Skip to Content
Nemu Inc.
Asset and Info Management🧺 Asset Destruction & Secure Disposal

🧺 Asset Destruction & Secure Disposal

1. Purpose

This document defines Nemu Inc.’s approved methods for secure logical and physical destruction of information assets and storage media throughout their lifecycle. The purpose is to prevent unauthorized access, recovery, or disclosure of scoped or confidential data.

2. Scope

This policy applies to:

  • Application data stored in Supabase Postgres and Supabase Storage
  • Files, emails, and records in Google Workspace
  • Logs, backups, and system data stored or processed by Render
  • All employee-managed endpoints (laptops, phones)
  • Any removable media or devices that store or process customer or confidential data

3. Secure Logical Data Deletion

3.1 Supabase (Database & Storage)

  • Application data is deleted through internal workflows or admin tools.
  • Data may be soft-deleted first for auditability before permanent removal.
  • Hard-deleted data is removed from active systems immediately and ages out of CSP backups using provider retention schedules.
  • Deleted files in Supabase Storage are permanently removed and aged out of replication & backups.

3.2 Google Workspace

  • Deleted Workspace files enter Trash and are automatically purged according to Google retention rules.
  • Email deletions follow the same lifecycle.
  • Google ensures secure destruction of decommissioned physical media.

3.3 Render Logs & System Artifacts

  • Render system logs and artifacts follow platform retention schedules.
  • Once expired, Render deletes them irreversibly using encrypted backend systems.

4. Endpoint Device Disposal

All company-managed endpoints must use full-disk encryption.

During device decommissioning:

  1. Devices are securely wiped using OS-level secure erase tools.
  2. Nemu revokes all identity & system-level access.
  3. If wiping is impossible, devices are physically destroyed by an approved provider.
  4. Wipe logs or destruction certificates are retained when available.

5. Records Retention & Secure Destruction

  • Nemu Inc. maintains data retention schedules for active, archived, and backup data.
  • Scoped data (customer data, confidential business data) is reviewed periodically for deletion or anonymization.
  • Destruction of scoped data requires authorized approval.

6. Secure Disposal of Media Containing Scoped Data

Any media containing scoped data must be:

  • Cryptographically erased
  • Securely wiped following NIST guidelines
  • OR physically destroyed

Use of removable media (USB, external drives) is restricted and monitored.

7. Transmission of Scoped Data

  • Scoped data may only be transmitted electronically as needed.
  • All transmissions must use encrypted channels (TLS 1.2+).

8. Audit Evidence

Examples of evidence:

  • Supabase deletion events / audit logs
  • Google Workspace admin logs
  • Certificates of destruction
  • Endpoint wipe logs
  • Change management records for structured deletions

9. Data Loss Prevention (DLP) Controls

9.1 DLP Program Implementation

Nemu Inc. has implemented a data loss prevention (DLP) security solution program through:

  • Google Workspace DLP
  • Endpoint security controls
  • Access restrictions on external file-sharing services
  • Policies preventing unauthorized data transfer or export
  • Administrative controls defining permitted and prohibited data handling

This program monitors and restricts data exfiltration across email, cloud storage, and device endpoints.

9.2 Annual Review of DLP Rules

DLP rules—including email scanning rules, external sharing restrictions, and endpoint protections—are reviewed at least annually as part of Nemu Inc.’s formal security policy review cycle.

9.3 USB Port & Removable Media Controls

Nemu Inc. restricts the use of USB storage devices for Confidential or Scoped Data. Controls include:

  • Endpoint security tools that detect USB mass-storage devices
  • Policies blocking transfer of Confidential data to removable media
  • Monitoring and logging of USB device activity
  • USB port usage restricted to authorized cases only (e.g., hardware repair)

10. Litigation Hold Controls

10.1 Litigation Hold Capability

In the event of a subpoena, legal request, or forensic investigation, Nemu Inc. can place specific customer or internal data on Litigation Hold without affecting other customers’ data or service availability.

This is made possible by:

  • Supabase row-level data isolation
  • Google Workspace per-document legal hold controls
  • Ability to freeze deletion/retention rules for targeted data sets
  • Segregated multi-tenant logical architecture

Legal holds apply only to data belonging to the relevant customer or investigation target, ensuring that other tenants’ data and retention schedules remain unaffected.

11. Authentication & Email Security Controls

11.1 Two-Factor Authentication (2FA) for Email Access

All users accessing corporate email (Google Workspace) from outside the company environment are required to authenticate using two-factor authentication (2FA).

This requirement is enforced by:

  • Google Workspace Admin mandatory 2FA policy
  • Enforcement of strong authentication methods (TOTP, Security Keys, or Google Prompt)
  • Blocking of login attempts that do not meet enforced MFA rules

12. Compliance Mapping

  • SIG: D.3 – D.3.3, D.3.4, D.3.6, D.7, D.7.3, D.7.11, D.14, D.17
  • SOC 2: CC6.7, CC8.1
  • ISO 27001: A.8.3.2, A.11.2.7

Contact: support@mynemu.com © 2025 Nemu Inc.

Last updated on
Asset and Information Management🗂️ Data Classification & Handling