Summary
Implement evidence retention rules so that moderation and audit/security evidence survive the user hard-delete lifecycle while preserving userId linkage and pseudonymized data where required.
Problem
The specification requires that when user data is deleted or accounts are deactivated, some classes of evidence must still be retained:
- moderation evidence
- audit events
- security events
At the same time, the retained evidence must support:
- continued userId linkage
- pseudonymization
Without a dedicated evidence-retention model, hard-delete behavior can either remove required evidence or retain too much raw user data incorrectly.
Why This Matters
This protects:
- moderation continuity
- security incident investigation
- auditability after deletion requests
- privacy-aware retention behavior
It also prevents the deletion lifecycle from silently destroying required records.
Required Behavior
- Moderation evidence survives the normal user hard-delete flow.
- Audit and security events survive the normal user hard-delete flow.
- Retained evidence keeps userId linkage.
- Retained evidence also supports pseudonymized data handling.
- Regular application reads still respect soft-delete / hard-delete rules for user-facing data.
Acceptance Criteria
- Hard-delete does not remove required moderation evidence.
- Hard-delete does not remove required audit/security event records.
- Retained evidence still links to the userId.
- Pseudonymized representation is preserved where required by the retention model.
- Normal user-facing reads do not expose retained evidence as if it were active account data.
Suggested Implementation Targets
- prisma/schema.prisma
- new evidence retention service or repository layer
- backend API modules to be created
- src/services/PostgresDatabaseService.ts
Suggested Technical Direction
Separate retained evidence from normal user profile data.
At minimum, retained evidence records should distinguish:
- evidence type
- retained linkage key (userId)
- pseudonymized projection fields
- retention reason
- originating guild if applicable
- createdAt / retainedAt timestamps
Do not rely on ordinary user profile rows as the long-term storage location for retained evidence.
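The separation described above, as an added example that is not the project's own code: evidence lives in its own store with the listed fields, hard-delete removes only the profile, and user-facing reads never consult the evidence store. All type and function names are hypothetical, in-memory collections stand in for the Prisma models, and the pseudonymization key is assumed to come from a secret store.

```typescript
import { createHmac } from "node:crypto";

// Hypothetical names throughout; the Map and array stand in for database tables.
type EvidenceType = "moderation" | "audit" | "security";

interface RetainedEvidence {
  evidenceType: EvidenceType;
  userId: string;                        // retained linkage key
  pseudonymized: Record<string, string>; // pseudonymized projection fields
  retentionReason: string;
  guildId: string | null;                // originating guild, if applicable
  createdAt: Date;
  retainedAt: Date | null;               // set when the owning account is hard-deleted
}
interface UserProfile { userId: string; displayName: string; email: string }

const profiles = new Map<string, UserProfile>();
const evidence: RetainedEvidence[] = [];

// Keyed hash: the raw value is not stored and cannot be recomputed without the key.
function pseudonymize(value: string, key: string): string {
  return createHmac("sha256", key).update(value).digest("hex");
}

// Copies only a pseudonymized projection of the profile; raw fields such as email are dropped.
function recordEvidence(user: UserProfile, evidenceType: EvidenceType,
    retentionReason: string, key: string, guildId: string | null = null): RetainedEvidence {
  const rec: RetainedEvidence = {
    evidenceType, userId: user.userId, retentionReason, guildId,
    pseudonymized: { displayName: pseudonymize(user.displayName, key) },
    createdAt: new Date(), retainedAt: null,
  };
  evidence.push(rec);
  return rec;
}

// Hard-delete removes the profile row only; evidence rows are stamped, never deleted.
function hardDeleteUser(userId: string, now: Date = new Date()): boolean {
  for (const e of evidence) {
    if (e.userId === userId && e.retainedAt === null) e.retainedAt = now;
  }
  return profiles.delete(userId);
}

// User-facing read: profiles only, so retained evidence never looks like an active account.
function getUserProfile(userId: string): UserProfile | undefined {
  return profiles.get(userId);
}

// Investigation read: a separate path keyed by the retained userId.
function getEvidenceForUser(userId: string): RetainedEvidence[] {
  return evidence.filter((e) => e.userId === userId);
}
```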
Validation
- unit test: hard-delete path preserves evidence records
- unit test: retained evidence still references userId
- integration test: pseudonymized fields remain available
- integration test: normal account reads exclude retained evidence from user-facing profile data
- regression test: deletion workflow does not break moderation investigation capability
Traceability
- Spec: docs/specs/issue-93-specification.md
- Matrix rule: TRC-022
- Related docs:
  - docs/specs/traceability-matrix.md
  - docs/specs/issue-drafts.md
  - docs/specs/non-mvp-roadmap.md
Related Issues