Deletion and retention of GCP customer data conform to these principles:
Prior to deletion, customer data is stored securely
Customer data is encrypted at rest, replicated on active systems, and copied to backup systems to protect against data loss and ensure the availability and integrity of that information. Your data may be replicated in multiple locations to ensure you have uninterrupted access to your projects, even if there are performance-impacting changes in the environment. Redundant copies of your data can be stored locally, regionally, and even globally on active and backup storage systems, depending on the geographic limitations you configure.
When customer data is deleted, GCP completes the following steps in the deletion pipeline:
1. Respond to the deletion request. There are many different ways to delete customer data on GCP. You can flag a specific resource, a GCP project, or your Google account for deletion. GCP services are configured to await these requests and initiate different processes depending on the type and scope of deletion request.
2. Data removal. Once you flag customer data for deletion, it is marked as deleted, made inaccessible and removed from your interface, confirming your request. At this stage, individual GCP services may impose a grace period before logical deletion begins in order to permit recovery of erroneously deleted data.
3. Logical deletion from active systems. Once the data is marked as deleted and any recovery period has ended, customer data is deleted in two ways: mark-and-sweep garbage collection and cryptographic erasure. (You can find details of these implementation methods in the whitepaper.)
4. Backup expiration. Our backup technology stores data in large aggregate chunks for static periods of time. When a backup volume is retired, it is overwritten as new daily/weekly/monthly backup snapshots are created. Cryptographic erasure is also used to ensure the deletion of backup copies.
5. Secure media sanitization. Long after deletion has occurred, the final step in assuring deletion is to securely decommission our physical storage media. As discussed in the whitepaper, Google tracks this media and performs a complete low-level overwrite before releasing it. Where that is not possible or not effective, the media is physically destroyed in accordance with U.S. government and industry standards.
It generally takes about two months from the deletion request to delete data from active systems and six months to expire deleted data in data center backups, as shown here: