At Turngate, we’re all about making your audit data more transparent and useful to you and the rest of your organization. Despite being a security professional, having access to audit data from your vendors is not guaranteed. Some vendors even make you pay extra for it (just like some vendors make you pay extra for SSO). Even if you do have access to your vendor’s logs, finding out how to get access—and how long they hold the data for you—can be a challenge in its own right. Wouldn’t it be great if someone did the work on assembling SaaS log data retention timelines for you?
In the same vein as one of our favorite reference documents from SSO.tax, Turngate has done the heavy lifting on log retention terms for popular vendor audit records. We compiled this list combining internet research and personal outreach to vendor support teams so that you can focus on the rest of your job, and not spend time looking (or calling around) for it.
Why is it so hard to find this data?
Would you be surprised to hear that it wasn’t easy finding all this information? Some vendors were strangely cagey about sharing this data, which seems… not great—or at least, not transparent. It’s your audit data, so it should be as easy to access the retention periods as the service itself…but we digress.
Without further ado, the table below contains what we’ve uncovered so far. We’ll be updating this list periodically, so bookmark it and set a reminder to check back on our changes. Also, if there are vendors you think would be useful to the community to add to this list, let us know – we’ll use your contact info only for communicating with you on our research.
The Ultimate List of SaaS Log Data Retention Timelines
| Data Source |
Default Retention Term |
Need to Opt-In? |
Can You Buy a Longer Term? |
Required License |
Useful Links |
Last Updated |
| 1Password |
365 days |
No |
No |
- |
https://support.1password.com/activity-log/ |
6/24/24 |
| Asana |
90 days |
No |
No |
Enterprise+ |
https://developers.asana.com/docs/audit-log-events |
6/24/24 |
| Box |
Indefinite |
No |
No |
Business Plus/Enterprise |
https://support.box.com/hc/en-us/articles/360043696594-Tracking-User-Activity-on-Files |
6/24/24 |
| Dropbox |
366 days |
No |
No |
Any |
https://help.dropbox.com/account-access/view-activity
https://help.dropbox.com/delete-restore/version-history-overview |
6/24/24 |
| Duo Security |
Indefinite/180 days |
No |
No |
Any |
https://help.duo.com/s/article/2990 |
6/24/24 |
| GitHub |
7 days for Git events/180 days for non-Git events (some events are not available via web UI) |
No |
No |
Any |
https://docs.github.com/en/enterprise-server@3.6/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise |
6/24/24 |
| GWS |
It’s complicated…30 days to 10 years, depending on the type of log and the organization's Google Workspace edition |
No |
No |
For most audit logs, the default retention period is 6 months. After this period, if the logs are not exported or stored elsewhere, they will be permanently deleted.
Email log searching is limited to a 30-day window.
Organizations can configure Cloud Logging to retain logs in the "_Default" logs bucket for a period ranging from 1 day to 3650 days. This extended retention requires routing the logs to Google Cloud.
The "_Required" bucket, which holds Admin Activity audit logs, System Event audit logs, and Access Transparency logs, has a fixed retention period that cannot be changed.
Google will delete all customer-deleted data from its systems within a maximum period of 180 days.
|
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
https://support.google.com/a/answer/7061566
https://workspace.google.com/learn-more/security/security-whitepaper/page-8.html |
6/26/24 |
| Hubspot |
“No limit, but if you don't login to the account for 210 days, it will be purged.” |
No |
No |
Enterprise |
https://knowledge.hubspot.com/account-management/view-and-export-account-activity-history |
6/25/24 |
| Microsoft 365 |
180 days |
No |
Yes |
Any – E5 gets longer retention |
https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal
https://www.syskit.com/blog/audit-logs-on-office-365/ |
6/26/24 |
| Okta |
90 days |
No |
No |
Any |
https://support.okta.com/help/s/article/Customer-Data-Retention-Policy |
6/26/24 |
| OneLogin |
? |
? |
? |
? |
? |
? |
| Salesforce |
Indefinite |
No |
Yes |
Basic logging included with Classic and Lightning Experience.
For Enterprise, Performance, and Unlimited editions additional auditing is available.
|
https://help.salesforce.com/s/articleView?id=release-notes.rn_security_field_audit_trail_retention.htm&release=238&type=5
https://help.salesforce.com/s/articleView?id=sf.real_time_event_monitoring_overview.htm&language=en_US&type=5 |
6/26/24 |
| Slack |
Indefinite |
? |
? |
Enterprise Grid |
https://api.slack.com/admins/audit-logs |
6/17/24 |
| Zoom |
180 (meeting logs); Indefinite (operation logs) |
? |
? |
Pro, Business, Education, or Enterprise |
https://explore.zoom.us/docs/doc/NCSC-Cloud-Security-Principles-Zoom-(2005).pdf |
6/26/24 |
| Jira/Atlassian |
For Jira Cloud, the limit is 180 days.
For Jira Server/Data Center, there is a configurable 10MM record limit.
For Confluence, database retention is limited by the retention period, with a maximum of 10MM records.
|
No |
No |
Any |
https://confluence.atlassian.com/adminjiraserver/auditing-in-jira-938847740.html
https://confluence.atlassian.com/jirakb/health-check-audit-log-capacity-1004953466.html |
6/27/24 |
Everything important, all in one place
Or, if you’d like to not think about these problems at all, Turngate thinks we have a pretty nifty solution that aggregates the audit records for you. If you want to try it, you can hook up one SaaS vendor by yourself for free and see what kind of clarity we provide. Or, if you want to try the full product with your suite of SaaS products, ping our sales team and we’ll get you set up with a full trial.
