Processor Erasure Confirmation
Processor Erasure Confirmation is a third-party governance artifact used to document that a service provider (processor) has actioned an erasure or return instruction for specific data under contract and policy. It is commonly issued as a signed attestation, a system-generated completion record, or a deletion report referencing the controller’s request ID. A good confirmation specifies what was deleted (scope), where it was deleted from (systems/environments), when it was completed, how deletion was performed (e.g., logical deletion, crypto-erasure, secure purge), and how backups and disaster recovery copies are handled (immediate deletion where feasible, cryptographic key destruction, or deletion upon backup expiry). This record helps bridge internal retention rules and vendor obligations by providing traceable evidence that downstream data lifecycle instructions were executed.
Processors commonly provide a written statement or digitally signed record confirming completion of the deletion/return request. The confirmation should be attributable to the vendor (e.g., signed by an authorized representative) and should clearly state scope, completion time, method, and how backups/sub-processors are handled.
Verification involves reviewing the provided processor erasure confirmation against the original data set shared, checking for specific timestamps and methods of destruction, and exercising contractual audit rights to inspect processor data destruction logs if necessary.
Processors must provide erasure documentation that includes the date of erasure, the specific data categories deleted, the method used (e.g., cryptographic erasure, overwriting), and a warranty that no copies remain in active or archival storage.
Auditing processor compliance with erasure requirements involves conducting periodic vendor security reviews, requesting evidence of the processor's deletion audit trails, and ensuring that the vendor's sub-processors have also issued similar confirmation certificates.
Deletion timelines are usually defined contractually (e.g., within a specified number of days) and may vary based on system design and backup strategy. Where immediate deletion from backups is not feasible, vendors should document the backup handling approach (expiry schedule or crypto-erasure) and the expected completion window.
Non-compliance should be treated as a breach of contract and a security incident. Organizations must escalate the issue legally, potentially suspend data transfers, and report the failure to regulatory authorities if the processor's erasure compliance gap poses a risk to data subjects.
Technical verification may include reviewing system-generated logs that record the `DELETE` operations, confirmation of cryptographic key destruction (crypto-shredding) for encrypted data, or third-party forensic reports validating the processor's data disposal.
In complex chains, the primary processor must be contractually obligated to cascade erasure instructions to all sub-processors and aggregate their deletion confirmations into a single master report for the controller.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-13 | WatchDog Security GRC Wiki Team | Initial publication |