⏱ 20 min read
Deletion looks simple right up until the day it isn’t.
A developer adds a “Delete” button. A database row disappears. Everyone goes home happy. Then six months later, legal asks for proof that a customer account was removed. Finance asks why historical revenue reports changed after records vanished. Support wants to restore an accidentally deleted order. A downstream service still holds a copy. Search results show ghosts. Kafka topics replay old events. Someone discovers that “deleted” means three different things in three different systems. event-driven architecture patterns
That is the moment architects earn their keep.
Delete strategy is one of those design choices that teams dismiss as implementation detail and later discover is a business policy, a compliance control, a recovery mechanism, a data quality issue, and a distributed systems problem all at once. In enterprise systems, deletion is not really about removal. It is about meaning. What does it mean, in this domain, for something to no longer be active, visible, billable, searchable, reportable, or legally retainable? Those are very different verbs wearing the same costume.
This is why the soft delete versus hard delete conversation matters. It is not a database trick. It is a domain decision with architectural consequences. And like many such decisions, the wrong choice does not fail dramatically on day one. It leaks value slowly, through operational confusion, bad reporting, brittle integrations, and compliance risk.
Let’s treat it seriously.
Context
Every enterprise has records that stop being useful before they stop being important.
Customers close accounts. Employees leave. Products are discontinued. Orders are canceled. Contracts expire. Devices are decommissioned. A marketing list entry must disappear immediately under privacy law, while an invoice must remain for seven years. That is normal business life. The architecture has to support it.
In monolithic systems, deletion often starts as a table-level concern:
- add an
is_deletedflag - maybe add
deleted_at - filter rows in queries
- call it done
That works for a while. Then the estate grows. Services split. Data lands in a warehouse. Search indexes get introduced. Event streams become the backbone of integration. Teams build read models, caches, replicas, and machine learning features. Suddenly “deleted” is no longer local. It becomes a distributed semantic.
This is where domain-driven design helps. Aggregates have lifecycles. Entities move between states. Some things are archived, some are revoked, some are voided, some are erased. A patient record in a healthcare system is not the same as a shopping cart line item. A closed bank account is not equivalent to a deleted social media profile. If you collapse all these meanings into one generic delete mechanism, the architecture will eventually push back.
The central question is not “Should we soft delete or hard delete?” The better question is:
What business meaning are we trying to preserve or destroy, and where must that meaning propagate?
Problem
At a technical level, the choice appears binary:
- Soft delete: keep the record, mark it deleted
- Hard delete: physically remove the record
But in real systems, that binary breaks down quickly.
Soft deletes preserve history, support recovery, and play nicely with audits. They also pollute operational tables, complicate queries, break uniqueness constraints, and create “zombie data” when downstream systems do not interpret the flag consistently.
Hard deletes keep data sets clean and semantics crisp. They also eliminate recovery options, can destroy referential context, and become dangerous in event-driven or replicated environments where deletion must be propagated with precision.
In distributed architecture, deletion creates awkward questions:
- If the source system soft deletes a customer, should the CRM hide them, or erase them?
- If Kafka replays events, can a deleted entity be re-materialized accidentally?
- If an order is deleted, what happens to invoices, shipments, and analytics facts?
- If a user exercises the right to erasure, is soft delete even lawful?
- If records are physically deleted, how do you reconcile downstream stores that lag behind?
The hard part is not choosing one strategy. The hard part is handling the mismatch between domain semantics, operational realities, legal requirements, and system boundaries.
Forces
A good architectural decision lives in the tension between forces. Delete strategy has several.
1. Domain semantics
This is the force most teams underplay.
In domain-driven design terms, deletion is part of the lifecycle of an aggregate. Often the right answer is not delete at all, but a richer state transition:
- Customer becomes Inactive
- Contract becomes Terminated
- Order becomes Canceled
- Invoice becomes Voided
- User profile becomes Erased
- Product becomes Retired
These are not cosmetic naming choices. They define invariants, downstream behavior, and reporting.
If the business says “deleted” but still expects the object in reporting, support views, and historical reconciliation, that is not deletion. That is deactivation or archival.
2. Compliance and retention
Regulatory demands pull in both directions.
- Privacy laws may require true erasure of personal data.
- Financial and audit regulations may require retention of business records.
