Call Recording Retention Policies: CallSphere vs Vapi Defaults
How long should you keep call recordings? CallSphere ships per-vertical retention defaults; Vapi customers DIY. Compare lifecycle and erasure flows.
TL;DR
Retention is a deceptively complex compliance problem. Keep recordings too long and you create unnecessary risk; too short and you fail audit / legal hold requirements. CallSphere ships per-vertical retention defaults (healthcare, sales, salon, IT helpdesk, after-hours) with documented archive and erasure flows. Vapi.ai is voice infrastructure — retention is whatever the customer's storage vendor and DIY scripts produce, with no built-in lifecycle management. This post walks through retention windows by vertical, the lifecycle pipeline (active → warm → cold → erase), and gives you a procurement checklist.
Why Retention Is a CISO Question
Three forces pull retention in opposite directions:
- Pull longer: legal hold, audit requirements, dispute resolution, training data quality
- Pull shorter: GDPR storage limitation (Art. 5(1)(e)), CCPA / CPRA right to erasure, breach blast radius minimization, storage cost
- Pull configurable: state-specific retention (e.g., medical records retention varies state by state — 5 to 30 years)
A platform with per-vertical defaults gives the customer a defensible starting point that maps to common regulatory regimes. A platform that requires the customer to design retention from scratch typically results in either "keep everything forever" (high risk, high cost) or accidental data loss.
Retention Defaults — Sample by Vertical
| Vertical | Active | Warm | Cold / Archive | Total | Notes |
|---|---|---|---|---|---|
| Healthcare | 30 days | 1 year | 6 years | ~7 years | Aligns to HIPAA documentation retention |
| Sales | 14 days | 90 days | 1 year | ~1 year | Coaching + dispute window |
| Salon | 7 days | 30 days | 90 days | ~90 days | Operational only |
| IT Helpdesk | 14 days | 60 days | 1 year | ~1 year | Incident review |
| After-Hours | 30 days | 90 days | 1 year | ~1 year | Escalation review |
These defaults are starting points — every customer can adjust per their legal and operational needs. The lifecycle pipeline is the same: a recording moves from hot storage (fast access) to warm (cheaper) to cold (archive) and finally to erasure.
Vapi's DIY Retention Burden
Because Vapi is voice infrastructure with no built-in storage layer, the customer:
- Picks a storage vendor (S3, Azure Blob, GCS)
- Designs lifecycle rules manually
- Writes erasure scripts (often using S3 Object Lifecycle and bucket policies)
- Wires GDPR / CCPA right-to-erasure requests into the deletion pipeline
- Maintains audit logs of every retention transition
- Tests the pipeline (often skipped — and only discovered during incident response)
A typical maturity curve: customer defaults to "keep forever in S3 standard" for the first 18 months, until storage costs or a breach exposes the gap, then panics and rebuilds.
CallSphere's Lifecycle Architecture
CallSphere's retention pipeline is built into the platform:
- Active (hot): Postgres + S3 standard — fast access for ops, dashboards, analytics
- Warm: S3 Standard-IA — read-occasionally, cheaper
- Cold / archive: S3 Glacier or equivalent — audit-only access
- Erasure: Cryptographic shredding (KMS key destruction) plus storage delete, with audit log entry
Per-tenant policy controls dictate the days at each stage. The right-to-erasure workflow is exposed via the dashboard and a documented API.
Mermaid: Retention Lifecycle
stateDiagram-v2
[*] --> Active : Recording created
Active --> Warm : day N (per vertical)
Warm --> Cold : day M (per vertical)
Cold --> Erased : day P (per vertical)
Active --> Erased : right-to-erasure request
Warm --> Erased : right-to-erasure request
Cold --> Erased : right-to-erasure request
Erased --> [*]
Active --> Hold : legal hold
Warm --> Hold : legal hold
Cold --> Hold : legal hold
Hold --> Active : hold released
The state machine is explicit. Every transition is logged in the audit_logs table with the policy that triggered it.
Comparison Table
| Retention Capability | Vapi DIY | CallSphere |
|---|---|---|
| Per-vertical defaults | Build yourself | Built-in |
| Hot/warm/cold tiers | Build yourself | Default |
| Cryptographic erasure | Build yourself | Default |
| Right-to-erasure API | Build yourself | Built-in |
| Legal hold workflow | Build yourself | Built-in |
| Audit log of transitions | Build yourself | Default |
| Per-tenant policy override | Build yourself | Config |
| State / regional retention rules | Build yourself | Config |
| Time-to-compliance retention | Months | Day 1 |
Right to Erasure — A Practical Walkthrough
A patient submits a deletion request. The flow:
- Request received via support / dashboard / API
- Identity verification step (per HIPAA / GDPR best practices)
- CallSphere logs the request in audit_logs
- Recordings, transcripts, and analytics rows for the patient are erased across hot/warm/cold tiers
- Tokenized references in analytics are scrubbed
- Confirmation logged + sent to requester
- Backups are flagged for the next backup-rotation purge (per documented policy)
In a Vapi-based stack, step 4 alone often spans 5 vendors and the customer's own glue code. Each handoff is a chance for partial deletion, which is itself a compliance issue.
Procurement-Friendly Retention Checklist
- Are per-vertical retention defaults documented?
- Are hot/warm/cold tiers configurable per tenant?
- Is cryptographic erasure (KMS key destruction) supported?
- Is right-to-erasure exposed via API or dashboard?
- How are backups handled in erasure flows?
- Is legal hold a first-class feature?
- Are retention transitions audit-logged?
- Can per-customer state-specific rules be applied?
- What is the SLA for completing an erasure request?
