> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Data retention

> Configure how long Didit stores verification data, delete sessions on demand, and implement privacy-first KYC with EU residency, GDPR, and DPA support.

## Role and processing location

| Aspect                 | Detail                                                                                                                               |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| **Processor role**     | Didit acts as a **data processor**; you remain the data controller.                                                                  |
| **Processing region**  | EU by default. Enterprise accounts can enable **in-country processing** (local data residency) subject to availability and contract. |
| **Regulatory posture** | Designed to support **GDPR** and local data-protection regimes. Configure retention below to meet your obligations.                  |

<Note>
  Need a DPA, TOMs, or other compliance attestations? Contact your Didit representative.
</Note>

***

## Retention controls

Configure retention in **Business Console → App Settings → Data**.

<Steps>
  <Step title="Open retention settings">
    Go to **Business Console → App Settings → Data**.
  </Step>

  <Step title="Choose a retention policy">
    Select a window from **1 month** to **10 years**, or leave as **unlimited** (default).
  </Step>

  <Step title="Save">
    Click **Save**. The policy applies to future sessions and to existing ones, so sessions already older than the selected window are purged as well; export anything you still need before shortening the window.
  </Step>
</Steps>

The policy applies to verification inputs/outputs, derived results, and operational metadata stored by Didit.

<Frame>
  <img src="https://mintcdn.com/didit-0f962782/z6T2GHM4Zh-iSj-K/images/data-retention-settings.png?fit=max&auto=format&n=z6T2GHM4Zh-iSj-K&q=85&s=e2ca6a8e32ed8ec5a2cd910d3cdbaefc" alt="Data retention settings in the Business Console" width="1427" height="843" data-path="images/data-retention-settings.png" />
</Frame>

***

## Manual deletion

Delete individual sessions from the Console when you need one-off removals.

1. Navigate to **Dashboard → Verifications**.
2. Search or filter for the target session.
3. Click the **Delete** button (top-right) and confirm.

<Frame>
  <img src="https://mintcdn.com/didit-0f962782/z6T2GHM4Zh-iSj-K/images/data-retention-delete-session.png?fit=max&auto=format&n=z6T2GHM4Zh-iSj-K&q=85&s=ff1947059d7d9d60643b7568e189e3a6" alt="Delete a verification session from the Console" width="1429" height="560" data-path="images/data-retention-delete-session.png" />
</Frame>

***

## Programmatic deletion

Delete a session via the API at any time by calling the [Delete Session](/sessions-api/delete-session) endpoint.

```bash theme={null}
curl --request DELETE \
  --url https://verification.didit.me/v3/session/{session_id}/ \
  --header 'x-api-key: YOUR_API_KEY'
```

| Response         | Meaning                                          |
| ---------------- | ------------------------------------------------ |
| `204 No Content` | Session deleted successfully.                    |
| `404 Not Found`  | Session already deleted or unknown `session_id`. |

***

## Process-and-purge pattern

For maximum data minimization, process verification data through Didit and purge it immediately after receiving results via webhooks.

<Steps>
  <Step title="Create a session">
    Your backend calls the [Create Session](/sessions-api/create-session) API.
  </Step>

  <Step title="Didit runs checks">
    Identity, liveness, AML, and any other configured checks execute automatically.
  </Step>

  <Step title="Receive webhook">
    Didit sends a [webhook](/integration/webhooks) with `status`, `session_id`, `vendor_data`, and the full verification data. Verify the webhook signature before parsing or acting on the payload.
  </Step>

  <Step title="Persist only what you need">
    Store the minimum fields required for your records (e.g., `status`, `vendor_data`).
  </Step>

  <Step title="Delete from Didit">
    Call the [Delete Session](/sessions-api/delete-session) API for that `session_id` to remove all data from Didit. Treat `404 Not Found` as "already deleted" so that webhook retries stay idempotent.
  </Step>
</Steps>
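The five steps above, wired together as one handler. This is an added example, not Didit's own code or SDK. The `DELETE /v3/session/{session_id}/` call, the `x-api-key` header and the 204/404 semantics come from this page; everything else is an assumption for illustration: the signature header names `X-Signature-V2` and `X-Timestamp`, the HMAC-SHA256-over-raw-body scheme, the terminal status strings `Approved`/`Declined`, and any payload field other than `status`, `session_id` and `vendor_data`. Check the webhooks guide for the real names before deploying.

```python
import hashlib
import hmac
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

DIDIT_BASE_URL = "https://verification.didit.me/v3"
MAX_SKEW_SECONDS = 300                      # replay window for the webhook timestamp (our choice)
PURGE_STATUSES = {"Approved", "Declined"}   # assumed terminal statuses; confirm against the webhooks guide


@dataclass(frozen=True)
class MinimalRecord:
    """Everything we keep locally. Images, documents and raw check results never reach our database."""
    session_id: str
    status: str
    vendor_data: str


def verify_signature(raw_body: bytes, headers: Mapping[str, str], secret: str,
                     now: Optional[float] = None) -> bool:
    """HMAC-SHA256 over the raw body, compared in constant time, plus a freshness check.
    Header names X-Signature-V2 / X-Timestamp are assumptions for this example."""
    h = {k.lower(): v for k, v in headers.items()}
    sig, ts = h.get("x-signature-v2", ""), h.get("x-timestamp", "")
    if not sig or not ts.isdigit():
        return False
    current = time.time() if now is None else now
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def delete_session(session_id: str, api_key: str,
                   http_delete: Callable[[str, dict], int]) -> str:
    """DELETE /v3/session/{session_id}/ as documented: 204 deleted, 404 already gone.
    Treating 404 as success makes retries idempotent; any other status is surfaced."""
    status = http_delete(f"{DIDIT_BASE_URL}/session/{session_id}/", {"x-api-key": api_key})
    if status == 204:
        return "deleted"
    if status == 404:
        return "already_deleted"
    raise RuntimeError(f"unexpected {status} deleting session {session_id}")


def urllib_delete(url: str, headers: dict) -> int:
    """Real transport for delete_session (standard library only; not exercised offline)."""
    req = urllib.request.Request(url, method="DELETE", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def handle_webhook(raw_body: bytes, headers: Mapping[str, str], webhook_secret: str,
                   api_key: str, http_delete: Callable[[str, dict], int],
                   store: Callable[[MinimalRecord], None],
                   now: Optional[float] = None) -> tuple:
    """Verify -> persist minimal fields -> purge from Didit. Returns (HTTP status to answer, outcome)."""
    if not verify_signature(raw_body, headers, webhook_secret, now):
        return 401, "bad_signature"           # never parse or act on an unverified body
    payload = json.loads(raw_body)
    record = MinimalRecord(payload["session_id"], payload["status"], payload.get("vendor_data", ""))
    if record.status not in PURGE_STATUSES:
        return 200, "not_terminal"            # session still in flight; deleting it now would break it
    store(record)                             # commit locally first, so a failed delete can be retried
    return 200, delete_session(record.session_id, api_key, http_delete)


def demo() -> dict:
    """Constructed webhook plus a fake transport: first delivery deletes, the retry sees 404."""
    secret, api_key = "whsec_constructed", "api_constructed"
    body = json.dumps({"session_id": "11111111-2222-3333-4444-555555555555",
                       "status": "Approved", "vendor_data": "user-42",
                       "decision": {"placeholder": "stands in for the full verification data"}}).encode()
    now = 1_700_000_000
    headers = {"X-Signature-V2": hmac.new(secret.encode(), body, hashlib.sha256).hexdigest(),
               "X-Timestamp": str(now)}
    deleted: set = set()

    def fake_delete(url: str, hdrs: dict) -> int:
        sid = url.rsplit("/", 2)[-2]
        if hdrs.get("x-api-key") != api_key:
            return 401
        if sid in deleted:
            return 404
        deleted.add(sid)
        return 204

    stored: list = []
    first = handle_webhook(body, headers, secret, api_key, fake_delete, stored.append, now)
    retry = handle_webhook(body, headers, secret, api_key, fake_delete, stored.append, now)
    tampered = handle_webhook(body + b" ", headers, secret, api_key, fake_delete, stored.append, now)
    stale = handle_webhook(body, headers, secret, api_key, fake_delete, stored.append, now + 3600)
    return {"first": first, "retry": retry, "tampered": tampered, "stale": stale,
            "stored_fields": sorted(stored[0].__dict__) if stored else []}


if __name__ == "__main__":
    print(demo())
```

Two design points: the local record is committed before the delete call, so a failed purge can be retried without losing the result, and the retry path relies on `404` meaning "already deleted" rather than treating it as an error. Swap `fake_delete` for `urllib_delete` to talk to the real endpoint.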

***

## Security and assurance

<CardGroup cols={2}>
  <Card title="ISO/IEC 27001" icon="shield-check">
    ISMS in place. Certificate and excerpts available on request.
  </Card>

  <Card title="Penetration testing" icon="bug">
    Periodic third-party penetration tests with tracked remediation.
  </Card>

  <Card title="No known breaches" icon="lock">
    No security breaches reported to date.
  </Card>

  <Card title="Internal security team" icon="user-shield">
    Dedicated cybersecurity team with least-privilege access and strict environment separation.
  </Card>
</CardGroup>

<Info>
  All API activity is recorded in **Audit Logs** for security, compliance, and troubleshooting. Logs are retained for **365 days** and then auto-deleted.
</Info>

***

## Privacy-minimized storage

We are adding features that let you **retain only selected data fields** — for example, keep `status` and `vendor_data` while auto-purging heavier artifacts like images and documents. This gives stricter control for teams operating under data-minimization principles.

<Tip>
  Want early access to artifact-level retention rules? Contact your Didit representative.
</Tip>

***

## FAQ

<AccordionGroup>
  <Accordion title="Can I set different retention per environment?">
    Yes. Retention is configured per application in Didit, so each application, including separate Sandbox and Live setups, can carry its own policy.
  </Accordion>

  <Accordion title="Can I export data before deletion?">
    Yes. Export session data via the Console or API, then call the Delete Session endpoint.
  </Accordion>

  <Accordion title="Where can I see who accessed what?">
    Use **Audit Logs** in the Console. Filter by user, endpoint, or date range. Logs are retained for **365 days**.
  </Accordion>
</AccordionGroup>

***

## Implementation checklist

<Steps>
  <Step title="Configure retention">
    Set your retention policy in **Console → App Settings → Data**.
  </Step>

  <Step title="Subscribe to webhooks">
    Set up [webhooks](/integration/webhooks) and verify signatures.
  </Step>

  <Step title="Persist minimal fields">
    Store only the fields your business requires.
  </Step>

  <Step title="Implement programmatic deletion">
    Call the [Delete Session](/sessions-api/delete-session) API if you use the process-and-purge pattern.
  </Step>

  <Step title="Confirm processing region">
    Verify your processing region (EU by default, or in-country for enterprise).
  </Step>

  <Step title="Separate environments">
    Use separate Sandbox and Live API keys with independent retention policies. Rotate keys regularly.
  </Step>
</Steps>
