What evidence must I retain if the data protection authority asks questions?

At minimum three artefacts. First, the system prompts and bot configuration as they existed at the relevant point in time — versioning is mandatory; without it you cannot prove what was active on day X. Second, the conversation logs for the requested period, with timestamps and user IDs. Third, the training records for staff who manage the bot. Retention period: at least three years, and for ongoing proceedings until resolution. Anyone who cannot produce these is exposed under Art. 5 Abs. 2 DSGVO (accountability principle).