---
id: s3-governance-retention-policy
title: Governance Retention Policy
module: GROW-S3
module_slug: grow-s3-data-provenance
cluster: Systems
type: policy
version: v0.2.1
status: Draft
tier: membership
contract_role: ""
canonical_url: "https://grow.goodcombinator.ai/library/registry/s3-governance-retention-policy"
download_url: "https://grow.goodcombinator.ai/library/registry/s3-governance-retention-policy.md"
license: CC-BY-4.0 (proposed — owner confirmation required)
source: GROW by Good Combinator
retrieved_at: 2026-05-29
---

# Governance & Retention Policy

> **Legal/compliance notice — flagged for expert review.** This policy includes data-handling provisions that intersect with Florida public-records law (FS Chapter 119), federal records-management practice, contract clauses with platform vendors (e.g., Airbnb, OwnerRez), and possibly municipal/special-district retention schedules. Every section flagged **[ATTORNEY REVIEW]** below must be reviewed by qualified counsel before the policy is treated as binding for civic, regulated, or contractually constrained workloads. Doug's framework requires this flag; do not strip it without sign-off.

## Purpose
Provenance records are durable assets. They establish what a GROW-built system did, on what evidence, under whose authority, and with what confidence. This policy governs how those records — and the source snapshots, evidence pointers, and decision traces they reference — are reused, retained, corrected, and retired.

## Reuse Rules
1. **Reuse is bound by `permissions` and `source_id`.** A provenance record may be reused (cited, surfaced, replayed) only by systems whose permission scope is equal to or stricter than the record's `permissions` field and whose access to every `source_id` is current.
2. **Embeddings and summaries are derivative records, not new sources.** Reuse of a derived artifact carries forward the `confidence_band` of its strictest contributing source unless an explicit upgrade rule from `s3-lineage-map-spec` applies.
3. **Cross-system reuse requires lineage continuation.** A downstream system that consumes a provenance record MUST extend, not replace, its `transformation_history`. Forking lineage is a governance event.
4. **No silent reuse of `restricted` or `regulated` records.** Any reuse is itself a logged event with its own provenance record. **[ATTORNEY REVIEW]** for regulated classes.

## Retention Schedule (default)
The schedule below is the GROW default. Override per workload by counsel review.

| Retention class | Default window | Applies to |
|---|---|---|
| `ephemeral` | 7 days | Internal experiments, demo runs, non-shipped drafts |
| `operational` | 90 days | Day-to-day STR ops, internal Slack-derived summaries |
| `business-2yr` | 2 years | Customer-facing outputs, podcast publishing artifacts, vendor comms |
| `civic-7yr` | 7 years | Commission-facing memos, grant reporting, public comment artifacts **[ATTORNEY REVIEW — FS Ch. 119 may impose different windows]** |
| `regulated-indef` | indefinite, with periodic review | Litigation-hold, regulatory inquiries, any record under legal preservation order **[ATTORNEY REVIEW REQUIRED before assignment]** |

Each provenance record carries `retention_class`. Defaulting is not permitted on `civic-7yr` or `regulated-indef` — those classes require an explicit assignment recorded at write time.

### Florida Public-Records Intersection — flagged
**[ATTORNEY REVIEW]** Florida public-records law (FS Chapter 119) and applicable state retention schedules (issued by the Department of State, Division of Library and Information Services) may apply when a GROW system produces a record on behalf of an elected commissioner, a special district, or a public body. Specific minimums for grant administration, financial records, and meeting-related correspondence are governed by those schedules, not by this policy. This policy does **not** assert a specific Chapter 119 rule. Do not use the defaults above as a substitute for the governing schedule. Counsel must map each record type to the applicable item in the state schedule before the policy goes live for any FL public-sector workload.

## Stale-Source Handling
A source is **stale** when `last_validated` is older than its declared `update_frequency` window. Stale sources trigger the following cascade:

1. The Source Inventory automatically downgrades the source's `confidence_band` by one notch (high → medium → low → unknown).
2. Any provenance record that consumed the stale source has its `confidence_band` recomputed at next read. The stored value is not edited; the read-time value reflects the downgrade.
3. Outputs already published are not retroactively edited. Instead, a **correction record** is issued if the downgrade materially affects a claim (see below).
4. Two consecutive stale cycles route the source to its owner for re-attestation or retirement.

## Corrections and Retractions Workflow
GROW treats corrections as append-only events on the provenance store. Records are never silently rewritten.

1. **Trigger.** A material error is identified in an output (factual error, attribution error, stale data, mis-applied authority).
2. **Classify.** Determine: correction (claim is partially wrong, can be amended) vs. retraction (claim is wholly wrong, must be withdrawn).
3. **Author correction record.** A new provenance record is emitted with `corrections[]` populated: `{correction_id, supersedes_record_id, reason, timestamp, actor}`. `decision_origin` for the new record is `human-override` or `escalation` as appropriate.
4. **Surface to the original artifact.** The original output, if still live, carries a visible correction notice linking to the new `record_id`. If the artifact is published externally (podcast description, memo, grant submission), the publication surface MUST be updated. **[ATTORNEY REVIEW]** for retractions on regulated artifacts.
5. **Log.** A correction event is itself an entry in the system's audit trail per `s2-audit-trail-schema`.
6. **Review cadence.** Corrections rate is a leading reliability indicator; it feeds `s2-scoring-system` as a calibration signal.

## Access, PII, and Sensitive Data Handling
- Provenance records that contain or point to PII carry `pii_flags` per the schema. Storage MUST satisfy the strictest applicable policy (organizational, contractual, statutory). **[ATTORNEY REVIEW]**
- Restricted/regulated records are stored with access logs that themselves are provenance records.
- Deletion of a provenance record under a data-subject request is a governance event requiring counsel sign-off. **[ATTORNEY REVIEW]**

## Review Cadence
- **Quarterly.** Owners re-attest source rows. Retention classes spot-checked.
- **Annual.** Policy refresh; counsel review of every flagged section above; mapping of `civic-7yr` records to the then-current Florida retention schedule. **[ATTORNEY REVIEW]**
- **Triggered.** Any litigation hold, regulatory inquiry, or breach triggers an immediate policy review and freezes affected retention classes.

## Out of Scope (handled elsewhere)
- Encryption-at-rest and key management — operational security, not provenance policy.
- Vendor contract terms — sourced into the inventory; constraints surface through `permissions`.
- Definitions of `evidence`, `decision_origin`, `confidence_band`, `provenance record`, `drift`, `regression`, `lineage`, `source confidence` — see GROW glossary; not redefined here.