- Litigation holds may block deletion entirely.
One memorable enterprise truth: the same record may need to be simultaneously erased and retained, depending on which parts of it you mean.
That often leads to selective hard deletion of personal attributes, while retaining non-identifying transactional records.
3. Operational recovery
Accidental deletion happens. Soft deletes are forgiving. Hard deletes are not.
Production support teams love recoverability. Security teams often do not. There is tension here. The architecture must decide whether recovery belongs in the operational model, backup restoration, temporal history, or event replay.
4. Performance and storage
Soft deletes increase table size. Indexes become less selective. Queries need filters. Old rows accumulate in the hottest tables. You pay for that over time.
Hard deletes keep operational stores leaner. But if you need historical analysis, you may simply shift storage cost elsewhere into archives, warehouses, or event logs.
5. Referential integrity and consistency
Deleting a parent with dependent children is rarely a local action.
Should child records cascade delete?
Should they be orphaned?
Should deletion be prevented?
Should the relationship be severed but history retained?
These are domain decisions masquerading as foreign key settings.
6. Distributed propagation
In microservices, deletion becomes messaging.
You need to answer:
- what event is emitted?
- is it a tombstone, a lifecycle event, or an erasure command?
- what should subscribers do?
- how do late subscribers reconcile?
- how do snapshots and materialized views behave?
This is where Kafka enters. Event streams are excellent at preserving history, but deletion semantics in event-driven systems require discipline. Otherwise the event log becomes a haunted house.
Solution
My opinion is straightforward:
Default to domain-specific lifecycle states, use soft delete selectively for operational reversibility, and reserve hard delete for true erasure, bounded retention cleanup, or data that has no historical business value.
That is more nuanced than picking one side, because enterprises do not live on one side.
A practical delete strategy usually has three layers:
- Business lifecycle state
- The domain says an entity is inactive, canceled, retired, revoked, closed, or archived.
- This is explicit and meaningful.
- Operational deletion marker
- For some entities, use soft delete fields such as deleted_at, deleted_by, delete_reason.
- This supports reversibility and operational safety.
- Physical deletion policy
- Use hard deletion when retention expires, privacy erasure is required, or the data is genuinely disposable.
- This is often asynchronous and policy-driven.
That stack is often healthier than pretending one mechanism covers all needs.
A useful rule of thumb
- If the business still talks about the thing after “deletion,” do not hard delete it immediately.
- If the law requires it to vanish, do not rely on soft delete.
- If another aggregate depends on it for history, model the lifecycle explicitly.
- If restoration is common, build for it intentionally.
- If deletion is rare and irreversible by policy, keep the operational path simple.
Architecture
A robust delete architecture separates business semantics, storage behavior, and integration contracts.
Core model
At the domain level, model lifecycle first. Consider a customer aggregate:
ActiveSuspendedClosedErasurePendingErased
Notice that only one of those states implies physical data destruction. This matters. “Closed” might mean no new activity but retained history. “Erased” means personal data removed.
Then align storage patterns to those states.
Data architecture layers
- Operational database: may use soft delete or status columns
- Event backbone: emits lifecycle and deletion events
- Analytical store: retains facts but may anonymize dimensions
- Search/cache/read models: remove visibility quickly
- Archive or cold storage: optional retention store for non-operational access
Here is a simplified view.
Soft delete implementation shape
A classic implementation adds:
deleted_atdeleted_bydelete_reason- possibly
versionfor optimistic locking
And then all read paths must exclude deleted rows unless explicitly requested.
That sounds manageable. In practice, it fails when one of these happens:
- developers forget the filter
- unique constraints still collide with soft-deleted rows
- joins pull in deleted children
- downstream systems ignore delete semantics
- reporting includes records nobody expects
A soft delete strategy is not complete until the query model, indexes, and integration contracts are all shaped around it.
Hard delete implementation shape
Hard delete is physically simpler but architecturally stricter.
You need:
- referential rules
- deletion authorization
- event publication before or after delete
- reconciliation jobs
- recovery strategy outside the primary path
With Kafka, hard deletes are often represented as a tombstone or explicit deletion event. Which one you use depends on how consumers work.
