diff --git a/controller/disable.go b/controller/disable.go
index dbff3fa9..672c7f33 100644
--- a/controller/disable.go
+++ b/controller/disable.go
@@ -36,6 +36,10 @@ func (h *disableHandler) Handle(params environment.DisableParams, principal *res
 		logrus.Errorf("error getting environment for user '%v': %v", principal.Email, err)
 		return environment.NewDisableInternalServerError()
 	}
+	if env.Deleted {
+		logrus.Errorf("environment '%v' for user '%v' deleted", env.ZId, principal.Email)
+		return environment.NewDisableUnauthorized()
+	}
 	edge, err := zrokEdgeSdk.Client(cfg.Ziti)
 	if err != nil {
 		logrus.Errorf("error getting edge client for user '%v': %v", principal.Email, err)
@@ -85,29 +89,31 @@ func (h *disableHandler) removeSharesForEnvironment(envId int, tx *sqlx.Tx, edge
 	if err != nil {
 		return err
 	}
-	shrs, err := str.FindSharesForEnvironment(envId, tx)
-	if err != nil {
-		return err
-	}
-	for _, shr := range shrs {
-		shrToken := shr.Token
-		logrus.Infof("garbage collecting share '%v' for environment '%v'", shrToken, env.ZId)
-		if err := zrokEdgeSdk.DeleteServiceEdgeRouterPolicy(env.ZId, shrToken, edge); err != nil {
-			logrus.Error(err)
+	if !env.Deleted {
+		shrs, err := str.FindSharesForEnvironment(envId, tx)
+		if err != nil {
+			return err
 		}
-		if err := zrokEdgeSdk.DeleteServicePolicyDial(env.ZId, shrToken, edge); err != nil {
-			logrus.Error(err)
+		for _, shr := range shrs {
+			shrToken := shr.Token
+			logrus.Infof("garbage collecting share '%v' for environment '%v'", shrToken, env.ZId)
+			if err := zrokEdgeSdk.DeleteServiceEdgeRouterPolicy(env.ZId, shrToken, edge); err != nil {
+				logrus.Error(err)
+			}
+			if err := zrokEdgeSdk.DeleteServicePolicyDial(env.ZId, shrToken, edge); err != nil {
+				logrus.Error(err)
+			}
+			if err := zrokEdgeSdk.DeleteServicePolicyBind(env.ZId, shrToken, edge); err != nil {
+				logrus.Error(err)
+			}
+			if err := zrokEdgeSdk.DeleteConfig(env.ZId, shrToken, edge); err != nil {
+				logrus.Error(err)
+			}
+			if err := zrokEdgeSdk.DeleteService(env.ZId, shr.ZId, edge); err != nil {
+				logrus.Error(err)
+			}
+			logrus.Infof("removed share '%v' for environment '%v'", shr.Token, env.ZId)
 		}
-		if err := zrokEdgeSdk.DeleteServicePolicyBind(env.ZId, shrToken, edge); err != nil {
-			logrus.Error(err)
-		}
-		if err := zrokEdgeSdk.DeleteConfig(env.ZId, shrToken, edge); err != nil {
-			logrus.Error(err)
-		}
-		if err := zrokEdgeSdk.DeleteService(env.ZId, shr.ZId, edge); err != nil {
-			logrus.Error(err)
-		}
-		logrus.Infof("removed share '%v' for environment '%v'", shr.Token, env.ZId)
 	}
 	return nil
 }
@@ -117,13 +123,15 @@ func (h *disableHandler) removeFrontendsForEnvironment(envId int, tx *sqlx.Tx, e
 	if err != nil {
 		return err
 	}
-	fes, err := str.FindFrontendsForEnvironment(envId, tx)
-	if err != nil {
-		return err
-	}
-	for _, fe := range fes {
-		if err := zrokEdgeSdk.DeleteServicePolicy(env.ZId, fmt.Sprintf("tags.zrokFrontendToken=\"%v\" and type=1", fe.Token), edge); err != nil {
-			logrus.Errorf("error removing frontend access for '%v': %v", fe.Token, err)
+	if !env.Deleted {
+		fes, err := str.FindFrontendsForEnvironment(envId, tx)
+		if err != nil {
+			return err
+		}
+		for _, fe := range fes {
+			if err := zrokEdgeSdk.DeleteServicePolicy(env.ZId, fmt.Sprintf("tags.zrokFrontendToken=\"%v\" and type=1", fe.Token), edge); err != nil {
+				logrus.Errorf("error removing frontend access for '%v': %v", fe.Token, err)
+			}
 		}
 	}
 	return nil
diff --git a/controller/invite.go b/controller/invite.go
index aead8aa1..eb38bfd4 100644
--- a/controller/invite.go
+++ b/controller/invite.go
@@ -62,14 +62,14 @@ func (h *inviteHandler) Handle(params account.InviteParams) middleware.Responder
 	}
 
