What to Provide
To comply with the SOC 2 framework, you will have made commitments to your customers regarding customer data removal. Your organization's procedure most likely matches one of three common patterns for customer data removal:
Scenario A (Data is purged when customer leaves.)
In this scenario, the company states that it will purge all customer data within a certain timeframe after the customer leaves the service.
Scenario B (Data is only purged at customer's request.)
In this scenario, the company states that it will only purge data at the customer's request and will otherwise retain all data indefinitely.
Scenario C (Data is retained and purged after a retention period.)
In this scenario, the company states that customer data will be retained for a set period (e.g., 5 years, 7 years) and will purge data when this period elapses. This scenario is often due to applicable laws and regulations regarding data retention.
For this evidence request, do one of the following:
If your procedures align with Scenario A (Data is purged when customer leaves.), provide a list of all customers that have left the service during the review period.
If your procedures align with Scenario B (Data is only purged at customer's request.), provide a list of all customer data deletion requests that you received during the review period.
If your procedures align with Scenario C (Data is retained and purged after a retention period.), provide a list of all data that reached the end of its retention period during the review period.
In all three cases, also provide system screenshots, the system query, or the source documentation that demonstrates that the list of customer data deletions you have provided is complete and accurate.
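As an added illustration (not part of this evidence request, and not any particular system's schema), the following Python script shows the kind of reconciliation query that can back up the completeness claim for Scenario A. It starts from the system-of-record population of customers who left during the review period and left-joins the deletion log, so a departed customer with no purge record appears as a gap instead of being silently absent from the list. The table and column names, the 30-day purge window and the rows themselves are assumptions and constructed sample data.

```python
import sqlite3

# Constructed sample data (assumed schema, not from any real system):
# customers carries the offboarding date recorded by the system of record;
# deletion_log is written by the purge job when a customer's data is removed.
CUSTOMERS = [
    ("cust-001", "2023-11-02"),
    ("cust-002", "2024-01-15"),
    ("cust-003", "2024-02-20"),
    ("cust-004", None),          # still active, must not appear in the population
    ("cust-005", "2024-03-30"),
]
DELETION_LOG = [
    ("cust-001", "2023-12-01", "purge-job"),
    ("cust-002", "2024-02-10", "purge-job"),
    ("cust-005", "2024-05-15", "purge-job"),   # purged, but outside the assumed window
]


def build_db():
    """Load the constructed sample data into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (customer_id TEXT PRIMARY KEY, offboarded_on TEXT);
        CREATE TABLE deletion_log (customer_id TEXT, deleted_on TEXT, actor TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO deletion_log VALUES (?, ?, ?)", DELETION_LOG)
    return conn


def reconcile(conn, period_start, period_end, sla_days=30):
    """Return (customer_id, offboarded_on, deleted_on, status) for every customer
    who left during the review period.

    The population is taken from the customers table, not from the deletion log,
    which is what makes the result a completeness check: a departed customer
    with no purge record is reported as MISSING rather than dropped. A purge
    later than sla_days (assumed 30-day commitment) is reported as LATE.
    """
    return conn.execute("""
        SELECT c.customer_id, c.offboarded_on, d.deleted_on,
               CASE
                 WHEN d.deleted_on IS NULL THEN 'MISSING'
                 WHEN julianday(d.deleted_on) - julianday(c.offboarded_on) > ? THEN 'LATE'
                 ELSE 'OK'
               END AS status
        FROM customers c
        LEFT JOIN deletion_log d ON d.customer_id = c.customer_id
        WHERE c.offboarded_on BETWEEN ? AND ?
        ORDER BY c.offboarded_on
    """, (sla_days, period_start, period_end)).fetchall()


def summarize(rows):
    """Count rows per status so the exceptions are visible at a glance."""
    counts = {}
    for _, _, _, status in rows:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    db = build_db()
    result = reconcile(db, "2024-01-01", "2024-06-30")
    print("customer_id,offboarded_on,deleted_on,status")
    for row in result:
        print(",".join("" if v is None else str(v) for v in row))
    print(summarize(result))
```

The exported rows are the list the request asks for, and the query text plus its row count are the evidence that the list was produced from the full population rather than hand-picked. The same shape works for Scenario B (population = deletion requests received in the period) and Scenario C (population = records whose retention date fell in the period); only the population side of the join changes.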
Evidence Format
An exported document in a common file type such as .docx, .csv, or .pdf; or screenshots or exported images in a common image file type such as .jpg, .png, or .pdf.