
ER-71 Customer Data Deletion Tickets for a Sample of Customer Data Deletions

Written by Claudio Morsella
Updated over a year ago

What to Provide

To comply with the SOC 2 framework, you will have made commitments to your customers regarding customer data removal. Your organization likely falls under one of three common procedures for customer data removal:

  • Scenario A (Data is purged when customer leaves.)

    • In this scenario, the company states that it will purge all customer data within a certain timeframe after the customer leaves the service.

  • Scenario B (Data is only purged at customer's request.)

    • In this scenario, the company states that it will only purge data at the customer's request and will otherwise retain all data indefinitely.

  • Scenario C (Data is retained and purged after a retention period.)

    • In this scenario, the company states that customer data will be retained for a set period (e.g., 5 years, 7 years) and will purge data when this period elapses. This scenario is often due to applicable laws and regulations regarding data retention.

For this evidence request, follow only the instructions for the procedure your organization uses. Repeat those instructions for each sampled customer data deletion.

If your organization's procedure is Scenario A (Data is purged when customer leaves.), then demonstrate the process taken to purge and remove the sampled customer data from the system after the customer left the service.

The evidence should demonstrate:

  • The date the customer left the service.

  • The date the data was purged.

  • The steps taken to complete the process and remove the data (if applicable).

If your organization's procedure is Scenario B (Data is only purged at customer's request.), then demonstrate the process taken to purge and remove the sampled customer data from the system after a customer made the request.

The evidence should demonstrate:

  • The date the customer requested deletion.

  • The date the data was purged.

  • The steps taken to complete the process and remove the data (if applicable).

If your organization's procedure is Scenario C (Data is retained and purged after a retention period.), then demonstrate the process taken to purge and remove the sampled customer data from the system after the data has met its legal and/or regulatory retention requirements.

The evidence should demonstrate:

  • How long the data has been in the system.

  • The date the data was purged.

  • The retention period your organization applies to each of its customers (if retention periods vary by customer).

  • The steps taken to complete the process and remove the data (if applicable).

NOTE: The audit team will communicate sample selections once they have been finalized. Please refrain from attaching evidence in this ER until samples have been communicated.

Evidence Format
Exported word processing documents in a common file type such as .docx or .pdf, or screenshots and exported images in a common image file type such as .jpg or .png.

Additional Guidance

If it was determined during the population request that the sampled data deletion was a non-occurrence (no deletion actually took place), note this in the Evidence Description and submit the ER with no evidence attached.

Associated Unified Control ID: CTRL-899

Associated Framework Control: LCL-64
