Maps all 22 DPA/GDPR playbook sections to their covering ADR, guide, template, or epic in this template. Restates ADR-025's four explicit deferrals (RBAC, MFA, breach-detection, GDPR Art. 22) and documents consumer/infra-scope items (EU region, TLS, MDM, legal instruments). Includes a full reference index linking every compliance guide, ADR, template, and epic.
# Compliance overview
This hub maps each of the 22 sections of the DPA/GDPR compliance playbook reviewed in ADR-025 to the ADR, guide, template, or epic that covers it in this template. Use it as the entry point when answering "is feature X compliant?" or "where do I find the relevant doc?"
For the action-item checklist (pass/fail gate before EU go-live), see pre-launch-compliance-checklist.md. For architectural rationale and deferral decisions, see ADR-025.
## Coverage labels
| Label | Meaning |
|---|---|
| Shipped by template | Mechanism is in the codebase. Run the inline verification command to produce audit evidence. |
| Consumer responsibility | You own this obligation. The template ships fill-in templates or interfaces, not the values. |
| Infra responsibility | Your deployment infrastructure owns this. No application-code change is sufficient. |
| Deferred | Explicitly deferred in ADR-025 with a documented trigger condition. |
## 22-section map
| § | Playbook section | Coverage | Covering doc |
|---|---|---|---|
| 1 | Infrastructure security baseline — EU/EEA region pinning, TLS termination, encryption-at-rest, VPN/bastion | Infra responsibility | operator-checklist.md; pre-launch-compliance-checklist.md §1 |
| 2 | Data governance and accountability — controller/processor identification, accountability framework | Consumer responsibility | ADR-025; pre-launch-compliance-checklist.md §12 |
| 3 | PII inventory and data mapping — field-level custom.pii tags, compliance/data-map.yml | Shipped by template | ADR-025 Epic A; docs/compliance/README.md; data-map.example.yml; subject-linkage.example.md |
| 4 | Data retention schedules and purge — custom.retention per collection, background purge job | Shipped by template | ADR-025 Epic A; docs/compliance/README.md; retention-policy.example.yml |
| 5 | Access control and rate limiting — rateLimit manifest field, IRateLimit / withRateLimit brand | Shipped by template | ADR-025 Epic C; rate-limiting.md; pre-launch-compliance-checklist.md §3 |
| 6 | Authentication policy — password complexity, rotation, lockout, MFA | Consumer responsibility / Deferred | password-policy.template.md; MFA + lockout deferred — see Deferrals |
| 7 | Consent management — requiresConsent manifest field, IConsent / withConsent, consent grant/withdraw | Shipped by template | ADR-025 Epic B; consent.md; pre-launch-compliance-checklist.md §3 |
| 8 | Cookie notice and transparency — EU-prominent banner (<CookieConsentBanner>), granular categories | Shipped by template | ADR-025 Epic B; consent.md |
| 9 | Data Subject Rights (Art. 15, 16, 17, 18, 20, 21) — core-dsr, four interfaces, GDPR endpoints | Shipped by template | ADR-025 Epic B; dsr.md; dsr-procedure.template.md; pre-launch-compliance-checklist.md §8 |
| 10 | Automated decision-making (Art. 22) — profiling, solely-automated decisions | Deferred | ADR-025 §deferrals; see Deferrals |
| 11 | Privacy by Design and Default — PII scrubbing, sendDefaultPii: false, replay masking, id-only observability | Shipped by template | ADR-017; audit-and-compliance.md; pre-launch-compliance-checklist.md §3 |
| 12 | Network security and backup strategy — firewall rules, bastion access, backup schedule, restore testing | Infra / Consumer responsibility | backup-policy.template.md; pre-launch-compliance-checklist.md §1, §9 |
| 13 | Data Protection Impact Assessment (DPIA, Art. 35) — high-risk processing assessment | Consumer responsibility | pre-launch-compliance-checklist.md §12 |