 	// deleted accounts still exist as far as invites are concerned (ignore deleted flag)
-	if _, err := str.FindAccountWithEmail(params.Body.Email, tx); err == nil {
+	if _, err := str.FindAccountWithEmailAndDeleted(params.Body.Email, tx); err == nil {
 		logrus.Errorf("found account for '%v', cannot process account request", params.Body.Email)
 		return account.NewInviteBadRequest().WithPayload("duplicate email found")
 	} else {
 		logrus.Infof("no account found for '%v': %v", params.Body.Email, err)
 	}
 
-	if oldAr, err := str.FindAccountRequestWithEmail(params.Body.Email, tx); err == nil && !oldAr.Deleted {
+	if oldAr, err := str.FindAccountRequestWithEmail(params.Body.Email, tx); err == nil {
 		logrus.Warnf("found previous account request for '%v', removing", params.Body.Email)
 		if err := str.DeleteAccountRequest(oldAr.Id, tx); err != nil {
 			logrus.Errorf("error deleteing previous account request for '%v': %v", params.Body.Email, err)
diff --git a/controller/login.go b/controller/login.go
index ea7872ee..0e048225 100644
--- a/controller/login.go
+++ b/controller/login.go
@@ -26,10 +26,6 @@ func loginHandler(params account.LoginParams) middleware.Responder {
 		logrus.Errorf("error finding account '%v': %v", params.Body.Email, err)
 		return account.NewLoginUnauthorized()
 	}
-	if a.Deleted {
-		logrus.Errorf("account '%v' deleted", params.Body.Email)
-		return account.NewLoginUnauthorized()
-	}
 	hpwd, err := rehashPassword(params.Body.Password, a.Salt)
 	if err != nil {
 		logrus.Errorf("error hashing password for '%v': %v", params.Body.Email, err)
diff --git a/controller/overview.go b/controller/overview.go
index c85e2418..85ce3540 100644
--- a/controller/overview.go
+++ b/controller/overview.go
@@ -21,49 +21,51 @@ func overviewHandler(_ metadata.OverviewParams, principal *rest_model_zrok.Princ
 	}
 	var out rest_model_zrok.EnvironmentSharesList
 	for _, env := range envs {
-		shrs, err := str.FindSharesForEnvironment(env.Id, tx)
-		if err != nil {
-			logrus.Errorf("error finding shares for environment '%v': %v", env.ZId, err)
-			return metadata.NewOverviewInternalServerError()
-		}
-		es := &rest_model_zrok.EnvironmentShares{
-			Environment: &rest_model_zrok.Environment{
-				Address:     env.Address,
-				CreatedAt:   env.CreatedAt.UnixMilli(),
-				Description: env.Description,
-				Host:        env.Host,
-				UpdatedAt:   env.UpdatedAt.UnixMilli(),
-				ZID:         env.ZId,
-			},
-		}
+		if !env.Deleted {
+			shrs, err := str.FindSharesForEnvironment(env.Id, tx)
+			if err != nil {
+				logrus.Errorf("error finding shares for environment '%v': %v", env.ZId, err)
+				return metadata.NewOverviewInternalServerError()
+			}
+			es := &rest_model_zrok.EnvironmentShares{
+				Environment: &rest_model_zrok.Environment{
+					Address:     env.Address,
+					CreatedAt:   env.CreatedAt.UnixMilli(),
+					Description: env.Description,
+					Host:        env.Host,
+					UpdatedAt:   env.UpdatedAt.UnixMilli(),
+					ZID:         env.ZId,
+				},
+			}
 
