All Docs
FeaturesagentOS Direct DebitUpdated March 20, 2026

Data Retention & Mandate Archive Policy

Data Retention & Mandate Archive Policy

The Direct Debit service includes an automated data retention system that enforces configurable archival and purge policies. This helps organisations meet FCA record-keeping requirements, protect sensitive payment data, and control long-term database growth.

How It Works

A weekly background job (powered by Inngest) runs automatically and performs three actions:

  1. Soft-deletes aged mandate records — mandates older than the configured retention period are marked as archived. They are not permanently deleted, so audit metadata remains intact.
  2. Redacts bank details from archived mandates — sensitive fields (account number, sort code, account holder name) are overwritten before the record is archived.
  3. Purges raw webhook payloads — raw Modulr and Griffin webhook payloads older than 90 days are permanently deleted from the database.

All actions are written to the audit trail.

Retention Periods

Data TypeDefault RetentionConfigurable?
Mandate records7 yearsYes — per organisation
Raw webhook payloads (Modulr / Griffin)90 daysNo

The 7-year default for mandate records aligns with FCA requirements for payment service providers. Individual organisations can override this value to accommodate different regulatory obligations.

What Gets Redacted

When a mandate record is archived, the following fields are redacted:

  • Account number
  • Sort code
  • Account holder name

All other mandate fields — including status history, collection amounts, dates, and linked audit events — are preserved and remain queryable.

What Gets Purged

Raw inbound webhook payloads from Modulr and Griffin are purged after 90 days. These are the raw JSON bodies stored at the point of receipt. Processed data derived from these payloads (e.g. collection status updates, mandate state changes) is not affected by this purge.

Audit Trail

Every action taken by the retention job is logged to the audit trail with the following information:

  • Record type and identifier (e.g. mandate ID)
  • Action taken (archived, redacted, purged)
  • Timestamp
  • Retention policy applied (retention period and organisation)

This ensures a full, tamper-evident record of all data lifecycle events for compliance and forensic purposes.

Configuring Retention Per Organisation

The retention period for mandate records is set at the organisation level. To update the retention period for an organisation, set the mandateRetentionDays field on the organisation's configuration record.

{
  "mandateRetentionDays": 2555
}

Note: 2555 days ≈ 7 years. Adjust this value to match your organisation's specific regulatory requirements. The 90-day webhook payload purge window is a system-wide constant and cannot be overridden per organisation.

Schedule

The retention job runs on a weekly schedule via Inngest. It processes all organisations in sequence, applying each organisation's configured retention policy independently.