Erasure mechanisms by platform
- Apple (macOS, iOS, iPadOS) — Erase All Content and Settings (EACS), which destroys the per-device encryption keys held in the Secure Enclave. Apple documents EACS compliance with NIST SP 800-88 in the Apple Platform Security Guide.
- Windows — MDM remote wipe via the RemoteWipe CSP. When the disk encryption control is enabled on the device, this destroys the BitLocker key protectors, rendering disk contents cryptographically inaccessible. On devices where the disk encryption control is not active, the wipe performs a factory reset without cryptographic erasure.
- Android — Device Policy Controller factory reset, which destroys the file-based encryption keys held in the hardware-backed keystore (TEE / StrongBox) on Android 10+ devices.
- NIST SP 800-88 Rev. 1 — Purge
- IEEE 2883-2022 — Purge
Compliance framework mapping
| Framework | Control | How Primo satisfies it |
|---|---|---|
| SOC 2 | CC6.5 — Logical and physical protections discontinued only after data can no longer be read or recovered | Primo retains an audit log of wipe commands and device acknowledgments as evidence of execution |
| ISO/IEC 27001:2022 | Annex A.7.14 (Secure disposal or re-use of equipment) and A.8.10 (Information deletion) | ISO 27002:2022 implementation guidance for both controls references NIST SP 800-88 as an accepted method. This also supports demonstration of deletion under GDPR Article 17 obligations |
| NIS2 | Article 21(2) — Risk management obligations covering asset management and disposal | Primo documents cryptographic destruction in its ISMS and asset register |
Evidence available on request
- Wipe command audit logs (command issued, device acknowledgment, timestamp)
- Configuration baselines confirming hardware keystore requirements on Android
- Reference to the Apple Platform Security Guide for EACS / NIST SP 800-88 attestation
- For Windows: configuration baseline confirming disk encryption control activation, where applicable