
Web hosting and cloud providers: destroying customer data

[Image: Servers, drives and customer data of a hosting provider ready for confidential destruction]

A hosting or cloud provider manages the data of dozens to thousands of customers: accounts, databases, files, backups and log files. On top of that come decommissioned drives and servers that must be physically destroyed at the end of their life. For that data you are usually the processor, not the owner, and that carries its own obligations. This guide shows what you keep, what you destroy and how to do it confidentially and demonstrably.

The quick answer: customer content you keep only as long as you provide the service and the contract requires it. Your own invoicing falls under the seven-year tax retention obligation. Decommissioned drives and servers you destroy physically. What may go disappears confidentially and with a certificate as proof.

Two kinds of data: what you host and what you manage

At a hosting provider two volumes of data run side by side. The first is the customer content: the databases, websites, files, mailboxes and backups you store on behalf of your customers. For that the customer is the controller and you are the processor. The second is your own operation: your invoicing, contracts, support tickets and internal administration. For that you are the controller yourself.

That distinction determines who decides when something may go. Over customer content the customer decides, within the frameworks you agreed together. Over your own administration you decide yourself, with the tax and statutory periods as guidance. So treat the two volumes separately, because they have different grounds and different retention periods.

Your role as processor and the processor agreement

For the customer content you are the processor within the meaning of the GDPR. That means you only process the data on the customer's instructions and that you do not simply decide yourself to keep or destroy anything. The arrangements about this belong in a processor agreement, and the end of the road deserves attention there in particular. Record that you delete or return the data after the assignment ends, within which period and in what manner that happens.

In that agreement also include that physical data carriers are destroyed confidentially and that the customer receives proof on request. That way your customer knows in advance what happens to the data when the collaboration stops. What exactly belongs in such a document is in the processor agreement checklist.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the customer-bound periods from the end of the contract.

Part                                  Starting point                      Period
Invoicing and administration          Tax retention obligation            7 years
Customer content (databases, files)   Processor, service duration         duration of the contract
Accounts and login data               As long as the customer is active   until offboarding
Log files (access, security)          Security and liability              purpose-bound, short
Backups                               Retention window of the service     rolling, then wiped
Decommissioned drives and servers     Physical data carriers              destroy at end-of-life

Use this as a guideline, not a substitute for your own arrangements. The tax side is in the 7-year tax retention obligation. For customer content, what you recorded in the contract mainly applies.

Decommissioned drives and servers: destroy physically

Servers and drives go out of service at some point. A faulty drive, a replaced SSD, a phased-out server or a full tape cartridge almost always still holds remnants of customer data. On modern storage a simple delete action is not enough, because the data is spread across the whole drive, and faulty hardware can no longer be wiped reliably at all. For everything you decommission, physical destruction is therefore the safest choice.

Collect decommissioned data carriers separately and keep them sealed until destruction, not loose in a warehouse where they can disappear. How the shredding works physically and what particle size goes with it you can read in how a hard drive is shredded. For complete machines, having servers destroyed at end-of-life is the matching step plan, and for a whole server room datacenter hardware destruction helps.

Log files and backups

Log files and backups are often forgotten, while they can contain a lot of personal data. Access logs, IP addresses and error messages belong to security, but are not an archive. Keep them as briefly as the purpose requires and clear them out in a structured way afterwards. A log file that stays for years without reason is a risk without use.

Backups deserve the same attention as the live environment. When you offboard a customer, the data must also disappear from the backup rotation, otherwise it quietly lives on there. So work with a clear retention window in which old backups expire and are overwritten automatically. That way you know a delete action really carries through into all copies over time, and you can say on which date the last copy is gone. In the cloud that requires extra vigilance, as really deleting cloud data shows.
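The rolling window and the offboarding check described above, worked through as an added example that is not part of the original page and not desnipperaar.nl's own tooling. It models a catalog of nightly snapshots, computes which snapshots have rolled out of the window, and for an offboarded customer reports which retained copies still hold their data, the date by which the last copy expires, any snapshot taken after offboarding that still contains the customer (a sign the live deletion did not carry through), and any handover export left on the systems. The snapshot dates, customer ids and export path are constructed sample data; the 30-day backup window and 14-day handover period are assumed values, not figures from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken: date
    customers: frozenset  # customer ids whose data this snapshot contains


def retained(snapshots, today, window_days):
    """Snapshots still inside the rolling window on `today` (ISO date string)."""
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    return [s for s in snapshots if s.taken > cutoff]


def expired(snapshots, today, window_days):
    """Snapshots that have rolled out of the window and are due to be overwritten."""
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    return [s for s in snapshots if s.taken <= cutoff]


def lingering_exports(exports, customer, today, handover_days):
    """Handover exports for `customer` older than the handover period."""
    cutoff = date.fromisoformat(today) - timedelta(days=handover_days)
    return [path for path, created in exports.get(customer, []) if created <= cutoff]


def offboarding_report(snapshots, exports, customer, offboarded_on, today,
                       window_days, handover_days):
    """What still stands in the way of closing the customer's file on `today`."""
    left = date.fromisoformat(offboarded_on)
    kept = [s for s in retained(snapshots, today, window_days)
            if customer in s.customers]
    # A snapshot taken after offboarding that still holds the customer means the
    # deletion in the live environment did not happen or did not carry through.
    leaked = sorted(s.taken for s in kept if s.taken > left)
    # The newest retained copy expires last: once it rolls out, all older ones
    # already have. None means no retained copy holds the customer any more.
    gone_by = (max(s.taken for s in kept) + timedelta(days=window_days)) if kept else None
    stale = lingering_exports(exports, customer, today, handover_days)
    return {
        "still_in_backups": sorted(s.taken.isoformat() for s in kept),
        "post_offboarding_snapshots": [d.isoformat() for d in leaked],
        "gone_by": gone_by.isoformat() if gone_by else None,
        "lingering_exports": stale,
        "closable": not kept and not stale,
    }


def sample_catalog():
    """Constructed sample: nightly snapshots 2024-02-20 .. 2024-03-05.

    Customer cust-042 is offboarded on 2024-03-01. The 2024-03-03 snapshot
    deliberately still contains cust-042, so the report has something to flag.
    """
    snaps = []
    for day in range(20, 30):  # 20 .. 29 February (2024 is a leap year)
        snaps.append(Snapshot(date(2024, 2, day), frozenset({"cust-001", "cust-042"})))
    for day in range(1, 6):  # 1 .. 5 March
        ids = {"cust-001"}
        if day == 3:
            ids.add("cust-042")  # constructed fault: deletion did not carry through
        snaps.append(Snapshot(date(2024, 3, day), frozenset(ids)))
    return snaps


def sample_exports():
    """Constructed sample: a handover export still sitting on our systems."""
    return {"cust-042": [("exports/cust-042-2024-03-01.tar.gz", date(2024, 3, 1))]}


if __name__ == "__main__":
    snaps = sample_catalog()
    for today in ("2024-03-20", "2024-04-02"):
        print(today, offboarding_report(snaps, sample_exports(), "cust-042",
                                        "2024-03-01", today, 30, 14))
        print("  expired snapshots:", len(expired(snaps, today, 30)))
```

Run on the sample catalog on 2024-03-20 the report lists eleven retained copies, flags the 3 March snapshot, puts the last expiry on 2 April and lists the export as lingering, so the file cannot be closed yet; on 2 April, with the export removed, nothing is left and the file is closable. The same three checks (retained copies, post-offboarding copies, stale exports) are what a destruction note in your record of processing should be able to cite.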

Offboarding a customer

The moment a customer leaves is the moment the processor agreement is tested. Return the data or delete it, within the agreed period, and make sure that also covers the backups and logs. Do not leave an export for the customer sitting on your systems forever. An export is meant to hand over, not to keep for years just in case.

Document what you deleted and when. If there are still physical data carriers with that customer's data, schedule those into the destruction too. That way you close the customer's file neatly and keep no data yourself for which you no longer have a ground.

How to handle it in 6 steps

  1. Separate the volumes into customer content, own administration and physical data carriers.
  2. Record destruction in the processor agreement with period and method.
  3. Clear out logs and backups within a clear retention window.
  4. Delete customer data at offboarding from live, backup and exports.
  5. Collect decommissioned drives and servers sealed until destruction.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Data carriers with customer data are destroyed confidentially, because you manage other people's data and must be able to vouch for it. The drives, servers, tapes and any paper travel sealed and stay that way until destruction, so the chain is closed. That way you prevent a phased-out drive from surfacing again somewhere along the way.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the customer and the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Drives and servers to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.


Common mistakes

  • Only wiping decommissioned drives. On faulty or modern storage wiping does not always fully succeed.
  • Forgetting backups at offboarding. Data that disappears from live lives on quietly there.
  • Keeping log files forever. Without a purpose that is a risk without use.
  • Not arranging destruction in the agreement. Then you are empty-handed when the customer leaves.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long may I keep customer data as a hosting party?

Only as long as you provide the service and the contract requires it. Your own invoicing falls under the seven-year tax retention obligation. Customer content such as databases and files you delete at offboarding, after the agreed period, as the processor agreement prescribes.

What must the processor agreement say about destruction?

That you delete or return the data after the assignment ends, within which period and in what manner. Record that physical data carriers are destroyed confidentially and that the customer receives proof on request.

Is wiping a drive enough or must it be destroyed?

For a drive you reuse, a certified wiping method can suffice. For a drive or server you decommission, physical destruction is the safest choice, because wiping does not always fully succeed on faulty or modern storage.

How do I demonstrate a customer's data is really destroyed?

With a certificate of destruction showing the date, quantity and level, and with a note in your record of processing. That way you can demonstrate to the customer and the GDPR that you acted carefully.

Conclusion

A hosting or cloud provider manages the data of many customers and carries its own responsibility for that as processor. Separate the customer content from your own administration, record destruction in the processor agreement and clear out logs and backups within a clear window. At offboarding you delete the data from all copies, and decommissioned drives and servers you destroy physically. What may go you have destroyed confidentially with a certificate as proof. That way you protect your customers' data and can demonstrate it at any moment.

Read also: software companies: destroying customer data, PR and communications agencies: destroying media contact data, publishers: destroying subscriber and author data and the GDPR retention periods cheatsheet.


Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.