This document gives you an overview of the secure process that occurs when you delete your customer data (as defined in the StratoZone subscription and licensing agreement) stored in StratoZone. Ensuring safe deletion of customer data at the end of its life cycle is a basic aspect of working with data on any computing platform.
Data storage and replication
At the physical storage level, customer data is stored at rest in two types of systems: active storage systems and backup storage systems. These two types of systems process data differently. Active storage systems are StratoZone production servers.
StratoZone backup storage systems house full and incremental copies of StratoZone active systems for a defined period of time so that StratoZone can recover data and systems in the event of a catastrophic outage or disaster. Unlike active systems, backup systems receive periodic snapshots of StratoZone systems, and each backup copy is retired after a limited window of time as newer copies are made. Across both types of storage system described above, customer data is encrypted at rest.
Data classification
The following rules govern how data throughout the organization is classified and secured:
- All data scanned by the customer or created by the customer is customer data.
- Access to customer data is controlled through the StratoZone application's account access controls.
- Data is retained until the customer requests deletion or the initial three-year subscription expires. In the case of expiration, the customer can request an extension.
Secure and effective data deletion
Data deletion pipeline
Once customer data is stored in Google Cloud, our systems are designed to store the data securely until it completes the stages of Google's data deletion pipeline. This section describes this process in detail.
Stage 1 - Deletion request
The deletion of customer data begins in one of two ways: when a customer initiates a deletion request, or when the initial three-year subscription period expires.
Customer-requested deletion: A user within the customer account who has administrator access can initiate deletion by navigating to Access Management and clicking the trash can icon next to the customer account.
Subscription expiration: Once the three-year initial subscription term has elapsed, the deletion process is initiated for the customer account.
Stage 2 - Soft deletion
Once the deletion request is initiated, the customer account is marked for deletion and is no longer visible. The customer account stays in this state for 60 days. During this period the customer account is still recoverable, and the customer can request recovery together with an extension for another three-year term. To request recovery, a customer representative creates a ticket with support, either through the support system on the StratoZone portal or by sending an email to stratozone-support.
When 14 days remain in the soft deletion period, users with access to the customer account are sent an email notification that the customer account is pending deletion and will no longer be recoverable once the period ends.
Stage 3 - Logical deletion from active systems
After the data is marked for deletion and the recovery period has expired, the data is deleted successively from Google's active and backup storage systems. On active systems, the data is deleted from the database that stores all customer account data, which in turn deletes it from every replica in the database cluster. At this point in the process the customer account data is recoverable only from backup systems.
Stage 4 - Expiration from backup systems
All backup copies are retained using Google Cloud backup services with a retention period of 90 days; each backup copy is permanently deleted no later than 90 days after it was taken.
Note that any reasonable backup cycle imposes a pre-defined delay in propagating a data deletion request through backup systems. Once customer data has been deleted from active systems, it is no longer copied into backup systems. Backups taken before that deletion expire on the regular 90-day backup cycle, so the last backup that can still contain the data is retired at most 90 days after the active-system deletion.
Deletion timeline
StratoZone is engineered for a high degree of speed, availability, durability, and consistency, and systems optimized for these attributes must be balanced carefully against the need to achieve timely data deletion.
StratoZone commits to deleting customer data within a maximum of 180 days (about six months) of the deletion request.
This commitment incorporates the stages of Google's deletion pipeline described above, including the following stages:
Stage 1: Deletion request is made.
Stage 2: Data is typically marked for deletion immediately; the goal is to complete this step within a maximum of 24 hours. After the data is marked for deletion, an internal recovery period of up to 60 days may apply, depending on the service or the deletion request.
Stage 3: The time needed to remove the data from the customer database after the 60-day period in Stage 2 depends on the size of the customer account, but deleting the data from active systems generally takes up to a couple of weeks.
Stage 4: Google's backup cycle is designed to expire deleted data from data center backups within 180 days of the deletion request. Deletion may occur sooner depending on the level of data replication and the timing of Google's ongoing backup cycles.
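The four stages above and the timeline that summarizes them can be checked against each other by modelling the pipeline as a small state machine. The following Python is an added illustration written for this page; it is not StratoZone's or Google's code. It takes the windows stated in the document (24 hours to mark, 60-day soft deletion, the warning e-mail at 14 days remaining, 90-day backup retention, 180-day commitment) and assumes a 14-day upper bound for the "couple of weeks" of Stage 3 and a 365-day year for the three-year term. It shows that the worst-case end-to-end path is 165 days, so the 180-day commitment holds with margin, and it enforces the edge case that a recovery request after the 60-day window is rejected.

```python
"""Lifecycle model of the StratoZone customer-data deletion pipeline.

Added illustration, not StratoZone's or Google's code. Windows come from the
document; ACTIVE_PURGE_MAX (Stage 3 "couple of weeks") and SUBSCRIPTION_TERM
(3 x 365 days) are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

MARKING_MAX = timedelta(days=1)           # Stage 2 goal: marked within 24 hours
SOFT_DELETE_WINDOW = timedelta(days=60)   # Stage 2: recoverable for 60 days
WARNING_LEAD = timedelta(days=14)         # e-mail when 14 days remain
ACTIVE_PURGE_MAX = timedelta(days=14)     # Stage 3 upper bound (assumption)
BACKUP_RETENTION = timedelta(days=90)     # Stage 4 retention
COMMITMENT = timedelta(days=180)          # overall deletion commitment
SUBSCRIPTION_TERM = timedelta(days=3 * 365)  # assumption: 3 x 365 days


class Stage(Enum):
    ACTIVE = "active"
    SOFT_DELETED = "soft_deleted"            # Stage 2: hidden but recoverable
    LOGICALLY_DELETED = "logically_deleted"  # Stage 3: gone from active systems
    EXPIRED = "expired"                      # Stage 4: last backup retired


@dataclass
class Timeline:
    requested_on: date
    marked_on: date
    warning_on: date
    recovery_deadline: date   # last day a recovery ticket can succeed
    active_purged_by: date    # Stage 3 upper bound
    backups_expired_by: date  # Stage 4 upper bound

    def within_commitment(self) -> bool:
        return self.backups_expired_by - self.requested_on <= COMMITMENT


def worst_case_timeline(requested_on: date) -> Timeline:
    """Latest date each stage can complete, taking every window at its maximum."""
    marked_on = requested_on + MARKING_MAX
    recovery_deadline = marked_on + SOFT_DELETE_WINDOW
    warning_on = recovery_deadline - WARNING_LEAD
    active_purged_by = recovery_deadline + ACTIVE_PURGE_MAX
    # The last backup that can still hold the data is one taken just before the
    # active-system purge; it is retired BACKUP_RETENTION days later.
    backups_expired_by = active_purged_by + BACKUP_RETENTION
    return Timeline(requested_on, marked_on, warning_on, recovery_deadline,
                    active_purged_by, backups_expired_by)


@dataclass
class CustomerAccount:
    name: str
    subscription_end: date
    stage: Stage = Stage.ACTIVE
    visible: bool = True
    timeline: Optional[Timeline] = None

    def request_deletion(self, on: date) -> Timeline:
        """Stage 1: admin request (or expiry) moves the account to soft deletion."""
        if self.stage is not Stage.ACTIVE:
            raise ValueError(f"{self.name}: deletion already in progress")
        self.timeline = worst_case_timeline(on)
        self.stage = Stage.SOFT_DELETED
        self.visible = False
        return self.timeline

    def request_recovery(self, on: date) -> bool:
        """Support ticket during soft deletion: restore and extend the term.

        Returns False once the 60-day window has passed; the data is then on
        its way out of active systems and is no longer recoverable."""
        if self.stage is not Stage.SOFT_DELETED or on > self.timeline.recovery_deadline:
            return False
        self.stage = Stage.ACTIVE
        self.visible = True
        self.subscription_end = on + SUBSCRIPTION_TERM
        self.timeline = None
        return True

    def pending_warning(self, today: date) -> bool:
        """True on the day the 14-days-remaining e-mail is due."""
        return self.stage is Stage.SOFT_DELETED and today == self.timeline.warning_on

    def advance(self, today: date) -> Stage:
        """Move the account along the pipeline according to the calendar."""
        if self.stage is Stage.ACTIVE and today >= self.subscription_end:
            self.request_deletion(today)             # Stage 1 via expiry
        tl = self.timeline
        if self.stage is Stage.SOFT_DELETED and tl and today >= tl.active_purged_by:
            self.stage = Stage.LOGICALLY_DELETED     # Stage 3 complete (upper bound)
        if self.stage is Stage.LOGICALLY_DELETED and tl and today >= tl.backups_expired_by:
            self.stage = Stage.EXPIRED               # Stage 4: no copy remains
        return self.stage


if __name__ == "__main__":
    tl = worst_case_timeline(date(2024, 1, 1))   # constructed sample request date
    print(tl)
    print("days end to end:", (tl.backups_expired_by - tl.requested_on).days,
          "within commitment:", tl.within_commitment())
```

Running the block prints the worst-case dates for a request on 2024-01-01 and an end-to-end figure of 165 days. The margin between 165 and 180 is what absorbs Stage 3 taking longer than two weeks on a large account; if a customer needs a firmer date, the number to track is `backups_expired_by`, not the day the account disappears from the portal.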