Deleting your data in Google Cloud Platform

As part of our ongoing effort to provide transparency around how Google Cloud Platform (GCP) works, we’re pleased to publish a new whitepaper today: Data deletion on Google Cloud Platform. This paper explains what happens when customer data is deleted in GCP and how long it takes to complete Google’s data deletion process.   

GCP is designed to achieve a consistently high bar in all key performance goals, including low latency, high availability, scalability, integrity, and durability. Behind the scenes, the same engineering that allows customers to quickly access their data from anywhere in the world, scale their applications up or down to meet dramatic shifts in demand, and protect against catastrophic interruptions in service needs to be balanced carefully to ensure safe and effective deletion of customer data. This new whitepaper explains how we balance these performance objectives so customers can manage their data lifecycle.

Check out this video overview for more on data deletion:

Deletion and retention of GCP customer data conforms to these principles:

Prior to deletion, customer data is stored securely

Customer data is encrypted at rest, replicated on active systems, and copied to backup systems to protect against data loss and ensure the availability and integrity of that information. Your data may be replicated in multiple locations to ensure you have uninterrupted access to your projects, even if there are performance-impacting changes in the environment. Redundant copies of your data can be stored locally, regionally, and even globally on active and backup storage systems, depending on the geographic limitations you configure.

When customer data is deleted, GCP completes the following steps in the deletion pipeline:

1. Respond to the deletion request. There are many different ways to delete customer data on GCP. You can flag a specific resource, a GCP project, or your Google account for deletion. GCP services are configured to await these requests and initiate different processes depending on the type and scope of deletion request.

2. Data removal. Once you flag customer data for deletion, it is marked as deleted, made inaccessible and removed from your interface, confirming your request. At this stage, individual GCP services may impose a grace period before logical deletion begins in order to permit recovery of erroneously deleted data.

3. Logical deletion from active systems. Once the data is marked as deleted and any recovery period has ended, customer data is deleted in two ways: mark-and-sweep garbage collection and cryptographic erasure. (You can find details of these implementation methods in the whitepaper.)

4. Backup expiration. Our backup technology stores data in large aggregate chunks for static periods of time. When a backup volume is retired, it is overwritten as new daily/weekly/monthly backup snapshots are created. Cryptographic erasure is also used to ensure the deletion of backup copies.

5. Secure media sanitization. Long after deletion has occurred, the final step in assuring deletion is to securely decommission our physical storage media. As discussed in the whitepaper, Google tracks this media and performs a complete low-level overwrite before releasing it. Where that is not possible or not effective, the media is physically destroyed in accordance with U.S. government and industry standards.  

It generally takes about two months from the deletion request to delete data from active systems and six months to expire deleted data in data center backups, as shown here:

Your data is highly protected on physical media

Our data security authentication and authorization tools work to prevent unauthorized access to the physical disks and drives on which your data is or was stored. You can read more in the Google Infrastructure Security Design Overview whitepaper.

If any component of our physical storage media fails to pass a performance test, conducted periodically to make sure it’s operating properly, at any point during its lifecycle, we remove and retire it from inventory. Whether hardware is decommissioned due to failure, upgrade, or any other reason, storage media is decommissioned using appropriate safeguards.

If you’d like to learn more about the specifics of how we process your data, you can check out the Google Cloud Platform Terms of Service and our Privacy page. And you can find more here on how we process business data.

Enjoy the whitepaper, and rest easy knowing that your GCP data is under your control through its entire lifecycle.