- Explicit deletion event: richer semantics, easier for business consumers
- Kafka tombstone: useful for log-compacted topics and state store cleanup
- Both: common in mature platforms
Domain event taxonomy matters
Do not publish only CustomerDeleted if what really happened is one of these:
CustomerClosedCustomerAnonymizedCustomerErasureRequestedCustomerErasedCustomerArchived
A vague event creates vague downstream behavior. Vague behavior is where enterprise pain goes to breed.
Migration Strategy
Most large organizations do not get to redesign deletion from scratch. They inherit a mess: inconsistent flags, direct SQL deletes, cached copies, half-synchronized warehouses, and a compliance team asking nervous questions.
This is where progressive strangler migration is the right instinct. Do not stop the world. Wrap the old semantics, introduce clearer behavior at the edges, and gradually move systems toward explicit lifecycle handling.
Step 1: Classify data by deletion semantics
Create a catalog:
- entities that should never be hard deleted operationally
- entities eligible for soft delete only
- entities requiring privacy erasure
- entities that can be hard deleted safely
- records needing retention windows and purge schedules
This is as much domain work as technical work. Get business owners involved.
Step 2: Standardize events and API contracts
Even if legacy tables are messy, define a clean contract for downstream systems:
- lifecycle status changes
- deletion markers
- erasure commands
- purge completion notifications
This gives you a semantic seam.
Step 3: Introduce an anti-corruption layer
If legacy systems use is_deleted = Y, but the new domain model uses Closed vs Erased, translate between them. Do not infect the new model with old ambiguity.
Step 4: Build reconciliation
This is the step teams skip and later regret.
In a distributed delete migration, things will drift:
- source soft deleted, downstream still active
- source hard deleted, warehouse still has PII
- cache not invalidated
- search index stale
- event missed by one consumer group
Reconciliation jobs compare source-of-truth states against downstream representations and repair differences. In delete architecture, reconciliation is not optional. It is your insurance against the normal failures of asynchronous systems.
Step 5: Purge in waves
Once soft delete exists, teams often never reach actual purge. That creates legal and storage risk.
Add retention-driven purge processes:
- identify eligible records
- verify no legal hold
- anonymize or archive where needed
- publish purge events
- hard delete safely
- reconcile downstream removal
Here is a practical migration flow.
Step 6: Strangle old read paths
Legacy systems often have hidden assumptions that deleted rows are still queryable. Replace those paths gradually:
- new APIs enforce semantics
- reports move to curated views
- old direct table access is retired
- search and read models become lifecycle-aware
This is classical strangler pattern, applied not to UI or service decomposition, but to data semantics.
Enterprise Example
Consider a global retail bank modernizing customer platforms.
The bank had:
- a core customer master in a relational monolith
- CRM and onboarding systems
- Kafka-based integration platform
- downstream marketing, fraud, and analytics systems
- regulatory requirements for retention and privacy erasure
The legacy customer table used a single flag: deleted_ind.
That flag meant at least four different things depending on who you asked:
- branch staff thought it meant account closed
- operations thought it meant merged duplicate customer
- marketing thought it meant opt-out
- compliance thought it meant right-to-erasure completed
Predictably, the estate behaved badly.
A customer marked deleted disappeared from one application but still received marketing emails because the campaign platform subscribed only to create/update events. Fraud models retained full personal data indefinitely in a feature store. Analytics dashboards changed historical counts because some ETL jobs excluded deleted customers while others did not. Support could undelete records manually in the source database, which made Kafka consumers drift further.
The bank fixed this by reworking the domain semantics, not by adding more flags.
They introduced explicit lifecycle states in a customer domain service:
ActiveDormantClosedMergedErasureRequestedErased
Then they split event contracts:
CustomerClosedCustomerMergedCustomerMarketingSuppressedCustomerErasureRequestedCustomerErased
Operationally, the core customer record remained soft deletable only for a short reversal window. Personal data fields were tokenized or nullified during erasure workflows. Historical transaction facts stayed intact in the warehouse, but personally identifying dimensions were anonymized after the legal retention rules were applied.
Kafka played a central role. Compacting topics used tombstones for state cleanup, but the platform also emitted explicit business events so consumers did not have to infer intent from a null payload. Search indexes removed customers quickly on CustomerClosed for operational UX, while the privacy platform triggered deeper purge workflows for CustomerErased.
