Operations

Data retention

v0.1 lock. The Memory-only contract on this page is law for every tier and is enforced at the platform layer by IADTX_DATA_RETENTION=none. No per-page change to operate this section until a labelled commit.

IADTX never persists raw buyer uploads. Memory-only is law.

The law

IADTX_DATA_RETENTION=none is the default and the only supported value at v0.1. The session store holds the uploaded data in memory for sixty minutes from upload time. After the session expires, the data is removed from memory. No copy is written to disk, no copy is written to the Postgres backend, no copy is written to logs.

What is stored

Two pieces of data persist beyond the session. The monthly usage counter lives in the usage_monthly table in Postgres. The audit log for downloads records a signed log line with the timestamp, the tier, and the report hash. Neither contains buyer data. Both are required for tier enforcement and for the signed audit trail on the validation PDF.

IP egress posture

The engine runs in the same process as the FastAPI app. No outbound network call is made from the engine to a third-party service during diagnosis. The Playwright Chromium singleton renders PDFs in-process. The sanctions feed refresh is the only outbound call from the platform; it runs on a separate cron worker and does not touch the diagnosis path.

What this means for compliance

Memory-only handling reduces the surface area for personal data under GDPR Article 5 and the data-protection-by-design clauses in EU AI Act Article 9. It does not by itself constitute compliance with either framework. The buyer remains the data controller for the upload.

Where you see this in the product

The privacy page at iadtx.com/privacy states the same retention posture in commercial language. The validation PDF masthead carries the signed report hash that anchors the audit log line referenced above.