---
title: Compliance policies
path: administration/compliance-policies
status: published
---

The Compliance section of the admin console covers four overlapping capabilities: **legal holds**, **retention policies**, **data loss prevention (DLP)**, and **eDiscovery**, with **sensitivity labels** as the foundation shared by all four. Each tab under **Compliance** (Legal Holds, Retention, DLP, eDiscovery, Sensitivity Labels) configures one of these.

## Legal holds

Place a hold on a user, a share, or an arbitrary set of files. While the hold is active:

- Files matching the hold can't be permanently deleted (move-to-trash is allowed; trash retention is suspended).
- Versions matching the hold aren't pruned, regardless of retention policy.
- Users see a "hold" badge on affected files and can't bypass it.
- Audit events for affected files are kept regardless of the audit log's retention window.

Compliance → Legal Holds → **New hold**. Define:

| Field | Purpose |
|---|---|
| Name + matter | Free text; appears in audit events and reports |
| Scope | User(s), share(s), file path patterns, or explicit file IDs |
| Custodians | Users notified of the hold (optional) |
| Start / end date | End date is informational; you must lift the hold manually |

Lift a hold: same page → **Lift**. Files become eligible for normal retention again.

## Retention policies

A retention policy keeps content for a minimum duration and/or deletes it after a maximum duration. ScaiDrive distinguishes these explicitly:

- **Minimum retention** — files can't be permanently deleted before this age, even by their owner. Useful for "keep all contracts for 7 years."
- **Maximum retention** — files are automatically deleted at this age. Useful for "purge customer support transcripts after 90 days."

Both can be combined on the same policy. The policy targets are flexible: a share, a path within a share, files matching a [sensitivity label](#sensitivity-labels), or files matching a name pattern.

A nightly job evaluates policies and acts. Effects:

- Files past max-retention go to trash (then to permanent deletion after the trash window).
- Files under min-retention have their delete-permanently action blocked.
- Files matching a policy that sets both (with max-retention shorter than min-retention) move to trash at max-retention but can't be permanently deleted until min-retention elapses.

Policies can be **simulated** before being saved — Compliance → Retention → policy → **Preview impact** shows the number of files that would be affected and their total size. Always preview before activating a new policy.
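As an added illustration (not ScaiDrive's own code), the following Python models the decisions described above: the legal-hold precedence from the previous section, the min/max rules, and the count-and-size figure that **Preview impact** reports. The 30-day trash window, the record and policy field names and the sample files are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

TRASH_WINDOW_DAYS = 30  # assumed trash window for this example; not a documented default


@dataclass
class RetentionPolicy:
    name: str
    min_days: Optional[int] = None  # minimum retention: no permanent deletion before this age
    max_days: Optional[int] = None  # maximum retention: moved to trash at this age


@dataclass
class FileRecord:
    path: str
    created: date
    size_bytes: int
    in_trash: bool = False
    trashed_on: Optional[date] = None
    on_hold: bool = False


def can_delete_permanently(f: FileRecord, policy: RetentionPolicy, today: date) -> bool:
    """User-facing check: a legal hold or an unexpired minimum retention blocks
    permanent deletion, even for the file's owner."""
    if f.on_hold:
        return False
    age = (today - f.created).days
    if policy.min_days is not None and age < policy.min_days:
        return False
    return True


def nightly_action(f: FileRecord, policy: RetentionPolicy, today: date) -> str:
    """Decide what the nightly job does with one file.

    Returns one of:
      'hold'   - legal hold active: nothing is trashed, purged or pruned
      'keep'   - no deadline reached yet
      'trash'  - maximum retention reached: move to trash
      'retain' - trash window elapsed but minimum retention still blocks purging
      'purge'  - trash window elapsed and nothing blocks permanent deletion
    """
    if f.on_hold:
        return "hold"
    age = (today - f.created).days
    if not f.in_trash:
        if policy.max_days is not None and age >= policy.max_days:
            return "trash"
        return "keep"
    # Already in trash: permanent deletion happens after the trash window,
    # unless minimum retention (or a hold, handled above) still blocks it.
    if f.trashed_on is None or (today - f.trashed_on).days < TRASH_WINDOW_DAYS:
        return "keep"
    return "purge" if can_delete_permanently(f, policy, today) else "retain"


def preview_impact(files: List[FileRecord], policy: RetentionPolicy,
                   today: date) -> Tuple[int, int]:
    """Mirror of 'Preview impact': number and total size of files the job would move or purge."""
    affected = [f for f in files if nightly_action(f, policy, today) in ("trash", "purge")]
    return len(affected), sum(f.size_bytes for f in affected)


# Constructed sample data (not real files).
TODAY = date(2024, 6, 1)
TRANSCRIPTS = RetentionPolicy("support-transcripts", max_days=90)
CONTRACTS = RetentionPolicy("contracts-7y", min_days=7 * 365)
BOTH = RetentionPolicy("trash-at-90-keep-1y", min_days=365, max_days=90)
SAMPLE_FILES = [
    FileRecord("support/chat-001.txt", TODAY - timedelta(days=120), 4_000),
    FileRecord("support/chat-002.txt", TODAY - timedelta(days=10), 2_000),
    FileRecord("support/chat-003.txt", TODAY - timedelta(days=200), 8_000,
               in_trash=True, trashed_on=TODAY - timedelta(days=45)),
    FileRecord("legal/msa.pdf", TODAY - timedelta(days=400), 50_000, on_hold=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f.path, nightly_action(f, TRANSCRIPTS, TODAY))
    print("preview:", preview_impact(SAMPLE_FILES, TRANSCRIPTS, TODAY))
```

The ordering of checks is the point: the hold test comes first so that no retention rule can ever purge a held file, and the minimum-retention test sits behind the trash window so that a file which was trashed early simply waits in trash rather than being restored or purged.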

## Data Loss Prevention (DLP)

DLP rules scan file content (plus filename and metadata) for patterns. When a rule matches, you can:

- **Block** the upload / external link / download.
- **Alert** — log a violation, optionally notify the user and an admin.
- **Quarantine** — move the file to a special holding share for review.
- **Label** — automatically apply a sensitivity label.

Compliance → DLP → **New rule**:

| Field | Notes |
|---|---|
| Detector | Built-in (credit-card, US SSN, AWS keys, …), custom regex, or a vectorization-based "looks like a contract" classifier |
| Target | What triggers it — upload, sharing, external link, download, or any combination |
| Scope | Which shares the rule applies to |
| Action | Block / alert / quarantine / label |
| Severity | Drives event severity in the audit log |

Test a rule before activating it: paste sample content and check whether it matches. Then **Enable** and watch for new violations from the same page.

ScaiDrive ships with a starter set of pattern-style detectors for the common compliance categories (PCI-DSS, GDPR, HIPAA). Tune them to your environment; the defaults are deliberately conservative.
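To show what a tuned detector looks like in practice, here is an added Python example (not ScaiDrive's detector engine): three detectors in the style of the built-ins, a Luhn post-check that stops a 16-digit order number from counting as a card number, masking of matches before they reach a log, and rule evaluation by target and scope as in the rule table above. The rule and finding field names and the sample text are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a run of digits is not a card number unless this passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Detector:
    name: str
    pattern: re.Pattern
    validate: Callable[[str], bool] = lambda match: True  # post-filter on the raw match


DETECTORS = [
    # 13-19 digits with optional single space/dash separators; must pass Luhn
    Detector("credit-card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
             lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    # US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued
    Detector("us-ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    # AWS access key IDs: long-term (AKIA) and temporary (ASIA) prefixes
    Detector("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]


@dataclass
class Finding:
    detector: str
    start: int
    end: int
    masked: str  # keep the raw value out of logs and alerts


def mask(value: str) -> str:
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan(text: str, detectors=DETECTORS) -> List[Finding]:
    """What the 'paste sample content' test does: run every detector over the text."""
    findings = []
    for det in detectors:
        for m in det.pattern.finditer(text):
            if det.validate(m.group(0)):
                findings.append(Finding(det.name, m.start(), m.end(), mask(m.group(0))))
    return findings


@dataclass
class Rule:
    name: str
    detector: str
    targets: frozenset  # subset of {"upload", "sharing", "external-link", "download"}
    scope: frozenset    # share names the rule applies to
    action: str         # "block" | "alert" | "quarantine" | "label"
    severity: str = "medium"


def evaluate_rules(rules: List[Rule], target: str, share: str, content: str) -> List[str]:
    """Actions fired for one event, most restrictive first (block > quarantine > label > alert)."""
    hit = {f.detector for f in scan(content)}
    order = {"block": 0, "quarantine": 1, "label": 2, "alert": 3}
    fired = [r.action for r in rules
             if target in r.targets and share in r.scope and r.detector in hit]
    return sorted(set(fired), key=order.get)


# Constructed sample content and rules (not real data).
SAMPLE_TEXT = (
    "Card 4111 1111 1111 1111 on file; order ref 1234567890123456.\n"
    "Applicant SSN 123-45-6789. Deploy key AKIAIOSFODNN7EXAMPLE in notes."
)
RULES = [
    Rule("pci-block-external", "credit-card", frozenset({"external-link", "sharing"}),
         frozenset({"sales"}), "block", "high"),
    Rule("pci-label", "credit-card", frozenset({"upload"}), frozenset({"sales"}), "label"),
    Rule("secrets-quarantine", "aws-access-key-id", frozenset({"upload"}),
         frozenset({"sales", "eng"}), "quarantine", "high"),
    Rule("pii-alert", "us-ssn", frozenset({"upload", "download"}),
         frozenset({"hr", "sales"}), "alert"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f)
    print(evaluate_rules(RULES, "upload", "sales", SAMPLE_TEXT))
```

Two habits from this example carry over to the console: add a validation step (Luhn, prefix allow-lists, never-issued SSN ranges) rather than widening a regex, since a bare 16-digit pattern fires on order numbers and timestamps, and make sure whatever you wire into **Alert** receives the masked value, not the match itself.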

## eDiscovery

Compliance → eDiscovery is the search-and-export workflow for legal review. Create a **case**:

1. Define scope (custodians, date range, optional text or sensitivity-label filter).
2. ScaiDrive performs a snapshot: indexes matching content and lists the files.
3. Review or annotate from the case page.
4. **Export** as a portable archive: original files + an `events.csv` audit trail + a manifest.

Cases are independent of the file life-cycle: a file deleted after it has been added to a case remains as a frozen copy in the case archive. Common pattern: open a case when a legal hold is placed; export the case archive when discovery is requested.

## Sensitivity labels

Labels are first-class metadata you can attach to files (and folders, propagating to children). Each label has a name, a color, and a policy effect:

| Effect | What it does |
|---|---|
| Block external sharing | Files with this label can't be shared via external link |
| Force encryption-at-rest | Storage backend uses a label-specific encryption key |
| Enable watermarking | Previews and downloads carry a watermark showing the viewer's identity |
| Require approval to download | Downloads need an admin approval (workflow opens in admin console) |

Labels can be applied:

- **Manually** by an admin or by a contributor with a sufficient role.
- **Automatically** by a DLP rule (e.g., "content matches PCI-DSS detector → label `pci`").
- **By integration** via the `POST /api/v1/files/{id}/labels` API.

Configure labels at Compliance → Sensitivity Labels.

## Compliance reporting

A common ask is "give me a report of all files matching X for the last quarter." The Audit Log export covers events; for content state, the eDiscovery case export is the right tool. For storage-utilization-style reports, see Storage → Quotas → **History** ([Shares and quotas](/docs/scaidrive/administration/shares-and-quotas)).

## What's next

- [Audit and activity](/docs/scaidrive/administration/audit-and-activity).
- [SIEM integration](/docs/scaidrive/administration/siem-integration) — stream events to your security platform.
- [External link policy](/docs/scaidrive/administration/external-link-policy) — global controls on public sharing.