Data Retention Policy

Why data retention matters

Retention is not just about storage — it underpins:

• operational visibility and troubleshooting

• reconciliation and dispute resolution

• audit and compliance requirements

• accountability across document flows

Poor retention practices lead to gaps in visibility, while excessive retention increases risk. XEDI aims to strike the right balance.

How data is retained

Purpose-led retention

Data is retained to support defined operational and governance needs, such as document tracking, retries, validation and reporting.

Data is not retained or reused beyond its intended purpose.

Logical separation

Customer data is logically separated within the platform. Documents, partner configurations and operational metadata are scoped to each account.

Lifecycle awareness

Documents and related data pass through clear processing stages, with retention aligned to those stages rather than indefinite storage.

Types of data retained

Document data

Examples include orders, despatch notices, invoices and acknowledgements.

• Retained to support visibility, reconciliation and partner queries

• Supports reprocessing, retries and audit trails

Operational metadata

Examples include processing timestamps, statuses, error events and retries.

• Retained to provide traceability and system insight

• Used to diagnose issues and demonstrate processing history

Configuration data

Examples include partner settings, mappings and routing rules.

• Retained while actively used

• Updated or removed as configurations change

User and access data

Examples include user accounts, roles and access activity.

• Retained to support access control and accountability

• Limited to what is necessary for platform operation and security

Retention duration

Retention periods can vary depending on:

• document type and volume

• operational and audit requirements

• contractual or regulatory obligations

• customer-specific configurations

Where applicable, retention can be aligned with business needs rather than fixed, one-size-fits-all periods.

Data removal and disposal

When data is no longer required:

• it is removed or anonymised using controlled processes

• access is no longer available within the platform

• disposal is performed to prevent recovery

This helps reduce unnecessary exposure while maintaining system integrity.

Customer responsibilities

Customers remain responsible for:

• understanding their own legal and regulatory retention obligations

• determining how long data must be retained for their business

• exporting data where longer-term storage is required

• requesting configuration changes where supported

XEDI provides the technical foundation for retention and traceability, but does not define customer compliance obligations.

Retention and compliance

Data retention supports common compliance expectations, including:

• audit readiness

• traceable processing

• controlled access to historical data

• accountability for actions and changes

Retention practices are designed to support regulated and enterprise environments without adding operational friction.

Frequently asked questions

How long are documents retained?
Retention depends on document type, operational requirements and configuration. Data is retained to support processing, auditing and support needs.

Can we export data before it is removed?
Yes. Where required, data can be exported for internal storage, reporting or compliance purposes.

Is data shared between customers?
No. Data is logically separated and scoped to each customer account.

What happens when data is deleted?
Data is removed or anonymised using controlled processes and is no longer accessible within the platform.