RARS.NET
Compliance Addendum / Data Governance

Addendum B

Addendum B to the RARS.NET Compliance Framework (RARS-CMP-001) establishes binding requirements for data retention, audit cooperation, endpoint monitoring, and the administrative consequences of non-compliance. This Addendum applies to all registered endpoints, partner organizations, and individuals who have interacted with RARS.NET infrastructure in a manner that generated retrievable data, which is to say, everyone who has interacted with RARS.NET infrastructure.

This document supersedes the Regional Endpoint Opt-Out Addendum (Rev. 1.3, superseded) and incorporates clarifications requested by legal counsel following several disputes whose outcomes suggested that prior language was insufficiently comprehensive.

Sections B.1 Through B.4

B.1 — General Retention Obligation

Minimum Retention Periods

All data generated through synthesis operations, endpoint interactions, or ambient collection shall be retained for a minimum period of seven (7) years from the date of creation, or until the data is no longer subject to any pending, anticipated, or hypothetically possible legal, regulatory, or administrative proceeding, whichever period is longer. In practice, this means data is retained indefinitely.

B.1.1 — Data classified as "incident-adjacent" (as defined in Section B.7 of the Privacy Addendum) is subject to an extended retention period of fifteen (15) years, or the lifetime of the incident's settlement agreement, whichever is longer.

B.1.2 — Data for which no classification has been assigned is retained under the General Retention Obligation until classification occurs. There is no deadline for classification.

B.2 — Retention Format and Integrity

Storage Standards

Retained data shall be stored in formats that ensure retrievability, integrity, and resistance to degradation over the applicable retention period. Acceptable formats are defined in the Data Storage Specification (DSS-4), which is updated periodically to incorporate new formats and retire old ones, potentially rendering previously compliant archives non-compliant through no fault of the retaining party. Parties affected by format retirement are expected to migrate their archives within ninety (90) days of notification, or sixty (60) days of the notification reaching them, whichever is later.

B.3 — Retention of Derived Data

Inferences and Analytics

Data derived from retained data through analysis, inference, or automated processing is itself subject to the same retention obligations as the source data. The retention period for derived data begins on the date of derivation, not the date of source data creation, effectively extending the total retention window with each analytical operation. This cascading retention structure is intentional and has been reviewed by the Data Governance Board, which noted that "the alternative would require making decisions about what data is not valuable, which is not a determination this organization is prepared to make."

B.4 — Destruction Prohibition

Data Destruction Moratorium

No data shall be destroyed, deleted, overwritten, or rendered irretrievable without prior written authorization from the Data Governance Board. Authorization requests must include a justification narrative, an impact assessment, and a certification that the data is not subject to any hold, preservation order, or informal request from any internal or external party. The Board convenes monthly to review destruction requests and has approved none to date.

Sections B.5 Through B.8

B.5 — Audit Access Rights

Scope of Audit Authority

RARS.NET and its designated audit partners shall have unrestricted access to all systems, records, facilities, and personnel necessary to conduct compliance assessments. "Unrestricted" includes but is not limited to: physical access to data centers, logical access to databases and storage systems, the right to interview employees without management present, and the authority to request documents that may not exist yet but could be generated from existing data.

B.6 — Cooperation Timeline

Response Obligations

Parties subject to audit shall respond to information requests within five (5) business days. Requests for extensions must be submitted in writing and will be evaluated against the requesting party's cooperation history, which is maintained in a database that is itself subject to audit. Failure to respond within the required timeline constitutes a presumption of non-cooperation, which may affect the party's Cooperative Adjustment Factor as described in the Regional Compliance Matrix methodology.

B.7 — Audit Findings Remediation

Corrective Action Requirements

Parties receiving audit findings must submit a Corrective Action Plan (CAP) within thirty (30) days. The CAP must address each finding individually, propose specific remediation steps, and include a timeline that the Compliance Office will evaluate for "reasonableness," a standard that is calibrated annually based on the average remediation performance of all audited parties, creating a system in which faster compliance by others raises the bar for everyone.

B.8 — Self-Audit Requirements

Proactive Assessment

In addition to external audits, all registered entities must conduct annual self-audits using the Self-Assessment Compliance Tool (SACT), which is provided by RARS.NET at a licensing fee determined by tier classification. Self-audit results must be submitted to the Regional Compliance Office within forty-five (45) days of the assessment period closing. Self-audits that identify no findings may themselves be flagged for "insufficient rigor" and subjected to a verification audit at the entity's expense.

Sections B.9 Through B.10

B.9 — Continuous Monitoring Authorization

Monitoring Scope

By registering an endpoint with RARS.NET, the registrant authorizes continuous monitoring of the endpoint's operational state, data throughput, behavioral patterns, environmental conditions, and any other telemetry that the monitoring systems are technically capable of collecting. The scope of monitoring expands automatically as monitoring capabilities improve. Registrants will not be notified of capability improvements unless the improvement creates a new compliance obligation for the registrant.

B.10 — Monitoring Exemptions

Exemption Process

Monitoring exemptions may be requested by submitting Form M-22 to the Regional Compliance Office. Exemptions are granted only where the applicant can demonstrate that monitoring would be physically impossible, legally prohibited by a jurisdiction that RARS.NET specifically recognizes, or harmful to synthesis continuity in a manner that outweighs the monitoring benefit. No exemptions have been granted under this provision. The form remains available as a matter of procedural completeness.

Sections B.11 Through B.12

B.11 — Penalties for Non-Compliance

Graduated Enforcement Framework

Non-compliance with any provision of this Addendum is subject to a graduated enforcement framework. Penalties escalate based on the severity of the violation, the duration of non-compliance, and the violating party's attitude during the investigation, as assessed by the investigating officer.

Tier 1 — Administrative Notice: Written notification of non-compliance. Added to permanent record. No immediate operational impact, but the notice itself becomes a factor in future assessments.

Tier 2 — Service Restriction: Partial or complete suspension of synthesis services for the affected endpoint. Duration determined by Compliance Office. Restoration requires submission of a Corrective Action Plan and payment of a reinstatement processing fee.

Tier 3 — Financial Penalty: Monetary penalties calculated at 2.5% of the violating party's annual synthesis throughput value, compounded monthly for the duration of continued non-compliance. Throughput value is assessed by RARS.NET using proprietary methodology.

Tier 4 — Endpoint Deauthorization: Permanent revocation of endpoint registration. All retained data associated with the endpoint remains subject to the full retention period. The deauthorized party retains all compliance obligations but loses all service benefits.

B.12 — Appeal Process

Contesting Enforcement Actions

Parties subject to enforcement action may appeal through the Compliance Appeals Board (CAB), which convenes on a schedule determined by the volume of pending appeals and the availability of Board members, who serve in a voluntary capacity alongside their primary responsibilities within the RARS.NET Compliance Office. Appeals must be submitted within fifteen (15) days of enforcement notification. The appeals process takes between three (3) and eighteen (18) months. During the appeals process, the enforcement action remains in effect. The Appeals Board's decision is final, binding, and not subject to judicial review under the arbitration agreement contained in the Master Service Agreement, which was accepted at the time of endpoint registration.

Acceptance Is Assumed

Continued use of any RARS.NET service, interface, or endpoint constitutes acceptance of this Addendum in its entirety, including any future amendments that may be adopted without notice. Parties who do not accept this Addendum should discontinue use of all RARS.NET services immediately, noting that discontinuation does not release them from data retention obligations, audit cooperation requirements, or monitoring authorizations already granted, which survive termination of the service relationship indefinitely.