Vault retention: the quietest, most important Google Workspace config

Author: Kootechnikel Solutions
Read time: 7 min read

[Figure 1: Visual representation of the BeyondTrust vulnerability chain]

The discovery moment

A mid-market firm receives a legal hold notice for the first time. The notice covers email, chat, and document communications across 12 specific employees over the past 4 years, related to a contract dispute. The legal team forwards the notice to IT with the instruction "preserve everything immediately."

IT discovers, in the course of trying to comply, that:

  1. Vault retention has never been configured. The default policy is "no retention applied."
  2. Several of the 12 custodians have left the company in the past 4 years. Their accounts were deleted as part of off-boarding. The data is gone.
  3. The active custodians' email and chat history is intact, but only because Workspace defaults to keeping deleted items recoverable for 25-30 days. Anything deleted before that window is unrecoverable.
  4. The shared documents the custodians worked on are mostly intact in Drive, but version history older than the configured limit (and the limit was never set) is gone.

The legal hold cannot be complied with. The firm faces sanctions for failure to preserve. The dispute resolution becomes much more expensive than it would have been if Vault had been configured properly four years earlier.

This is not a hypothetical. It is the most common Workspace failure mode we encounter at mid-market firms that have never had structured IT governance — which is most of them.

What Vault actually does

Google Vault is the eDiscovery and information governance product included with Workspace Business Plus, Enterprise, Education Plus, and several other paid tiers. It does three things:

1. Retention. Defines policies that hold communications and content for specified periods regardless of user actions. A policy might say "keep all email from anyone in the Sales OU for 7 years" — meaning even if a salesperson deletes an email from their inbox, Vault preserves it for 7 years before it can be permanently removed.

2. Holds. Allows legal counsel to place specific custodians or topics under hold for the duration of a legal matter. Held content is preserved indefinitely, regardless of retention policies, until the hold is lifted.

3. Search and export. Lets legal counsel (and authorized administrators) search across the preserved content with eDiscovery-grade tooling. Filter by custodian, date range, sender, subject keyword, attachment content. Export as PST, MBOX, or XML for use in litigation.

Vault is the legal-defensibility layer of Workspace. Without it configured, the platform is a productivity tool with no information governance posture. With it configured, the platform passes the same eDiscovery scrutiny as enterprise email archives from Microsoft and others.

[Figure 2: How the authentication bypass vulnerability works]

Why it gets skipped

Three reasons Vault retention typically goes unconfigured:

1. It is opt-in, not on by default. Unlike Microsoft 365's default retention policies (which apply default settings if no custom policy is configured), Workspace's default Vault state is "no retention." If you do not configure it, you have no retention.

2. The interface is in a separate product. Vault is at vault.google.com, not in the main Workspace admin console. Many admins have never opened it. The setup feels disconnected from regular Workspace administration.

3. The configuration is non-trivial. Retention policies need to balance legal requirements (typically 7 years for general business records, longer for tax records and contracts) with storage cost (Vault content counts against Drive storage limits) and operational simplicity. Getting it right requires actual thought about your business retention obligations, not just clicking through defaults.

The result: most Workspace deployments we audit at mid-market scale have never had Vault retention policies configured. They discover this when they need it — which is the worst possible time to discover it.

The configuration we ship

The standard retention policy stack we deploy on every Workspace engagement (adjusted for industry-specific obligations):

Default retention rules:

  • Email (Gmail): 7 years from message receipt. Covers general business records obligations across most jurisdictions.
  • Chat (Spaces and DMs): 3 years. Chat is more transient than email; long retention drives storage cost without much defense value.
  • Drive (excluding Shared Drives): Indefinite by default; deletion-resistant for 30 days after user-initiated deletion.
  • Shared Drives: Indefinite by default; access tied to Shared Drive ownership rather than individual user accounts.
  • Calendar: 3 years. Most calendar data is operational rather than legally meaningful.
  • Sites (classic and new): Indefinite while the site exists.
  • Meet recordings: 90 days unless explicitly preserved by the recording owner.

Per-OU overrides for sensitive functions:

  • Legal OU: 10 years on email, with explicit hold capability for the entire OU.
  • Finance OU: 7 years on email and Drive content, aligned with tax retention requirements.
  • Executive OU: 7 years on all communications, with optional indefinite retention configurable by the GC.
  • HR OU: Retention aligned with employment law in your jurisdiction (typically 7 years post-employment for general records, longer for specific document types).

Hold workflow setup:

  • Custodian groups defined per organizational structure so legal can apply holds quickly.
  • A documented runbook in the legal team's hands explaining how to request a hold (turnaround commitment: 4 hours during business hours).
  • Audit logging of all hold creation, modification, and removal.
  • Quarterly review with legal to surface holds that should be lifted.

eDiscovery readiness:

  • The legal team trained on Vault's search interface (or, more commonly, on how to request searches from IT with sufficient parameters).
  • Standard search templates for common matter types (employment dispute, contract dispute, regulatory inquiry, customer dispute).
  • Export workflows tested annually with a real eDiscovery exercise.

This configuration takes about a week of effort to deploy and produces a Workspace tenant that is genuinely litigation-defensible.
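
How a retention stack like this interacts with a hold's lookback window can be checked before a notice arrives. The sketch below is an added example, not Kootechnikel's tooling and not a Google API: it encodes the email, chat and calendar periods listed above in a hypothetical dict layout and reports which parts of a 4-year email-and-chat hold have no guaranteed data behind them. The custodian names are constructed, and the model assumes that deleting an account removes its data whether or not a retention rule exists.

```python
from dataclasses import dataclass

YEAR = 365
RECOVERABLE_WINDOW = 25  # days; low end of the 25-30 day window the article cites

# Retention in days from the article's baseline; this dict layout is hypothetical.
BASELINE = {
    "default": {"gmail": 7 * YEAR, "chat": 3 * YEAR, "calendar": 3 * YEAR},
    "ou": {"Legal": {"gmail": 10 * YEAR}, "Finance": {"gmail": 7 * YEAR}},
}
UNCONFIGURED = {"default": {}, "ou": {}}  # the "no retention applied" state

@dataclass
class Custodian:
    name: str  # constructed sample identity
    ou: str
    account_deleted: bool = False

def effective_retention(policy, ou, service):
    """OU override wins over the default rule; None means no rule applies."""
    override = policy["ou"].get(ou, {}).get(service)
    return override if override is not None else policy["default"].get(service)

def hold_gaps(policy, custodians, services, lookback_days):
    """Return (custodian, service, reason) for each part of a hold with no guaranteed data."""
    gaps = []
    for c in custodians:
        for svc in services:
            if c.account_deleted:
                # Model assumption: deleting the account removes its data, rules or not.
                gaps.append((c.name, svc, "account deleted at off-boarding"))
                continue
            kept = effective_retention(policy, c.ou, svc)
            why = "retention shorter than lookback"
            if kept is None:
                kept, why = RECOVERABLE_WINDOW, "no retention rule"
            if kept < lookback_days:
                gaps.append((c.name, svc, f"{why}: {kept} of {lookback_days} days"))
    return gaps

# Constructed custodians for a hold shaped like the article's: 4 years of email and chat.
CUSTODIANS = [Custodian("alice", "Sales"), Custodian("bob", "Legal"),
              Custodian("carol", "Finance", account_deleted=True)]
HOLD = dict(custodians=CUSTODIANS, services=["gmail", "chat"], lookback_days=4 * YEAR)

if __name__ == "__main__":
    for label, policy in (("unconfigured", UNCONFIGURED), ("baseline", BASELINE)):
        print(label, *hold_gaps(policy, **HOLD), sep="\n  ")
```

Against the baseline, email clears the 4-year lookback while the 3-year chat rule does not, and the deleted account is a gap under either policy.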

[Figure 3: Privilege escalation from user to SYSTEM level]

The cost picture

Vault is included with Workspace Business Plus and above (Enterprise tiers, Education Plus, etc.). It is not a separate license. The "cost" of Vault retention is:

  1. Storage. Retained content counts against Drive storage limits. For a typical 100-person Business Plus tenant, the impact is modest (the per-user 5TB limit absorbs most retention easily). For very email-heavy organizations or legal retention beyond 7 years, additional storage may be needed.

  2. Operational overhead. Quarterly retention review (15 minutes), hold workflow execution when needed, eDiscovery searches when matters arise. Modest if the configuration is right; expensive if you have to scramble to set up the configuration AFTER a legal hold arrives.

  3. Setup effort. A week of work to deploy properly. Falls on either internal IT or an MSP.

Compared to the cost of failing to comply with a legal hold (sanctions, adverse inferences in litigation, regulatory fines), the Vault investment is trivial. It is one of the highest-leverage configurations in Workspace.

When this matters most

Vault matters most for:

  • Any organization with regulatory exposure (healthcare, legal, financial services, insurance, real estate, government contracting).
  • Any organization that may face contract disputes with customers, vendors, or partners (which is most organizations).
  • Any organization in employment-law-heavy jurisdictions where wrongful termination claims, discrimination complaints, or workplace investigations are realistic.
  • Any organization that handles personal data at scale and may face GDPR or similar data subject access requests.
  • Any organization above ~50 employees where the operational maturity bar is "we do this professionally" rather than "we wing it."

For an org of any size, Vault is cheap insurance. The configuration takes a week. The protection is years of legal defensibility.

The work, and the offer

The free 90-minute IT health check we run for prospective clients includes a Workspace governance audit: Vault retention review, hold workflow assessment, eDiscovery readiness check, and a documented configuration plan if your tenant is missing pieces. Yours to keep either way.

The Workspace positioning page is at /google-workspace. The full security architecture (Vault is one of six layers) is at /google-workspace/security. The case-study gallery covers the no-Vault-policy discovery as one of five common Workspace failure modes at /google-workspace/case-studies.

Vault is the quietest, most important Workspace configuration. The mid-market organizations that discover this on the day a legal hold arrives wish they had configured it years earlier. The ones that configured it years earlier sleep better when the hold notice arrives.
