
Certified Data Destruction with Dual Authorisation


Category: Data Integration
Last Updated: May 26, 2026
Tags: data-integration, compliance

Overview

When a regulator or an inquiry asks you to prove that data was destroyed, "we deleted it" is not an answer. Certified Data Destruction replaces ad-hoc manual deletion with a fully auditable, lifecycle-managed workflow in which no single person can erase data alone and every store is verified before a tamper-evident certificate is issued.

A destruction order moves through a strict state machine from request to completion, enforcing at every step that the requester, the first authoriser, and the second authoriser are three distinct individuals. On execution the service cascades deletion across every data store that holds the records, captures a per-store verification flag for each one, and generates an archival PDF/A-3 destruction certificate carrying the full authorisation chain, the item count, the verification status, and an optional National Archives reference number.

For bodies subject to Irish statutory investigations under the Commission of Investigation Act 2004, and for any regulated organisation that must demonstrate the right to erasure, this turns destruction from an operational footnote into a court-defensible, machine-auditable record.

Key Features

  • Dual-Authorisation Gate: Every order requires two separate authorisations after the initial request, and the workflow rejects any attempt to have the requester, the first authoriser, or the second authoriser overlap. Three distinct individuals must touch each order, so no one person can unilaterally destroy data.

  • Strict Lifecycle State Machine: Orders advance through a defined sequence of states from requested, to first authorised, to second authorised, to in progress, to verifying, to completed. Execution is only permitted once second authorisation is in place, and any failure routes the order to a failed state with a recorded reason rather than leaving it ambiguous.

  • Multi-Store Cascade Deletion: On execution the service removes the in-scope records from object storage, the relational store, the search index, and the cache in a single coordinated operation, so data does not survive in a secondary copy after the primary record is gone.

  • Per-Store Verification Trail: Each store records an independent verification flag and an item count, giving you an explicit, store-by-store confirmation that deletion actually completed rather than a single opaque success signal.

  • Archival Destruction Certificate: On completion the module generates a PDF/A-3 certificate stored in object storage, embedding the order details, the authorisation chain, the item count, the per-store verification status, and the National Archives reference. The archival format keeps the evidentiary record self-describing for the long retention periods that inquiries demand.

  • Flexible Destruction Scope: A single order can target a whole case, an investigation strand, an individual document, a disclosure bundle, or an entity, so the same controlled workflow covers both a one-document erasure request and a full case closure.

  • National Archives Reference Tracking: Orders carry an optional National Archives reference so that destruction aligned to a statutory disposal schedule is linked to its archival authority record from request through to certificate.

  • Granular Permission Gates: Each stage of the lifecycle is governed by its own permission, separating who may create an order, who may authorise, who may execute, who may verify, who may complete, and who may cancel, so duties stay segregated end to end.
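As an added illustration (not the platform's own code), the following Python sketch models the lifecycle and gates described above: the three-distinct-individuals check, execution permitted only after second authorisation, cascade deletion that records a failure reason, and completion only once every store carries an explicit verification flag. The state names, the WorkflowError class and the delete_from_store callback are assumptions standing in for the real service and connectors.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# Added example, not the platform's own code: a minimal model of the destruction-order
# lifecycle described above. delete_from_store stands in for the real store connectors.
STORES = ("object_storage", "relational", "search_index", "cache")  # stores named on the page

class WorkflowError(Exception):
    pass

@dataclass
class DestructionOrder:
    requester: str
    status: str = "requested"
    authorisers: List[str] = field(default_factory=list)  # first authoriser, then second
    item_counts: Dict[str, int] = field(default_factory=dict)
    verified: Dict[str, bool] = field(default_factory=dict)
    failure_reason: Optional[str] = None

    def _require(self, expected: str) -> None:
        if self.status != expected:
            raise WorkflowError(f"order is {self.status!r}, expected {expected!r}")

    def authorise(self, user: str) -> str:
        # Three-distinct-individuals rule: the user may not already be on the chain.
        if user == self.requester or user in self.authorisers:
            raise WorkflowError("requester and both authorisers must be distinct")
        self._require("requested" if not self.authorisers else "first_authorised")
        self.authorisers.append(user)
        self.status = ("first_authorised", "second_authorised")[len(self.authorisers) - 1]
        return self.status

    def execute(self, delete_from_store: Callable[[str], int]) -> str:
        self._require("second_authorised")  # execution is gated on second authorisation
        self.status = "in_progress"
        for store in STORES:  # cascade across every store, recording each item count
            try:
                self.item_counts[store] = delete_from_store(store)
            except Exception as exc:  # one failing store fails the order with a reason
                self.status, self.failure_reason = "failed", f"{store}: {exc}"
                return self.status
        self.status = "verifying"
        return self.status

    def complete(self, verification: Dict[str, bool]) -> str:
        self._require("verifying")
        self.verified = dict(verification)  # one independent flag per store
        if any(not self.verified.get(s) for s in STORES):
            raise WorkflowError("every store must report a True verification flag")
        self.status = "completed"
        return self.status
```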

Use Cases

Statutory Investigations

  • Commission of Investigation disposal: A tribunal or commission operating under the Commission of Investigation Act 2004 Section 43 must destroy evidence on a controlled schedule and prove it was done. The dual-authorisation workflow and certificate provide the disposal record the legislation requires.

  • Court-defensible erasure: Where destruction may later be challenged, the recorded authorisation chain, per-store verification, and archival certificate give counsel a clear, attributable account of who authorised what and when.

Data Protection and Privacy

  • Right-to-erasure requests: A data protection officer handling an erasure request can run a scoped destruction order over the relevant documents or entity, then hand the requester or the supervisory authority a certificate proving the data was removed from every store.

  • Retention-schedule enforcement: When a retention period ends, records are disposed of through the same controlled, two-person workflow rather than a manual cleanup that leaves no evidence.

Regulated Operations

  • Audited closure of cases: Investigators closing a case can destroy its complete evidence set, including bundles and strands, in one coordinated order with a single certificate covering the whole disposal.

  • Separation of duties for sensitive deletion: Security and compliance teams that must prevent unilateral deletion of sensitive material rely on the three-distinct-individuals rule to make destruction a deliberate, reviewable act.

Integration

The entire destruction lifecycle is exposed over the platform GraphQL surface, so it slots into existing case management, compliance, and records workflows without bespoke plumbing.

  • GraphQL Operations: Read and search orders, raise a new order, apply first and second authorisation, run the execution, update per-store verification, complete an order, and cancel one, all through named GraphQL fields with consistent inputs and a single normalised order model returned to every caller.

  • OAuth2 and JWT: Calls are authenticated with bearer tokens, and the per-stage permission gates are evaluated from the caller's roles and scopes, so your existing identity provider and role model drive who can do what.

  • Object-Storage Connector: Evidence files and the generated certificate live in object storage, and the certificate object key is recorded on the order so downstream systems can retrieve the proof on demand.

  • Multi-Store Reach: The execution step coordinates removal across object storage, the relational store, the search index, and the cache, so an integrating team gets complete cleanup from one call rather than orchestrating four deletions themselves.

  • Normalised Order Model: Every operation returns the same order shape, including status, the full authorisation chain, verification flags, item count, certificate key, and National Archives reference, so dashboards and audit tooling read one consistent structure.

  • Webhook-Friendly Lifecycle: Because state transitions are explicit and attributable, order progress can drive notifications and compliance dashboards through your existing event and webhook routing.

Open Standards

  • Commission of Investigation Act 2004 (Ireland) Section 43: the dual-authorisation, multi-store verification, and certified-disposal workflow is built to satisfy the statutory destruction requirements placed on Irish commissions of investigation.

  • GDPR (EU 2016/679) Article 17, Right to Erasure: scoped destruction orders and the resulting certificate provide the demonstrable, complete erasure that the right to erasure requires across every store holding the data.

  • ISO/IEC 27040, Storage Security: the coordinated deletion across object storage, the relational store, the search index, and the cache, with explicit verification, aligns with the storage sanitisation and assurance guidance of the storage security standard.

  • NIST SP 800-88, Guidelines for Media Sanitisation: the per-store verification flags and recorded item counts implement the verify-after-sanitise principle central to the media sanitisation guidelines.

  • PDF/A-3 (ISO 19005-3), Archival PDF with Embedded Metadata: destruction certificates are generated as PDF/A-3 with embedded structured metadata, so the evidentiary record stays self-contained and readable across the long retention periods inquiries require.

  • OAuth2 and JWT: bearer-token authentication and scope-based authorisation use the standard web authorisation and token formats for interoperable access control.

  • GraphQL: the destruction lifecycle is published over a standard GraphQL surface for typed, interoperable access from any client.

Security and Compliance

  • No unilateral destruction: the three-distinct-individuals rule is enforced in the workflow itself, not left to policy, so a single compromised or rogue account cannot erase data.

  • Attributable authorisation chain: the requester, first authoriser, and second authoriser, with their timestamps, are recorded on the order and embedded in the certificate, giving a permanent, attributable record of who approved the destruction.

  • Tenant isolation: orders are scoped to the owning organisation throughout, so one tenant can never view, authorise, or act on another tenant's destruction orders.

  • Verifiable completion: an order only reaches completed after per-store verification, and any failure is recorded with a reason, so the trail never overstates what was destroyed.

  • Evidentiary certificate: the archival PDF/A-3 certificate, with its embedded metadata and optional National Archives reference, is the record regulators, data protection authorities, and inquiry bodies can rely on.

Last Reviewed: 2026-05-26
Last Updated: 2026-05-26
