Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: NIST SP 800-88 Rev. 1; SOC 2 CC6.5; ISO/IEC 27001 A.7.14 / A.8.10. Implements the Data Management Policy and Asset Management Policy.
The operational procedure that implements the disposal requirements of the Data Management Policy and the Asset Management Policy. It governs how Neuroscale destroys records — paper, magnetic, solid-state, and cloud-resident — at the end of their retention period and how that destruction is verified. The methods below are aligned with NIST SP 800-88 Rev. 1, “Guidelines for Media Sanitization.”

Scope

  • Paper records held by Neuroscale.
  • Magnetic media (hard disk drives, tapes).
  • Solid-state media (SSDs, NVMe drives, eMMC, USB flash, memory cards).
  • Cloud-resident data on AWS (S3, RDS, EBS, EFS, DynamoDB) and SaaS systems.
  • Endpoint devices (laptops, mobile phones).

Triggers

A disposal action is initiated when any of the following occurs:
  • A record reaches the end of its retention period in the Records Retention Schedule.
  • A customer contract terminates and the post-termination retention window has elapsed (see Customer Data Export).
  • A customer Data Subject Rights deletion request is approved.
  • A device is retired, lost, or returned at offboarding (see Offboarding).
  • A system is decommissioned.

Roles

RoleResponsibility
CISOProcedure owner; approves all destruction methods; signs Certificates of Destruction (COD).
Asset OwnerConfirms classification of the record/media; approves disposal in writing.
RequestorEngineer, IT, or CHRO member initiating the disposal.
Certified Vendor (as needed)When physical destruction is required, provides destruction / e-waste services and issues the COD. Engaged ad hoc; no standing contract.

Methods by media type

Paper

Neuroscale operates effectively paperless; Confidential records are created and retained electronically. No bulk paper-destruction vendor or secure-shred-bin service is retained.
  • Incidental printouts: any Confidential paper produced ad hoc is cross-cut shredded in-house to NIST 800-88 Destroy level (DIN 66399 P-4 or higher).

Magnetic media (HDD, tape)

  • Clear (low-sensitivity): single-pass overwrite using a tested utility.
  • Purge: ATA Secure Erase, or NIST-recognized degaussing for tape.
  • Destroy: physical shredding or disintegration via approved vendor. Required for HDDs that fail Purge or that held Restricted data.

Solid-state media (SSD, NVMe, eMMC, USB)

  • Cryptographic erase is the default Purge method — destruction of the media-encryption key on a self-encrypting drive (SED), invoked via the vendor’s documented Secure Erase procedure (e.g., nvme sanitize, hdparm --security-erase, vendor-supplied tool).
  • For drives without functioning SED support, physical destruction by an approved vendor (shredding to ≤2 mm particle size for solid-state per NIST 800-88).
  • Verification is per the manufacturer’s procedure for the specific drive model; the verification log is retained with the COD.

Cloud — AWS

  • S3: delete objects; for data subject to Restricted classification, also rotate or destroy the KMS customer-managed key (CMK) used to encrypt the bucket prefix — a cryptographic erase per the AWS shared-responsibility model.
  • RDS / Aurora: delete the database; the underlying EBS volumes are cryptographically erased by AWS upon volume deletion. For Restricted data, also delete or schedule for destruction the CMK that encrypted the snapshots.
  • EBS: delete the volume; AWS performs cryptographic erase of the underlying storage.
  • DynamoDB / EFS / Other: follow the AWS service-specific deletion documentation; destroy the CMK where applicable.
  • Backups: AWS Backup vaults follow the lifecycle policy; backups containing data slated for disposal are either aged out per policy or, where required, the recovery-point CMK is destroyed for cryptographic erase.

Cloud — Vultr

  • Vultr Object Storage: delete objects; where the data is Confidential and was wrapped with an AWS KMS application-layer key before storage, also destroy the AWS KMS CMK to render any residual ciphertext unrecoverable (cryptographic erase).
  • Vultr-hosted Postgres: drop the database; delete the underlying Vultr Block Storage volume so Vultr cryptographically erases the block storage per the Vultr shared-responsibility model. For Restricted data, also destroy the AWS KMS CMK that wrapped any application-layer ciphertext loaded into the database.
  • Vultr Block Storage: delete the volume; Vultr performs cryptographic erase of the underlying storage.
  • Vultr Cloud Compute / Bare Metal / VKE: destroy instances, bare-metal hosts, and node pools; ensure attached block-storage volumes are also deleted and that no images or snapshots persist beyond their retention window. For bare-metal hosts, request Vultr’s reprovisioning workflow so the underlying disks are wiped before the host is returned to the pool.
  • Backups: Postgres WAL archives and snapshots in Vultr Object Storage follow the configured lifecycle. Where Vultr-hosted Confidential data has a cross-cloud backup copy in AWS S3 (per the Records Retention Schedule), apply the AWS S3 deletion / KMS destruction step above in addition to the Vultr-side deletion.

Endpoint devices

  • Laptops returned through Offboarding are wiped via Rippling and re-provisioned, or retired and physically destroyed via an approved vendor.
  • Mobile devices are factory-reset and remote-wiped via Rippling.
  • Damaged devices that cannot be wiped are sent to an approved e-waste vendor with a COD.

Approved third-party destruction vendors

Because production is entirely cloud-hosted (no on-prem datacenter) and endpoint drives are sanitized by cryptographic erase, physical destruction of data-bearing media is rare. Neuroscale therefore retains no standing destruction vendor. When physical destruction is required — e.g., a damaged or failed-wipe endpoint drive — Neuroscale engages a certified destruction / IT-asset-disposition (ITAD) vendor on an as-needed basis, vetted through the Vendor Risk Assessment flow before the engagement and added to the Vendor Inventory if the relationship becomes ongoing. Any such vendor must:
  • Be NAID AAA Certified (or local equivalent) for the relevant destruction type.
  • Carry adequate liability insurance (limits set by the CISO and Legal).
  • Provide a signed Certificate of Destruction (COD) for each engagement, including: vendor name, date, location, list of items destroyed (with serial numbers where applicable), destruction method, and signature of the destruction technician.
  • Have an executed vendor agreement reviewed under Vendor Risk Assessment.

Verification & sign-off

Each disposal action requires the following sign-off in the disposal log:
  1. Requestor records the asset, classification, retention basis, and proposed method.
  2. Asset Owner confirms the data classification and authorizes disposal.
  3. CISO (or delegate) approves the method and signs upon completion.
  4. Where a third-party vendor was used, the COD is attached.

Records

  • All disposal actions are logged in the Disposal Log.
  • Certificates of Destruction (COD) are retained for 7 years.
  • The CISO performs a quarterly review of the disposal log to confirm coverage, approvals, and COD attachment.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani