Last updated 05.06.2021 

PANDA User Account Deletion Policy

How PANDA handles security vulnerabilities

This document gives you an overview of the secure process that occurs when you delete your Customer Data (as defined in the PANDA Terms of Service) stored in PANDA. Ensuring the safe deletion of Customer Data at the end of its life cycle is a basic aspect of working with data on any computing platform.

Data Storage and Replication

PANDA utilizes commercial Cloud storage services designed to provide low latency, highly available, scalable, and durable solutions. Data replication is critical to achieving these key performance goals. Redundant copies of Customer Data could be stored locally and regionally and even globally. 

At the physical storage level, Customer Data is stored at rest in two types of systems: active storage systems and backup storage systems. These two types of systems process data differently. Active storage systems are PANDA’s production servers running PANDA’s application and storage layers. PANDA’s backup storage systems house full and incremental copies of PANDA’s active systems for a defined period of time to help PANDA recover data and systems in the event of a catastrophic outage or disaster. 

Throughout the storage systems described above, Customer Data is encrypted when stored at rest. Encryption of data at rest occurs at the application and storage layers, on both active and backup storage media.

Data Storage and Replication

Data Deletion Pipeline

Once Customer Data is stored in PANDA, our systems are designed to store the data securely until it completes the stages of PANDA’s data deletion pipeline. This section describes this process in detail.

Stage 1 - Deletion request

The deletion of Customer Data begins when the customer initiates a closure request for the customer’s PANDA account.  When you close your PANDA account, it deletes all PANDA data that is solely owned by you. Note that when there are multiple owners, the data is not deleted until all owners delete their PANDA accounts. This ensures that PANDA projects continue so long as they have an owner.

While deletion requests are designed primarily to be used by Customers to manage their data, PANDA may issue deletion requests automatically, for instance when a customer terminates their relationship with PANDA.

Stage 2 - Soft Deletion

Soft deletion is the natural point in the process to provide a brief internal staging and recovery period to ensure that there is time to recover any data that has been marked for deletion by accident or error.  When a PANDA account is closed, PANDA may impose an internal recovery period up to 30 days, depending on past account activity. Once that grace period expires, PANDA resources tied solely to that account are marked for deletion.

Stage 3 - Logical Deletion from Active Systems

Logical deletion of Customer Data is only performed upon customer request.  Customers should submit requests for the logical deletion of customer data to  Once PANDA support has confirmed the request, Customer Data has been marked for logical deletion, and any recovery period has expired, the data is deleted successively from PANDA’s active and backup storage systems. 

Stage 4 - Expiration from Backup Systems

Similar to deletion from PANDA’s active systems, deleted data is eliminated from backup systems using both overwriting and cryptographic techniques. When a backup is retired, it is marked as available space and overwritten as new daily / weekly / monthly backups are performed.  When Customer Data is deleted from active systems, it is no longer copied into backup systems. Backups performed prior to deletion are expired regularly based on the pre-defined backup cycle.

Deletion Timeline

PANDA commits to delete Customer Data within a maximum period of about six months (180 days). This commitment incorporates the stages of PANDA’s deletion pipeline described above, including:

Stage 2 - Once the deletion request is made, data is typically marked for deletion immediately and our goal is to perform this step within a maximum period of 24 hours. After the data is marked for deletion, an internal recovery period of up to 30 days may apply depending on the service or deletion request.

Stage 3 - The time needed to complete garbage collection tasks and achieve logical deletion from active systems. These processes may occur immediately after the deletion request is received, depending on the level of data replication and the timing of ongoing garbage collection cycles. From deletion request, it generally takes about two months to delete data from active systems, which is typically enough time to complete two major garbage collection cycles and ensure that logical deletion is completed.

Stage 4 - PANDA backup cycle is designed to expire deleted data within data center backups within six months of the deletion request. Deletion may occur sooner depending on the level of data replication and the timing of PANDA’s ongoing backup cycles.