by yellowapple 4342 days ago
Thanks for the prompt response.

> DBAN is not physical destruction, which is what we do. We do it this way because it's the only way to guarantee that your data will disappear, forever.

Hence the second part of that comment. I mentioned DBAN (or any means of overwriting with randomness and/or zeroes) because it clears the data and further minimizes opportunities for recovery should a shard (or whole drive) escape before being destroyed. It's just like why your company degausses first; it's an extra level of protection and assurance that the data is gone forever.

> Taking a hammer to the drive, disassembling it and burning it might do the trick. We're not here to serve hardcore DIYers, we're here to serve people that need a guaranteed, quick and inexpensive service that does it for them.

Throwing drive platters in a fireplace sounds pretty guaranteed, quick, and inexpensive to me. Just costs firewood and a willingness to see pretty colors in your living room :)

> Having said that, I'm by now certain that the NSA wording will be changed. Just seeing those words makes people uncomfortable, and after a lot of feedback it seems that it's doing our company a disservice.

That's certainly a good idea.

If you want to reference a government agency that isn't notorious for doing whatever it can to circumvent data destruction as part of the reason it exists, might I recommend NIST, whose guidelines are the ones that the Department of Defense, HIPAA, etc. use for data retention/destruction requirements? While I'm not necessarily trusting of any government agency on a personal level, there are plenty of hospitals and other medical facilities that follow HIPAA, HITECH, etc. to the letter and will feel better that you're actually paying attention to the requirements HIPAA bases its own on.

> You can also schedule a free pickup or drop it off yourself at any of their facilities.

That solves the problem of the drop box, yes, but that wasn't what I was talking about. As much as I like UPS, it's not impossible for them to misplace a package during transit, for example, nor is it for a rogue UPS guy to snatch the hard drives during transit and sell them to identity thieves / business competitors / the NSA / etc. That's a huge problem when a drive contains ePHI or trade secrets or something else requiring absolute confidentiality.

The hospital I happen to work for right now (and whose data destruction policy I've had a hand in influencing by recommending our recent policy of wiping and destroying drives that may contain ePHI) handles the physical destruction through a local company which gives us a bunch of locked dropboxes (for hard drives and paper documents, both of which frequently contain PHI) and picks them up routinely and frequently, transporting everything themselves. While that degree of service might be out of your current capacity (I haven't the slightest idea what your expansion potential and/or willingness to buy some vans are), I do recommend allowing local businesses to drop off media at your facility directly (or otherwise providing a drop-off location that you control yourself) in order to avoid the potential hassles of damage control that would arise should their hard-drive-in-a-box disappear or be tampered with somewhere between their companies/homes and your own.

> In conclusion, thanks for taking the time to detail your pain points. We shouldn't be leaving so many unanswered questions, our messaging should be clearer and leave nothing to doubt. I'll take all of your feedback, along with the rest that I've gotten today, and improve our message and service.

Good to hear. I really do like the idea; it just needs these seemingly little snags (among others that other folks commented on) worked out, since such snags - no matter how seemingly minor - are often the difference between proper security and potential data leaks. Nice to know you're taking it all to heart and at least interested in making your service as rock-solid as it can possibly be.


Thanks again for taking the time to go line by line.

> Already removed the NSA wording. It's amazing how many people it spooked.

> It's safe to say we're going to stay away from referencing other government agencies.

> I answered this in your other comment, on the other thread, but we're only using USPS.

> Offering some sort of en-route layer to our product seems likely. There will always be a weakest link when it comes to data security (proving your social for some, your data being stored in the cloud for others, etc.) and the fact that you're shipping the drive to us is ours. We'll work on making this as much of a non-issue as the business model allows.

> The service that your hospital has is exactly what big corporations can afford. We're filling a gap for companies that are not there yet.

Shoot me an email at alex@destroyer.io with your address and I'll send a Destroyer.io sticker your way (if you trust me with your address :). The feedback here has been great, and the goal is to offer a service that makes everyone feel safe; this thread definitely pushes us in that direction.

> Already removed the NSA wording. It's amazing how many people it spooked.

Much obliged.

> Offering some sort of en-route layer to our product seems likely. There will always be a weakest link when it comes to data security (proving your social for some, your data being stored in the cloud for others, etc.) and the fact that you're shipping the drive to us is ours. We'll work on making this as much of a non-issue as the business model allows.

Fair enough. Being aware of the potential security hazards involved is a vital first step for security assessment in any scenario, so it's good that you're open to that criticism and willing to investigate ways to alleviate it.

> The service that your hospital has is exactly what big corporations can afford. We're filling a gap for companies that are not there yet.

We're not really a big corporation, though. We're a little hospital in a mountain town with maybe 5,000 people in it, tops. We still shell out the big bucks for data security because we're well aware that it's cheap compared to a HIPAA breach.

> Shoot me an email at alex@destroyer.io with your address and I'll send a Destroyer.io sticker your way (if you trust me with your address :). The feedback here has been great, and the goal is to offer a service that makes everyone feel safe; this thread definitely pushes us in that direction.

Done. :)