ADR-003: Ephemeral-First Storage with Opt-In Retention
| Attribute | Value |
|---|---|
| Status | Accepted |
| Date | March 2026 |
Context
CYC Assess collects sensitive client environment data. The storage model determines the privacy guarantee, the product's competitive positioning, and the commercial capabilities available for Tier 2 and Tier 3 services.
Decision
Default to 48-hour TTL ephemeral storage. Offer opt-in 90-day retained storage as a client-controlled choice at onboarding.
Options Considered
| Option | Privacy | Commercial | Complexity |
|---|---|---|---|
| Always ephemeral (no retention) | Maximum | Cannot support Tier 2/3 | Low |
| Always retained | Weakest | Full Tier 2/3 support | Medium |
| Ephemeral default + opt-in retention (chosen) | Strong default | Tier 2/3 opt-in | Medium |
Rationale
The ephemeral-first default is a trust differentiator. Enterprise security teams in regulated industries are highly sensitive to third-party data retention. "We delete your data within 48 hours of report delivery, architecturally enforced" is a stronger statement than any policy-based promise.
The opt-in retained tier enables commercial expansion without compromising the default privacy position. Clients who want consultation services or drift detection self-select into retention explicitly.
TTL enforcement via store-native mechanism (not application logic) is critical — it cannot be accidentally bypassed by a code change, making the privacy guarantee architectural rather than procedural.
Consequences
- Two-tier EDS design with different TTL enforcement rules
- Onboarding flow must clearly explain both options before payment
- Tier 2 consultation and Tier 3 drift detection only available to clients who opted in
- Client deletion request process required for retained tier