-		for _, shr := range shrs {
-			feEndpoint := ""
-			if shr.FrontendEndpoint != nil {
-				feEndpoint = *shr.FrontendEndpoint
+			for _, shr := range shrs {
+				feEndpoint := ""
+				if shr.FrontendEndpoint != nil {
+					feEndpoint = *shr.FrontendEndpoint
+				}
+				feSelection := ""
+				if shr.FrontendSelection != nil {
+					feSelection = *shr.FrontendSelection
+				}
+				beProxyEndpoint := ""
+				if shr.BackendProxyEndpoint != nil {
+					beProxyEndpoint = *shr.BackendProxyEndpoint
+				}
+				es.Shares = append(es.Shares, &rest_model_zrok.Share{
+					Token:                shr.Token,
+					ZID:                  shr.ZId,
+					ShareMode:            shr.ShareMode,
+					BackendMode:          shr.BackendMode,
+					FrontendSelection:    feSelection,
+					FrontendEndpoint:     feEndpoint,
+					BackendProxyEndpoint: beProxyEndpoint,
+					Reserved:             shr.Reserved,
+					CreatedAt:            shr.CreatedAt.UnixMilli(),
+					UpdatedAt:            shr.UpdatedAt.UnixMilli(),
+				})
 			}
-			feSelection := ""
-			if shr.FrontendSelection != nil {
-				feSelection = *shr.FrontendSelection
-			}
-			beProxyEndpoint := ""
-			if shr.BackendProxyEndpoint != nil {
-				beProxyEndpoint = *shr.BackendProxyEndpoint
-			}
-			es.Shares = append(es.Shares, &rest_model_zrok.Share{
-				Token:                shr.Token,
-				ZID:                  shr.ZId,
-				ShareMode:            shr.ShareMode,
-				BackendMode:          shr.BackendMode,
-				FrontendSelection:    feSelection,
-				FrontendEndpoint:     feEndpoint,
-				BackendProxyEndpoint: beProxyEndpoint,
-				Reserved:             shr.Reserved,
-				CreatedAt:            shr.CreatedAt.UnixMilli(),
-				UpdatedAt:            shr.UpdatedAt.UnixMilli(),
-			})
+			out = append(out, es)
 		}
-		out = append(out, es)
 	}
 	return metadata.NewOverviewOK().WithPayload(out)
 }
diff --git a/controller/register.go b/controller/register.go
index be153f74..6ffdf50b 100644
--- a/controller/register.go
+++ b/controller/register.go
@@ -32,10 +32,6 @@ func (h *registerHandler) Handle(params account.RegisterParams) middleware.Respo
 		logrus.Errorf("error finding account request with token '%v': %v", params.Body.Token, err)
 		return account.NewRegisterNotFound()
 	}
-	if ar.Deleted {
-		logrus.Errorf("account request with token '%v' deleted", params.Body.Token)
-		return account.NewRegisterNotFound()
-	}
 
 	token, err := createToken()
 	if err != nil {
diff --git a/controller/resetPasswordRequest.go b/controller/resetPasswordRequest.go
index 0ae03f1a..7913d359 100644
--- a/controller/resetPasswordRequest.go
+++ b/controller/resetPasswordRequest.go
@@ -45,10 +45,6 @@ func (handler *resetPasswordRequestHandler) Handle(params account.ResetPasswordR
 		logrus.Errorf("no account found for '%v': %v", params.Body.EmailAddress, err)
 		return account.NewResetPasswordRequestInternalServerError()
 	}
-	if a.Deleted {
-		logrus.Errorf("account '%v' deleted", params.Body.EmailAddress)
-		return account.NewResetPasswordRequestInternalServerError()
-	}
 
 	prr := &store.PasswordResetRequest{
 		Token:     token,
diff --git a/controller/share.go b/controller/share.go
index a79965ab..1450d701 100644
--- a/controller/share.go
+++ b/controller/share.go
@@ -35,7 +35,7 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 	if err == nil {
 		found := false
 		for _, env := range envs {
-			if env.ZId == envZId {
+			if !env.Deleted && env.ZId == envZId {
 				logrus.Debugf("found identity '%v' for user '%v'", envZId, principal.Email)
 				envId = env.Id
 				found = true
diff --git a/controller/shareDetail.go b/controller/shareDetail.go
index 453d0eb1..62d5edb2 100644
--- a/controller/shareDetail.go
+++ b/controller/shareDetail.go
@@ -33,7 +33,7 @@ func (h *shareDetailHandler) Handle(params metadata.GetShareDetailParams, princi
 	}
 	found := false
 	for _, env := range envs {
-		if shr.EnvironmentId == env.Id {
+		if !env.Deleted && shr.EnvironmentId == env.Id {
 			found = true
 			break
 		}
diff --git a/controller/store/account.go b/controller/store/account.go
index cf33ce03..9872f943 100644
--- a/controller/store/account.go
+++ b/controller/store/account.go
@@ -37,15 +37,23 @@ func (self *Store) GetAccount(id int, tx *sqlx.Tx) (*Account, error) {
 
