Maps all 22 DPA/GDPR playbook sections to their covering ADR, guide, template, or epic in this template. Restates ADR-025's four explicit deferrals (RBAC, MFA, breach-detection, GDPR Art. 22) and documents consumer/infra-scope items (EU region, TLS, MDM, legal instruments). Includes a full reference index linking every compliance guide, ADR, template, and epic.
# Compliance overview

This hub maps each of the 22 sections of the DPA/GDPR compliance playbook reviewed in [ADR-025](../decisions/adr-025-eu-compliance-baseline.md) to the ADR, guide, template, or epic that covers it in this template. Use it as the entry point when answering "is feature X compliant?" or "where do I find the relevant doc?"

For the action-item checklist (pass/fail gate before EU go-live), see [pre-launch-compliance-checklist.md](./pre-launch-compliance-checklist.md). For architectural rationale and deferral decisions, see [ADR-025](../decisions/adr-025-eu-compliance-baseline.md).

---

## Coverage labels

| Label | Meaning |
| --------------------------- | -------------------------------------------------------------------------------------------- |
| **Shipped by template** | Mechanism is in the codebase. Run the inline verification command to produce audit evidence. |
| **Consumer responsibility** | You own this obligation. The template ships fill-in templates or interfaces, not the values. |
| **Infra responsibility** | Your deployment infrastructure owns this. No application-code change is sufficient. |
| **Deferred** | Explicitly deferred in ADR-025 with a documented trigger condition. |

