GDPR Compliance

DocLD provides features to help you comply with the General Data Protection Regulation (GDPR). See also HIPAA, ISO 27001, and the Overview Security & Compliance section.

Overview

GDPR gives EU residents rights over their personal data. DocLD supports these rights with built-in compliance features:

• Right to be informed - Clear privacy policies and consent management
• Right of access - Data export functionality
• Right to erasure - Account deletion with grace period
• Right to data portability - Export in standard formats
• Consent management - Granular consent tracking

Consent Management

Consent Types

DocLD tracks consent for:

Recording Consent

Consent is recorded with:

• Timestamp
• IP address
• User agent
• Policy version
• Consent status

Consent API

# Get consent status
curl -X GET "/api/gdpr/consent" \
  -H "Authorization: Bearer YOUR_API_KEY"
 
# Record consent
curl -X POST "/api/gdpr/consent" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{"consentType": "marketing", "granted": true}'
 
# Revoke consent
curl -X DELETE "/api/gdpr/consent?type=marketing" \
  -H "Authorization: Bearer YOUR_API_KEY"

Policy Updates

When policies change:

1. Users are notified of updates
2. Consent renewal is requested
3. New consent is recorded with new version

Check if renewal is needed:

curl -X GET "/api/gdpr/consent/renewal-check" \
  -H "Authorization: Bearer YOUR_API_KEY"

Data Export

Users can request a copy of all their data.

Requesting Export

curl -X POST "/api/gdpr/export" \
  -H "Authorization: Bearer YOUR_API_KEY"

Export Contents

The export includes:

• Profile information
• Documents and metadata
• Extractions and results
• Chat history
• Knowledge bases
• API key metadata (not secrets)
• Consent history
• Audit logs

Export Format

Data is exported as a ZIP file containing:

• profile.json - User profile
• documents/ - Document metadata
• extractions/ - Extraction results
• chat/ - Chat history
• audit/ - Audit log

Export Timeline

Account Deletion

Users can request complete account deletion.

Deletion Process

1. Request - User submits deletion request
2. Grace period - 7-day window to cancel
3. Processing - Data deletion begins
4. Completion - Account fully deleted

Requesting Deletion

curl -X POST "/api/gdpr/delete-account" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{"reason": "No longer need the service"}'

Grace Period

During the 7-day grace period:

• Account remains accessible
• User can cancel the request
• No data is deleted

Canceling Deletion

curl -X DELETE "/api/gdpr/delete-account?requestId={id}" \
  -H "Authorization: Bearer YOUR_API_KEY"

What Gets Deleted

Data Retention

Default retention periods:

Organizations can configure custom retention periods.

Privacy Audit Log

All data access and modifications are logged:

Logged Events

Audit Log Fields

{
  "id": "uuid",
  "user_id": "user-uuid",
  "action": "document_viewed",
  "resource_type": "document",
  "resource_id": "doc-uuid",
  "pii_types": ["name", "email"],
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0...",
  "created_at": "2024-01-15T10:00:00Z"
}

Data Processing Agreement

For organizations processing personal data:

1. Review the DPA template
2. Sign and return to hi@docld.com
3. DPA is linked to your organization

Best Practices

1. Get consent - Always obtain proper consent
2. Document processing - Know what data you process
3. Respond promptly - Handle requests within 30 days
4. Maintain records - Keep consent and processing records
5. Regular audits - Review data practices regularly

Technical Measures

DocLD implements:

• Encryption at rest - All data encrypted
• Encryption in transit - TLS 1.3
• Access controls - Role-based access
• Audit logging - Comprehensive logs
• Data minimization - Only store necessary data

API Reference

See the GDPR API for complete endpoint documentation.