Secure Deletion

Secure deletion practices following NIST 800-88 standards with certification provided to educational agencies.

Our Commitment to Secure Data Destruction

Impact Suite maintains comprehensive data destruction procedures aligned with NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization to ensure secure and complete deletion of educational agency data when no longer needed for contractual purposes. Our multi-layered destruction process ensures data is rendered inaccessible and ultimately permanently deleted from all systems.

Key Principles:

  • Standards-Based: Aligned with NIST 800-88 Rev. 1 industry standards

  • Multi-Phase Process: Immediate isolation, complete deletion, backup purging, and verification

  • Comprehensive Scope: Deletion from production, backups, logs, and all storage systems

  • Verified Completion: Multiple verification steps ensuring complete data removal

  • Certified Results: Written certification provided to educational agencies

  • Documented Process: Complete audit trail of all destruction activities


Data Destruction Standards and Methods

Impact Suite's data destruction practices comply with industry-leading standards ensuring data is permanently and irreversibly deleted.

Compliance with Industry Standards

NIST SP 800-88 Revision 1: Guidelines for Media Sanitization - the row-level and object-level deletion described below is a logical, "Clear"-level technique, which is what a shared multi-tenant cloud database permits; media-level "Purge" and "Destroy" sanitization is performed by AWS when storage hardware is decommissioned (see AWS Infrastructure and Physical Media Destruction below).

HIPAA Security Rule: 45 CFR § 164.310(d)(2)(i) - ensuring secure disposal of electronic Protected Health Information (PHI).

FERPA Requirements: 34 CFR § 99.33(a) - proper destruction of education records containing PII.

AWS Security Standards: Relying on AWS's media decommissioning process, which AWS documents as following NIST 800-88 sanitization techniques, for the physical storage underlying our infrastructure.

Multi-Tenant Architecture Context

Our Environment: Impact Suite operates a secure multi-tenant architecture where educational agency data is logically segregated within shared database infrastructure using unique organizational identifiers. This industry-standard approach enables efficient service delivery while maintaining strict data isolation.

Destruction Approach: Our destruction procedures are designed for this architecture: every deletion and every verification query is keyed on the educational agency's unique identifier, so one tenant's data can be removed and its absence proven without touching other tenants. This is a common approach among educational technology providers and is designed to meet the regulatory requirements listed above.


Three-Phase Destruction Process

Impact Suite employs a comprehensive three-phase approach to data destruction, ensuring data is immediately isolated, completely deleted, and thoroughly verified.

Phase 1: Immediate Data Isolation (Day 0)

Upon contract termination or data destruction request, Impact Suite immediately implements application-level data isolation to make data functionally inaccessible.

Access Revocation

User Account Deprovisioning:

  • All district user accounts immediately deprovisioned

  • Login credentials invalidated across all systems

  • Session tokens revoked and invalidated

  • Multi-factor authentication disabled

API and Integration Termination:

  • API access credentials and tokens revoked

  • Integration connections terminated

  • Single Sign-On (SSO) integrations disabled

  • Webhook endpoints deactivated

Administrative Access:

  • Administrative access disabled (except as needed for data export during transition period)

  • Privileged account access revoked

  • Audit log access removed

  • System configuration access terminated

Logical Deletion

Database Marking:

  • All educational agency records marked as deleted in database systems using deletion timestamps and status flags

  • Deletion markers applied to all tables containing agency data

  • Parent-child relationships maintained during marking for referential integrity

Application-Level Exclusion:

  • Application-level queries immediately exclude deleted data from all operations

  • Data becomes inaccessible through user interface, APIs, and reports

  • Background processes exclude deleted data from processing

  • Search indexes updated to exclude deleted records

Immediate Effect: From Day 0, educational agency data is functionally deleted and inaccessible to all users, applications, and processes, with the single exception of the administrative export path retained during the transition period (noted above). This immediate isolation prevents any further access, use, or disclosure of the data.

File System Isolation

S3 Object Management:

  • Amazon S3 buckets containing uploaded documents, images, and files associated with the educational agency are immediately:

    • Made inaccessible through application access controls

    • Flagged for permanent deletion in our systems

    • Excluded from all application operations and queries

    • Removed from backup inclusion lists

Phase 2: Physical Data Deletion (Within 30 Days)

Complete physical deletion of all educational agency data occurs within thirty (30) calendar days of the destruction request or contract termination.

Production Database Deletion

Comprehensive Record Removal: All database records associated with the educational agency's unique identifier are permanently deleted from production systems including:

Student and Family Data:

  • Student records and demographic information

  • Guardian and family information

  • Student-guardian relationships

  • Enrollment and transfer records

Personnel Data:

  • Staff and faculty records

  • Role and permission assignments

  • Team and organizational assignments

Operational Data:

  • Behavioral concerns and incident reports

  • Case management records and documentation

  • Assessment and evaluation data

  • Intervention plans and progress notes

Training and Compliance:

  • Training completion and acknowledgement records

  • Policy and procedure associations

  • Certificate and completion data

System and Integration Data:

  • Communication logs and system interactions

  • API activity logs and integration records

  • User activity and audit logs (except those required for HIPAA compliance)

  • Configuration and preference data

Deletion Process

Cascading Deletion:

  • Deletion cascades through all related tables maintaining referential integrity

  • Foreign key relationships properly handled

  • Junction tables cleared of agency associations

  • Orphaned records identified and removed

SQL Execution:

  • DELETE statements filtered by the educational agency's unique identifier are executed against every table containing agency data, child tables before parent tables so that foreign key constraints are never violated

  • Transaction logs confirm successful execution

  • Deletes run inside a single transaction so that an error or a failed verification rolls the whole run back rather than leaving a partially deleted tenant

  • Completion verified before marking phase complete

Deletion Verification

Automated Verification:

  • Automated verification queries confirm complete removal from all tables

  • Row count comparisons validate expected deletion scope

  • Foreign key relationship validation ensures referential integrity maintained

  • Orphaned records check confirms no isolated data remnants

Manual Verification:

  • Security Officer or designated personnel performs manual verification

  • Sample queries executed to confirm no data remains

  • Edge cases and complex relationships verified

  • Results documented in destruction audit trail
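A worked example of the deletion and verification steps above, added here as an illustration; it is not Impact Suite's code, and the page does not publish the production schema. It assumes a six-table schema (organizations, students, guardians, student_guardians, incidents, documents) and constructed sample rows in an in-memory SQLite database. It shows the two checks the text calls for that a per-tenant COUNT alone cannot provide: an orphan check for a junction table that carries no agency identifier, and a before/after count of every other tenant's rows so the purge cannot silently touch a neighbour. Any failure rolls the transaction back.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema for illustration only; the page does not publish Impact Suite's tables.
SCHEMA = """
CREATE TABLE organizations (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE students  (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL REFERENCES organizations(id), name TEXT);
CREATE TABLE guardians (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL REFERENCES organizations(id), name TEXT);
CREATE TABLE student_guardians (student_id  INTEGER NOT NULL REFERENCES students(id),
                                guardian_id INTEGER NOT NULL REFERENCES guardians(id));
CREATE TABLE incidents (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL REFERENCES organizations(id),
                        student_id INTEGER REFERENCES students(id), note TEXT);
CREATE TABLE documents (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL REFERENCES organizations(id), s3_key TEXT);
"""

# Tables that carry the tenant identifier, child-before-parent so no DELETE violates a
# foreign key. Identifiers come only from this hard-coded allowlist, never from caller
# input, which is what makes interpolating them into the SQL below safe.
TENANT_TABLES = [("incidents", "org_id"), ("documents", "org_id"),
                 ("students", "org_id"), ("guardians", "org_id"),
                 ("organizations", "id")]

# Constructed sample data: dist-001 is the departing agency, dist-002 must be untouched.
SAMPLE_ROWS = """
INSERT INTO organizations VALUES ('dist-001','Departing District'),('dist-002','Other District');
INSERT INTO students  VALUES (1,'dist-001','S1'),(2,'dist-001','S2'),(3,'dist-002','S3');
INSERT INTO guardians VALUES (1,'dist-001','G1'),(2,'dist-001','G2'),(3,'dist-002','G3');
INSERT INTO student_guardians VALUES (1,1),(2,2),(2,1),(3,3);
INSERT INTO incidents VALUES (1,'dist-001',1,'n1'),(2,'dist-001',2,'n2'),(3,'dist-002',3,'n3');
INSERT INTO documents VALUES (1,'dist-001','dist-001/doc1.pdf'),(2,'dist-001','dist-001/doc2.pdf'),
                             (3,'dist-002','dist-002/doc3.pdf');
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce FKs so an ordering mistake fails loudly
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def residual_counts(conn, org_id):
    """Verification queries: every value must be zero after a purge."""
    out = {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE {c} = ?", (org_id,)).fetchone()[0]
           for t, c in TENANT_TABLES}
    # The junction table has no org_id, so a per-tenant COUNT cannot see it; an orphan
    # check (rows whose parent student or guardian no longer exists) covers it instead.
    out["student_guardians_orphans"] = conn.execute(
        "SELECT COUNT(*) FROM student_guardians sg "
        "WHERE NOT EXISTS (SELECT 1 FROM students  s WHERE s.id = sg.student_id) "
        "   OR NOT EXISTS (SELECT 1 FROM guardians g WHERE g.id = sg.guardian_id)").fetchone()[0]
    return out


def other_tenant_counts(conn, org_id):
    """Blast-radius check: rows belonging to every other tenant, per table."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE {c} != ?", (org_id,)).fetchone()[0]
            for t, c in TENANT_TABLES}


def purge_tenant(conn, org_id, actor="svc-destruction"):
    """Hard-delete one tenant inside a single transaction and return an audit record.

    Rolls back and raises if any verification query finds residual rows or if any row
    outside the target tenant changed, so a half-deleted tenant is never left behind."""
    before_others = other_tenant_counts(conn, org_id)
    deleted = {}
    try:
        # Junction rows first: they reference the students/guardians deleted next.
        cur = conn.execute(
            "DELETE FROM student_guardians "
            " WHERE student_id  IN (SELECT id FROM students  WHERE org_id = ?) "
            "    OR guardian_id IN (SELECT id FROM guardians WHERE org_id = ?)", (org_id, org_id))
        deleted["student_guardians"] = cur.rowcount
        for table, col in TENANT_TABLES:
            cur = conn.execute(f"DELETE FROM {table} WHERE {col} = ?", (org_id,))
            deleted[table] = cur.rowcount
        residual = residual_counts(conn, org_id)
        if any(residual.values()):
            raise RuntimeError(f"residual rows after purge: {residual}")
        if other_tenant_counts(conn, org_id) != before_others:
            raise RuntimeError("purge touched rows outside the target tenant")
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    return {"org_id": org_id, "actor": actor,
            "executed_at": datetime.now(timezone.utc).isoformat(),
            "deleted": deleted, "residual": residual}


if __name__ == "__main__":
    db = open_sample_db()
    print(purge_tenant(db, "dist-001"))
```

The returned record is the per-run entry the Deletion Audit Trail section describes (timestamp, actor, tables affected, row counts, verification result). With a real database the same pattern applies using ON DELETE CASCADE constraints or an ordered table list generated from the catalog; the orphan and other-tenant checks remain necessary because neither a cascade nor a COUNT by tenant identifier proves anything about tables that do not carry that identifier.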

File Storage Deletion

Amazon S3 Object Deletion:

  • All files, documents, images, and uploads associated with the educational agency are permanently deleted from Amazon S3

  • Where S3 versioning is enabled, every object version is deleted by its version ID; a plain delete on a versioned bucket only writes a delete marker and leaves every prior version readable

  • Objects stored in S3 Glacier storage classes are included in the deletion if applicable

  • Completion is confirmed by listing object versions under the agency prefix and finding neither object versions nor delete markers in any storage class

File Categories Deleted:

  • Uploaded concern and incident documentation

  • Case management attachments and files

  • Training certificates and completion documents

  • Policy documents and acknowledgements

  • Photos and images associated with incidents

  • Any other files linked to educational agency

CloudWatch Log Management

Operational Logs:

  • Operational logs containing educational agency context data are deleted per our standard 30-day log retention policy

  • Application logs with agency identifiers purged

  • System logs specific to agency operations removed

HIPAA-Required Logs (Retained):

  • Security and audit logs required for HIPAA compliance are retained for six (6) years as mandated by regulation

  • These logs include:

    • Access logs showing who accessed PHI and when

    • Authentication records and login attempts

    • Administrative actions and permission changes

    • Security incident logs

  • Access to retained logs is strictly controlled and limited to authorized compliance personnel

  • Retained logs are encrypted and protected with same security as active data

Deletion Audit Trail

Complete Documentation: All deletion operations are logged with:

  • Timestamps of deletion execution

  • Data categories and record counts deleted

  • Database tables affected

  • User/system account performing deletion

  • Verification results

  • Any errors or exceptions encountered

Audit Trail Retention:

  • Deletion logs retained for compliance verification purposes (6 years for HIPAA)

  • Logs maintained separately from deleted data

  • Available for regulatory audits or educational agency verification

  • Secured with access controls and encryption

Phase 3: Backup Management and Verification (30-90 Days)

Educational agency data in backup systems is managed through our backup retention policies, with comprehensive verification ensuring no accessible copies remain.

Backup Retention Policy

Our Backup Schedule:

  • Daily Automated Backups: Retained for 30 days

  • Database Snapshots: Automated snapshots retained for 30 days

  • Disaster Recovery Backups: Incremental backups aged out within 30 days

Backup Data Handling

Immediate Access Prevention:

  • Backups taken after the Phase 1 marking contain the deletion markers, so a restore of one of those backups would still have the educational agency data excluded by the application

  • Backups taken before Day 0 do not contain the markers, so restoration procedures validate that deleted tenant data is excluded before a restored copy is placed in service

  • Deleted data cannot be accessed through normal operational processes

  • Multi-layer protection prevents inadvertent data exposure

Natural Backup Expiration:

  • Deleted data in backups is rendered inaccessible through application controls

  • Physical backup media containing deleted data is aged out according to our 30-day backup retention policy

  • Within 60 days of deletion initiation, no backups containing educational agency data remain in our systems

  • Backup rotation ensures complete elimination of data from backup infrastructure

Encryption Protection

Backup Security:

  • All backups are encrypted using AWS RDS encryption with AES-256

  • Backup encryption keys are managed through AWS Key Management Service (KMS)

  • Access to backup decryption keys is strictly controlled and audited

  • Only authorized personnel can access or restore backups

Final Verification (Day 45-60)

Comprehensive Verification Process

Within 60 days of initiating destruction, Impact Suite performs comprehensive verification:

Production Database Verification:

  • Execute COUNT queries on all tables filtering by educational agency identifier

  • Confirm zero rows returned for all data tables

  • Verify foreign key relationships properly maintained

  • Check for orphaned records in junction tables

  • Document query results with timestamps

S3 Bucket Verification:

  • List all S3 objects with educational agency prefix or tags

  • Confirm zero objects returned in all buckets

  • Confirm that listing object versions for the agency prefix returns neither object versions nor delete markers

  • Document S3 API responses with deletion confirmation
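An added example, not Impact Suite's or AWS's code, of what "all versions" in the File Storage Deletion section and "deletion confirmation" in the verification list above mean for a versioned bucket. A DeleteObject call without a VersionId on a versioned bucket writes a delete marker and removes nothing; permanent removal means deleting every version by VersionId, including the delete markers themselves, and verification means a ListObjectVersions call for the agency prefix returning no versions and no delete markers. The client below is a constructed in-memory stand-in that reproduces the boto3 list_object_versions and delete_objects request and response shapes (bucket name and keys are assumed), so purge_prefix and verify_prefix_empty run offline here and unchanged against a real boto3 client.

```python
import uuid


class FakeVersionedBucket:
    """Constructed stand-in for a boto3 S3 client against one versioned bucket.
    Models only list_object_versions and delete_objects, with boto3's parameter
    names and response shapes (including pagination and empty-key omission)."""

    def __init__(self, page_size=2):
        self.entries = []           # {"Key", "VersionId", "IsDeleteMarker"}
        self.page_size = page_size  # tiny so pagination is exercised

    def put(self, key):
        self.entries.append({"Key": key, "VersionId": uuid.uuid4().hex, "IsDeleteMarker": False})

    def app_level_delete(self, key):
        # What a DeleteObject without VersionId does on a versioned bucket: it adds a
        # marker, and every earlier version of the key stays readable by VersionId.
        self.entries.append({"Key": key, "VersionId": uuid.uuid4().hex, "IsDeleteMarker": True})

    def list_object_versions(self, Bucket, Prefix="", KeyMarker=None, VersionIdMarker=None, **_):
        ordered = sorted((e for e in self.entries if e["Key"].startswith(Prefix)),
                         key=lambda e: (e["Key"], e["VersionId"]))
        start = 0
        if KeyMarker is not None:  # resume after the last entry of the previous page
            start = next(i + 1 for i, e in enumerate(ordered)
                         if (e["Key"], e["VersionId"]) == (KeyMarker, VersionIdMarker))
        page = ordered[start:start + self.page_size]
        resp = {"IsTruncated": start + self.page_size < len(ordered)}
        versions = [{"Key": e["Key"], "VersionId": e["VersionId"]} for e in page if not e["IsDeleteMarker"]]
        markers = [{"Key": e["Key"], "VersionId": e["VersionId"]} for e in page if e["IsDeleteMarker"]]
        if versions:  # boto3 omits these keys when the page has none
            resp["Versions"] = versions
        if markers:
            resp["DeleteMarkers"] = markers
        if resp["IsTruncated"]:
            resp["NextKeyMarker"], resp["NextVersionIdMarker"] = page[-1]["Key"], page[-1]["VersionId"]
        return resp

    def delete_objects(self, Bucket, Delete):
        deleted = []
        for obj in Delete["Objects"]:
            if "VersionId" not in obj:      # the pitfall: this is not a permanent delete
                self.app_level_delete(obj["Key"])
            else:                           # deleting a version (or a marker) by ID removes it
                self.entries = [e for e in self.entries
                                if (e["Key"], e["VersionId"]) != (obj["Key"], obj["VersionId"])]
            deleted.append({"Key": obj["Key"]})
        return {"Deleted": deleted, "Errors": []}


def list_all_versions(client, bucket, prefix):
    """Every object version and every delete marker under prefix, following pagination."""
    found, kwargs = [], {"Bucket": bucket, "Prefix": prefix}
    while True:
        resp = client.list_object_versions(**kwargs)
        for v in resp.get("Versions", []) + resp.get("DeleteMarkers", []):
            found.append({"Key": v["Key"], "VersionId": v["VersionId"]})
        if not resp.get("IsTruncated"):
            return found
        kwargs["KeyMarker"], kwargs["VersionIdMarker"] = resp["NextKeyMarker"], resp["NextVersionIdMarker"]


def purge_prefix(client, bucket, prefix):
    """Permanently delete every version AND every delete marker under prefix."""
    targets = list_all_versions(client, bucket, prefix)
    deleted, errors = 0, []
    for i in range(0, len(targets), 1000):  # DeleteObjects accepts at most 1000 keys per call
        resp = client.delete_objects(Bucket=bucket, Delete={"Objects": targets[i:i + 1000]})
        deleted += len(resp.get("Deleted", []))
        errors += resp.get("Errors", [])
    return {"requested": len(targets), "deleted": deleted, "errors": errors}


def verify_prefix_empty(client, bucket, prefix):
    """Verification: true only if neither versions nor delete markers remain under prefix."""
    return list_all_versions(client, bucket, prefix) == []


def build_sample_bucket():
    """Constructed data: dist-001 is the departing agency, dist-002 stays."""
    b = FakeVersionedBucket()
    b.put("dist-001/doc1.pdf")
    b.put("dist-001/doc1.pdf")           # a second version of the same upload
    b.put("dist-001/doc2.pdf")
    b.put("dist-002/doc3.pdf")
    b.app_level_delete("dist-001/doc1.pdf")  # what an ordinary delete leaves behind
    return b


if __name__ == "__main__":
    b = build_sample_bucket()
    print("before purge, still present:", len(list_all_versions(b, "agency-uploads", "dist-001/")))
    print(purge_prefix(b, "agency-uploads", "dist-001/"))
    print("verified empty:", verify_prefix_empty(b, "agency-uploads", "dist-001/"))
```

Because verify_prefix_empty walks ListObjectVersions rather than ListObjects, it is the check that actually fails when only a delete marker was written. Object Lock retention or MFA Delete on a bucket will cause individual version deletes to fail; with a real client those appear in the Errors list of the returned record, so the record should be treated as a failed run whenever that list is non-empty.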

Application Verification:

  • Attempt to access educational agency data through application interface

  • Confirm all access attempts return "not found" or access denied

  • Test API endpoints for educational agency data

  • Verify reporting systems show no data for educational agency

  • Test search functionality returns no results

Backup Verification:

  • Inventory all backups and snapshots

  • Confirm educational agency data marked as deleted in all backups

  • Document backup retention status and expiration dates

  • Verify encryption and access controls on remaining backups

  • Confirm backups containing data have expired per retention policy

Verification Documentation

All verification activities documented including:

  • Verification method and specific procedures used

  • Date and time of each verification activity

  • Results of verification queries and tests

  • Name and role of individual performing verification (typically Security Officer or Compliance Officer)

  • Any anomalies or issues identified and their resolution

  • Final confirmation that destruction is complete and verified

Independent Review

Compliance Officer Review: Destruction verification is reviewed by our Compliance Officer (Kris Kofoed) who:

  • Reviews all verification documentation for completeness

  • Confirms all destruction phases completed successfully

  • Verifies compliance with contractual and regulatory requirements

  • Authorizes issuance of destruction certification

  • Maintains destruction records for audit purposes (6 years)

AWS Infrastructure and Physical Media Destruction

Impact Suite's infrastructure is hosted on Amazon Web Services (AWS), which maintains industry-leading physical security and media destruction processes.

Cloud Infrastructure Security

AWS Maintains:

NIST 800-88 Alignment: AWS documents that storage media is sanitized using techniques described in NIST 800-88 when the hardware is decommissioned.

FedRAMP Authorization: Federal Risk and Authorization Management Program compliance demonstrating government-grade security.

SOC 2 Type II: Annual third-party audits of security controls including data destruction procedures.

ISO 27001 Certification: International information security management system certification covering full data lifecycle.

Physical Media Destruction

When AWS Decommissions Physical Storage Media:

Degaussing: Magnetic media is degaussed to render data unrecoverable per NIST 800-88 "Purge" methods.

Physical Destruction: Media is physically destroyed (shredding, crushing, incinerating) per NIST 800-88 "Destroy" methods.

Documentation: Destruction is documented and auditable through AWS attestations and compliance reports.

Impact Suite Reliance: Impact Suite relies on AWS's documented media decommissioning process for the underlying physical storage, since tenants of a shared cloud service have no access to the physical media themselves.

Attestation Availability: AWS provides attestation reports available for customer review demonstrating compliance with media destruction standards.

Subprocessor Destruction

For Data Processed by Subprocessors:

Ednition (SIS Integration):

  • Subprocessor agreements require deletion of educational agency data upon contract termination

  • Ednition must delete data from their systems within their stated timelines

  • Deletion confirmation provided to Impact Suite

  • Impact Suite coordinates destruction timelines to ensure complete data removal

Destruction Coordination:

  • Impact Suite notifies subprocessors of data destruction requirements

  • Coordinates destruction timelines with subprocessor destruction procedures

  • Obtains deletion certificates or confirmations from subprocessors

  • Provides consolidated destruction certification to educational agencies including subprocessor confirmations


Data Destruction Timeline

Impact Suite follows a structured timeline ensuring timely and complete data destruction.

Standard Destruction Timeline

Phase   | Activity                                         | Timeline
--------|--------------------------------------------------|------------------------
Phase 1 | Immediate isolation and access revocation        | Day 0 (within 24 hours)
Phase 1 | Logical deletion and application-level exclusion | Day 0 (within 24 hours)
Phase 2 | Production database physical deletion            | Within 30 days
Phase 2 | S3 file storage deletion                         | Within 30 days
Phase 2 | Deletion verification                            | Within 30 days
Phase 3 | Backup expiration                                | Within 60 days
Phase 3 | Final verification and certification             | Within 60 days

Expedited Destruction

Upon Request: Impact Suite can expedite the destruction process for urgent situations:

Expedited Timeline:

  • Production data deletion: Within 10 business days

  • File storage deletion: Within 10 business days

  • Expedited verification: Within 15 business days

Note on Backups: Backup expiration follows standard 30-day retention policy, but data remains inaccessible via application controls immediately upon deletion request.

Automatic Destruction

Post-Contract Retention Period:

If no data export is requested during the 90-day retention period following contract termination:

Day 91:

  • Automatic destruction process initiates

  • The educational agency receives 30-day advance notice before automatic destruction begins

Destruction Process:

  • Follows standard destruction timeline

  • All phases completed systematically

  • Verification performed as with requested destruction

Certification:

  • Certificate of destruction provided upon completion

  • Available upon request if not automatically sent


Verification and Audit Procedures

Impact Suite employs rigorous verification procedures to ensure complete data destruction with multiple layers of validation.

Destruction Verification Process

Database Verification:

  • Execute COUNT queries on all tables filtering by educational agency identifier

  • Confirm zero rows returned for all data tables

  • Verify foreign key relationships properly maintained

  • Check for orphaned records in junction tables

  • Document query results with timestamps and record counts

File System Verification:

  • List all S3 objects with educational agency prefix or tags

  • Confirm zero objects returned across all buckets

  • Confirm that listing object versions for the agency prefix returns neither object versions nor delete markers

  • Document S3 API responses with deletion confirmation

  • Check all storage classes (Standard, Glacier, etc.)

Application Verification:

  • Attempt to access educational agency data through application interface

  • Confirm all access attempts return "not found" or access denied

  • Test API endpoints for educational agency data

  • Verify reporting systems show no data for educational agency

  • Test search and query functionality returns no results

  • Attempt data export to confirm no data available

Backup Verification:

  • Inventory all backups and snapshots in all regions

  • Confirm educational agency data marked as deleted in all backups

  • Document backup retention status and expiration dates

  • Verify encryption and access controls on remaining backups

  • Confirm backups containing data have expired per retention policy

Verification Documentation

Complete Documentation Maintained:

Verification Method:

  • Specific procedures used for each verification type

  • Tools and scripts executed

  • Query text and parameters

  • API calls made

Execution Details:

  • Date and time of verification

  • System state at time of verification

  • Environmental conditions

  • Any relevant system logs

Results:

  • Query results and record counts

  • Screenshots or output captures

  • Confirmation messages

  • Error logs (if any issues encountered)

Personnel:

  • Name of individual performing verification (typically Security Officer Zach Johnson or Compliance Officer Kris Kofoed)

  • Role and authorization level

  • Witness or reviewer (if applicable)

Anomalies:

  • Any anomalies or issues identified during verification

  • Root cause analysis of issues

  • Resolution actions taken

  • Re-verification results

Final Confirmation:

  • Explicit statement that destruction is complete

  • Signature or digital approval

  • Date of final confirmation

  • Authorization to issue certificate

Independent Review

Compliance Officer Oversight:

Kris Kofoed, Compliance Officer, reviews:

  • All verification documentation for completeness and accuracy

  • Confirmation that all destruction phases completed successfully

  • Compliance with contractual obligations and regulatory requirements

  • Adequacy of verification procedures

  • Any anomalies and their resolution

Authorization:

  • Authorizes issuance of destruction certification only after satisfactory review

  • Maintains destruction records for audit purposes (6 years retention)

  • Available to discuss destruction process with educational agencies


Certificate of Data Destruction

Upon completion of the destruction process, Impact Suite provides a formal Certificate of Data Destruction to the educational agency.

Required Certificate Elements

Educational Agency Information:

  • Complete name and identification of educational agency

  • Contract or agreement reference number

  • Primary contact information

Destruction Date:

  • Date destruction process was initiated

  • Date destruction process was completed

  • Date final verification performed

Data Categories Destroyed: Comprehensive list of all data types permanently deleted including:

  • Student records and demographic information

  • Guardian and family information

  • Staff and faculty data

  • Behavioral concerns and incident reports

  • Case management records and documentation

  • Training and policy acknowledgement records

  • Uploaded documents and files

  • System logs and operational data (excluding HIPAA-required audit logs retained for 6 years)

Destruction Methods: Description of destruction methods employed:

  • Application-level logical deletion with immediate isolation

  • Physical database record deletion via SQL DELETE operations

  • File system object deletion from Amazon S3

  • Backup management procedures (30-day retention expiration)

  • Compliance with NIST 800-88 Rev. 1 standards

Verification Statement: Attestation that:

  • All educational agency data has been permanently deleted from production systems

  • Data is inaccessible through all application interfaces and APIs

  • Deletion verification procedures were completed successfully with documented results

  • Backup data will age out per retention policy and is inaccessible via application controls

  • Subprocessors have confirmed data deletion where applicable (with subprocessor certificates attached)

AWS Infrastructure Statement: Acknowledgment that Amazon Web Services sanitizes decommissioned storage hardware using techniques AWS documents as following NIST 800-88, as part of its audited infrastructure operations.

Compliance Officer Signature:

  • Certificate signed by Kris Kofoed, Compliance Officer

  • Email: kris.kofoed@impactsuite.com

  • Digital signature or electronic authorization

  • Statement of authority to execute certificate

Certification Date:

  • Date certificate was issued

  • Effective date of certification

Contact Information:

  • Point of contact for questions or verification requests

  • Process for requesting additional information

  • Availability for follow-up discussions

Certificate Delivery

Delivery Method:

  • Certificate provided via encrypted email to educational agency designated contacts

  • PDF format with digital signature

  • Secure portal access available if preferred

  • Physical mail available upon request

Timing:

  • Standard timeline: Certificate provided within 60 days of destruction completion

  • Upon request: Certificate expedited within 15 days of destruction completion

  • Automatic delivery for scheduled destructions

Retention:

  • Copy retained in Impact Suite compliance records for audit purposes (6 years)

  • Additional copies provided upon request at no charge

  • Available for regulatory audits or agency verification needs


Destruction Documentation Retention

In accordance with HIPAA and other regulatory requirements, Impact Suite retains destruction-related documentation for compliance verification purposes.

Documentation Retained for Six (6) Years

Destruction Certificates:

  • Copies of all certificates issued to educational agencies

  • Delivery confirmations

  • Any amendments or clarifications

Deletion Audit Logs:

  • Logs documenting deletion operations performed

  • Timestamps and user accounts

  • Tables and record counts affected

  • Verification results

Verification Reports:

  • Documentation of verification procedures executed

  • Query results and screenshots

  • Confirmation of data removal

  • Anomaly resolution documentation

Access Logs (HIPAA Requirement):

  • Audit trails showing data access prior to deletion

  • Authentication and authorization logs

  • Administrative action logs

  • Required for regulatory compliance and potential investigations

Destruction Policies and Procedures:

  • Documentation of destruction methods and standards used

  • Version history of procedures

  • Training materials on destruction processes

  • Policy updates and change logs

Subprocessor Destruction Confirmations:

  • Certificates or confirmations from subprocessors (AWS, Ednition)

  • Coordination documentation

  • Verification of subprocessor deletion completion

Important Note

Documentation ≠ Data: Retention of destruction documentation does not constitute retention of educational agency data itself. Only metadata about the destruction process (what was deleted, when, how, by whom) is retained for compliance verification purposes. No actual student data, PII, or educational records are retained beyond destruction.

Exception Handling

In rare circumstances, data destruction may be delayed or modified due to legal or regulatory requirements.

Legal Hold or Regulatory Requirements

Circumstances Requiring Delay:

Pending Litigation:

  • If educational agency data is subject to legal hold due to litigation, destruction is suspended until legal hold is released

  • Legal counsel determines scope and duration of hold

  • Data remains secured with access limited to legal purposes only

  • Destruction proceeds upon release of hold with updated timeline

Regulatory Investigation:

  • If data is subject to regulatory investigation or audit, destruction is coordinated with regulatory authority requirements

  • Data preserved as required by investigation scope

  • Access limited to investigation purposes

  • Cooperation with regulatory timelines

Law Enforcement Request:

  • If law enforcement requests preservation of data through proper legal process, destruction timeline is adjusted accordingly

  • Subpoena or court order required for preservation

  • Scope limited to specific data requested

  • Destruction proceeds upon completion of legal matter

Communication with Educational Agency

In All Exception Cases:

Immediate Notification:

  • Educational agency is immediately notified of any destruction delays

  • Written notification within 5 business days of hold initiation

  • Clear explanation of reason for delay

  • Expected duration if known

Reason Disclosure:

  • Specific reason for delay is clearly communicated (to extent permitted by law)

  • Legal authority cited (court order, regulatory requirement, etc.)

  • Scope of data affected

  • Any restrictions on disclosure

Data Security During Delay:

  • Data remains secured with same or enhanced controls during delay period

  • Access strictly limited to legal/regulatory purposes

  • Audit trail of any access maintained

  • Regular security monitoring continues

Timeline Updates:

  • Regular updates provided to educational agency on status

  • Notification upon release of hold or completion of legal matter

  • Updated destruction timeline provided

  • Commitment to complete destruction promptly

Completion:

  • Destruction proceeds promptly upon release of hold

  • Standard verification procedures followed

  • Certificate provided with notation of delay reason and duration

  • Copy of legal release documentation available upon request

Partial Destruction Requests

Selective Destruction:

Educational agencies may request selective destruction of specific data categories while retaining others:

Request Process:

  • Request must clearly specify data categories for destruction vs. retention

  • Specification by student cohort, time period, data type, or other criteria

  • Impact analysis performed to ensure feasibility

  • Confirmation of understanding before proceeding

Adapted Procedures:

  • Destruction procedures adapted to accommodate selective deletion

  • Careful scoping to avoid deleting retained data

  • Enhanced verification to confirm only specified data destroyed

  • Referential integrity maintained for retained data

Verification:

  • Verification confirms only specified data categories destroyed

  • Retained data remains accessible and intact

  • Partial verification report provided

  • Full destruction certificate issued for deleted portions

Certification:

  • Certificate notes partial destruction scope

  • Specific data categories deleted listed

  • Retained data categories noted

  • Available for future complete destruction upon request

Continuous Improvement

Impact Suite regularly reviews and updates destruction procedures to ensure they remain effective and aligned with evolving standards and best practices.

Regular Reviews

Quarterly Reviews:

  • Assessment of destruction process effectiveness

  • Review of verification procedures adequacy

  • Analysis of any issues or anomalies

  • Identification of improvement opportunities

  • Technology and tooling updates

Annual Comprehensive Review:

  • Full procedure review and update

  • Incorporation of new regulatory requirements

  • Adaptation to infrastructure or architectural changes

  • Benchmarking against industry best practices

  • Training material updates

Updates Based On

Regulatory Changes:

  • New data destruction requirements in privacy laws

  • Updated NIST guidance or standards

  • State-specific requirement changes

  • Industry-specific standards evolution

Technology Changes:

  • Infrastructure or architecture changes

  • New storage systems or databases

  • Enhanced deletion or sanitization tools

  • Automation opportunities

Lessons Learned:

  • Experience from actual destructions performed

  • Issues encountered and resolutions

  • Efficiency improvements identified

  • Educational agency feedback

Industry Best Practices:

  • Peer organization practices

  • Security research and recommendations

  • Compliance framework updates

  • Technology vendor guidance

Questions About Data Destruction?

For questions about our data destruction procedures, to request expedited destruction, or to obtain destruction certificates, please contact our Compliance Officer.

Primary Contact: Kris Kofoed, Compliance Officer kris.kofoed@impactsuite.com

Secondary Contact: Zach Johnson, VP of Product & Safety Officer zach@impactsuite.com

Note: Our data destruction procedures are reviewed quarterly and updated to reflect current regulatory requirements and industry best practices. All destruction activities are documented and available for audit verification.