Cryptographic erasure
Team and Enterprise: per-Space customer-managed KMS keys. Schedule deletion via kms:ScheduleKeyDeletion with a 7–30-day pending window. After the window, every ciphertext encrypted under that CMK is permanently unrecoverable.
On Team and Enterprise, every Shared Space has its own customer-managed KMS CMK (spaces.kms_key_arn). The crypto is identical at both tiers; Enterprise adds per-Space audit-log filtering and procurement features around it.
Provisioning
App.SpaceProvisionKMS calls kms:CreateKey and kms:CreateAlias to mint a new CMK and tag it to the Space. Provisioning happens automatically the first time a Shared Space is created.
Erasure
Offboarding calls App.SpaceScheduleKMSDeletion → kmsadmin.ScheduleDeletion → kms:ScheduleKeyDeletion with a 30-day pending window (configurable 7–30 days).
After the pending window elapses:
- Every ciphertext encrypted under that CMK is permanently unrecoverable
- The encrypted rows still exist in DDB (DynamoDB)
- No key exists to decrypt them, so nobody can: not you, not ShellYard, not AWS
This is the audit primitive every MSP compliance review eventually asks for. The mechanic ships on Team; Enterprise wraps it in the procurement and audit-filtering features that compliance reviews additionally require.
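The offboarding call and the check a compliance reviewer wants after it, as an added Python example that is not ShellYard's code: it schedules deletion with the 7–30-day window KMS enforces, then proves that the ciphertext still sitting in DDB no longer decrypts. It assumes a client exposing the boto3 KMS method names (schedule_key_deletion, describe_key, decrypt), which in production is boto3.client("kms"); the FakeKMS class is a constructed in-memory stand-in so the example runs offline, and its decrypt is a toy, not real cryptography.

```python
from datetime import datetime, timedelta, timezone

def schedule_space_key_deletion(kms, key_arn, pending_window_days=30):
    """Offboarding step (mirrors App.SpaceScheduleKMSDeletion); KMS only
    accepts 7..30 days, so reject anything else before calling it."""
    if not 7 <= pending_window_days <= 30:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    resp = kms.schedule_key_deletion(KeyId=key_arn,
                                     PendingWindowInDays=pending_window_days)
    return resp["KeyState"], resp["DeletionDate"]

def verify_space_erasure(kms, key_arn, sample_ciphertext):
    """Audit evidence: the Space's CMK (from spaces.kms_key_arn) is
    PendingDeletion or already gone AND a ciphertext still stored in DDB
    no longer decrypts under it. Returns (erased, key_state)."""
    try:
        state = kms.describe_key(KeyId=key_arn)["KeyMetadata"]["KeyState"]
    except kms.exceptions.NotFoundException:
        state = "Deleted"  # window elapsed: KMS no longer knows the key
    try:
        kms.decrypt(KeyId=key_arn, CiphertextBlob=sample_ciphertext)
        return False, state  # still decryptable: erasure NOT complete
    except (kms.exceptions.KMSInvalidStateException,
            kms.exceptions.NotFoundException):
        return state in ("PendingDeletion", "Deleted"), state

class FakeKMS:
    """Constructed in-memory stand-in for boto3.client("kms"): models just
    the key-state transitions the two checks above depend on."""
    class exceptions:  # same names as boto3's kms.exceptions
        class NotFoundException(Exception): pass
        class KMSInvalidStateException(Exception): pass
    def __init__(self, *key_arns):  # keys already minted at Space creation
        self.keys = {arn: {"KeyState": "Enabled"} for arn in key_arns}
    def _get(self, key_id):
        if key_id not in self.keys:
            raise self.exceptions.NotFoundException(key_id)
        return self.keys[key_id]
    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        when = datetime.now(timezone.utc) + timedelta(days=PendingWindowInDays)
        self._get(KeyId).update(KeyState="PendingDeletion", DeletionDate=when)
        return dict(self.keys[KeyId], KeyId=KeyId)
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._get(KeyId), KeyId=KeyId)}
    def decrypt(self, KeyId, CiphertextBlob):  # toy: not real cryptography
        if self._get(KeyId)["KeyState"] != "Enabled":
            raise self.exceptions.KMSInvalidStateException(KeyId)
        return {"Plaintext": CiphertextBlob[::-1]}
    def expire(self, key_arn):  # pending window elapsed: key gone for good
        del self.keys[key_arn]
```

Against a real account, pass boto3.client("kms") and the Space's recorded kms_key_arn; a key in PendingDeletion already refuses Decrypt, which is why the check passes during the window as well as after it.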