Retention Policy — Alerts & Incidents
This document explains how FixFast retains, expires, and deletes alert and incident data. Retention keeps data available for investigation and learning while keeping storage predictable and secure.
Overview
- Retention is applied at the organization level.
- All data is scoped by
org_idand isolated per tenant.
Retention covers:
- Alerts
- Incidents
- Incident summaries
- Incident pattern analytics (aggregated data)
Key Definitions
| Term | Meaning |
|---|---|
| Retained | Data is fully accessible in the product and APIs. |
| Expired | Data is no longer visible in the UI but may exist briefly for cleanup. |
| Deleted | Data is permanently removed and cannot be recovered. |
Alert Retention
Alerts represent raw incoming signals from alert sources.
What is retained
- Alert metadata (timestamp, severity, labels)
- Source information (Grafana Alertmanager)
- Alert → Incident linkage
Retention behavior
| State | Behavior |
|---|---|
| Active | Alerts are available in real time. |
| Grouped into Incident | Alerts remain linked to the incident. |
| After Retention Period | Alerts are expired and removed. |
Notes
- Alerts are retained only for operational use.
- Alerts do not persist indefinitely.
- Alerts that contribute to incidents are summarized into incident records.
Incident Retention
Incidents represent grouped, explainable operational events.
What is retained
- Incident metadata (title, status, timestamps)
- Explainable summaries
- Alert grouping rationale
- Ownership and handoff notes
- Resolution details
Retention behavior
| Incident State | Retention |
|---|---|
| Active | Always retained |
| Resolved | Retained for the configured retention period |
| After Retention Period | Incident expires and is deleted |
Important rules
- Retention starts after incident resolution.
- Retention applies uniformly across all resolved incidents.
- Expired incidents are not visible in the UI or APIs.
Incident Pattern Intelligence Retention
Incident Pattern Intelligence uses aggregated and derived data.
What is retained
- Daily and weekly aggregates
- Incident counts
- Exposure metrics
- Alert noise metrics
- MTTR calculations
Retention behavior
- Aggregated metrics may outlive raw alerts.
- No raw alert data is stored beyond alert retention.
- Aggregates cannot be reverse-engineered to individual alerts.
Retention by Plan (example)
Actual values depend on your subscription plan. See Billing & Plans for current retention.
- Free: 7-day retention for incidents and alerts.
- Pro: 14-day retention for incidents and alerts.
- Enterprise: 30-day default; custom retention available by agreement.
Deletion
The following data is permanently deleted after retention expires:
- Raw alerts
- Resolved incidents
- Incident summaries
- Associated metadata
Deleted data:
- Cannot be recovered.
- Is not available via API.
- Is not included in exports.
- A 3-day grace period may be applied between expiration and deletion to allow system cleanup; data remains inaccessible during this window.
Compliance & Security
- Retention policies are enforced automatically.
- Data deletion is irreversible.
- All data is isolated per organization (
org_id). - Access is governed by RBAC:
- Admin – Manage retention and access
- Editor – View and operate on retained data
- Viewer – Read-only access to retained data
Common Questions
Are expired incidents visible anywhere? No. Expired incidents are removed from the UI and APIs.
Do retention changes apply retroactively? Changes apply to future expirations. Already expired data is not restored.
Are backups accessible to users? No. Backups are internal and not user-accessible.
Summary
- Alerts are short-lived and operational.
- Incidents are retained longer for learning.
- Pattern intelligence uses aggregated data.
- Expired data is removed from visibility.
- Deleted data cannot be recovered.