Skip to main content

Saying Goodbye Securely: Software Decommissioning & Data Wipes

When users are done with your software, they need to know how to remove it securely, especially any personal or sensitive data it handled. The Cyber Resilience Act requires you to provide instructions for this (Annex II, point 8d).

The Secure Exit Strategy

For your software products, your instructions should cover:

  • Secure Decommissioning:
    • What are the steps to properly uninstall or deactivate the software?
    • Are there specific procedures to follow to ensure all components are removed and no residual security risks remain (e.g., de-registering from services, revoking API keys if it's a developer tool)?
  • Secure User Data Removal:
    • Crucially, how can users securely and permanently remove all their data and settings associated with the software?
    • If data is stored locally, what's the process for wiping it?
    • If data is stored in the cloud via your service, how can users request its deletion?
    • If data can be transferred to other products or systems, instructions must ensure this is done securely.

Beyond Just Uninstalling

Simply dragging an app to the trash might not be enough. Consider data caches, configuration files, or cloud-stored data. For a game with cloud saves, how does a user delete their profile and associated data? For a note-taking app, how can all notes be securely erased?

Your instructions should empower users to leave no trace they don't want to, protecting their privacy even after they've stopped using your software.

Key Takeaway

Provide clear guidance on how to securely decommission your software and, importantly, how users can permanently remove their data and settings. This is a key user protection requirement under Annex II, point 8d.