GDPR Compliance
Stratum provides built-in tooling for GDPR compliance: data export (Article 20), hard-purge (Article 17), consent management, audit logging, and configurable data retention policies.
Data Export (Article 20)
Section titled “Data Export (Article 20)”Export all data belonging to a tenant as a structured JSON archive:
const archive = await stratum.exportTenantData("tenant-uuid");Via the API:
curl http://localhost:3001/api/v1/tenants/TENANT_UUID/export \ -H "X-API-Key: YOUR_ADMIN_KEY"The export includes:
| Table | Contents |
|---|---|
tenant |
Tenant record (name, slug, metadata, status) |
config_entries |
All config key-value pairs |
permission_policies |
All permission policies |
api_keys |
Key metadata (no plaintext secrets) |
webhooks |
Webhook registrations |
webhook_events |
Event history |
webhook_deliveries |
Delivery history |
audit_logs |
Full audit trail |
consent_records |
Consent records with purposes |
API keys are exported without plaintext secrets for security.
Tenant Purge (Article 17)
Section titled “Tenant Purge (Article 17)”Hard-delete all data belonging to a tenant. This operation is irreversible.
await stratum.purgeTenant("tenant-uuid");Via the API:
curl -X POST http://localhost:3001/api/v1/tenants/TENANT_UUID/purge \ -H "X-API-Key: YOUR_ADMIN_KEY"Deletion Order
Section titled “Deletion Order”Data is deleted in foreign-key-safe order:
- Config entries
- Permission policies
- API keys
- Webhook deliveries (via webhook FK join)
- Webhook events
- Webhooks
- Audit logs
- Consent records (via
ON DELETE CASCADE) - The tenant record itself
Hierarchical Constraint
Section titled “Hierarchical Constraint”A tenant with active children cannot be purged. You must purge children first, working leaf-to-root:
// Purge the subtree bottom-upawait stratum.purgeTenant("child-1");await stratum.purgeTenant("child-2");await stratum.purgeTenant("parent");Attempting to purge a tenant with children returns 409 HAS_CHILDREN.
Consent Management
Section titled “Consent Management”Track per-tenant, per-subject consent with purpose, expiration, and metadata.
Grant Consent
Section titled “Grant Consent”await stratum.grantConsent(tenantId, { subject_id: "user-456", purpose: "marketing", expires_at: "2025-12-31T23:59:59Z", metadata: { source: "signup_form", ip: "10.0.0.1" },});Check Active Consent
Section titled “Check Active Consent”const consent = await stratum.getActiveConsent(tenantId, "user-456", "marketing");if (consent) { // Consent is active (not revoked, not expired) sendMarketingEmail(userId);}getActiveConsent() returns null if consent is revoked or expired.
Revoke Consent
Section titled “Revoke Consent”await stratum.revokeConsent(tenantId, "user-456", "marketing");Predefined Purposes
Section titled “Predefined Purposes”| Constant | Value |
|---|---|
DATA_PROCESSING |
data_processing |
ANALYTICS |
analytics |
MARKETING |
marketing |
THIRD_PARTY_SHARING |
third_party_sharing |
You can also use any custom string as a purpose.
Data Retention
Section titled “Data Retention”Automatically purge expired transactional data (audit logs, webhook events, webhook deliveries) older than a configurable retention period.
const result = await stratum.purgeExpiredData(90); // 90 daysconsole.log(`Deleted ${result.deleted_count} expired records`);Via the API:
# Default: 90 dayscurl -X POST http://localhost:3001/api/v1/maintenance/purge-expired \ -H "X-API-Key: YOUR_ADMIN_KEY"
# Custom: 180 dayscurl -X POST "http://localhost:3001/api/v1/maintenance/purge-expired?retention_days=180" \ -H "X-API-Key: YOUR_ADMIN_KEY"What Gets Purged
Section titled “What Gets Purged”| Table | Records Deleted |
|---|---|
webhook_deliveries |
Deliveries older than cutoff |
webhook_events |
Events older than cutoff |
audit_logs |
Logs older than cutoff |
Tenant records, config entries, and permissions are not affected by retention purges.
Limits
Section titled “Limits”- Default: 90 days
- Maximum: 3,650 days (10 years)
- Invalid values fall back to the default
Recommended GDPR Workflow
Section titled “Recommended GDPR Workflow”- Export the tenant’s data and deliver it to the data subject
- Archive the tenant (
DELETE /api/v1/tenants/:id) for a grace period - Purge after the grace period (
POST /api/v1/tenants/:id/purge) - Schedule regular
purge-expiredcalls for log retention
Authorization
Section titled “Authorization”All GDPR operations require the admin scope:
| Route | Required Scope |
|---|---|
GET /api/v1/tenants/:id/export |
admin |
POST /api/v1/tenants/:id/purge |
admin |
POST /api/v1/maintenance/purge-expired |
admin |
Audit Trail
Section titled “Audit Trail”All GDPR operations are recorded in the audit log with full context (actor, resource, before/after state). This provides evidence of compliance actions for regulatory audits.
