Data retention & deletion policy

Last updated 2026-04-24. Applies to all Crestline Security customer accounts.

What we store

  • Structured findings — the rows you see in the portal (check ID, severity, resource ARN, status, notes). Kept until you delete your account.
  • Raw scan outputs — Prowler's OCSF JSON dumps in secure S3. Kept 90 days post-scan, then auto-deleted.
  • Activity logs — audit trail of portal actions. Kept until account deletion.
  • API tokens — SHA-256 hashes only; the raw token is never stored. Revoked tokens stay in the audit log.

What we don't store

  • Your cloud credentials as plaintext — we store encrypted AWS role ARNs, Azure client secrets, etc. Scan-time credentials are ephemeral.
  • Payment details beyond the last 4 digits and expiration — the full PAN lives with our payment processor.
  • The contents of your cloud resources (object contents, database rows, etc.) — we only see security metadata.

Deleting your account

From the portal, visit Settings → Account and click "I want to delete my account". You'll type your organisation name to confirm, and then every record belonging to your account — scans, findings, notes, attestations, tokens, policies — is removed in a single transaction. You'll be logged out and any API tokens will immediately stop working.

Raw scan outputs in object storage stay on their 90-day timer even if you delete your account early — the auto-expiry lifecycle still applies.

Administrative deletions

If you can't access the portal (e.g. you've lost all portal user credentials), email ethan@crestlinesecurity.com from the address on your account. We'll verify identity and run the delete manually. Expect 2 business days.

GDPR / subject-access requests

For EU / UK customers: under GDPR Art. 15 (right of access) and Art. 17 (right to erasure), you can request a copy of your data or a deletion via the email above. We respond within 30 days.