docs: move retention policy to security page, add SOX and BSA/AML compliance

Move policy/procedure retention and audit log sections from /privacy to
/security where they belong. Extend retention period from 6 to 7 years
to satisfy SOX Section 802, and add BSA/AML (31 CFR §1010.430) coverage.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tianzhou

src/app/[locale]/(legal)/privacy/page.tsx

@@ -13,7 +13,7 @@ export default function Page() {
         Privacy Policy
       </h1>
       <p className="text-gray-50 sm:my-3">
-        Last modified: <time>Mar 23, 2026</time>
+        Last modified: <time>Mar 24, 2026</time>
       </p>
       <p className="sm:mt-3">
         This Privacy Policy describes how your personal information is collected, used, and shared
@@ -112,22 +112,6 @@ export default function Page() {
         When you place an order through the Site, we will maintain your Order Information for our
         records unless and until you ask us to delete this information.
       </p>
-      <h2 id="policy-retention">Policy and procedure retention</h2>
-      <p>
-        Bytebase retains all privacy, security, and operational policies and procedures for a
-        minimum of six (6) years from the date of creation or the date when they were last in
-        effect, whichever is later. This retention practice is maintained in accordance with HIPAA
-        §164.530(j) and other applicable regulatory requirements. Policy documents are versioned,
-        and prior versions are archived for the full retention period.
-      </p>
-      <h2 id="audit-logs">Audit Logs</h2>
-      <p>
-        Bytebase collects audit logs for user operations inside Bytebase. Bytebase retains audit
-        history for a minimum of six (6) years to satisfy HIPAA and other compliance requirements.
-        The audit logs can be readily accessed for analysis from the{' '}
-        <Link href="/docs/security/audit-log/">Audit Log</Link> section inside the Bytebase product,
-        and can be streamed to external SIEM platforms for long-term archival.
-      </p>
       <h2 id="changes">Changes</h2>
       <p>
         We may update this privacy policy from time to time in order to reflect, for example,

src/app/[locale]/(legal)/security/page.tsx

@@ -112,6 +112,42 @@ export default function Page() {
           be further enforced in the Enterprise plan.
         </li>
       </ul>
+      <h2 id="policy-retention">Policy and procedure retention</h2>
+      <p>
+        Bytebase retains all privacy, security, and operational policies and procedures for a
+        minimum of seven (7) years from the date of creation or the date when they were last in
+        effect, whichever is later. This retention practice is maintained in accordance with the
+        following regulatory requirements:
+      </p>
+      <ul>
+        <li>
+          <strong>HIPAA §164.530(j)</strong> &mdash; requires retention of policies and procedures,
+          and documentation of required actions, activities, or assessments for six (6) years.
+        </li>
+        <li>
+          <strong>Sarbanes-Oxley Act (SOX) Section 802</strong> &mdash; requires retention of audit
+          workpapers, financial records, and related communications for seven (7) years.
+        </li>
+        <li>
+          <strong>Bank Secrecy Act (BSA) / Anti-Money Laundering (AML)</strong> &mdash; requires
+          retention of transaction records, Suspicious Activity Reports (SARs), Currency Transaction
+          Reports (CTRs), and customer due diligence documentation for five (5) years per 31 CFR
+          §1010.430.
+        </li>
+      </ul>
+      <p>
+        Policy documents are versioned, and prior versions are archived for the full retention
+        period. Bytebase applies the longest applicable retention period across all frameworks to
+        ensure simultaneous compliance.
+      </p>
+      <h2 id="audit-logs">Audit Logs</h2>
+      <p>
+        Bytebase collects audit logs for user operations inside Bytebase. Bytebase retains audit
+        history for a minimum of seven (7) years to satisfy HIPAA, SOX, BSA/AML, and other
+        compliance requirements. The audit logs can be readily accessed for analysis from the{' '}
+        <Link href="/docs/security/audit-log/">Audit Log</Link> section inside the Bytebase product,
+        and can be streamed to external SIEM platforms for long-term archival.
+      </p>
       <h2 id="faq">FAQ</h2>
       <h3>Which certification does Bytebase have?</h3>
       <p> SOC 2 Type II.</p>