Privacy-first lifecycle

Auto-destroy on normal expiration. Abnormal shutdowns preserved for security review only. Transparent retention policies.

In plain English

On normal expiration: your container is destroyed immediately—filesystem wiped at the container level; access tokens are invalidated. No residuals.
On logout (e.g., public computers): once you log out and the token rotates, any old tab becomes invalid. No one can view your desktop after that point.
On abnormal shutdowns/violations: we preserve a read-only evidence bundle (container snapshot + relevant logs) for security review only. Access is limited to investigators under NDA.

Technical lifecycle

Session & tokens

Short-lived tokens; logout triggers rotation. Expired/rotated tokens are rejected server-side; management actions are audited.

Normal expiration

Timer ends → stop signal → volumes unmounted / instance reclaimed → container filesystem cleared → tokens invalidated.

Abnormal / violations

Policy trigger → produce a read-only evidence bundle (snapshot + logs) → sealed on an isolated management network → access by NDA-bound investigators only.

Management plane

Isolated network, least-privilege accounts, short-lived credentials. Every access is recorded in tamper-evident audit trails.

Transparent retention

Normal sessions

User data: not retained (container destroyed on expiration).
Access tokens: invalidated immediately.
Operational metadata: minimal billing/metrics only; no content.

Abnormal/violations

Evidence bundle: read-only snapshot + relevant logs.
Visibility: investigators only, under NDA.
Retention: up to 1 year per policy, then purged.

Note: Retention periods may vary where stricter legal obligations apply; the shorter period prevails where permitted.

FAQ

Can someone open my desktop after I log out on a public PC?

No. Logout rotates your token. Old tabs/links become invalid and are rejected server-side.

Do you keep my files after normal use?

No. Containers are destroyed on expiration, tokens invalidated, and no residuals are retained.

Why keep anything on violations?

Only to investigate security incidents. A read-only evidence bundle is kept on an isolated network; access is limited to NDA-bound investigators and purged after up to 1 year.

Can admins view my live desktop?

By default, no. Management access uses short-lived credentials on an isolated network and is fully audited.

Where can I see exact retention rules?

See the retention matrix above. For region-specific terms, contact support.