Most importantly, the bank added nightly reconciliation:
- compare active customer IDs in source and read models
- verify erased customers no longer exist in marketing and search
- confirm warehouse dimensions are anonymized
- alert on drift
This was not glamorous architecture. It was grown-up architecture. The result was fewer customer incidents, cleaner compliance evidence, and a delete strategy the business could actually explain.
Operational Considerations
Delete strategy becomes real in operations.
Query discipline
Soft delete means every query path must be deliberate. Mature teams use:
- repository or ORM-level default filters
- database views for active-only records
- partial indexes on non-deleted rows
- tests that validate deleted records are excluded where expected
If you depend on every developer remembering WHERE deleted_at IS NULL, you are not implementing a strategy. You are relying on luck.
Indexing and performance
Soft-deleted rows can bloat hot indexes. Use:
- filtered indexes
- partitioning by lifecycle or retention window
- archive tables for old deleted rows
- periodic purge jobs
Storage is cheap until it lands in the critical path.
Authorization and audit
Deletion should be traceable.
Capture:
- who initiated it
- when
- under what reason code
- whether it was manual or automated
- which downstream systems acknowledged it
For hard deletes, keep audit metadata outside the deleted record itself, otherwise you erase the evidence of your own action.
Event ordering and idempotency
In Kafka and microservices, deletion races with updates.
Possible sequence:
- Update customer address
- Delete customer
- Late consumer processes update after delete
Without versioning or idempotent consumers, the deleted entity can reappear in a read model.
Protect against this with:
- aggregate version numbers
- monotonic event sequencing
- idempotent consumers
- tombstone-aware projections
- periodic reconciliation
Backups and restore
Hard deletion in the primary store does not mean data is gone from backups.
That has legal implications. Privacy programs must define:
- whether backups are exempt temporarily
- how retention applies to backup media
- how restore processes avoid reintroducing erased records
This is a classic failure of partial thinking: teams solve operational deletion and forget recovery infrastructure.
Data warehouse behavior
Analytical systems often should not mirror operational deletes naively.
A deleted product should not rewrite last year’s sales history. Facts remain facts. Dimensions may need end dating, deactivation, or anonymization rather than disappearance.
This is one place where Kimball-style slowly changing dimensions and domain semantics can coexist nicely with DDD. The warehouse is not the operational truth of current state; it is the truth of what happened over time.
Tradeoffs
There is no universally superior strategy. There are only clearer tradeoffs.
Soft deletes: strengths
- easy restoration
- preserves operational history
- useful for audits and support
- avoids accidental irreversible loss
- simpler for some parent-child historical relationships
Soft deletes: weaknesses
- query complexity
- risk of zombie records
- poor uniqueness behavior unless designed carefully
- data bloat
- semantic ambiguity if used as a catch-all
- can violate erasure expectations
Hard deletes: strengths
- cleaner data sets
- simpler query logic
- clearer finality
- better fit for disposable or transient data
- aligns with true erasure requirements
Hard deletes: weaknesses
- difficult recovery
- referential and downstream consistency challenges
- loss of historical context
- needs robust eventing and audit outside the primary row
- dangerous when business semantics are richer than “gone”
A blunt truth
Soft delete is often chosen because it postpones decisions.
Hard delete is often rejected because it forces them.
That is why many enterprises end up with soft delete everywhere and clarity nowhere.
Failure Modes
The interesting part of architecture is not the happy path. It is how systems fail in ordinary ways.
1. Zombie data
The source says deleted, but caches, search, and downstream services still show the entity.
Cause:
- missed events
- ignored flags
- stale indexes
Mitigation:
- deletion events
- cache invalidation
- reconciliation jobs
- expiry policies
2. Resurrection by replay
An old event replay rebuilds a deleted entity into a projection.
Cause:
- projections ignore tombstones or version ordering
- replay logic assumes append-only create/update
Mitigation:
- tombstone-aware consumers
- version checks
- full rebuild from authoritative snapshots
3. Invisible reporting drift
Historical reports change because deleted rows were excluded inconsistently.
Cause:
- operational delete semantics leaked into analytics
- no agreement on historical retention
Mitigation:
- separate operational and analytical semantics
- explicit dimensional handling
- reconciliation across facts and dimensions
4. Compliance theater
The system soft deletes personal data but still retains it everywhere meaningful.
