Logging & Retention Policy

Mercury Security | 2025

Introduction

Effective logging and retention practices are critical for ensuring AI systems are transparent, auditable, and compliant with regulatory expectations. Logs provide the evidence needed to demonstrate accountability, while retention policies ensure that data is stored only as long as necessary and deleted when no longer required. This policy outlines Mercury Security’s approach to logging and retention for AI agents and audited systems, in line with GDPR, the EU AI Act, NIST AI RMF, and ISO/IEC 42001 (European Union, 2016; European Union, 2024; NIST, 2023; ISO, 2023).

Purpose

The purpose of this policy is to:

  • Ensure complete and tamper-evident logging of AI agent activity.
  • Define clear retention periods consistent with regulatory requirements.
  • Provide a framework for deletion and export requests.
  • Support governance and compliance reporting for internal and external stakeholders.

Scope

This policy applies to:

  • All AI agents hosted or audited by Mercury Security.
  • Logs generated during customer-facing and internal use.
  • Data collected through secure audit upload services.

Logging Standards

All AI systems must generate logs that include:

  • Timestamps of interactions.
  • User role (not personal identity unless necessary).
  • Prompts and responses.
  • Source links or “no source” disclaimers.
  • Escalation events and outcomes.
  • Configuration or version identifiers.

Logs must be tamper-evident. Mercury Security recommends write-once, read-many (WORM) storage, cryptographic hashing, or equivalent integrity mechanisms (Kaur & Chana, 2022). Note that a per-record hash on its own only detects corruption; to detect alteration, reordering or deletion of records, each record's hash must incorporate the hash of the preceding record (a hash chain), and the current chain head must be recorded somewhere the log writer cannot modify (for example in WORM storage or a signed timestamp), since truncating the tail of an unanchored chain leaves a chain that still verifies.
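The following is an added example, written for this page and not Mercury Security's own tooling, of a hash-chained interaction log carrying the fields listed above. It shows what the chain detects (an edited response, a deleted record) and what it does not detect without an external anchor (a truncated tail). The field names, the use of SHA-256 over a canonical JSON encoding, and the sample records are assumptions chosen for illustration.

```python
"""Hash-chained, tamper-evident log for AI agent interactions (illustrative).

Each record stores the required fields plus the hash of the previous record.
Altering, reordering or deleting a record breaks the chain. The chain head
must be kept outside the log store so that truncation is also detectable.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # prev_hash value for the first record (assumption)


def canonical(record: dict) -> bytes:
    # Deterministic encoding: sorted keys, no whitespace, UTF-8.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def record_hash(body: dict, prev_hash: str) -> str:
    # Hash binds the record contents to its predecessor.
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()


def append_record(log: list, *, role, prompt, response, sources,
                  escalation, config_version, timestamp=None) -> str:
    """Append one interaction record and return the new chain head."""
    body = {
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "user_role": role,                      # role, not personal identity
        "prompt": prompt,
        "response": response,
        "sources": sources if sources else "no source",  # explicit disclaimer
        "escalation": escalation,               # None or {"to":..,"outcome":..}
        "config_version": config_version,
    }
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"body": body, "prev_hash": prev, "hash": record_hash(body, prev)}
    log.append(entry)
    return entry["hash"]


def verify_chain(log: list, anchored_head: Optional[str] = None) -> Tuple[bool, str]:
    """Re-derive every hash; optionally compare the head to an external anchor."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            return False, f"record {i}: prev_hash does not match predecessor"
        if record_hash(entry["body"], prev) != entry["hash"]:
            return False, f"record {i}: contents do not match stored hash"
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "chain head differs from anchored head (records added or removed)"
    return True, "ok"


def demo() -> dict:
    """Build a three-record log (constructed sample data) and probe it."""
    log = []
    append_record(log, role="support_agent", prompt="What is our refund window?",
                  response="30 days.", sources=["https://intranet.example/policy/refunds"],
                  escalation=None, config_version="agent-1.4.2",
                  timestamp="2025-01-10T09:00:00+00:00")
    append_record(log, role="support_agent", prompt="Can you waive the fee?",
                  response="I cannot decide that; escalating.", sources=[],
                  escalation={"to": "human_reviewer", "outcome": "approved"},
                  config_version="agent-1.4.2", timestamp="2025-01-10T09:01:30+00:00")
    head = append_record(log, role="customer", prompt="Thanks", response="You're welcome.",
                         sources=[], escalation=None, config_version="agent-1.4.2",
                         timestamp="2025-01-10T09:02:00+00:00")
    results = {"intact": verify_chain(log, head)}

    tampered = copy.deepcopy(log)                # edit a stored response
    tampered[1]["body"]["response"] = "Fee waived."
    results["tampered"] = verify_chain(tampered, head)

    gapped = copy.deepcopy(log)                  # delete the escalation record
    del gapped[1]
    results["deleted_middle"] = verify_chain(gapped, head)

    truncated = log[:-1]                         # drop the newest record
    results["truncated_no_anchor"] = verify_chain(truncated)        # still "ok"
    results["truncated_with_anchor"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The truncation case is the one to notice: without the anchored head, a log that has had its most recent records removed verifies cleanly, which is why the head hash (or a signature over it) has to live somewhere the log writer cannot overwrite.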

Retention Periods

  • Operational logs: Retained for up to 12 months to support troubleshooting and monitoring.
  • Audit evidence logs: Retained for 24 months to support compliance cycles.
  • Incident logs: Retained for 36 months or as required by regulation.
  • Uploaded files: Retained only for the duration of the audit and deleted within 30 days of project completion.

Retention periods may be shortened if a client requests early deletion, except where a statutory retention obligation or an active legal hold applies to the records concerned.

Deletion and Export

  • Clients may request deletion of logs associated with their systems at any time.
  • Deletion requests must be honored within 30 days and confirmed in writing. Where logs are held in WORM storage, the retention lock must be set to the applicable retention period rather than longer, because records under a WORM lock cannot be removed before the lock expires.
  • Export requests (e.g., GDPR data portability) must include all available log fields in a commonly used, machine-readable format (CSV or JSON).

Monitoring and Review

Governance teams must review log integrity monthly (for example by re-verifying hash chains or WORM retention settings against the recorded anchor values) and confirm that deletion and retention schedules are being followed. Annual reviews ensure alignment with changes to regulatory frameworks.

Conclusion

Logging and retention are foundational to responsible AI governance. By enforcing consistent standards, Mercury Security ensures that organizations can demonstrate compliance, protect user rights, and maintain transparency with regulators and stakeholders.

References

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. https://eur-lex.europa.eu

ISO. (2023). ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system. International Organization for Standardization.

Kaur, H., & Chana, I. (2022). Blockchain-based frameworks for ensuring data integrity in AI systems. Journal of Cloud Computing, 11(1), 45–63. https://doi.org/10.1186/s13677-022-00301-9

National Institute of Standards and Technology. (2023). AI Risk Management Framework (NIST AI RMF 1.0). Gaithersburg, MD: NIST.
