This question has a couple of different aspects to it; the main aspect to be addressed, though, is the relationship between customer data and backups.

1. One of our customer promises is to remove customer data when a customer has stopped using our service. Is a `DELETE FROM data WHERE userID=5` plus a `rm -rf data_attachments/customerID/5` sufficient? Are there other methods of data disposal I should consider? Are there other issues to think about?

2. We regularly back up all of our data. Because each customer's data is a subset of the application data, that data is stored in the backups. When a business entity says that it has destroyed all customer data, what does it mean for that data to still exist in the backups? Is this legal? Are there solutions to this? One "brainstorm" solution was to go back into the backups, decompress the archive, wipe that customer's data from that data set, recompress, and re-store it. It seems to me that fiddling with backups destroys the purpose of a versioned backup.
You can encrypt the user data, let's say files or photos, with a user key and store the key in the user record in your database. Even if the backup is on tape (hard to delete just one file), deleting the encryption key from the database renders it useless.
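The technique the answer describes is usually called crypto-shredding. The following is an added example, not code from the answerer: a per-user 256-bit key is generated on first use and kept in an in-memory map that stands in for the key column of the users table, attachments are sealed with AES-256-GCM (random 96-bit nonce prepended to the ciphertext, user ID bound as associated data so a blob cannot be re-attributed to another account), and `Shred` zeroes and drops the key. The backup copy of the ciphertext survives untouched, but after the shred `Decrypt` can only return `ErrNoKey`. The names `KeyStore`, `Encrypt`, `Decrypt`, `Shred` and `ErrNoKey` are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNoKey is returned when no key exists for a user: either one was never
// created, or it has been shredded. Every ciphertext for that user, including
// copies sitting in old backups, is unreadable from this point on.
var ErrNoKey = errors.New("no encryption key for user")

// KeyStore stands in for the per-user key column in the users table
// (hypothetical; a real deployment would wrap these keys with a KMS key).
type KeyStore struct {
	keys map[int][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: make(map[int][]byte)} }

// keyFor returns the user's 256-bit key, generating one on first use.
func (ks *KeyStore) keyFor(userID int) ([]byte, error) {
	if k, ok := ks.keys[userID]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[userID] = k
	return k, nil
}

// Shred is the deletion step: overwrite the key, then drop it. The encrypted
// attachments and every backup of them are left exactly where they are.
func (ks *KeyStore) Shred(userID int) {
	if k, ok := ks.keys[userID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, userID)
	}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad ties a blob to its owner; decrypting it under another user's key fails.
func aad(userID int) []byte { return []byte(fmt.Sprintf("user:%d", userID)) }

// Encrypt seals one attachment as nonce || ciphertext || tag.
// Random 96-bit nonces are fine for the per-user message volumes in play here.
func (ks *KeyStore) Encrypt(userID int, plaintext []byte) ([]byte, error) {
	key, err := ks.keyFor(userID)
	if err != nil {
		return nil, err
	}
	gcm, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(userID)), nil
}

// Decrypt opens a blob produced by Encrypt, or reports that the key is gone.
func (ks *KeyStore) Decrypt(userID int, blob []byte) ([]byte, error) {
	key, ok := ks.keys[userID]
	if !ok {
		return nil, ErrNoKey
	}
	gcm, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(userID))
}

func main() {
	ks := NewKeyStore()
	// Constructed sample attachment for customer 5.
	blob, _ := ks.Encrypt(5, []byte("contents of data_attachments/customerID/5/invoice.pdf"))
	backup := append([]byte(nil), blob...) // the nightly backup keeps its own copy
	pt, err := ks.Decrypt(5, backup)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	ks.Shred(5)
	pt, err = ks.Decrypt(5, backup)
	fmt.Printf("after shred:  %q err=%v\n", pt, err)
}
```

One caveat to check before relying on this: the users table holding the keys is itself backed up, so a shred only holds once the backups that contain the old key have aged out. Keeping the key column in a separate store with a short retention, or wrapping the per-user keys with a KMS key you control, keeps that window small.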