diff --git a/pkg/controller/cleanup/handle_cleanup.go b/pkg/controller/cleanup/handle_cleanup.go
index 9d4a804ac..29fc8df24 100644
--- a/pkg/controller/cleanup/handle_cleanup.go
+++ b/pkg/controller/cleanup/handle_cleanup.go
@@ -174,10 +174,10 @@ func (c *Controller) HandleCleanup() http.Handler {
 			defer observability.RecordLatency(ctx, time.Now(), mLatencyMs, &result, &item)
 			item = tag.Upsert(itemTagKey, "VERIFICATION_SIGNING_KEY")
 			if count, err := c.db.PurgeSigningKeys(c.config.VerificationSigningKeyMaxAge); err != nil {
-				merr = multierror.Append(merr, fmt.Errorf("failed to purge token signing keys: %w", err))
+				merr = multierror.Append(merr, fmt.Errorf("failed to purge verification signing keys: %w", err))
 				result = observability.ResultError("FAILED")
 			} else {
-				logger.Infow("purged token signing keys", "count", count)
+				logger.Infow("purged verification signing keys", "count", count)
 				result = observability.ResultOK()
 			}
 		}()
diff --git a/pkg/database/signing_key.go b/pkg/database/signing_key.go
index 05b367b59..ee7b5df1c 100644
--- a/pkg/database/signing_key.go
+++ b/pkg/database/signing_key.go
@@ -46,9 +46,9 @@ func (db *Database) PurgeSigningKeys(maxAge time.Duration) (int64, error) {
 		maxAge = -1 * maxAge
 	}
 	deleteBefore := time.Now().UTC().Add(maxAge)
-	// Delete users who were created/updated before the expiry time.
-	rtn := db.db.Unscoped().
-		Where("deleted_at < ?", deleteBefore).
+
+	result := db.db.Unscoped().
+		Where("deleted_at IS NOT NULL AND deleted_at < ?", deleteBefore).
 		Delete(&SigningKey{})
-	return rtn.RowsAffected, rtn.Error
+	return result.RowsAffected, result.Error
 }