I'll try to explain it briefly:
The encrypted data is in a different datacenter than the keys needed to decrypt the data. The services we implemented to bring both together run in a secured environment that has no services implemented to access the servers and where physical access is restricted. Errors and monitoring data get out, PII does not. Everything is documented and was inspected and certified by a 3rd party.
If a customer requests to delete his data we instantly delete the key, a little later we delete the (already useless) data, and all backups will lose this information about a month later too. And of course we did that not because we are nice people (though we believe we are). We did it because we had the hypothesis that a reputation for handling user data with provable utmost respect for security and privacy would be more valuable than having access to this data.
People not believing us or accusing us of lying obviously defy that hypothesis.
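The scheme the comment describes is usually called crypto-shredding: PII is stored only as ciphertext, the per-customer key lives in a separate store, and a deletion request destroys the key first, which turns every copy of the ciphertext (live rows and backups alike) into unrecoverable bytes before the data itself is purged. The following is an added illustration, not the commenter's code or system. It assumes a per-customer random key, an in-memory dict standing in for each datacenter, and a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) so it runs without third-party packages; a production deployment would use AES-GCM from a vetted library and keep the keys in an HSM or KMS.

```python
"""Crypto-shredding demo (example code added to this page; hypothetical design).

Data store and key store are modelled as two separate dicts. Deleting the
customer's key makes the ciphertext in the data store, and in any backup of
it, undecryptable; the later purge of the blobs is just housekeeping.
"""
import hashlib
import hmac
import os
from typing import Dict, List

HASH = hashlib.sha256
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = HASH().digest_size


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one customer key.
    return hmac.new(key, label, HASH).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC blocks (toy cipher, stdlib only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), HASH).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Returns nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, HASH).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class PrivacyStores:
    """Two 'datacenters' plus a backup snapshot of the data side."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}            # key datacenter
        self.records: Dict[str, List[bytes]] = {}   # data datacenter (ciphertext only)
        self.backup: Dict[str, List[bytes]] = {}    # last backup of the data datacenter

    def store(self, customer_id: str, pii: bytes) -> None:
        key = self.keys.setdefault(customer_id, os.urandom(KEY_LEN))
        self.records.setdefault(customer_id, []).append(encrypt(key, pii))

    def read(self, customer_id: str, source: str = "live") -> List[bytes]:
        key = self.keys.get(customer_id)
        if key is None:
            raise LookupError("key destroyed: data for this customer is unrecoverable")
        store = self.records if source == "live" else self.backup
        return [decrypt(key, blob) for blob in store.get(customer_id, [])]

    def snapshot_backup(self) -> None:
        self.backup = {cid: list(blobs) for cid, blobs in self.records.items()}

    def request_deletion(self, customer_id: str) -> None:
        # Step 1, immediate: destroy the key. From this point every copy of the
        # ciphertext, including backups we have not touched, is useless.
        self.keys.pop(customer_id, None)
        # Step 2, later: purge the now-meaningless blobs from the live store.
        self.records.pop(customer_id, None)
        # Backups age out on their own schedule and are never decryptable again.


if __name__ == "__main__":
    s = PrivacyStores()
    s.store("cust-42", b"alice@example.com")   # constructed sample PII
    s.snapshot_backup()
    print(s.read("cust-42"))
    s.request_deletion("cust-42")
    print("backup blobs still present:", len(s.backup["cust-42"]))
    try:
        s.read("cust-42", source="backup")
    except LookupError as e:
        print("backup read refused:", e)
```

The point the demo makes is the ordering: key destruction is the deletion, and it is instant; purging the rows and waiting for backups to expire removes nothing an attacker could use, since without the key the blobs fail authentication under any other key and carry no recoverable plaintext.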