NOVARIC® – Data Deletion Policy
Version: 1.0
Issued by: NOVARIC® Governance, Risk & Compliance
Scope: All NOVARIC® systems, applications, and Microsoft 365 services
Version: 1.1
Effective Date: March 11, 2025
Originally Enacted: September 1, 2024
Issued by: Legal & Compliance Division, NOVARIC®
Contact for Data Deletion Requests
If you have any questions about this Data Deletion Policy or wish to exercise your GDPR data rights, please contact NOVARIC® at:
Email: privacy@novaric.co
1. Introduction
This Data Deletion Policy defines how NOVARIC® ensures the secure and compliant deletion of personal data across NOVARIC systems and Microsoft 365 cloud services.
It aligns with GDPR, UK GDPR, ISO/IEC 27001:2022, SOC 2, and Microsoft’s officially documented data deletion processes for Microsoft 365 and SharePoint Online.
2. Regulatory & Platform References
- GDPR (EU 2016/679) & UK GDPR
- ISO/IEC 27001:2022 – Information Lifecycle Controls
- SOC 2 Trust Services Criteria
- Microsoft 365 Data Retention & Deletion Standard (Active/Passive deletion timelines) [1](https://www.cloudally.com/blog/how-to-configure-retention-policies-in-microsoft-365/)
- SharePoint Online Deletion Lifecycle (93-day recycle bins, encryption‑key destruction upon hard deletion)
3. Data Deletion Principles
NOVARIC® deletes personal data only when:
- The retention purpose has expired.
- A GDPR erasure request is validated.
- Deletion is required by law or regulation.
- Data is no longer operationally required.
4. Microsoft 365 Deletion Standards
4.1 Active Deletion (Microsoft 365)
When NOVARIC® deletes data from Microsoft 365 during an active subscription:
- Customer Content is retained for ≤ 30 days before deletion.
- Identifiable user data (EUII/EUPI) is retained for ≤ 30–180 days, depending on classification. [1](https://www.cloudally.com/blog/how-to-configure-retention-policies-in-microsoft-365/)
4.2 Passive Deletion (Subscription Ends)
- Tenant enters a limited-function mode for 90 days.
- Data is permanently deleted no later than 180 days after subscription expiry. [1](https://www.cloudally.com/blog/how-to-configure-retention-policies-in-microsoft-365/)
5. SharePoint Online Data Deletion
SharePoint Online stores data in encrypted chunks distributed across Microsoft datacenters and maintains multi-stage deletion:
- Stage 1: Deleted items remain in the Recycle Bin for 93 days.
- Stage 2: Items are moved to the Site Collection Recycle Bin for the remainder of the 93 days.
- Hard deletion: Purged items have encryption keys destroyed and storage blocks marked for reuse.
6. NOVARIC® Internal Deletion Methods
6.1 Electronic Data
- Cryptographic erasure
- Secure overwrite (multi-pass)
- Microsoft Purview retention automation (delete-only or retain-then-delete)
6.2 Physical Media
- Shredding
- Degaussing
- Certified destruction vendors
7. Backup & Archive Deletion
Microsoft systems retain backup copies in:
- Preservation Hold Library (SharePoint/OneDrive)
- Recoverable Items (Exchange)
- SubstrateHolds (Teams)
Deleted data is removed in accordance with retention policies and never restored contrary to GDPR obligations.
8. GDPR Data Subject Erasure Requests
NOVARIC® uses Microsoft Data Subject Request (DSR) tools to locate and delete personal data across Microsoft 365 services.
- Identity verification required
- Data discovered across Exchange, SharePoint, Teams, OneDrive
- Deletion executed and logged
9. Monitoring & Review
- Annual audits of deletion activities
- Microsoft Purview dashboards used for compliance verification
- Continuous review of Microsoft’s data deletion standards
10. SOC 2 Mapping
| SOC 2 Criterion | Alignment |
|---|---|
| CC1 – Control Environment | Governance and defined roles |
| CC2 – Communication | Transparency & documented deletion processes |
| CC3 – Risk Assessment | Retention misconfiguration risk managed |
| CC4 – Monitoring | Purview oversight & internal audits |
| CC5 – Control Activities | Secure erasure, Purview policies |
| CC6 – Logical Access | Access-controlled deletion rights |
| CC7 – System Operations | Microsoft 30–180 day lifecycle |
| CC8 – Change Management | Policy updates follow Microsoft lifecycle |
| CC9 – Risk Mitigation | Automated deletion reduces exposure |

| Reference | URL |
|---|---|
| Microsoft 365 Data Retention, Deletion & Destruction | https://learn.microsoft.com/en-us/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview |
| SharePoint Online Data Deletion Lifecycle | https://learn.microsoft.com/en-us/compliance/assurance/assurance-sharepoint-online-data-deletion |
| Microsoft GDPR Overview | https://learn.microsoft.com/en-us/compliance/regulatory/gdpr |
| What Is DORA? (Digital Operational Resilience Act) | https://learn.microsoft.com/en-us/compliance/dora/dora-what-is-dora |