Cause:
- treating UI invisibility as erasure
- no purge of downstream copies, backups, exports
Mitigation:
- data lineage
- erasure workflow across all stores
- evidence collection
- legal review of retention boundaries
5. Cascading chaos
Hard deleting a parent breaks children or creates orphaned references.
Cause:
- database cascade applied without domain analysis
- downstream consumers not prepared
Mitigation:
- aggregate lifecycle design
- deletion rules per relationship
- staged deactivation before purge
6. Permanent clutter
Soft delete with no purge becomes the default landfill of enterprise data.
Cause:
- no retention ownership
- purge jobs never prioritized
- fear of deleting anything
Mitigation:
- policy-driven retention
- purge SLAs
- storage and performance observability
Here is a common failure pattern in event-driven systems.
When Not To Use
Architects need the courage to say no to familiar patterns.
Do not use soft delete when:
- privacy regulation requires actual erasure
- the data is transient and has no historical value
- the table is extremely hot and bloat will hurt badly
- consumers cannot reliably honor deletion flags
- the domain already has richer lifecycle states and soft delete adds confusion
Do not use hard delete when:
- the business still needs historical traceability
- support frequently restores deleted entities
- downstream systems depend on retained identity references
- audit obligations require operational evidence
- delete semantics are ambiguous and not yet modeled
Do not use either as a substitute for domain language
If “delete” is really “cancel,” “void,” “retire,” “expire,” or “erase,” say so. The model should speak the business language. Generic delete mechanisms are often the symptom of a domain model that gave up too early.
Related Patterns
Delete strategy touches several adjacent patterns.
Archiving
Move inactive records to colder storage while preserving access for audit or support. Useful when soft-deleted rows no longer belong in hot operational tables.
Temporal tables and history tables
Capture row history separately. This can reduce pressure to keep soft-deleted data forever in the main table.
Event sourcing
If your source of truth is an event stream, deletion becomes even more semantic. You rarely “remove” history; you emit state transitions such as closed, redacted, or erased. But event sourcing does not magically solve privacy erasure. In fact, it makes that conversation sharper.
Tombstone events
Common in Kafka log-compacted topics. Good for state cleanup, but not sufficient alone for business meaning.
Data anonymization and tokenization
Often the right compromise for balancing retention and privacy. Keep transactional integrity, remove identifying attributes.
Strangler fig migration
Use it to evolve legacy delete semantics gradually, especially when you cannot rewrite every consumer at once.
Reconciliation pattern
Essential in asynchronous systems. If deletion must propagate across boundaries, assume drift and design repair loops.
Summary
Delete strategy is where data architecture stops being mechanical and becomes moral, operational, and deeply domain-specific. enterprise architecture with ArchiMate
Soft deletes are not safer by default. Hard deletes are not cleaner by default. Both can be wrong when used without business meaning. The real design move is to start with domain semantics, then choose technical mechanisms that support those semantics across operational databases, microservices, Kafka streams, search indexes, and analytical stores. microservices architecture diagrams
If the business still needs to talk about the thing, model a lifecycle state.
If users need recovery, consider soft delete or archival.
If regulators require disappearance, plan for hard deletion or anonymization across the entire estate.
If events are involved, design deletion contracts explicitly.
And if systems are distributed, build reconciliation from day one.
A good delete strategy does not merely remove records. It preserves trust.
That is the line to remember. In enterprise architecture, deletion is not about making data vanish. It is about making meaning consistent when something is no longer supposed to be there.
Frequently Asked Questions
What is enterprise architecture?
Enterprise architecture aligns strategy, business processes, applications, and technology in a coherent model. It enables impact analysis, portfolio rationalisation, governance, and transformation planning across the organisation.
How does ArchiMate support architecture practice?
ArchiMate provides a standard language connecting strategy, business operations, applications, and technology. It enables traceability from strategic goals through capabilities and services to infrastructure — making architecture decisions explicit and reviewable.
What tools support enterprise architecture modeling?
The main tools are Sparx Enterprise Architect (ArchiMate, UML, BPMN, SysML), Archi (free, ArchiMate-only), and BiZZdesign. Sparx EA is the most feature-rich, supporting concurrent repositories, automation, scripting, and Jira integration.