GDPR — Article 15 access + Article 17 cascade
Crewship stores agent-authored content (peer cards, memory snapshots, inbox items) that may include personal data about end users. EU operators have an obligation under GDPR Article 15 (Right of Access) and Article 17 (Right to be Forgotten) to produce that data on request and to delete it on demand. This page is the operator playbook for both flows. It covers the two admin endpoints, the audit table that records every action, the idempotency contract, and the parts of the cascade that intentionally remain manual for the operator’s judgement.Two endpoints, one audit table
The
gdpr_actions audit table is the canonical record of every Article 15 / 17 attempt — successful or failed — keyed by (workspace_id, data_subject_id) for fast SAR query lookup. Each invocation creates a new row even when repeated against the same subject, so the audit trail captures the full history of how the workspace handled that subject.
Article 15 — exporting a subject’s data
A data subject contacts the operator (typically via support email or a privacy portal) requesting a copy of all personal data held about them. The operator finds the subject’suser_id in the workspace identity store, then:
data_subject_id (the three data tables below plus gdpr_actions, the audit history — see “What’s NOT in the export” for the boundary):
500 Internal Server Error on ANY query failure — even if a partial bundle was assembled from successful queries — to prevent an incomplete export from being handed to the subject as if it were authoritative. The audit row is still written with status='failed' so the attempt is recorded; the operator retries after investigating the underlying failure.
The export is the canonical artefact the operator hands the subject. The format is JSON because it’s machine-readable for downstream redaction tooling; the operator is responsible for translating it into whatever the subject requested (PDF, CSV, etc.) if a specific format was named.
What’s NOT in the export
The export only covers tables that carry adata_subject_id foreign key:
peer_cards— agent-authored peer cards mentioning the subjectmemory_versions— versioned memory blobs the agent wrote about the subjectinbox_items— inbox rows whose payload references the subject (e.g. persona-suggestion proposals about the subject)gdpr_actions— the audit history itself (always included)
lessons.mdentries that mention the subject byuser_slug— agents append to a per-crew lessons file with free-form text; the cascade logs a warning naming the subject when its slug is found in anylessons.mdbut does not modify the file. Operators are responsible for redacting if the lesson text contains personal data. See Lessons memory tier.- Chat conversation history — the
chatstable is workspace-scoped not subject-scoped; if the subject’s user_id isuser_idon a chat row, the operator filters those rows separately. Covered by Chat sessions retention. - Audit logs from
internal/journal— operator-facing operations the subject performed are tracked in the journal; the operator queries byactor_user_idrather thandata_subject_idbecause the journal is for what the operator did, not what was done to a subject.
Article 17 — cascade delete
A data subject requests deletion of all personal data (“right to be forgotten”). The operator runs:reason is REQUIRED. The handler rejects an empty or whitespace-only reason with 400 Bad Request, and the underlying gdpr_actions CHECK constraint rejects the same at the DB layer (defense-in-depth — even a future admin SQL bypass that skips the handler can’t land an unjustified delete row). Whitespace-only reasons like " " or "\n" are also rejected because they’re functionally blank for audit purposes.
What the cascade touches
The response confirms what landed:
Idempotency
Running the cascade twice for the same subject is safe:- Already-deleted rows are silently skipped (cascade is row-set based, not snapshot-based)
- Each invocation creates a new
gdpr_actionsrow, so the audit trail records BOTH attempts (operators sometimes re-run a cascade weeks after the first attempt to verify completeness — both runs land in the audit) - The
action_idreturned in the response is the audit row id, not a transaction id — quoting it back to the operator’s ticketing system gives a stable handle
SELECT * FROM gdpr_actions WHERE data_subject_id = ? AND action = 'delete' ORDER BY initiated_at and shows both runs without ambiguity.
Verifying a cascade landed
After running the cascade, the operator verifies completeness by re-running the export:scope counts at zero. If any non-zero remains, the cascade either had a partial failure (check the previous gdpr_actions row’s status and error columns) or there’s data without a data_subject_id foreign key that won’t be reached by the cascade (escalate to engineering — likely a column added since the v107 migration).
Audit table reference
gdpr_actions schema (added in migration v107):
Indexes:
idx_gdpr_actions_subject (workspace_id, data_subject_id)— fast SAR lookupidx_gdpr_actions_initiated (initiated_at)— chronological browse
Querying the audit
Every Article 15 + Article 17 attempt for a subject:UI surface
TheGET and DELETE endpoints are reachable from the workspace
Settings → GDPR Actions panel (Settings → Admin → GDPR Actions for
operators who haven’t reorganised the nav). The UI:
- Lets the admin search a user by email or paste a
user_id - Exposes two buttons — Export user data (JSON) + Delete user data (cascade)
- The delete button opens a confirmation dialog with a required reason field + an “I understand this is irreversible” checkbox
- The dialog stays open during the async DELETE (no auto-close) — a failed call surfaces the error toast without wiping the operator’s input, so they can retry without re-typing
gdpr_actions.reason — operators are encouraged to paste their ticketing system’s identifier (“SAR ticket #1234”) rather than free-form text, so the audit query reads naturally.
What’s NOT exposed
Crewship intentionally does NOT provide:- A self-service deletion endpoint for end users — Article 17 requests are mediated by the operator because the cascade affects content the operator owns (agent decisions, audit records that have to survive operator’s own retention obligations)
- A bulk delete endpoint (“delete every user matching this filter”) — every cascade is one subject at a time, by design, because each
gdpr_actionsrow needs a justification specific to that subject - Auto-deletion on user account close — closing a Crewship user account doesn’t trigger Article 17 (the user might have other obligations to a different workspace tenant within the same Crewship instance); the explicit cascade endpoint is the only path
Cross-references
- Threat model — Tenant isolation on internal-auth handlers — how the GDPR cascade endpoints fit into Crewship’s tenant-isolation surface area
- Audit logging — broader audit log shape;
gdpr_actionsis a specialized table for the GDPR cascade subset - Encryption at rest — operator-side encryption that protects
gdpr_actionsrows in backups + filesystem snapshots - Agent memory — peer cards — how peer cards get created and what
data_subject_idthey end up with - Admin API — schemas for the two endpoints