 func (self *Store) FindAccountWithEmail(email string, tx *sqlx.Tx) (*Account, error) {
 	a := &Account{}
-	if err := tx.QueryRowx("select * from accounts where email = $1", email).StructScan(a); err != nil {
+	if err := tx.QueryRowx("select * from accounts where email = $1 and not deleted", email).StructScan(a); err != nil {
 		return nil, errors.Wrap(err, "error selecting account by email")
 	}
 	return a, nil
 }
 
+func (self *Store) FindAccountWithEmailAndDeleted(email string, tx *sqlx.Tx) (*Account, error) {
+	a := &Account{}
+	if err := tx.QueryRowx("select * from accounts where email = $1", email).StructScan(a); err != nil {
+		return nil, errors.Wrap(err, "error selecting acount by email")
+	}
+	return a, nil
+}
+
 func (self *Store) FindAccountWithToken(token string, tx *sqlx.Tx) (*Account, error) {
 	a := &Account{}
-	if err := tx.QueryRowx("select * from accounts where token = $1", token).StructScan(a); err != nil {
+	if err := tx.QueryRowx("select * from accounts where token = $1 and not deleted", token).StructScan(a); err != nil {
 		return nil, errors.Wrap(err, "error selecting account by token")
 	}
 	return a, nil
diff --git a/controller/store/account_request.go b/controller/store/account_request.go
index 44d7d40f..9b3f1961 100644
--- a/controller/store/account_request.go
+++ b/controller/store/account_request.go
@@ -39,7 +39,7 @@ func (self *Store) GetAccountRequest(id int, tx *sqlx.Tx) (*AccountRequest, erro
 
 func (self *Store) FindAccountRequestWithToken(token string, tx *sqlx.Tx) (*AccountRequest, error) {
 	ar := &AccountRequest{}
-	if err := tx.QueryRowx("select * from account_requests where token = $1", token).StructScan(ar); err != nil {
+	if err := tx.QueryRowx("select * from account_requests where token = $1 and not deleted", token).StructScan(ar); err != nil {
 		return nil, errors.Wrap(err, "error selecting account_request by token")
 	}
 	return ar, nil
@@ -75,7 +75,7 @@ func (self *Store) FindExpiredAccountRequests(before time.Time, limit int, tx *s
 
 func (self *Store) FindAccountRequestWithEmail(email string, tx *sqlx.Tx) (*AccountRequest, error) {
 	ar := &AccountRequest{}
-	if err := tx.QueryRowx("select * from account_requests where email = $1", email).StructScan(ar); err != nil {
+	if err := tx.QueryRowx("select * from account_requests where email = $1 and not deleted", email).StructScan(ar); err != nil {
 		return nil, errors.Wrap(err, "error selecting account_request by email")
 	}
 	return ar, nil
diff --git a/controller/store/environment.go b/controller/store/environment.go
index 834a2292..4c3e47c0 100644
--- a/controller/store/environment.go
+++ b/controller/store/environment.go
@@ -48,7 +48,7 @@ func (self *Store) GetEnvironment(id int, tx *sqlx.Tx) (*Environment, error) {
 }
 
 func (self *Store) FindEnvironmentsForAccount(accountId int, tx *sqlx.Tx) ([]*Environment, error) {
-	rows, err := tx.Queryx("select environments.* from environments where account_id = $1", accountId)
+	rows, err := tx.Queryx("select environments.* from environments where account_id = $1 and not deleted", accountId)
 	if err != nil {
 		return nil, errors.Wrap(err, "error selecting environments by account id")
 	}
@@ -65,14 +65,14 @@ func (self *Store) FindEnvironmentsForAccount(accountId int, tx *sqlx.Tx) ([]*En
 
 func (self *Store) FindEnvironmentForAccount(envZId string, accountId int, tx *sqlx.Tx) (*Environment, error) {
 	env := &Environment{}
-	if err := tx.QueryRowx("select environments.* from environments where z_id = $1 and account_id = $2", envZId, accountId).StructScan(env); err != nil {
+	if err := tx.QueryRowx("select environments.* from environments where z_id = $1 and account_id = $2 and not deleted", envZId, accountId).StructScan(env); err != nil {
 		return nil, errors.Wrap(err, "error finding environment by z_id and account_id")
 	}
 	return env, nil
 }
 
