Secure Disposal

[All Actors]
1. Dispose of cached inference results and log files the actor retains using approved secure-deletion methods.

2. Purge any user sessions, logs and outputs once the defined retention period expires for data the actor stores or processes.

3. Ensure business- or user-data deletion aligns with compliance obligations for the systems the actor controls.

4. Enable and execute secure-wipe / cryptographic-erasure lifecycle policies.

[Shared among: MP, CSP, OSP]
1. Delete training/validation data and embeddings post-use or repurpose for models the actor trains or fine-tunes.

1. Examine the CSP’s procedures and technical requirements related to the secure disposal of data from storage media. Establish that this process and key controls comply with the CSP’s data privacy and security policy. Establish whether the CSP has documented the roles and responsibilities for this process.

2. Select a sample of disposal requests (if available) and assess whether they have followed the process through to completion. Confirm that all evidence was formally documented and recorded.

3. Examine measure(s) that evaluate(s) this process and determine if the measure(s) address(es) implementation of the process/control requirement(s) as stipulated.

4. Obtain and examine supporting documentation maintained as evidence of these metrics to determine if the office or individual responsible reviews the information and if identified issues were investigated and corrected. Examine related records to determine if the individual or office conducted any follow-ups on the deviations to verify they were corrected as intended.

5. Determine if the CSP has controls to evaluate third parties' secure data disposal methods from storage media.

6. Verify that industry-accepted methods for secure data disposal are defined and implemented, ensuring data is not recoverable by any forensic means.

7. Verify that data disposal techniques include secure deletion, overwriting, and physical destruction of storage media.

8. Verify compliance with relevant data protection laws and organizational policies throughout the data disposal process.

9. Verify the effectiveness of technical measures such as certified data wiping tools and secure destruction methods.

10. Verify that disposal methods align with industry standards (e.g., NIST SP 800-88) and specify appropriate techniques for different media types, such as cryptographic erasure for solid-state drives, degaussing or physical destruction for magnetic media, and secure overwriting where applicable.

3. Review evidence of implementation, including logs, certificates of destruction, or other documentation that confirms proper disposal of decommissioned media.

4. Assess whether disposal procedures address special handling requirements for high-capacity storage systems commonly used in AI workloads.

5. Verify that contracts with any third-party disposal services include appropriate security requirements and that certificates of destruction are obtained.

6. Examine staff training records on secure disposal procedures and confirm that personnel responsible for media handling have appropriate knowledge.