Records Disposal & Certificates of Destruction

​

Scope

• Paper records held by Neuroscale.
• Magnetic media (hard disk drives, tapes).
• Solid-state media (SSDs, NVMe drives, eMMC, USB flash, memory cards).
• Cloud-resident data on AWS (S3, RDS, EBS, EFS, DynamoDB) and SaaS systems.
• Endpoint devices (laptops, mobile phones).

​

Triggers

• A record reaches the end of its retention period in the Records Retention Schedule.
• A customer contract terminates and the post-termination retention window has elapsed (see Customer Data Export).
• A customer Data Subject Rights deletion request is approved.
• A device is retired, lost, or returned at offboarding (see Offboarding).
• A system is decommissioned.

​

Roles

​

Methods by media type

​

Paper

• Internal disposal: cross-cut shredder meeting NIST 800-88 Destroy level for paper (DIN 66399 P-4 or higher).
• Bulk disposal: locked secure-shred bins emptied by an approved vendor; the vendor returns a COD per pickup.

​

Magnetic media (HDD, tape)

• Clear (low-sensitivity): single-pass overwrite using a tested utility.
• Purge: ATA Secure Erase, or NIST-recognized degaussing for tape.
• Destroy: physical shredding or disintegration via approved vendor. Required for HDDs that fail Purge or that held Restricted data.

​

Solid-state media (SSD, NVMe, eMMC, USB)

• Cryptographic erase is the default Purge method — destruction of the media-encryption key on a self-encrypting drive (SED), invoked via the vendor’s documented Secure Erase procedure (e.g., nvme sanitize, hdparm --security-erase, vendor-supplied tool).
• For drives without functioning SED support, physical destruction by an approved vendor (shredding to ≤2 mm particle size for solid-state per NIST 800-88).
• Verification is per the manufacturer’s procedure for the specific drive model; the verification log is retained with the COD.

​

Cloud — AWS

• S3: delete objects; for data subject to Restricted classification, also rotate or destroy the KMS customer-managed key (CMK) used to encrypt the bucket prefix — a cryptographic erase per the AWS shared-responsibility model.
• RDS / Aurora: delete the database; the underlying EBS volumes are cryptographically erased by AWS upon volume deletion. For Restricted data, also delete or schedule for destruction the CMK that encrypted the snapshots.
• EBS: delete the volume; AWS performs cryptographic erase of the underlying storage.
• DynamoDB / EFS / Other: follow the AWS service-specific deletion documentation; destroy the CMK where applicable.
• Backups: AWS Backup vaults follow the lifecycle policy; backups containing data slated for disposal are either aged out per policy or, where required, the recovery-point CMK is destroyed for cryptographic erase.

​

Cloud — Vultr

• Vultr Object Storage: delete objects; where the data is Confidential and was wrapped with an AWS KMS application-layer key before storage, also destroy the AWS KMS CMK to render any residual ciphertext unrecoverable (cryptographic erase).
• Vultr-hosted Postgres: drop the database; delete the underlying Vultr Block Storage volume so Vultr cryptographically erases the block storage per the Vultr shared-responsibility model. For Restricted data, also destroy the AWS KMS CMK that wrapped any application-layer ciphertext loaded into the database.
• Vultr Block Storage: delete the volume; Vultr performs cryptographic erase of the underlying storage.
• Vultr Cloud Compute / Bare Metal / VKE: destroy instances, bare-metal hosts, and node pools; ensure attached block-storage volumes are also deleted and that no images or snapshots persist beyond their retention window. For bare-metal hosts, request Vultr’s reprovisioning workflow so the underlying disks are wiped before the host is returned to the pool.
• Backups: Postgres WAL archives and snapshots in Vultr Object Storage follow the configured lifecycle. Where Vultr-hosted Confidential data has a cross-cloud backup copy in AWS S3 (per the Records Retention Schedule), apply the AWS S3 deletion / KMS destruction step above in addition to the Vultr-side deletion.

​

Endpoint devices

• Laptops returned through Offboarding are wiped via Rippling and re-provisioned, or retired and physically destroyed via an approved vendor.
• Mobile devices are factory-reset and remote-wiped via Rippling.
• Damaged devices that cannot be wiped are sent to an approved e-waste vendor with a COD.

​

Approved third-party destruction vendors

• Be NAID AAA Certified (or local equivalent) for the relevant destruction type.
• Carry adequate liability insurance (limits set by the CISO and Legal).
• Provide a signed Certificate of Destruction (COD) for each engagement, including: vendor name, date, location, list of items destroyed (with serial numbers where applicable), destruction method, and signature of the destruction technician.
• Have an executed vendor agreement reviewed under Vendor Risk Assessment.

​

Verification & sign-off

1. Requestor records the asset, classification, retention basis, and proposed method.
2. Asset Owner confirms the data classification and authorizes disposal.
3. CISO (or delegate) approves the method and signs upon completion.
4. Where a third-party vendor was used, the COD is attached.

​

Records

• All disposal actions are logged in the Disposal Log.
• Certificates of Destruction (COD) are retained for 7 years.
• The CISO performs a quarterly review of the disposal log to confirm coverage, approvals, and COD attachment.

​

Cross-references

• Asset Management Policy
• Data Management Policy
• Records Retention Schedule
• Customer Data Export
• Offboarding

​

Version history