Compliance policies
The Compliance section of the admin console covers four overlapping capabilities: legal holds, retention policies, data loss prevention (DLP), and eDiscovery, plus sensitivity labels, which act as a foundation for all four. Each has its own tab under Compliance; the path is given in each section below.
Legal holds
Place a hold on a user, a share, or an arbitrary set of files. While the hold is active:
- Files matching the hold can't be permanently deleted. Move-to-trash is still allowed, but the trash window stops counting for them, so they are never purged from trash while held.
- Versions matching the hold aren't pruned, regardless of retention policy.
- Users see a "hold" badge on affected files and can't override it.
- Audit events for affected files are exempt from audit-log retention, so they aren't pruned while the hold stands.
Compliance → Legal Holds → New hold. Define:
| Field | Purpose |
|---|---|
| Name + matter | Free text; appears in audit events and reports |
| Scope | User(s), share(s), file path patterns, or explicit file IDs |
| Custodians | Users notified of the hold (optional) |
| Start / end date | End date is informational; you must lift the hold manually |
Lift a hold from the same page (Lift). Nothing is deleted at that moment; the files simply become eligible for normal retention again, which the nightly job applies on its next run.
Retention policies
A retention policy keeps content for a minimum duration and/or deletes it after a maximum duration. ScaiDrive distinguishes these explicitly:
- Minimum retention — files can't be deleted before this age, even by an owner. Useful for "keep all contracts for 7 years."
- Maximum retention — files are automatically deleted at this age. Useful for "purge customer support transcripts after 90 days."
Both can be combined on the same policy. The policy targets are flexible: a share, a path within a share, files matching a sensitivity label, or files matching a name pattern.
A nightly job evaluates policies and acts. Effects:
- Files past max-retention go to trash (then to permanent deletion after the trash window).
- Files under min-retention have their delete-permanently action blocked.
- Files matching both are moved to trash at max-retention and are permanently deleted only once both the trash window and min-retention have elapsed; if min-retention is the longer of the two, they sit in trash until it runs out.
Policies can be simulated before being saved — Compliance → Retention → policy → Preview impact shows the number of files that would be affected and their total size. Always preview before activating a new policy.
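To check your reading of how holds, min-retention, max-retention and the trash window compose, here is a small model of the nightly job as the page describes it. It is added here as an illustration and is not ScaiDrive's code: the `Policy` and `FileState` shapes, the day-granularity clock and the 30-day trash window are assumptions, while the rules themselves (max-retention trashes, min-retention and holds block permanent deletion, a hold never blocks move-to-trash) are the ones stated above under Legal holds and Retention policies.

```python
"""Model of how ScaiDrive's nightly retention job, the trash window and legal
holds interact, as described on this page. Added illustration, not ScaiDrive
code: the Policy/FileState shapes, day granularity and the 30-day trash window
are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TRASH_WINDOW_DAYS = 30  # assumed length; the page says a trash window exists, not how long


@dataclass
class Policy:
    min_days: Optional[int] = None  # minimum retention: no permanent deletion before this age
    max_days: Optional[int] = None  # maximum retention: auto-trashed at this age


@dataclass
class FileState:
    age_days: int                      # days since the file was created
    trashed_at: Optional[int] = None   # age at which it entered trash; None = live
    on_hold: bool = False              # matched by an active legal hold


def can_purge(f: FileState, p: Policy) -> bool:
    """Permanent deletion (by an owner or by the job) is blocked by a hold or by min-retention."""
    if f.on_hold:
        return False
    return p.min_days is None or f.age_days >= p.min_days


def nightly_action(f: FileState, p: Policy) -> str:
    """What the nightly job does to one file: 'keep', 'trash' or 'purge'."""
    if f.trashed_at is None:
        # A hold does not prevent move-to-trash, only permanent deletion.
        if p.max_days is not None and f.age_days >= p.max_days:
            return "trash"
        return "keep"
    # Already in trash: the trash window must have elapsed and nothing may block the purge.
    if f.age_days < f.trashed_at + TRASH_WINDOW_DAYS:
        return "keep"
    return "purge" if can_purge(f, p) else "keep"


def simulate(p: Policy, horizon_days: int,
             hold: Optional[Tuple[int, int]] = None) -> Tuple[Optional[int], Optional[int]]:
    """Run one new file through the job day by day; return (trash_day, purge_day).

    hold=(start, end) places a legal hold on the file for ages start <= age < end.
    """
    f = FileState(age_days=0)
    trash_day = purge_day = None
    for day in range(horizon_days + 1):
        f.age_days = day
        f.on_hold = hold is not None and hold[0] <= day < hold[1]
        action = nightly_action(f, p)
        if action == "trash":
            f.trashed_at = day
            trash_day = day
        elif action == "purge":
            purge_day = day
            break
    return trash_day, purge_day


if __name__ == "__main__":
    # Policies from the examples above, run over a 400-day horizon.
    print("support transcripts, max 90:", simulate(Policy(max_days=90), 400))                # (90, 120)
    print("contracts, min 7 years:", simulate(Policy(min_days=7 * 365), 400))                # (None, None)
    print("min 365 + max 90:", simulate(Policy(min_days=365, max_days=90), 400))             # (90, 365)
    print("max 90, hold days 100-200:", simulate(Policy(max_days=90), 400, hold=(100, 200)))  # (90, 200)
```

The last two runs are the cases worth internalising: with min-retention longer than max-retention the file is trashed at day 90 but cannot be purged until day 365, and a hold placed while the file is in trash keeps it there past the trash window until the hold is lifted, after which the next run purges it.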
Data Loss Prevention (DLP)
DLP rules scan file content (and filename + metadata) for patterns. When a rule matches, you can:
- Block the upload / external link / download.
- Alert — log a violation, optionally notify the user and an admin.
- Quarantine — move the file to a special holding share for review.
- Label — automatically apply a sensitivity label.
Compliance → DLP → New rule:
| Field | Notes |
|---|---|
| Detector | Built-in (credit-card, US SSN, AWS keys, …), custom regex, or a vectorization-based "looks like a contract" classifier |
| Target | What triggers it — upload, sharing, external link, download, or any combination |
| Scope | Which shares the rule applies to |
| Action | Block / alert / quarantine / label |
| Severity | Drives event severity in the audit log |
Test a rule before activating it: paste sample content into the rule page and check whether it matches. Then enable the rule and watch for new violations on the same page.
ScaiDrive ships with a starter set of pattern-style detectors for the common compliance categories (PCI-DSS, GDPR, HIPAA). The defaults are deliberately conservative, so expect to extend them for your own data formats; test any change against both real examples and known-good content, because a loosened pattern on a Block action will interrupt routine uploads.
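Here, as an added example rather than ScaiDrive's own detector code, is what a built-in detector set of this kind amounts to in practice: regex detectors for card numbers, US SSNs and AWS access key IDs, a Luhn check to suppress card false positives, and the Target, Action and Severity fields from the table above evaluated over a constructed sample document. The regexes, rule names, action precedence and sample text are my assumptions; `AKIAIOSFODNN7EXAMPLE` is the placeholder key from AWS's own documentation, not a live credential.

```python
"""Hand-rolled DLP detectors and rule evaluation of the kind described on this
page. Added example, not ScaiDrive code: the regexes, the Rule/Finding shapes,
the action precedence and the sample document are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; rejects most non-card digit runs (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")           # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")   # AWS access key ID format


def find_cards(text: str) -> List[str]:
    """Card candidates that also pass Luhn; the checksum is what keeps the false-positive rate sane."""
    return [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def find_aws_keys(text: str) -> List[str]:
    return AWS_KEY_RE.findall(text)


@dataclass
class Rule:
    name: str
    detect: Callable[[str], List[str]]
    targets: Set[str]             # subset of {"upload", "share", "external_link", "download"}
    action: str                   # "block" | "alert" | "quarantine" | "label"
    severity: str                 # drives the audit-event severity
    label: Optional[str] = None   # only meaningful for action == "label"


@dataclass
class Finding:
    rule: str
    action: str
    severity: str
    matches: List[str]
    label: Optional[str] = None


# Assumed rule set mirroring the table fields above.
RULES = [
    Rule("credit-card-block", find_cards, {"upload", "external_link", "download"}, "block", "high"),
    Rule("credit-card-label", find_cards, {"upload"}, "label", "high", label="pci"),
    Rule("us-ssn", find_ssns, {"upload", "external_link"}, "quarantine", "high"),
    Rule("aws-key", find_aws_keys, {"upload", "share", "external_link", "download"}, "block", "critical"),
]


def scan(text: str, event: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule whose Target includes this event; return one Finding per matching rule."""
    findings = []
    for r in rules:
        if event not in r.targets:
            continue
        hits = r.detect(text)
        if hits:
            findings.append(Finding(r.name, r.action, r.severity, hits, r.label))
    return findings


PRECEDENCE = ["block", "quarantine", "alert"]  # assumed: most restrictive action wins


def decide(findings: List[Finding]) -> Tuple[str, Set[str]]:
    """Collapse findings into one verdict plus the set of labels to apply (labels never stop the event)."""
    labels = {f.label for f in findings if f.action == "label" and f.label}
    for action in PRECEDENCE:
        if any(f.action == action for f in findings):
            return action, labels
    return "allow", labels


# Constructed sample document; the first line has the shape of a card number but fails Luhn.
SAMPLE = """Order #1234-5678-9012-3456 shipped.
Card on file: 4111 1111 1111 1111
Employee SSN: 123-45-6789
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for event in ("upload", "download", "share"):
        findings = scan(SAMPLE, event)
        print(event, [(f.rule, f.action, f.severity, f.matches) for f in findings], decide(findings))
```

Two things to note when reading the output: the order number on the first line is skipped because it fails the Luhn check even though it matches the card pattern, while the test card on the second line is reported; and the `download` run has no SSN finding because that rule's Target excludes downloads, which is exactly the targeting the Target field in the table controls.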
eDiscovery
Compliance → eDiscovery is the search-and-export workflow for legal review. Create a case:
- Define scope (custodians, date range, optional text or sensitivity-label filter).
- ScaiDrive performs a snapshot: indexes matching content and lists the files.
- Review or annotate from the case page.
- Export as a portable archive: original files + an `events.csv` audit trail + a manifest.
Cases survive independently of the file life-cycle: deleting a file after it has been added to a case keeps a frozen copy in the case archive. Common pattern: open a case when a legal hold is placed; export the case archive when discovery is requested.
Sensitivity labels
Labels are first-class metadata you can attach to files (and folders, propagating to children). Each label has a name, a color, and a policy effect:
| Effect | What it does |
|---|---|
| Block external sharing | Files with this label can't be shared via external link |
| Force encryption-at-rest | Storage backend uses a label-specific encryption key |
| Enable watermarking | Previews and downloads carry a watermark with the viewer's identity |
| Require approval to download | Downloads need an admin approval (workflow opens in admin console) |
Labels can be applied:
- Manually by an admin or a contributor with a sufficient role.
- Automatically by a DLP rule (e.g., "content matches PCI-DSS detector → label `pci`").
- By integration via the `POST /api/v1/files/{id}/labels` API.
Configure labels at Compliance → Sensitivity Labels.
Compliance reporting
A common ask is "give me a report of all files matching X for the last quarter." The Audit Log export covers events; for content state, the eDiscovery case export is the right tool. For storage-utilization-style reports, see Storage → Quotas → History (Shares and quotas).
What's next
- Audit and activity.
- SIEM integration — stream events to your security platform.
- External link policy — global controls on public sharing.