The general rule: keep COIs for the duration of the contract plus the applicable statute of limitations for claims that could arise from that relationship. In most commercial contexts, that means 5-10 years after the contract ends.
The reason is straightforward: a claim related to a vendor's work from two years ago may not be filed for another three years. If you discarded the vendor's COI when the contract ended, you've lost your documentation that coverage was in place when the work was performed.
The Statute of Limitations Framework
COI Retention Periods
Different claim types have different statutes of limitations, and these vary by state. A conservative retention policy accounts for the longest applicable period:
| Claim Type | Typical Statute of Limitations |
|---|---|
| Personal injury (general) | 2-3 years in most states |
| Construction defect | 4-10 years (varies significantly) |
| Property damage | 2-6 years |
| Contract claims | 3-6 years |
| Latent construction defects | Up to 10 years in some states |
For construction and real estate contexts - where latent defect claims can surface years after project completion - a 10-year retention policy is the safest standard.
For general vendor and service contracts with lower complexity and a more limited scope of work, 5-7 years post-contract is generally adequate.
Consult your legal team for guidance specific to your industry, jurisdiction, and contract types. These are general guidelines, not legal advice.
Retention by Contract Type
Commercial leases: Retain through the end of the tenancy plus 5 years. If a tenant dispute, property damage claim, or personal injury claim arises after the tenant vacates, you want historical COIs showing their coverage status during occupancy.
Construction subcontracts: Retain through project completion plus 10 years. Construction defect claims frequently emerge years after completion, and completed operations coverage questions require historical documentation of the subcontractor's policy.
Vendor/service contracts: Retain for the contract term plus 5 years. For high-risk vendors (on-site services, physical work with injury risk), err toward 7 years.
One-time or short-term engagements: Retain for 5 years from the date of service. Even single-day engagements can give rise to claims that take years to surface.
What Specifically to Retain
A complete COI retention file should include:
COI Retention Checklist - What to Keep:
- Every COI received from the vendor during the relationship (not just the most recent)
- Compliance notes or gap reports from when each COI was reviewed
- Correspondence related to deficiencies and remediation
- Endorsement documents if obtained (additional insured, waiver of subrogation)
- Contract or lease provisions specifying the insurance requirements
- Any notes on work suspension decisions or compliance warnings issued
The correspondence and compliance notes are as important as the certificates themselves. They demonstrate that your compliance program was functioning - that you reviewed the COIs, identified issues when they existed, and required remediation.
Why Historical COIs Matter: A Real Scenario
A subcontractor performed roofing work on a commercial building in 2022. A COI was collected at the time showing the required coverage. The project closed, the subcontractor's COI was discarded during a records cleanup in 2024.
In 2025, a water intrusion claim surfaces from the 2022 roofing work. The building owner needs to demonstrate that the subcontractor's policy was in effect during the work and that coverage existed for completed operations.
Without the 2022 COI and the corresponding endorsement documentation, the building owner cannot easily establish that coverage was in place. They may bear costs that the subcontractor's completed operations coverage should have absorbed.
Retaining the 2022 COI makes this a documentation exercise. Discarding it makes it a legal and financial problem.
Digital Retention: Practical Implementation
Physical COI storage is impractical at scale. Digital retention in a structured repository - with metadata for vendor, contract period, and coverage type - enables quick retrieval when claims arise.
Best practices for digital COI retention:
- Consistent naming conventions: Vendor name + date + policy type (e.g., "Acme_Contractors_CGL_2026.pdf")
- Centralized storage: Not individual email inboxes or local drives
- Access controls: Limit who can delete or modify retained documents
- Backup: Redundant copies in case of system failure
- Index: A searchable log of what's on file so specific COIs can be found quickly
COI management platforms like Bramble maintain historical records automatically, with timestamped audit trails that document when each COI was received, reviewed, and what compliance findings were noted.
Related Resources
- How Do I Know If a COI Is Valid
- How to Build a Vendor Insurance Compliance Program
- Risks of Expired Certificate of Insurance
- What Is Vendor Risk Management
Bramble maintains a complete, searchable historical record of every COI in your portfolio - so when a claim surfaces years later, your documentation is ready. Book a demo at getbramble.com.