---

## 22-section map

| § | Playbook section | Coverage | Covering doc |
| --- | ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1 | Infrastructure security baseline — EU/EEA region pinning, TLS termination, encryption-at-rest, VPN/bastion | **Infra responsibility** | [operator-checklist.md](./operator-checklist.md); [pre-launch-compliance-checklist.md §1](./pre-launch-compliance-checklist.md) |
| 2 | Data governance and accountability — controller/processor identification, accountability framework | **Consumer responsibility** | [ADR-025](../decisions/adr-025-eu-compliance-baseline.md); [pre-launch-compliance-checklist.md §12](./pre-launch-compliance-checklist.md) |
| 3 | PII inventory and data mapping — field-level `custom.pii` tags, `compliance/data-map.yml` | **Shipped by template** | [ADR-025 Epic A](../decisions/adr-025-eu-compliance-baseline.md); [docs/compliance/README.md](../compliance/README.md); [data-map.example.yml](../compliance/data-map.example.yml); [subject-linkage.example.md](../compliance/subject-linkage.example.md) |
| 4 | Data retention schedules and purge — `custom.retention` per collection, background purge job | **Shipped by template** | [ADR-025 Epic A](../decisions/adr-025-eu-compliance-baseline.md); [docs/compliance/README.md](../compliance/README.md); [retention-policy.example.yml](../compliance/retention-policy.example.yml) |
| 5 | Access control and rate limiting — `rateLimit` manifest field, `IRateLimit` / `withRateLimit` brand | **Shipped by template** | [ADR-025 Epic C](../decisions/adr-025-eu-compliance-baseline.md); [rate-limiting.md](./rate-limiting.md); [pre-launch-compliance-checklist.md §3](./pre-launch-compliance-checklist.md) |
| 6 | Authentication policy — password complexity, rotation, lockout, MFA | **Consumer responsibility / Deferred** | [password-policy.template.md](../compliance/templates/password-policy.template.md); MFA + lockout deferred — see [Deferrals](#deferrals) |
| 7 | Consent management — `requiresConsent` manifest field, `IConsent` / `withConsent`, consent grant/withdraw | **Shipped by template** | [ADR-025 Epic B](../decisions/adr-025-eu-compliance-baseline.md); [consent.md](./consent.md); [pre-launch-compliance-checklist.md §3](./pre-launch-compliance-checklist.md) |
| 8 | Cookie notice and transparency — EU-prominent banner (`<CookieConsentBanner>`), granular categories | **Shipped by template** | [ADR-025 Epic B](../decisions/adr-025-eu-compliance-baseline.md); [consent.md](./consent.md) |
| 9 | Data Subject Rights (Art. 15, 16, 17, 18, 20, 21) — `core-dsr`, four interfaces, GDPR endpoints | **Shipped by template** | [ADR-025 Epic B](../decisions/adr-025-eu-compliance-baseline.md); [dsr.md](./dsr.md); [dsr-procedure.template.md](../compliance/templates/dsr-procedure.template.md); [pre-launch-compliance-checklist.md §8](./pre-launch-compliance-checklist.md) |
| 10 | Automated decision-making (Art. 22) — profiling, solely-automated decisions | **Deferred** | [ADR-025 §deferrals](../decisions/adr-025-eu-compliance-baseline.md); see [Deferrals](#deferrals) |
| 11 | Privacy by Design and Default — PII scrubbing, `sendDefaultPii: false`, replay masking, id-only observability | **Shipped by template** | [ADR-017](../decisions/adr-017-opentelemetry-migration.md); [audit-and-compliance.md](./audit-and-compliance.md); [pre-launch-compliance-checklist.md §3](./pre-launch-compliance-checklist.md) |
| 12 | Network security and backup strategy — firewall rules, bastion access, backup schedule, restore testing | **Infra / Consumer responsibility** | [backup-policy.template.md](../compliance/templates/backup-policy.template.md); [pre-launch-compliance-checklist.md §1, §9](./pre-launch-compliance-checklist.md) |
| 13 | Data Protection Impact Assessment (DPIA, Art. 35) — high-risk processing assessment | **Consumer responsibility** | [pre-launch-compliance-checklist.md §12](./pre-launch-compliance-checklist.md) |
| 14 | Device management — MDM enrollment, EDR, acceptable-use policy, lost/stolen response | **Consumer responsibility** | [device-policy.template.md](../compliance/templates/device-policy.template.md); [pre-launch-compliance-checklist.md §11](./pre-launch-compliance-checklist.md) |
| 15 | Workforce management — onboarding access provisioning, offboarding revocation, NDAs, security training | **Consumer responsibility** | [onboarding.template.md](../compliance/templates/onboarding.template.md); [offboarding.template.md](../compliance/templates/offboarding.template.md); [pre-launch-compliance-checklist.md §11](./pre-launch-compliance-checklist.md) |
| 16 | Audit logging and evidence artifacts — append-only `core-audit`, `withAudit` brand, `eraseSubject`, evidence YAML bundle | **Shipped by template** | [ADR-018](../decisions/adr-018-audit-and-compliance.md); [audit-and-compliance.md](./audit-and-compliance.md); [docs/compliance/README.md](../compliance/README.md); [pre-launch-compliance-checklist.md §6, §13](./pre-launch-compliance-checklist.md) |
| 17 | Legal instruments — DPA, Privacy Policy, Terms of Service, SCCs for non-EU transfers, RoPA (Art. 30) | **Consumer responsibility** | [pre-launch-compliance-checklist.md §12](./pre-launch-compliance-checklist.md) |
| 18 | Sub-processor management — extended ADR-022 library traces, `compliance/sub-processors.yml` generator | **Shipped by template** | [ADR-022](../decisions/adr-022-library-evaluation-policy.md); [ADR-025 Epic A](../decisions/adr-025-eu-compliance-baseline.md); [sub-processors.example.yml](../compliance/sub-processors.example.yml); [pre-launch-compliance-checklist.md §5](./pre-launch-compliance-checklist.md) |
| 19 | Pre-launch compliance verification — gate checklist operationalising ADR-025 | **Shipped by template** | [pre-launch-compliance-checklist.md](./pre-launch-compliance-checklist.md) |
| 20 | Breach detection and incident response — Sentry alerting, GDPR Art. 33/34 notification runbook | **Consumer responsibility / Deferred** | [incident-runbook.template.md](../compliance/templates/incident-runbook.template.md); [pre-launch-compliance-checklist.md §7](./pre-launch-compliance-checklist.md); breach-detection patterns deferred — see [Deferrals](#deferrals) |
| 21 | SDLC security — Renovate, Socket.dev, CodeQL, gitleaks, SBOM (CycloneDX), trace revalidation | **Shipped by template** | [ADR-023](../decisions/adr-023-ci-security-and-supply-chain.md); [ci-security.md](./ci-security.md); [pre-launch-compliance-checklist.md §10](./pre-launch-compliance-checklist.md) |
| 22 | Observability and PII boundary — `PiiScrubSpanProcessor`, `PiiScrubLogRecordProcessor`, OTel exporter pipeline | **Shipped by template** | [ADR-017](../decisions/adr-017-opentelemetry-migration.md); [audit-and-compliance.md](./audit-and-compliance.md); [pre-launch-compliance-checklist.md §3](./pre-launch-compliance-checklist.md) |

