API. The underlying data still exists for compliance purposes.

  2. Full retention expiry — After data_retention_days, all data (including encrypted PII and stored documents) is permanently deleted. A session.retention-expired webhook event is fired.

This two-pass approach allows you to maintain audit records (session status, verification outcome) while restricting PII access after a shorter window.

Manual redaction

Single session

Delete all PII and document images for a specific session:

$ curl -X DELETE https://api.withverifa.com/api/v1/sessions/session_abc123/data \
    -H "X-API-Key: vk_live_your_key_here"

{
  "status": "deleted",
  "session_id": "session_abc123",
  "documents_removed": 3,
  "message": "Session data permanently redacted."
}

Bulk redaction

Redact up to 100 sessions in a single request:

$ curl -X POST https://api.withverifa.com/api/v1/sessions/bulk-redact \
    -H "X-API-Key: vk_live_your_key_here" \
    -H "Content-Type: application/json" \
    -d '{
      "session_ids": ["session_abc123", "session_def456", "session_ghi789"]
    }'

{
  "total": 3,
  "results": [
    {"session_id": "session_abc123", "status": "deleted", "documents_removed": 3},
    {"session_id": "session_def456", "status": "deleted", "documents_removed": 2},
    {"session_id": "session_ghi789", "status": "already_redacted", "documents_removed": 0}
  ]
}

Redaction is irreversible. Once executed:

  • All encrypted PII fields are permanently zeroed.
  • All document images are deleted from object storage.
  • The session’s retention_status is set to redacted.
  • A session.redacted webhook event is fired.

GDPR compliance

Verifa supports GDPR right-to-deletion (Article 17) through session redaction:

  • Data subject request — When a user requests deletion, call DELETE /api/v1/sessions/{session_id}/data for their session(s).
  • Proof of deletion — The response includes a documents_removed count, and the session.redacted webhook provides an auditable record.
  • Retention limits — Configure data_retention_days to automatically delete data after a defined period.

CCPA compliance

For CCPA right-to-delete requests:

  • Use the bulk redaction endpoint to process multiple sessions at once.
  • The session.redacted webhook provides timestamps for your deletion log.
  • Sessions that have already been redacted return already_redacted status without error.
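A batching client for the bulk redaction endpoint, as an added example that is not part of Verifa's documentation or SDK: it splits a right-to-delete request into batches of at most 100 session IDs, treats already_redacted as success so a retry is safe, and returns a deletion log. The function names, the fake_post stub, the placeholder key, and the handling of any status other than deleted and already_redacted are assumptions.

```python
import json
import urllib.request

API_BASE = "https://api.withverifa.com/api/v1"  # base URL from the curl examples
MAX_BATCH = 100  # bulk-redact accepts up to 100 sessions per request
DONE = ("deleted", "already_redacted")  # the two statuses the page documents

def http_post(path, payload, api_key):
    """Real transport: JSON POST with the X-API-Key header."""
    req = urllib.request.Request(
        API_BASE + path, data=json.dumps(payload).encode(), method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def bulk_redact(session_ids, api_key, post=http_post):
    """Redact sessions in batches and return a deletion log.

    Safe to re-run: already_redacted counts as done. Any other status,
    or an ID absent from the response, is listed for manual follow-up
    (assumption: the page does not document other statuses).
    """
    ids = list(dict.fromkeys(session_ids))  # drop duplicates, keep order
    log = {"done": {}, "needs_review": {}}
    for start in range(0, len(ids), MAX_BATCH):
        batch = ids[start:start + MAX_BATCH]
        body = post("/sessions/bulk-redact", {"session_ids": batch}, api_key)
        by_id = {r.get("session_id"): r for r in body.get("results", [])}
        for sid in batch:
            result = by_id.get(sid, {})
            status = result.get("status", "missing_from_response")
            if status in DONE:
                log["done"][sid] = {
                    "status": status,
                    "documents_removed": result.get("documents_removed", 0)}
            else:
                log["needs_review"][sid] = status
    return log

def fake_post(path, payload, api_key):
    """Constructed offline stand-in that mimics the documented response shape."""
    results = [{"session_id": s, "status": "deleted", "documents_removed": 1}
               for s in payload["session_ids"]]
    return {"total": len(results), "results": results}

if __name__ == "__main__":
    demo = bulk_redact([f"session_{i}" for i in range(250)], "vk_test_placeholder",
                       post=fake_post)
    print(len(demo["done"]), "redacted;", len(demo["needs_review"]), "need review")
```

Store the returned log alongside the session.redacted webhook timestamps so each deletion request has a matching record.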

Audit trail

Redaction actions are recorded in the audit log with:

  • Timestamp of the redaction
  • Admin or API key that initiated the request
  • Number of documents removed
  • IP address of the requestor

  • Data Access — PII filtering, signed URLs, and sensitive data windows
  • Webhooks Guide — session.redacted and session.retention-expired events
  • Identities — GDPR deletion across identity records