 func (self *Store) DeleteEnvironment(id int, tx *sqlx.Tx) error {
-	stmt, err := tx.Prepare("delete from environments where id = $1")
+	stmt, err := tx.Prepare("update environments set updated_at = current_timestamp, deleted = true where id = $1")
 	if err != nil {
 		return errors.Wrap(err, "error preparing environments delete statement")
 	}
diff --git a/controller/store/environment_test.go b/controller/store/environment_test.go
index 66400806..d5142022 100644
--- a/controller/store/environment_test.go
+++ b/controller/store/environment_test.go
@@ -26,6 +26,7 @@ func TestEphemeralEnvironment(t *testing.T) {
 	assert.Nil(t, err)
 	assert.NotNil(t, env)
 	assert.Nil(t, env.AccountId)
+	assert.False(t, env.Deleted)
 }
 
 func TestEnvironment(t *testing.T) {
@@ -57,4 +58,5 @@ func TestEnvironment(t *testing.T) {
 	assert.NotNil(t, env)
 	assert.NotNil(t, env.AccountId)
 	assert.Equal(t, acctId, *env.AccountId)
+	assert.False(t, env.Deleted)
 }
diff --git a/controller/unaccess.go b/controller/unaccess.go
index a8bcb21b..fc46fae8 100644
--- a/controller/unaccess.go
+++ b/controller/unaccess.go
@@ -38,7 +38,7 @@ func (h *unaccessHandler) Handle(params share.UnaccessParams, principal *rest_mo
 	var senv *store.Environment
 	if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
 		for _, env := range envs {
-			if env.ZId == envZId {
+			if !env.Deleted && env.ZId == envZId {
 				senv = env
 				break
 			}
diff --git a/controller/unshare.go b/controller/unshare.go
index baf2052b..0bf808af 100644
--- a/controller/unshare.go
+++ b/controller/unshare.go
@@ -43,7 +43,7 @@ func (h *unshareHandler) Handle(params share.UnshareParams, principal *rest_mode
 	var senv *store.Environment
 	if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
 		for _, env := range envs {
-			if env.ZId == params.Body.EnvZID {
+			if !env.Deleted && env.ZId == params.Body.EnvZID {
 				senv = env
 				break
 			}
diff --git a/controller/updateShare.go b/controller/updateShare.go
index 064a6f8c..b1b72a83 100644
--- a/controller/updateShare.go
+++ b/controller/updateShare.go
@@ -38,7 +38,7 @@ func (h *updateShareHandler) Handle(params share.UpdateShareParams, principal *r
 
 	envFound := false
 	for _, senv := range senvs {
-		if senv.Id == sshr.Id {
+		if !senv.Deleted && senv.Id == sshr.Id {
 			envFound = true
 			break
 		}
diff --git a/controller/util.go b/controller/util.go
index b6336cff..59ee7340 100644
--- a/controller/util.go
+++ b/controller/util.go
@@ -25,7 +25,7 @@ func (za *zrokAuthenticator) authenticate(token string) (*rest_model_zrok.Princi
 	}
 	defer func() { _ = tx.Rollback() }()
 
-	if a, err := str.FindAccountWithToken(token, tx); err == nil && !a.Deleted {
+	if a, err := str.FindAccountWithToken(token, tx); err == nil {
 		principal := &rest_model_zrok.Principal{
 			ID:        int64(a.Id),
 			Token:     a.Token,
diff --git a/controller/verify.go b/controller/verify.go
index 016caec9..a7c1e6af 100644
--- a/controller/verify.go
+++ b/controller/verify.go
@@ -29,10 +29,6 @@ func (self *verifyHandler) Handle(params account.VerifyParams) middleware.Respon
 			logrus.Errorf("error finding account request with token '%v': %v", params.Body.Token, err)
 			return account.NewVerifyNotFound()
 		}
-		if ar.Deleted {
-			logrus.Errorf("account request for '%v' with token '%v' deleted", ar.Email, params.Body.Token)
-			return account.NewVerifyNotFound()
-		}
 
 		return account.NewVerifyOK().WithPayload(&rest_model_zrok.VerifyResponse{Email: ar.Email})
 	}