| 14 | Device management — MDM enrollment, EDR, acceptable-use policy, lost/stolen response | Consumer responsibility | device-policy.template.md; pre-launch-compliance-checklist.md §11 |
| 15 | Workforce management — onboarding access provisioning, offboarding revocation, NDAs, security training | Consumer responsibility | onboarding.template.md; offboarding.template.md; pre-launch-compliance-checklist.md §11 |
| 16 | Audit logging and evidence artifacts — append-only core-audit, withAudit brand, eraseSubject, evidence YAML bundle | Shipped by template | ADR-018; audit-and-compliance.md; docs/compliance/README.md; pre-launch-compliance-checklist.md §6, §13 |
| 17 | Legal instruments — DPA, Privacy Policy, Terms of Service, SCCs for non-EU transfers, RoPA (Art. 30) | Consumer responsibility | pre-launch-compliance-checklist.md §12 |
| 18 | Sub-processor management — extended ADR-022 library traces, compliance/sub-processors.yml generator | Shipped by template | ADR-022; ADR-025 Epic A; sub-processors.example.yml; pre-launch-compliance-checklist.md §5 |
| 19 | Pre-launch compliance verification — gate checklist operationalising ADR-025 | Shipped by template | pre-launch-compliance-checklist.md |
| 20 | Breach detection and incident response — Sentry alerting, GDPR Art. 33/34 notification runbook | Consumer responsibility / Deferred | incident-runbook.template.md; pre-launch-compliance-checklist.md §7; breach-detection patterns deferred — see Deferrals |
| 21 | SDLC security — Renovate, Socket.dev, CodeQL, gitleaks, SBOM (CycloneDX), trace revalidation | Shipped by template | ADR-023; ci-security.md; pre-launch-compliance-checklist.md §10 |
| 22 | Observability and PII boundary — PiiScrubSpanProcessor, PiiScrubLogRecordProcessor, OTel exporter pipeline | Shipped by template | ADR-017; audit-and-compliance.md; pre-launch-compliance-checklist.md §3 |
## Deferrals
Four items were explicitly deferred in ADR-025 because they need a product-level shape before they can be meaningfully implemented. Each has a documented trigger, so the decision on when to revisit it belongs to the consumer, not the template authors.
| Deferred item | Why | Trigger to revisit |
|---|---|---|
| RBAC primitive (roles, permissions, tenant scoping) | Requires product decisions: which roles exist, single- vs. multi-tenant, permission granularity | First downstream consumer ships with a stable role model |
| MFA + lockout (auth feature extension) | Requires identity-infrastructure choices (TOTP/WebAuthn), OTP vendor (ADR-022 scope), threat-model-specific policy values | First downstream consumer establishes auth threat model |
| Breach detection patterns (failed-login burst, bulk-access anomaly, off-hours admin) | Requires real auth flows, analytics backend, on-call infrastructure, product-specific anomaly thresholds | First downstream consumer has live traffic + observability backend |
| GDPR Art. 22 (automated decision-making and profiling) | Template has no ML or automated decisions | First downstream consumer adds automated decisions |
## Consumer and infra scope
The following playbook items are explicitly outside the template's scope. The template ships no meaningful implementation for them; coverage comes from consumer-authored documents or deployment-infrastructure decisions.
Infrastructure (§1, §12) — EU/EEA region pinning for compute, managed database, object storage, and backups; TLS termination and HTTPS enforcement at the deploy edge; encryption-at-rest configuration; VPN or bastion for admin access; firewall ingress rules; backup restore testing and RPO/RTO targets. See operator-checklist.md.
Legal instruments (§17) — Data Processing Agreement (DPA) with every counterparty; Privacy Policy (GDPR Art. 13/14 notices); Terms of Service; Standard Contractual Clauses (SCCs) for data transfers outside EU/EEA; DPIA artifacts (Art. 35); Records of Processing Activities (RoPA, Art. 30). See pre-launch-compliance-checklist.md §12.