---

## Deferrals

Four items were explicitly deferred in ADR-025 because they require product-level shape before they can be meaningfully implemented. Each has a documented trigger, so the decision of when to implement it belongs to the consumer, not the template authors.

| Deferred item | Why | Trigger to revisit |
| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ |
| **RBAC primitive** (roles, permissions, tenant scoping) | Requires product decisions: which roles exist, single- vs. multi-tenant, permission granularity | First downstream consumer ships with a stable role model |
| **MFA + lockout** (`auth` feature extension) | Requires identity-infrastructure choices (TOTP/WebAuthn), OTP vendor (ADR-022 scope), threat-model-specific policy values | First downstream consumer establishes auth threat model |
| **Breach detection patterns** (failed-login burst, bulk-access anomaly, off-hours admin) | Requires real auth flows, analytics backend, on-call infrastructure, product-specific anomaly thresholds | First downstream consumer has live traffic + observability backend |
| **GDPR Art. 22** (automated decision-making and profiling) | Template has no ML or automated decisions | First downstream consumer adds automated decisions |

---

## Consumer and infra scope

The following playbook items are explicitly outside the template's scope. The template ships no meaningful implementation for them; coverage comes from consumer-authored policies or deployment-infrastructure decisions.

**Infrastructure (§1, §12)** — EU/EEA region pinning for compute, managed database, object storage, and backups; TLS termination and HTTPS enforcement at the deploy edge; encryption-at-rest configuration; VPN or bastion for admin access; firewall ingress rules; backup restore testing and RPO/RTO targets. See [operator-checklist.md](./operator-checklist.md).

**Legal instruments (§17)** — Data Processing Agreement (DPA) with every counterparty; Privacy Policy (GDPR Art. 13/14 notices); Terms of Service; Standard Contractual Clauses (SCCs) for data transfers outside EU/EEA; DPIA artifacts (Art. 35); Records of Processing Activities (RoPA, Art. 30). See [pre-launch-compliance-checklist.md §12](./pre-launch-compliance-checklist.md).

**MDM and organisational measures (§14, §15)** — MDM enrollment, EDR tooling, acceptable-use enforcement, lost/stolen device response; HR onboarding/offboarding execution; NDAs; security awareness training; background checks; quarterly privileged-access reviews. The template ships fill-in templates for the policy documents; the values and execution are consumer-owned. See [device-policy.template.md](../compliance/templates/device-policy.template.md), [onboarding.template.md](../compliance/templates/onboarding.template.md), [offboarding.template.md](../compliance/templates/offboarding.template.md).

---

## Reference index

### ADRs

| ADR | Title | Compliance role |
| --------------------------------------------------------------- | -------------------------------- | --------------------------------------------------------------------- |
| [ADR-017](../decisions/adr-017-opentelemetry-migration.md) | OpenTelemetry migration | PII scrubbing on the observability pipeline (§11, §22) |
| [ADR-018](../decisions/adr-018-audit-and-compliance.md) | Audit logging and DPA compliance | Audit baseline, `core-audit`, `eraseSubject` (§16) |
| [ADR-022](../decisions/adr-022-library-evaluation-policy.md) | Library evaluation policy | EU residency filter, sub-processor frontmatter extension (§18, §21) |
| [ADR-023](../decisions/adr-023-ci-security-and-supply-chain.md) | CI security and supply chain | Renovate, Socket.dev, CodeQL, gitleaks, SBOM (§21) |
| [ADR-024](../decisions/adr-024-product-analytics-channel.md) | Product analytics channel | Analytics PII boundary and consent gating (§7) |
| [ADR-025](../decisions/adr-025-eu-compliance-baseline.md) | EU compliance baseline | Master strategy; four epics, three deferrals, all manifest extensions |

