HOW CLEARRECORD WORKS

The files that should be gone are the ones that end careers.

ClearRecord turns “we think it was deleted” into a certificate an auditor accepts.

Q3_patient_records_export.csv · Downloads · 30-day policy · created 412 days ago · RECOVERABLE
merger_terms_FINAL_v4.docx · Recycle Bin · 7-day policy · deleted 90 days ago · RECOVERABLE
student_grades_2023.xlsx · Downloads · 30-day policy · created 268 days ago · RECOVERABLE

Past their retention window. Still on the disk. Still recoverable. And you can’t prove otherwise.

The whole process, start to finish

From install to certificate. Everything stays inside your network.

1 · Install: Deploy a lightweight agent to every workstation, manually or by Group Policy.
2 · Connect: Agents dial out to your Hub over mutual-TLS. No inbound ports, and nothing crosses to the internet.
3 · Watch & age: The agent watches your folders. Files age toward their retention window.
4 · Secure delete: Every 6 hours, expired files (not under hold) are overwritten, flushed to disk, and deleted — NIST 800-88 Clear.
5 · Report: Only the metadata of what was destroyed goes to the Hub — never your files, never IPs — into a tamper-evident hash chain.
6 · Prove it: A verified destruction certificate — audit-ready, and signed off.

“Delete” is not “destroyed.”

A normal delete just unlinks the file. The bytes sit on the disk until something happens to overwrite them — and you have no record either way. ClearRecord overwrites, deletes, and logs.

🗑  Standard delete (Recycle Bin / Shift-Delete)
📄 merger_terms_FINAL_v4.docx
Bytes on disk: A 7 F 2 9 C
The directory entry is removed. The file’s bytes stay on disk and are recoverable with free tools.
Recoverable. Unprovable.
✅  ClearRecord
📄 merger_terms_FINAL_v4.docx
Bytes on disk: 0 0 0 0 0 0
A single zero-fill pass over the full file length, flushed to disk, then deleted — and written to the audit log.
Overwritten, logged, certified.
📋 Added to the destruction certificate & hash chain

The life of one file

ClearRecord runs as a Windows service on each workstation and reports to a Hub on your own network. Here is exactly what happens to a file — in the order it actually happens.

1 · A file ages in a watched folder

Each workstation watches the folders you choose — by default Downloads (30 days) and the Recycle Bin (7 days). Recycle Bin items age from when they were deleted, not created.

2 · The sweep finds it — and checks for a hold

Every 6 hours the agent rescans. A file can outlive its window by up to one sweep, then it is flagged. Nothing is deleted on guesswork.

🔒 Gate: the agent only acts after the Hub hands it an approved policy — files under a legal hold are never touched.

3 · Secure delete

The file is overwritten with a single zero-fill pass across its full length, flushed to disk, and deleted — identical on every drive type.

NIST 800-88 R2 — Clear

4 · The event is recorded

The agent dials out to the Hub over mutual-TLS (it has no inbound port) and the deletion is written into a SHA-256 hash-chained audit log. Your files never leave the workstation; only the metadata of what was destroyed does.

5 · You generate proof

From the Hub, an authorized user generates a destruction certificate (PDF/A) covering any date range — the artifact you hand an auditor.
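
Steps 1 to 3 above, plus the metadata-only record of step 4, as an added sketch of an agent-side sweep (this is not ClearRecord's code). The function names, the hold set, the record fields and the use of modification time as the file's age are assumptions made for the example.

```python
import os
import tempfile
import time

CHUNK = 1 << 20  # overwrite in 1 MiB blocks


def zero_fill(path):
    """Overwrite the file's full length with zeros, in place, and force it to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:                 # r+b writes in place, no truncation
        for offset in range(0, size, CHUNK):
            f.write(b"\x00" * min(CHUNK, size - offset))
        f.flush()                                # Python buffer -> OS cache
        os.fsync(f.fileno())                     # OS cache -> storage device
    return size


def sweep(folder, retention_days, holds, now=None):
    """Destroy expired files that are not under hold; return metadata-only records."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    records = []
    for entry in sorted(os.scandir(folder), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue                             # never follow links out of the folder
        if entry.stat(follow_symlinks=False).st_mtime > cutoff:
            continue                             # assumed age source: modification time
        if entry.name in holds:
            continue                             # legal hold: never touched
        size = zero_fill(entry.path)
        os.remove(entry.path)
        records.append({"file": entry.name, "bytes": size,
                        "method": "zero-fill, 1 pass", "at": int(now)})
    return records


def demo():
    """Constructed sample: one expired file, one expired but held, one fresh."""
    folder = tempfile.mkdtemp()
    old = time.time() - 40 * 86400
    for name, mtime in [("export.csv", old), ("held.docx", old), ("new.txt", None)]:
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(b"SENSITIVE" * 100)
        if mtime:
            os.utime(path, (mtime, mtime))
    return folder, sweep(folder, 30, holds={"held.docx"})
```

The record carries the file name, size, method and time, never the file content. On SSDs and copy-on-write filesystems the in-place write may land on different physical blocks, which is the limitation the next section covers.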

Why one pass — plus encryption

On a traditional hard drive, one zero-overwrite makes the data unrecoverable. SSDs remap writes, so a single overwrite can leave copies in spare cells — which is why ClearRecord detects and reports BitLocker as an independent layer. Full-disk encryption means any residual bytes are indistinguishable from noise without the key. BitLocker is reported, never used as the deletion method.

💿 HDD
Before overwrite: A B C D E F
After zero overwrite: 0 0 0 0 0 0
Sectors overwritten in place. Old data is gone.
Overwrite works. Data unrecoverable.

SSD (no encryption)
Before overwrite: A B C D
After “zero overwrite”: 0 0
Controller redirects writes. Old data can survive in hidden cells.
Overwrite alone is insufficient for SSDs.

🔒 SSD + BitLocker
All data encrypted at rest: 🔑 🔑 🔑 🔑 🔑 🔑
After file deletion: 0 0 ? ? ? ?
Residual data is encrypted. Without the key, it’s indistinguishable from noise.
Encryption + deletion = data unrecoverable.

For your IT reviewer — the verifiable details
  • Runs as a Windows service under SYSTEM. No inbound port — the agent dials out only.
  • Agent ↔ Hub over mutual-TLS on port 7443; the Hub Dashboard binds to localhost only (console / RDP access).
  • Audit database and the agent queue are encrypted at rest; deletion records form a SHA-256 hash chain.
  • Zero data egress from your network, except an optional monthly license check that carries no file data (and is skippable in an air-gapped deployment).
  • Built on .NET 10, Windows-only.

The certificate you hand an auditor

The whole site promises destruction certificates. Here is one. This is a sample — the real document is generated from your own deletion records.

Certificate of Destruction
CLEARRECORD · NIST SP 800-88 REV. 2
Certificate No.: CR-2026-000142

Certificate Details
Organization: SAMPLE ORGANIZATION
Standard: NIST SP 800-88 Rev. 2 — Clear
Period covered: Apr 1 – Jun 30, 2026
Generated: Jul 1, 2026

Destruction Summary
1,284 Files · 9.4 GB Data · 12 Workstations · 18 Users · 0 Failed · 2 Locked

Workstation Inventory
Workstation | User | Files | BitLocker
FIN-WS-04 | j.harmon | 312 | Enabled
HR-WS-11 | a.okafor | 208 | Enabled
LEGAL-WS-02 | r.delgado | 176 | Enabled
OPS-WS-19 | s.whitman | 588 | Not detected

Compliance Attestation

The files listed in the accompanying record were overwritten with a single zero-fill pass across the full file length, flushed to disk, and deleted, consistent with NIST SP 800-88 Rev. 2 “Clear.” Each action is recorded in a tamper-evident, hash-chained audit log.

Hash chain integrity: VERIFIED (247 of 247 records intact)
Report hash (SHA-256): 9f2c1ab7e44d0c8b6a3e5f12d7c90ab4e1f86d23c5079bb4e2a1d6f803c47e9a1
Authorized by: Records Officer · SAMPLE ORGANIZATION
Prepared by: ClearRecord Hub · v1.x
ClearRecord is a software tool, not a certification body. This certificate documents actions performed by the software.

Change one record — the chain breaks

Every deletion record is hashed together with the one before it. Edit any historical row and every hash after it stops matching. It doesn’t prevent tampering — it makes tampering impossible to hide.

#1 · a91f… ✓ valid
#2 · 7c20… ✓ valid
#3 · f4e8… ✓ valid
#4 · 2db9… ✓ valid
#5 · 8a01… ✓ valid

When the Hub runs “Verify chain,” it reports the first record where the hash no longer matches — so an altered or deleted log entry is detectable, not silent.
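
A minimal hash-chained log with a "verify chain" check that reports the first record that no longer matches, as an added example (this is not the Hub's code). The record fields, the JSON canonicalisation, the all-zero genesis value and the optional externally stored head hash are assumptions; the page does not describe the Hub's record format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first record


def record_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, record):
    """Link a new record to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": record_hash(prev, record)})


def verify_chain(chain, anchored_head=None):
    """Return the 1-based number of the first bad record, or None if intact.

    anchored_head is a head hash kept outside the log, for example on an
    issued certificate. A log that was truncated or rebuilt end to end is
    internally consistent, so only this comparison catches it; in that case
    the result is len(chain) + 1, one past the last record.
    """
    prev = GENESIS
    for n, row in enumerate(chain, start=1):
        if row["prev"] != prev or row["hash"] != record_hash(prev, row["record"]):
            return n
        prev = row["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(chain) + 1
    return None


def sample_chain():
    """Constructed sample log: five deletion records, metadata only."""
    chain = []
    for i in range(1, 6):
        append(chain, {"seq": i, "file": f"file_{i}.csv", "bytes": 1000 * i,
                       "workstation": "WS-EXAMPLE", "method": "zero-fill, 1 pass"})
    return chain
```

Editing record 3 or removing record 2 is reported at that position. Dropping the last record only shows up when the verifier also holds the head hash from before the change.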

— and to whom

Each field on the certificate answers a question an auditor is required to ask.

What the certificate shows | Why it matters | Citation
Who, what, when, and the method of destruction | Documented, repeatable disposal of records containing protected data | HIPAA 45 CFR 164.310(d)(2)
Tamper-evident audit log of every deletion | Records of information-system activity that can be reviewed | HIPAA 45 CFR 164.312(b)
Retained certificate + 6-year record | Retention of required documentation | HIPAA 45 CFR 164.316(b)
Media sanitization to a recognized standard | Sanitize or destroy media before disposal or reuse | NIST 800-171 / CMMC 3.8.3
Documented destruction of education records | Evidence supporting records-disposal obligations | FERPA 34 CFR Part 99

Rolled out in an afternoon, safe by default

1 · Install via GPO

Push the agent to workstations through Group Policy. It enrolls to your Hub over mutual-TLS automatically.

2 · Nothing deletes until you say so

Agents take no action until the Hub hands them an approved policy. You set the folders and windows; holds are respected.

3 · Locked files don’t get lost

A file in use is retried, tracked, and escalated as a Dashboard alert if it stays locked — never silently skipped.

See it run on your own workstations

A short walkthrough of the Hub, a real deletion, and the certificate it produces.
