Last Updated: Dec 6, 2024
Overview
Some admins might require all personal data to be securely deleted so that it is irreversibly irretrievable. This raises the question of whether user data deleted through the Management API’s Delete a user endpoint satisfies that requirement. This article addresses that concern.
Applies To
- User deletion
- Security
- API Management
Solution
What happens to data when an account is deleted
When an end user’s account is deleted, their user profile, including metadata, is removed. This is documented in What happens to data when an account is deleted.
When an object is deleted, the removal of the mapping from the public name to the object starts immediately and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no external access to the deleted object. That storage area is then made available only for write operations, and the data is overwritten by newly stored data. Additionally, our cloud service providers use the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.
How long will personal data remain available in Auth0’s system before the data is overwritten?
Data deleted from the system will be unavailable immediately. Data in encrypted offline backups will remain stored for 14 months.
This can be found at Auth0 Inc. - User deletion Security API Management.