← Knowledge Base

Policies and Required Copies

Updated July 17, 2026

Policies and Required Copies

A policy is how you tell Hiberden what protection your archives deserve: how long to keep them, how often you intend to re-check them, and which destinations must each hold a copy. Everything the workspace says about coverage is judged against a policy. An archive is Covered only when every destination its policy requires has a verified copy.

Where a policy lives

A policy attaches to a Project. A new project starts without one; you assign a policy (Settings > Policies) before you archive. From then on, every archive you add to that project is written to every destination the policy binds, in one operation, with each copy tracked separately.

Destinations themselves are a shared pool across projects. Policies bind to destinations from that pool; see Projects, Archives, and Destinations.

What a policy is made of

Name. Permanent once the policy is created. Name the protection shape ("Long-term hold"), not a specific project, since many projects can share one policy.

Retention. How long archives under this policy should be kept: either "forever" or an ISO-8601 period such as P7Y (seven years).

Verify cadence. How often you intend copies to be re-verified, also as an ISO-8601 period. P90D is quarterly; the form defaults to P180D. Be clear about what this field does today: it records your intent, but no background job executes it in this build. Verification actually runs after every write, after a tape mount, and whenever you run it on demand. See Running a verification.

Bindings, the required copies. Each binding is one required copy slot, tied to one distinct destination. The number of destinations is how many times the policy stores each archive: bind three destinations and every archive under the policy gets three copies, each verified on its own.

Bindings only grow in the editor

In the policy editor, bindings are add-only. Adding a destination only increases protection, so the editor allows it in place. It gives you no way to remove one: to require fewer copies, create a new policy with the smaller shape and assign it to the project. Retention and verify cadence are likewise read-only after creation in this build. Within the editor, then, a policy's meaning does not quietly change underneath archives that were judged against it.

One path outside the editor can shrink a policy: the MCP connector, at its opt-in Full access level, exposes tools that add and remove bindings. That level is off by default, and every write the connector makes is recorded in the audit trail shown in Settings > MCP.

The starter policies

Hiberden offers four starter policies you can create with one click:

Policy Retention Verify cadence
Working P1Y P90D
Long-term hold P7Y P180D
Permanent forever P365D
Locked forever P180D

Starter policies are created unbound: no destinations yet. Add bindings before assigning one, or it will not require any copies and the project will show as needing setup.

Coverage is judged against the policy

Once a policy with bindings is assigned, the workspace compares the verified copies each archive actually has against the copies the policy requires. Every bound destination verified means Covered. Some but not all means At risk. No verified copies, with nothing currently being written, means Unprotected; if a copy is being written right now, the archive shows In progress instead, which is what you will see while your first copy lands. A project with no policy, or a policy with no bindings, shows Needs setup. The full set of badges and what to do about each is in Reading coverage status.

Where to go next