> ## Documentation Index
> Fetch the complete documentation index at: https://tero-0926be64-video-walkthrough.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Handling

> What data Tero handles, what is stored, and how retention and deletion work.

export const securityEmail = "security@usetero.com";

<Badge>Last reviewed: March 5, 2026</Badge>
<Badge>Owner: Security + Engineering</Badge>
<Badge>Review cadence: Quarterly</Badge>
<Badge color="green">Status: Implemented</Badge>

This page defines the hosted default data scope, retention behavior, and what changes when you self-host.

## Reviewer focus

* Which data classes are stored in the hosted model
* What the default retention and deletion behavior is
* How ownership changes between hosted and self-hosted environments

## Implementation status (March 5, 2026)

Tero limits retained data by default. The control plane stores only the metadata required to operate the product. Full raw telemetry stays in your observability platform.

## Data lifecycle diagram (hosted default)

```mermaid theme={null}
flowchart LR
    IN[Ingested Product Data] --> CL[Classify and Scope]
    CL --> MD[Metadata Processing and Storage]
    MD --> RT[Retention Window Applied]
    RT --> DEL[Deletion from Active Systems]
    RT --> BK[Encrypted Backups]
    BK --> EXP[Backup Expiry]
```

## Data classes and handling model (hosted default)

| Data class                                                | Stored in Tero-hosted | Typical purpose                                          |
| --------------------------------------------------------- | --------------------- | -------------------------------------------------------- |
| Account and workspace configuration                       | Yes                   | Service setup and access control                         |
| Telemetry metadata (schema, field types, volume patterns) | Yes                   | Catalog, analysis, and policy generation                 |
| Full raw telemetry content                                | No (default model)    | Source of record remains customer observability platform |
| Authentication and session metadata                       | Yes                   | Authentication and authorization workflows               |
| Billing metadata (self-service)                           | Limited scope only    | Billing operations                                       |

## Retention and deletion baseline

| Data type                               | Default retention                    |
| --------------------------------------- | ------------------------------------ |
| Account and workspace data              | While account or workspace is active |
| Metadata required for service operation | While workspace is active            |
| Backups                                 | 30 days                              |

When a customer account or workspace is deleted, Tero removes data from active systems within 30 days. Backup copies age out under backup-retention windows.

## Hosted vs self-hosted boundary

| Area                    | Tero-hosted                | Self-hosted                                 |
| ----------------------- | -------------------------- | ------------------------------------------- |
| Data locality control   | Tero-hosted region model   | Customer-selected region and infrastructure |
| Infrastructure boundary | Tero-operated              | Customer-operated                           |
| Subprocessor scope      | Tero-managed service stack | Customer-selected stack                     |
| Data deletion execution | Tero-operated              | Customer-operated runtime                   |

## Evidence you can request

| Topic                               | Primary evidence                                                                |
| ----------------------------------- | ------------------------------------------------------------------------------- |
| High-level storage model            | [Overview](/trust/overview)                                                     |
| Ownership split by deployment       | [Shared Responsibility](/trust/shared-responsibility)                           |
| Retention and deletion expectations | [Data Retention](/trust/policies/data-retention)                                |
| Subprocessor scope                  | [Subprocessors and Third Parties](/trust/assurance/subprocessors-third-parties) |

## Exceptions and governance

Any exception to standard handling or retention behavior requires documented risk, Security and Engineering approval, compensating controls, and a time-bound remediation plan.

Evidence requests: [{securityEmail}](mailto:\{securityEmail})
