How long to keep signed documents, what industry regulations require, and how GetSigned handles expiry — retaining the hash-chained audit trail permanently while purging the PDF blob on your configured schedule.
These are common minimums — always verify with qualified legal counsel for your jurisdiction and specific document types.
The PDF blob is deleted. The evidentiary record is retained permanently.
Proves the original document's content even after the file is gone.
Proves the sealed document's content — if a copy is produced later, its hash can be verified against this record.
Full event log: view, consent, OTP, signature, seal — with timestamps, IPs, and user agents.
Append-only chain covering every event. Tampering with any row breaks the chain.
Who signed, in what order, and when — without the PDF content itself.
Deleted from Cloudflare R2 on retention expiry. The audit trail proves what was signed without storing the file.
It depends on the document type and your jurisdiction. Common rules of thumb: general contracts — 6–7 years (matching the statute of limitations for written contracts in most US states and Canadian provinces); financial and tax records — 7 years; employment documents — 7 years post-termination; grant agreements — 7 years post-project completion. These are minimums — your legal counsel may recommend longer periods based on your specific risk profile and jurisdiction.
The default is 30 days, and it is fully configurable per tenant — set a longer window in your tenant configuration to match your records-management requirements. Different document types within the same organization can have different retention periods by using different tenants. The point is data minimization: GetSigned is not designed to be your long-term document store.
The PDF blob (both the original upload and the sealed document) is deleted from storage. However, the audit trail is retained permanently: the SHA-256 hashes of both the original and sealed PDFs, all signature_events rows, and all hash-chained audit_log rows. This means you can verify the authenticity of a signed document copy even after the stored PDF has been purged — the hashes prove whether a produced copy matches what was signed.
Yes — within the retention window. When all parties sign, GetSigned emails the sealed copy to everyone: attached if the file is small, or a secure tokenized download link if it is too large to attach. If you received a link and have not saved your copy, GetSigned reminds you at 20, 10, and 1 day before deletion. Integration customers can also pull the sealed PDF any time before purge via GET /v1/envelopes/{id}/document. Best practice: archive to your own document management system (DMS) on the envelope.completed webhook rather than relying on GetSigned as your primary store.
Yes. The audit_log table is append-only at the database grant level — the application role cannot UPDATE or DELETE rows. On purge, only the documents table's storage_key is cleared and the R2 blob is deleted. The signature_events and audit_log records for the envelope remain intact. The SHA-256 hashes are stored in the envelopes table (document_hash_original, document_hash_final) which is also retained.
GetSigned's configurable retention system supports the technical side of retention policy compliance: you set the retention period, documents are purged on expiry, and audit trails (which contain minimal personal data) are retained for legal defensibility. For full GDPR or PIPEDA compliance, you also need a privacy policy, a lawful basis for processing, and data subject rights handling (access, correction, deletion) in your application layer. Contact us to discuss your specific compliance requirements.
This page is for informational purposes only. Retention requirements vary by document type, jurisdiction, and industry. Consult qualified legal counsel for your specific retention obligations.
Set your retention period. GetSigned purges on schedule and retains the evidentiary record forever.
Get free API keys →