Re: Not my field of expertise
"Erase-on-restore is probably a nonstarter because it is technically trivial to *not* erase-on-restore"
It's equally technically trivial to not act on the request in the first place. No difference.
"If you delete the tokenisation key or the master record, the record in the backup becomes (to some extent) anonymous."
How do you handle the restoration of the backup of the key?