### Guides

| Guide | Covers |
| -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| [audit-and-compliance.md](./audit-and-compliance.md) | `core-audit` cookbook — wiring, action types, log-shipper config, `eraseSubject` (§16, §22) |
| [ci-security.md](./ci-security.md) | Four-pillar supply-chain stack — Renovate, Socket.dev, trace revalidation, GitHub gates (§21) |
| [consent.md](./consent.md) | `core-consent` cookbook — `IConsent`, `withConsent`, cookie banner, category versioning (§7, §8) |
| [dsr.md](./dsr.md) | `core-dsr` cookbook — four interfaces, GDPR endpoints, multi-subject cascade, deletion modes (§9) |
| [operator-checklist.md](./operator-checklist.md) | Repository secrets, GitHub Apps, branch protection setup (§1, §12) |
| [pre-launch-compliance-checklist.md](./pre-launch-compliance-checklist.md) | 13-section launch gate — every obligation with coverage label and verification command (§19) |
| [rate-limiting.md](./rate-limiting.md) | `IRateLimit` cookbook — manifest declaration, key naming, multi-budget patterns (§5) |
| [security-headers.md](./security-headers.md) | Six security headers, CSP nonce wiring, per-framework middleware setup (§11) |
| [analytics.md](./analytics.md) | `core-analytics` cookbook — consent-gated analytics events (§7) |

### Templates

| Template | Covers |
| ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------- |
| [incident-runbook.template.md](../compliance/templates/incident-runbook.template.md) | GDPR Art. 33/34 breach response — 72-hour notification timeline, SA contact, subject notification (§20) |
| [dsr-procedure.template.md](../compliance/templates/dsr-procedure.template.md) | DSR intake — identity validation, response log, per-article procedure (§9) |
| [backup-policy.template.md](../compliance/templates/backup-policy.template.md) | Backup schedule, storage location (EU/EEA), encryption, restore testing, RPO/RTO (§12) |
| [password-policy.template.md](../compliance/templates/password-policy.template.md) | Password complexity, rotation cadence, account lockout thresholds (§6) |
| [device-policy.template.md](../compliance/templates/device-policy.template.md) | MDM enrollment, EDR, acceptable-use rules, lost/stolen response (§14) |
| [onboarding.template.md](../compliance/templates/onboarding.template.md) | Staff access provisioning, security orientation, acknowledgement, 30-day review (§15) |
| [offboarding.template.md](../compliance/templates/offboarding.template.md) | Access revocation checklist, device return, data handover, 30-day post-departure review (§15) |

### Schema examples

| File | Covers |
| -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- |
| [data-map.example.yml](../compliance/data-map.example.yml) | Field-level `custom.pii` annotation schema — `category`, `purpose`, `exportable`, `restrictable` (§3) |
| [retention-policy.example.yml](../compliance/retention-policy.example.yml) | Collection-level `custom.retention` schema — `purgeSchedule`, `activeRetention`, `postDeletion` (§4) |
| [sub-processors.example.yml](../compliance/sub-processors.example.yml) | Sub-processor inventory schema — library trace extensions + manual REST entries (§18) |
| [subject-linkage.example.md](../compliance/subject-linkage.example.md) | Multi-subject DSR cascade pattern — scope declaration per collection (§9) |

### Epics

| Epic | PRD | Covers |
| ----------------------------------------- | --------------------------------------------------------------------------- | -------------------------------------------------- |
| Epic A — Declarative compliance manifests | [PRD](../work/prds/compliance-manifests-pii-retention-subprocessors.prd.md) | §3 PII inventory, §4 retention, §18 sub-processors |
| Epic B — DSR, consent, cookie banner | [PRD](../work/prds/dsr-consent-and-cookie-banner.prd.md) | §7 consent, §8 cookie notice, §9 DSR |
| Epic C — Security hardening | [PRD](../work/prds/security-headers-rate-limit-sbom.prd.md) | §5 rate limiting, §11 security headers, §21 SBOM |
| Epic D — Compliance docs scaffolds | [PRD](../work/prds/compliance-docs-scaffolds.prd.md) | §19 checklist, all fill-in templates |

---

_Governed by [ADR-025](../decisions/adr-025-eu-compliance-baseline.md). Part of [Epic D — Compliance docs scaffolds](../work/epics/compliance-docs-scaffolds/_epic.md)._