Account erasure

Enterprise · Estimated read: 12 min · Updated 2026-06-02

Enterprise · Admin

Account erasure honors a user's GDPR-style right-to-erasure request. AxisSynapse implements a five-wall safety model so an erasure that completes is provably intentional, provably authorized, and provably allowed by every active regulatory hold. The walls are: authentication, four-eyes review, dual control on completion, cooling-off window, and retention holds. Together, they make erasure safe enough that the platform can offer it to every workspace by default, without the "we don't really delete data" disclaimers other vendors hide behind.

TL;DR — A user requests erasure from Account → Privacy. An admin approves. A different admin completes (after a cooling-off window). The completion step asks for a fresh step-up. Regulatory holds (IRS / ERISA / SOX / EEOC / FMLA) automatically pause the completion until they expire or are explicitly overridden with a rationale of at least 64 characters.

The five walls

| Field | What it does | Accepted values / default |
|---|---|---|
| 1. Authentication | Only signed-in users can request erasure of their own account. | Step-up at completion (phishing-resistant) — see /platform/step-up-authentication. |
| 2. Four-eyes review | An admin who is not the subject must approve the request before completion. | The approver is recorded; the completer must be a different admin (wall 3). |
| 3. Dual control on completion | The approver and the completer must be different admins. | The platform refuses if they're the same person — ACCOUNT_DELETION_DUAL_CONTROL_BLOCKED fires. |
| 4. Cooling-off window | A configurable wait between approval and completion. | Default 7 days. Lets the subject cancel in good faith and gives the workspace time to retrieve anything required. |
| 5. Retention holds | Regulatory retention floors (IRS, ERISA, SOX, EEOC, FMLA) automatically pause completion. | Fail-closed: any active hold blocks the action until expiration or explicit override. |

Each wall is independent. Bypassing one doesn't bypass the rest. Bypassing all five (the holds-override path) is itself an audit-logged event held for 10 years.

The end-to-end flow

  1. Subject requests erasure (Account → Privacy)

    The user opens Account → Privacy and clicks Request account erasure. The form asks for a free-text reason and a confirmation checkbox. On submit, the request enters the admin queue.

  2. Pre-flight check

    AxisSynapse runs a server-side pre-flight that estimates: which tables hold the subject's data, which retention holds are currently active, how many audit lines reference the subject, and the estimated completion time. The result is shown to the reviewing admin before they approve.

  3. Workspace admin reviews + approves

    From Settings → Privacy → Erasure requests, an admin opens the row, reviews the pre-flight report, optionally adjusts the cooling-off window for this request, and clicks Approve. A fresh step-up is required.

  4. Cooling-off window begins

    The subject sees the approval and can Cancel any time during the window. The window default is 7 days but can be set per request between 1 and 30 days.

  5. Different admin completes

    After the window elapses, a second admin (different from the approver) opens the request, reviews any retention holds that are still active, and clicks Complete erasure. A fresh phishing-resistant step-up is required.

  6. Per-module erasure runs

    Each enabled module — HCM, EEO, ELR, Inventory, Fixed Assets, Procurement, Ethics — runs its own erasure helper. The platform returns a per-module report naming every table touched and the counts of rows removed, redacted, or skipped.

  7. Regulator-defensible report

    The completed erasure produces a downloadable regulator-defensible report: who requested, who approved, who completed, every table touched, every hold honored or overridden, and the per-row outcome. Keep this with your GDPR / privacy compliance evidence.

Retention holds

Each module knows the retention rules that apply to its data and publishes them to the erasure orchestrator. When you complete an erasure, the orchestrator collects every active hold and refuses to proceed if any apply.

| Field | What it does | Accepted values / default |
|---|---|---|
| IRS retention | US payroll, year-end forms, ACH receipts. | Held by HCM. Period varies by record class (typically 4-7 years from filing). |
| ERISA retention | Benefits plan records. | Held by HCM benefits. Period typically 6 years from plan year. |
| SOX § 802 retention | Audit-relevant financial records. | Held by platform + FA + Procurement. 7 years. |
| EEOC retention | EEO case and demographic data. | Held by EEO + HCM compliance. Period varies by case status. |
| FMLA retention | FMLA leave records. | Held by HCM. 3 years from the leave date. |
| Litigation hold | An explicit hold placed by the workspace's legal team. | Held until the legal team releases it. |

Overriding holds

When a hold blocks an erasure that must complete (a regulator's direct order, for example), the workspace admin can override. The override:

  • Requires a 64-character minimum rationale describing why the override is necessary. Free-text — read by your compliance reviewer.
  • Requires a second admin's co-sign before it takes effect.
  • Emits ACCOUNT_DELETION_HOLDS_OVERRIDDEN at critical severity. The audit line itself is retained for 10 years, regardless of the workspace's SECURITY retention window.
  • Is reflected in the regulator-defensible report.

Overrides are exceptional

We have never had to override a hold in steady-state operations. Overrides exist for the rare case where regulatory guidance pushes in opposite directions; everyday erasures complete cleanly when the holds expire.

Every field, explained

| Field | What it does | Accepted values / default |
|---|---|---|
| Subject (read-only) | The user whose data is being erased. | Email + display name + workspace ID. Drawn from the request. |
| Reason (subject-provided) | Why the subject is requesting erasure. | Free-text, up to 1000 characters. Required. |
| Cooling-off window | Days between approval and completion availability. | 1-30 days. Default 7. Set per request at approval time. |
| Pre-flight report | What will happen at completion. | Per-module table list, hold list, row counts, estimated runtime. Read-only — generated by the platform. |
| Holds list | Active retention holds that affect this subject. | Updated continuously; final check at completion time. |
| Override rationale | Free-text explanation when overriding active holds. | ≥ 64 characters. Required for any override. Stored 10 years. |
| Cosigner | Second admin's confirmation on override. | Different from the override initiator. Step-up at cosign. |
| Regulator-defensible report | The downloadable completion record. | Generated automatically; available from the completed request's row. |

What appears in the audit log

  • ACCOUNT_DELETION_REQUEST — the subject submitted the request.
  • ACCOUNT_DELETION_APPROVED / ..._REJECTED — admin decision.
  • ACCOUNT_DELETION_CANCELLED — the subject (or an admin) cancelled during cooling-off.
  • ACCOUNT_DELETION_COMPLETED — erasure ran. Carries the per-module outcome counts.
  • ACCOUNT_DELETION_BLOCKED_BY_HOLDS — completion attempt was refused by an active hold.
  • ACCOUNT_DELETION_HOLDS_OVERRIDDEN — critical-severity override action. 10-year retention.
  • ACCOUNT_DELETION_DUAL_CONTROL_BLOCKED — the completer was the same admin as the approver.
  • ACCOUNT_DELETION_COOLOFF_BLOCKED — completion attempted before the cooling-off window elapsed.
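
One way to review these events after the fact, as an added example (not AxisSynapse code): it rebuilds each request's lifecycle from exported audit lines and flags overrides, completions that lack a recorded approval or were completed by the approver, and admins who repeatedly hit the walls. The event names are the ones listed above; the JSON field names (`ts`, `event`, `request`, `actor`), the threshold, and the sample lines are constructed assumptions.

```python
import json
from collections import Counter

BLOCKED = {"ACCOUNT_DELETION_DUAL_CONTROL_BLOCKED", "ACCOUNT_DELETION_COOLOFF_BLOCKED",
           "ACCOUNT_DELETION_BLOCKED_BY_HOLDS"}

# Constructed audit export: field names are assumptions, event names are the page's.
SAMPLE = """\
{"ts":"2026-06-01T09:00:00Z","event":"ACCOUNT_DELETION_REQUEST","request":"r1","actor":"user-7"}
{"ts":"2026-06-01T10:00:00Z","event":"ACCOUNT_DELETION_APPROVED","request":"r1","actor":"admin-a"}
{"ts":"2026-06-02T10:00:00Z","event":"ACCOUNT_DELETION_COOLOFF_BLOCKED","request":"r1","actor":"admin-a"}
{"ts":"2026-06-08T10:05:00Z","event":"ACCOUNT_DELETION_DUAL_CONTROL_BLOCKED","request":"r1","actor":"admin-a"}
{"ts":"2026-06-08T10:06:00Z","event":"ACCOUNT_DELETION_DUAL_CONTROL_BLOCKED","request":"r1","actor":"admin-a"}
{"ts":"2026-06-08T11:00:00Z","event":"ACCOUNT_DELETION_BLOCKED_BY_HOLDS","request":"r1","actor":"admin-b"}
{"ts":"2026-06-08T12:00:00Z","event":"ACCOUNT_DELETION_HOLDS_OVERRIDDEN","request":"r1","actor":"admin-b"}
{"ts":"2026-06-08T12:01:00Z","event":"ACCOUNT_DELETION_COMPLETED","request":"r1","actor":"admin-b"}
{"ts":"2026-06-09T08:00:00Z","event":"ACCOUNT_DELETION_COMPLETED","request":"r2","actor":"admin-c"}
"""

def review(raw, probe_threshold=3):
    """Return (request, finding) pairs worth a human look."""
    events = [json.loads(l) for l in raw.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])  # same-format ISO timestamps sort as text
    findings, approver, blocked = [], {}, Counter()
    for e in events:
        ev, rid, actor = e["event"], e["request"], e["actor"]
        if ev == "ACCOUNT_DELETION_APPROVED":
            approver[rid] = actor
        elif ev in BLOCKED:
            blocked[(rid, actor)] += 1
        elif ev == "ACCOUNT_DELETION_HOLDS_OVERRIDDEN":
            findings.append((rid, f"holds overridden by {actor}"))  # always surface
        elif ev == "ACCOUNT_DELETION_COMPLETED":
            if rid not in approver:
                findings.append((rid, "completed without a recorded approval"))
            elif approver[rid] == actor:
                findings.append((rid, "approver and completer are the same admin"))
    for (rid, actor), n in blocked.items():
        if n >= probe_threshold:  # one admin repeatedly pushing against the walls
            findings.append((rid, f"{actor} hit {n} blocked completion attempts"))
    return findings

if __name__ == "__main__":
    for rid, finding in review(SAMPLE):
        print(rid, finding)
```
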

Common gotchas

  • "The completion button is greyed out." Either the cooling-off window hasn't elapsed (wall 4) or you are the same admin who approved (wall 3). Wait, or hand the completion to a different admin.
  • "The erasure says 'blocked by holds' but my legal team cleared it." Holds are evaluated at completion time. If your legal team released the litigation hold but the IRS retention is still active (the most common case), the platform still refuses. You either wait for the IRS window or use the holds-override flow.
  • "The audit log still shows the erased user's name." Audit lines are not subject-data; they're records of actions. The per-module erasure typically redacts the subject's name from user-facing audit-line copy while keeping the action records for the SECURITY retention window. See Audit-log retention.
  • "I cancelled but it still says 'pending'." Refresh the page; the cancellation is asynchronous against the queue. If the row doesn't update within a few minutes, contact your account team.
  • "The report says zero rows for a module." Either the module isn't enabled in your workspace or the subject genuinely had no data in it. The pre-flight report makes this explicit before completion.

Troubleshooting

| Error code | What it means | Fix |
|---|---|---|
| DELETION_COOLOFF_NOT_ELAPSED | Completion attempted before cooling-off elapsed. | Wait for the window. |
| DELETION_DUAL_CONTROL_VIOLATION | Completer is the same admin as approver. | A different admin completes. |
| DELETION_HOLDS_ACTIVE | At least one regulatory hold is active. | Wait for hold expiration or use the override flow. |
| DELETION_HOLDS_OVERRIDE_RATIONALE_TOO_SHORT | Rationale was below 64 characters. | Expand the rationale. |
| DELETION_HOLDS_OVERRIDE_COSIGN_MISSING | The second admin's cosign is missing. | Get a co-signer. |
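
The completion-time checks described on this page, collapsed into one fail-closed gate as an added example (not AxisSynapse's own code). The error codes are the ones in the table above; the data shapes, `completion_gate`, the clamping of the window, and the `STEP_UP_REQUIRED` label are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_RATIONALE = 64  # page: override rationale is at least 64 characters

@dataclass
class Override:  # hypothetical shape of a holds-override request
    initiator: str
    rationale: str
    cosigner: Optional[str] = None

@dataclass
class ErasureRequest:  # hypothetical shape of an approved request
    approver: str
    approved_at: datetime
    cooloff_days: int = 7  # page: default 7, settable 1-30 per request
    holds: dict = field(default_factory=dict)  # name -> expiry; None = until released

def completion_gate(req, completer, now, stepped_up, override=None):
    """Return 'OK' or the first blocking code; every check fails closed."""
    if not stepped_up:
        return "STEP_UP_REQUIRED"  # placeholder label: the page names no code for this
    if completer == req.approver:  # wall 3
        return "DELETION_DUAL_CONTROL_VIOLATION"
    days = min(max(req.cooloff_days, 1), 30)  # assumption: clamp to documented range
    if now < req.approved_at + timedelta(days=days):  # wall 4
        return "DELETION_COOLOFF_NOT_ELAPSED"
    # Wall 5: holds are evaluated at completion time, not at approval time.
    active = [h for h, exp in req.holds.items() if exp is None or exp > now]
    if not active:
        return "OK"
    if override is None:
        return "DELETION_HOLDS_ACTIVE"
    if len(override.rationale.strip()) < MIN_RATIONALE:  # padding not counted (added choice)
        return "DELETION_HOLDS_OVERRIDE_RATIONALE_TOO_SHORT"
    if override.cosigner in (None, override.initiator):
        return "DELETION_HOLDS_OVERRIDE_COSIGN_MISSING"
    return "OK"

# Constructed sample: approved 8 days ago, litigation hold released, IRS hold still active.
NOW = datetime(2026, 6, 10, tzinfo=timezone.utc)
REQ = ErasureRequest("admin-a", NOW - timedelta(days=8), 7,
                     {"IRS": NOW + timedelta(days=400), "LITIGATION": NOW - timedelta(days=1)})

if __name__ == "__main__":
    for who in ("admin-a", "admin-b"):
        print(who, completion_gate(REQ, who, NOW, stepped_up=True))
```

The sample reproduces the gotcha above: the litigation hold is gone, yet a valid second admin is still refused because the IRS hold is active at completion time.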
