Who is responsible for applying retention to records that live only inside a SaaS application like Salesforce or Workday?
When records live only inside a Software-as-a-Service (SaaS) application, a common myth is that the cloud provider handles retention. It does not. Responsibility for applying retention to those records stays with the organization that owns the data, no matter where the data physically sits.
The vendor is a custodian, not the records owner
A SaaS provider operates the platform and stores your data, but the records belong to your organization. The provider’s contract and service-level terms typically govern uptime, security, and data location, not whether a customer record, personnel file, or case note is kept for the legally required period and then defensibly disposed of. Treating the vendor’s default backups as a retention program is a frequent and costly mistake.
This distinction matters because retention is a recordkeeping obligation tied to your legal, regulatory, and business requirements. Those requirements follow the record, not the system.
Who inside the organization is accountable
Accountability is usually shared across several roles:
- Records and information governance leaders set retention rules, map them to a retention schedule, and define what counts as a record in each system.
- Business or system owners for the application (for example, the HR or sales operations team) carry day-to-day responsibility for configuring and enforcing those rules.
- IT and the application administrator translate the schedule into platform settings, automated rules, and disposition workflows.
- Legal advises on requirements and issues legal holds that suspend disposition.
In practice, the records program defines the what and how long, while system owners and administrators implement the how inside the tool.
What this looks like in practice
- Confirm the SaaS platform can apply retention and disposition at the record level, and document any gaps.
- Map your retention schedule to the application’s data objects, then configure rules where the platform supports them.
- Establish a process to export or migrate records the system cannot retain or that must outlive the subscription.
- Suspend disposition for legal holds and keep an audit trail of disposition actions.
For more on managing records across digital systems, see the digitization and imaging topic hub.
The bottom line: retention is governed by your organization’s recordkeeping policy, not delegated to a vendor by default.
Sources & further reading
Authoritative government and non-profit references.
How to cite this page
APA
RM University Editorial. (2026). Who is responsible for applying retention to records that live only inside a SaaS application like Salesforce or Workday?. Records Management University. https://www.recordsmgmt.org/questions/who-applies-retention-to-records-living-only-in-saas-apps/
MLA
RM University Editorial. "Who is responsible for applying retention to records that live only inside a SaaS application like Salesforce or Workday?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-applies-retention-to-records-living-only-in-saas-apps/.
Related questions
- Are Microsoft Copilot and ChatGPT outputs considered records, and how do you capture them?
- Are scanned copies legally admissible in the UK under the BS 10008 standard the same way they are in the US?
- Are scanned copies of documents admissible to the SEC and FINRA, and do broker-dealers still need WORM storage after digitizing?
- Are scanned documents legally admissible in court?
- Are there industries where scanning and shredding originals is prohibited by law?