Data Deletion
Deleting an application in Veriproof initiates a two-phase lifecycle: a grace period during which the deletion can be cancelled, followed by an irreversible purge that destroys all associated data.
Only the CustomerAdmin role can initiate application deletion. The operation cannot be undone once the purge completes.
What Gets Deleted
When an application is purged, the following are destroyed:
| Artifact | Deleted? | Notes |
|---|---|---|
| Session payload blobs | ✅ Yes | All attachments and raw session data |
| Session database rows | ✅ Yes | Cascade-deleted including metadata and annotations |
| Worker attestation records | ✅ Yes | TEE attestation index entries |
| Cryptographic key material | ✅ Yes | Data subject encryption keys (salts) |
| Application configuration | ✅ Yes | Ingest rules, redaction policies, etc. |
| Governance scores and policies | ✅ Yes | Application-level scoring history |
| Blockchain commitment anchors | ❌ No | Anchors on Solana are permanent and cannot be removed |
Blockchain hashes are immutable by design. After purge, commitment anchors remain on-chain and can still be referenced by anyone with the hash. However, because the session payload and keys are gone, the anchored hash cannot be re-linked to any PII. This is by design and is consistent with GDPR compliance — see the GDPR Erasure guide.
The 7-Day Grace Period
When you delete an application, it enters a pending deletion state for 7 days (1 hour in sandbox/pre-production environments). During this window:
- The application is hidden from dashboards and lists.
- All ingest is rejected with
410 Gone. - The deletion can be cancelled by a CustomerAdmin — the application is fully restored.
- No data is actually deleted yet.
After the grace period expires, the purge is executed automatically.
Starting an Application Deletion
Open the application
Navigate to the application in the Customer Portal and open Application → Settings.
Initiate deletion
Scroll to the Danger Zone section at the bottom of the settings page and click Delete Application.
Confirm
Type the application name in the confirmation dialog to prevent accidental deletion, then click Confirm deletion.
The application immediately moves to Pending deletion state with a countdown to the purge date.
Cancelling a Deletion (Grace Period Only)
If you change your mind during the 7-day grace period:
- In the Customer Portal, open Applications.
- Locate the application — it appears with a Pending deletion badge.
- Click Cancel deletion and confirm.
The application is restored to Active status immediately. All data remains intact.
Cancellation is only possible before the purge timer fires. Once the purge begins, it cannot be interrupted.
How the Purge Works
The purge is executed by a background queue worker. When the grace period expires, a message is placed on the purge queue. The worker:
- Verifies the deletion is still confirmed (guards against race conditions).
- Deletes all blob objects under the application’s storage prefix (batched).
- Destroys all data subject encryption salts for the application (making stored payloads cryptographically unreadable).
- Deletes session, annotation, and metadata database rows (cascade).
- Deletes the application configuration record.
- Emits an
application.purge_completedaudit event.
A safety-sweep timer runs daily at 02:00 UTC to catch any applications that slipped through the queue (e.g. due to a transient failure). Failed purge messages are routed to a poison queue for operator review.
API: Initiate Purge
DELETE /v1/applications/{appId}/purgeCalled by the portal on confirmation. Marks the application for deletion and starts the grace period clock.
Checking Purge Status
The application’s lifecycle state is available via:
GET /v1/applications/{appId}Possible lifecycleState values:
| Value | Description |
|---|---|
active | Normal operation |
pending_deletion | Grace period in progress; can still be cancelled |
purging | Purge worker is currently running |
purged | All data deleted; application record is removed |
Tenant Deletion
Deleting your entire Veriproof tenant (all applications and all data) is a staff-assisted operation. Contact support@veriproof.app. The process follows the same grace period and purge mechanics, applied tenant-wide.
Tenant deletion requests require identity verification and a signed deletion authorization form. The operation cannot be initiated unilaterally through the portal.
GDPR Right to Erasure vs Application Deletion
| Scenario | Use case | Guide |
|---|---|---|
| Remove all data for one user (data subject) | GDPR Article 17 — right to erasure | GDPR Erasure |
| Remove all data for one application | Decommissioning an application | This page |
| Remove all data for the whole tenant | Offboarding from Veriproof | Contact support |
These operations are independent. A data subject erasure does not delete the application; an application deletion does not selectively erase individual data subjects.