MDM and organisational measures (§14, §15) — MDM enrollment, EDR tooling, acceptable-use enforcement, lost/stolen device response; HR onboarding/offboarding execution; NDAs; security awareness training; background checks; quarterly privilege access reviews. The template ships fill-in templates for the policy documents; the values and execution are consumer-owned. See device-policy.template.md, onboarding.template.md, offboarding.template.md.
## Reference index
### ADRs
| ADR | Title | Compliance role |
|---|---|---|
| ADR-017 | OpenTelemetry migration | PII scrubbing on the observability pipeline (§11, §22) |
| ADR-018 | Audit logging and DPA compliance | Audit baseline, core-audit, eraseSubject (§16) |
| ADR-022 | Library evaluation policy | EU residency filter, sub-processor frontmatter extension (§18, §21) |
| ADR-023 | CI security and supply chain | Renovate, Socket.dev, CodeQL, gitleaks, SBOM (§21) |
| ADR-024 | Product analytics channel | Analytics PII boundary and consent gating (§7) |
| ADR-025 | EU compliance baseline | Master strategy; four epics, three deferrals, all manifest extensions |
### Guides
| Guide | Covers |
|---|---|
| audit-and-compliance.md | core-audit cookbook — wiring, action types, log-shipper config, eraseSubject (§16, §22) |
| ci-security.md | Four-pillar supply-chain stack — Renovate, Socket.dev, trace revalidation, GitHub gates (§21) |
| consent.md | core-consent cookbook — IConsent, withConsent, cookie banner, category versioning (§7, §8) |
| dsr.md | core-dsr cookbook — four interfaces, GDPR endpoints, multi-subject cascade, deletion modes (§9) |
| operator-checklist.md | Repository secrets, GitHub Apps, branch protection setup (§1, §12) |
| pre-launch-compliance-checklist.md | 13-section launch gate — every obligation with coverage label and verification command (§19) |
| rate-limiting.md | IRateLimit cookbook — manifest declaration, key naming, multi-budget patterns (§5) |
| security-headers.md | Six security headers, CSP nonce wiring, per-framework middleware setup (§11) |
| analytics.md | core-analytics cookbook — consent-gated analytics events (§7) |
### Templates
| Template | Covers |
|---|---|
| incident-runbook.template.md | GDPR Art. 33/34 breach response — 72-hour notification timeline, SA contact, subject notification (§20) |
| dsr-procedure.template.md | DSR intake — identity validation, response log, per-article procedure (§9) |
| backup-policy.template.md | Backup schedule, storage location (EU/EEA), encryption, restore testing, RPO/RTO (§12) |
| password-policy.template.md | Password complexity, rotation cadence, account lockout thresholds (§6) |
| device-policy.template.md | MDM enrollment, EDR, acceptable-use rules, lost/stolen response (§14) |
| onboarding.template.md | Staff access provisioning, security orientation, acknowledgement, 30-day review (§15) |
| offboarding.template.md | Access revocation checklist, device return, data handover, 30-day post-departure review (§15) |
### Schema examples
| File | Covers |
|---|---|
| data-map.example.yml | Field-level custom.pii annotation schema — category, purpose, exportable, restrictable (§3) |
| retention-policy.example.yml | Collection-level custom.retention schema — purgeSchedule, activeRetention, postDeletion (§4) |
| sub-processors.example.yml | Sub-processor inventory schema — library trace extensions + manual REST entries (§18) |
| subject-linkage.example.md | Multi-subject DSR cascade pattern — scope declaration per collection (§9) |
### Epics
| Epic | PRD | Covers |
|---|---|---|
| Epic A — Declarative compliance manifests | PRD | §3 PII inventory, §4 retention, §18 sub-processors |
| Epic B — DSR, consent, cookie banner | PRD | §7 consent, §8 cookie notice, §9 DSR |
| Epic C — Security hardening | PRD | §5 rate limiting, §11 security headers, §21 SBOM |
| Epic D — Compliance docs scaffolds | PRD | §19 checklist, all fill-in templates |
Governed by ADR-025. Part of Epic D — Compliance docs scaffolds.