Gap: Data Retention Automation

Status: 🔴 Not Started
Priority: Moderate (Pre-White-Label)
Estimated Effort: 2 days

What's Missing

Automated data retention implementation including:

  • Retention job implementation (mentioned but not detailed)
  • Audit log archival to S3 (mentioned but not implemented)
  • Archival data retrieval process
  • Expired appointment anonymization
  • Expired form anonymization
  • Old backup deletion
  • Retention policy configuration per organization
  • Compliance reporting (proof of retention policy enforcement)

Why Important

  1. HIPAA requires 6-year retention then deletion
  2. GDPR requires data minimization
  3. Storage costs increase over time
  4. Manual deletion is error-prone

Current State

  • Retention policy documented (6 years)
  • No automation implemented
  • Archival mentioned but not detailed

docs/compliance/data-retention-automation.md

Also code:

  • internal/jobs/retention.go (implementation)