- Are retention controls in scope for SOC 2 / HIPAA?
Real-World Cost & Risk Numbers
A typical mid-sized contact center generates ~50,000 minutes of recordings per month. At 24 kbps stereo, that's ~10 GB / month, ~120 GB / year. Over 5 years of "keep forever" with no lifecycle:
- ~600 GB in S3 Standard ≈ $13.80/month, but blast radius is the full 5-year corpus
- Same data with hot-warm-cold lifecycle ≈ $4-5/month and limited blast radius if breached
Cost is small but the blast radius difference is enormous: a breach of an unmaintained "keep forever" bucket exposes 5 years of PII. Lifecycle limits exposure to the active window.
CTA
Lifecycle is what separates "we have recordings" from "we have a defensible retention posture." Book a CallSphere demo, or check our pricing for retention tiers.
FAQ
Can I keep recordings longer than the default?
Yes — per-tenant policy can extend retention to meet legal hold, audit, or training data requirements. Each extension is documented.
See AI Voice Agents Handle Real Calls
Book a free demo or calculate how much you can save with AI voice automation.
What about transcripts vs audio?
Both follow the same lifecycle by default. Customers can choose to retain transcripts longer than audio (cheaper, lower-risk) under documented policy.
Is the right-to-erasure SLA documented?
CallSphere's standard SLA is 30 days from verified request to confirmed erasure across all tiers, well within GDPR / CCPA windows.
Does CallSphere handle legal hold?
Yes. Legal hold halts lifecycle transitions and erasure requests for affected records, with audit trail.
What happens to analytics on erased calls?
Aggregate metrics persist (counts, sentiment averages) but per-call rows are scrubbed. The result is statistically equivalent without retaining individual PII.
Deep Dive: Per-Vertical Retention Rationale
Healthcare Retention
The HIPAA Privacy Rule does not specify a retention period for PHI itself, but the Security Rule (45 CFR § 164.530(j)) requires retention of compliance documentation for 6 years from creation or last effective date. Many states impose longer medical record retention (commonly 7-10 years for adults, longer for minors). CallSphere's healthcare default of ~7 years balances HIPAA documentation retention with state-specific minimums.
Specific retention extensions:
- Pediatric records often retained until age of majority + state retention period
- Mental health records have additional retention rules in some states
- Substance use disorder records are subject to 42 CFR Part 2 — separate retention rules apply
Sales Retention
Sales call retention is driven by:
- Coaching window (90 days typical)
- Dispute / complaint window (1 year typical for B2B; longer for B2C)
- Training data needs (often 6-12 months of representative samples)
The default 1-year retention covers typical sales cycle and dispute resolution windows.
Salon / Personal Services
Lower-stakes operational data — 90 days covers typical operational review and dispute windows.
IT Helpdesk
Typically retained for incident review, root cause analysis, and post-incident learning. 1 year covers typical incident escalation and trend analysis.
After-Hours / Emergency Lines
Retained for escalation review and pattern analysis. After-hours calls may have legal hold requirements (e.g., if escalated to emergency services).
Lifecycle Cost Modeling
A typical 50,000-minute-per-month customer:
| Storage Tier | Monthly Volume | Storage Class | Cost |
|---|---|---|---|
| Active (30 days) | ~10 GB | S3 Standard | ~$0.23 |
| Warm (60 days) | ~20 GB | S3 Standard-IA | ~$0.25 |
| Cold (5+ years) | ~600 GB | S3 Glacier | ~$2.40 |
| Total monthly | ~$2.88 |
Compared to "keep all in S3 Standard forever":
| Tier | Volume after 7 years | Storage | Cost |
|---|---|---|---|
| All Standard | ~840 GB | S3 Standard | ~$19.32/month |
The lifecycle approach is ~85% cheaper at steady state, plus dramatically smaller blast radius.
Backup Erasure Considerations
Backups are the trickiest part of right-to-erasure. Industry best practice:
- Backups are subject to a documented retention period (e.g., 35 days)
- Erasure requests are honored on the next backup rotation cycle
- The DPA discloses that backups are temporarily retained post-erasure
- Customers receive a confirmation when backups are fully purged
CallSphere documents this clearly. A Vapi-based stack inherits whatever backup behavior each upstream vendor exposes — often opaque.
Legal Hold Workflow
When litigation or regulatory hold is anticipated, the typical workflow:
- Legal team identifies scope (specific patient, date range, agent)
- Hold flag set in dashboard with hold ID and reason
- Lifecycle transitions paused for affected records
- Hold review periodically (quarterly recommended)
- Hold released when no longer needed
- Affected records resume normal lifecycle
Hold events are audit-logged and exportable. Legal teams can produce a "litigation hold report" showing which records are on hold and when each hold was applied / released.
Erasure Verification
After erasure, customers can request verification:
- Cryptographic shredding event log entry (KMS key destruction timestamp)
- Storage delete confirmation (S3 delete event log)
- Database row delete confirmation
- Backup purge confirmation (after backup window expires)
This verification package is the kind of evidence a regulator would demand if a deletion request was contested.
Lifecycle Policy Examples
A real CallSphere customer's policy (anonymized):
Healthcare practice with multi-state operations:
Active: 30 days hot storage
Warm: 1 year warm storage
Cold: 6 years cold archive
Erasure: cryptographic shred + storage delete
Backups: 35 days, then purged
Legal hold: per-record flag with audit log
Right-to-erasure SLA: 30 days end-to-end
Each parameter is configurable in the dashboard, with audit log on every change.
Try CallSphere AI Voice Agents
See how AI voice agents work for your industry. Live demo available -- no signup required.