SOC 2
Ragwalla provides built-in controls for SOC 2 Trust Services Criteria, specifically addressing the unique challenges of AI agent deployments.
Trust Services Criteria Coverage
C1.2: Confidential Information Disposal
"The entity disposes of confidential information to meet the entity's objectives related to confidentiality."
AI agents process confidential information across multiple touchpoints: user messages, RAG document retrieval, tool execution, and response generation. Ragwalla ensures proper disposal through:
Automated Retention Enforcement
Configure retention policies per organization and project:
| Data Type | Description |
|---|---|
| Conversations | Agent threads and messages with customers |
| Audit Logs | Records of agent activity and tool usage |
| Files | RAG documents and uploaded content |
When data reaches its retention limit, Ragwalla automatically:
Removes conversations and messages
Deletes files from storage
Archives audit logs to preserve integrity
Records every deletion for audit evidence
Disposal Documentation
Every automated deletion generates a permanent record including:
What was deleted and when
The retention policy that triggered deletion
The original creation date
Whether any legal holds were in effect
Your auditor can query these records to verify disposal occurred according to policy.
P5.1: Data Retention
"The entity retains personal information consistent with the entity's objectives related to privacy."
AI agent conversations often contain personal information—names, account details, support issues. Ragwalla ensures this data is retained only as long as necessary.
Flexible Retention Configuration
Set retention at the organization level for baseline policy, then override at the project level for specific requirements:
Organization: Acme Corp
├── Default: 365 days
├── Project: Customer Support → 90 days (shorter for PII minimization)
├── Project: Legal Intake → 7 years (regulatory requirement)
└── Project: Sales Demo → inherits 365 days
Legal Hold Integration
When retention policy conflicts with preservation requirements, legal holds take precedence:
| Scenario | Behavior |
|---|---|
| Active litigation | Data excluded from retention cleanup |
| Regulatory investigation | Specific threads preserved |
| FOIA request | Relevant conversations held until fulfilled |
| Hold released | Data becomes eligible for retention cleanup again |
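The override and legal-hold rules above, together with the deletion record fields listed under Disposal Documentation, modeled as an added Python example. This is not Ragwalla's code or API: every name (`Thread`, `effective_retention`, `evaluate`, `run_cleanup`) and all sample data are hypothetical, and 7 years is approximated as 2,555 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed policy mirroring the Acme Corp tree above; None means "inherit".
ORG_DEFAULT_DAYS = 365
PROJECT_OVERRIDES = {
    "Customer Support": 90,
    "Legal Intake": 7 * 365,  # assumption: 7 years counted as 2555 days
    "Sales Demo": None,
}

@dataclass
class Thread:
    thread_id: str
    project: str
    created_at: datetime
    legal_hold: bool = False

def effective_retention(project: str) -> tuple[int, str]:
    """Return (days, policy source); a project override beats the org default."""
    days = PROJECT_OVERRIDES.get(project)
    if days is None:
        return ORG_DEFAULT_DAYS, "organization default"
    return days, f"project override: {project}"

def evaluate(thread: Thread, now: datetime) -> Optional[dict]:
    """Return a disposal record if the thread is due for deletion, else None."""
    days, source = effective_retention(thread.project)
    expired = now - thread.created_at >= timedelta(days=days)
    if not expired or thread.legal_hold:
        return None  # a legal hold takes precedence over an expired period
    return {
        "deleted": thread.thread_id,
        "deleted_at": now.isoformat(),
        "policy": f"{source} ({days} days)",
        "created_at": thread.created_at.isoformat(),
        "legal_hold_in_effect": thread.legal_hold,
    }

def run_cleanup(threads: list[Thread], now: datetime) -> list[dict]:
    return [rec for t in threads if (rec := evaluate(t, now)) is not None]

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample data
SAMPLE = [
    Thread("t-support-old", "Customer Support", NOW - timedelta(days=120)),
    Thread("t-support-held", "Customer Support", NOW - timedelta(days=120), legal_hold=True),
    Thread("t-legal", "Legal Intake", NOW - timedelta(days=400)),
    Thread("t-demo", "Sales Demo", NOW - timedelta(days=366)),
]
```

Running `run_cleanup(SAMPLE, NOW)` disposes of the expired support thread and the demo thread that inherited 365 days, while the held thread and the 7-year legal intake thread are kept.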
Evidence for Auditors
Ragwalla provides the evidence your SOC 2 auditor needs:
| Control Point | Evidence Available |
|---|---|
| Retention policy defined | Organization and project settings export |
| Disposal executed | Retention job history with execution details |
| Deletions documented | Deletion records with full metadata |
| Legal holds respected | Hold history showing preservation compliance |
Access this evidence through the dashboard or export via API.
Implementation Checklist
Define retention policies for each organization
Configure project-level overrides where requirements differ
Document retention periods in your information security policy
Establish process for creating legal holds when preservation is required
Schedule regular review of retention job history
Export deletion records for audit evidence package
Related
Data Retention — Detailed configuration guide
Legal Holds — Preservation management
Audit Trail — Activity logging