This document gives you an overview of the secure process that occurs when you delete your Customer Data (as defined in the PANDA Terms of Service) stored in PANDA. Ensuring the safe deletion of Customer Data at the end of its life cycle is a basic aspect of working with data on any computing platform.
PANDA utilizes commercial cloud storage services designed to provide low-latency, highly available, scalable, and durable solutions. Data replication is critical to achieving these key performance goals. Redundant copies of Customer Data could be stored locally, regionally, and even globally.
At the physical storage level, Customer Data is stored at rest in two types of systems: active storage systems and backup storage systems. These two types of systems process data differently. Active storage systems are PANDA’s production servers running PANDA’s application and storage layers. PANDA’s backup storage systems house full and incremental copies of PANDA’s active systems for a defined period of time to help PANDA recover data and systems in the event of a catastrophic outage or disaster.
Throughout the storage systems described above, Customer Data is encrypted when stored at rest. Encryption of data at rest occurs at the application and storage layers, on both active and backup storage media.
Once Customer Data is stored in PANDA, our systems are designed to store the data securely until it completes the stages of PANDA’s data deletion pipeline. This section describes this process in detail.
The deletion of Customer Data begins when the customer initiates a closure request for the customer’s PANDA account. Closing your PANDA account deletes all PANDA data that is solely owned by you. Note that when there are multiple owners, the data is not deleted until all owners delete their PANDA accounts. This ensures that PANDA projects continue so long as they have an owner.
While deletion requests are designed primarily to be used by Customers to manage their data, PANDA may issue deletion requests automatically, for instance when a customer terminates their relationship with PANDA.
Soft deletion is the natural point in the process to provide a brief internal staging and recovery period, so that there is time to recover any data that has been marked for deletion by accident or error. When a PANDA account is closed, PANDA may impose an internal recovery period of up to 30 days, depending on past account activity. Once that grace period expires, PANDA resources tied solely to that account are marked for deletion.
Logical deletion of Customer Data is only performed upon customer request. Customers should submit requests for the logical deletion of Customer Data to email@example.com. Once PANDA support has confirmed the request, Customer Data has been marked for logical deletion, and any recovery period has expired, the data is deleted successively from PANDA’s active and backup storage systems.
Similar to deletion from PANDA’s active systems, deleted data is eliminated from backup systems using both overwriting and cryptographic techniques. When a backup is retired, it is marked as available space and overwritten as new daily / weekly / monthly backups are performed. When Customer Data is deleted from active systems, it is no longer copied into backup systems. Backups performed prior to deletion are expired regularly based on the pre-defined backup cycle.
PANDA commits to delete Customer Data within a maximum period of about six months (180 days). This commitment incorporates the stages of PANDA’s deletion pipeline described above, including: