Skip to main content

GDPR — Article 15 access + Article 17 cascade

Crewship stores agent-authored content (peer cards, memory snapshots, inbox items) that may include personal data about end users. EU operators have an obligation under GDPR Article 15 (Right of Access) and Article 17 (Right to be Forgotten) to produce that data on request and to delete it on demand. This page is the operator playbook for both flows. It covers the two admin endpoints, the audit table that records every action, the idempotency contract, and the parts of the cascade that intentionally remain manual for the operator’s judgement.

Two endpoints, one audit table

The gdpr_actions audit table is the canonical record of every Article 15 / 17 attempt — successful or failed — keyed by (workspace_id, data_subject_id) for fast SAR query lookup. Each invocation creates a new row even when repeated against the same subject, so the audit trail captures the full history of how the workspace handled that subject.

Article 15 — exporting a subject’s data

A data subject contacts the operator (typically via support email or a privacy portal) requesting a copy of all personal data held about them. The operator finds the subject’s user_id in the workspace identity store, then:
The response is a single JSON bundle containing every row from the four tables that carry data_subject_id (the three data tables below plus gdpr_actions, the audit history — see “What’s NOT in the export” for the boundary):
The handler returns 500 Internal Server Error on ANY query failure — even if a partial bundle was assembled from successful queries — to prevent an incomplete export from being handed to the subject as if it were authoritative. The audit row is still written with status='failed' so the attempt is recorded; the operator retries after investigating the underlying failure. The export is the canonical artefact the operator hands the subject. The format is JSON because it’s machine-readable for downstream redaction tooling; the operator is responsible for translating it into whatever the subject requested (PDF, CSV, etc.) if a specific format was named.

What’s NOT in the export

The export only covers tables that carry a data_subject_id foreign key:
  • peer_cards — agent-authored peer cards mentioning the subject
  • memory_versions — versioned memory blobs the agent wrote about the subject
  • inbox_items — inbox rows whose payload references the subject (e.g. persona-suggestion proposals about the subject)
  • gdpr_actions — the audit history itself (always included)
Content the operator may also need to surface manually:
  • lessons.md entries that mention the subject by user_slug — agents append to a per-crew lessons file with free-form text; the cascade logs a warning naming the subject when its slug is found in any lessons.md but does not modify the file. Operators are responsible for redacting if the lesson text contains personal data. See Lessons memory tier.
  • Chat conversation history — the chats table is workspace-scoped not subject-scoped; if the subject’s user_id is user_id on a chat row, the operator filters those rows separately. Covered by Chat sessions retention.
  • Audit logs from internal/journal — operator-facing operations the subject performed are tracked in the journal; the operator queries by actor_user_id rather than data_subject_id because the journal is for what the operator did, not what was done to a subject.

Article 17 — cascade delete

A data subject requests deletion of all personal data (“right to be forgotten”). The operator runs:
reason is REQUIRED. The handler rejects an empty or whitespace-only reason with 400 Bad Request, and the underlying gdpr_actions CHECK constraint rejects the same at the DB layer (defense-in-depth — even a future admin SQL bypass that skips the handler can’t land an unjustified delete row). Whitespace-only reasons like " " or "\n" are also rejected because they’re functionally blank for audit purposes.

What the cascade touches

The response confirms what landed:

Idempotency

Running the cascade twice for the same subject is safe:
  • Already-deleted rows are silently skipped (cascade is row-set based, not snapshot-based)
  • Each invocation creates a new gdpr_actions row, so the audit trail records BOTH attempts (operators sometimes re-run a cascade weeks after the first attempt to verify completeness — both runs land in the audit)
  • The action_id returned in the response is the audit row id, not a transaction id — quoting it back to the operator’s ticketing system gives a stable handle
This matters because regulators sometimes ask “did you delete this subject’s data on 2026-03-14 AND again on 2026-04-02 in response to two separate confirmation requests?” — the answer comes from SELECT * FROM gdpr_actions WHERE data_subject_id = ? AND action = 'delete' ORDER BY initiated_at and shows both runs without ambiguity.

Verifying a cascade landed

After running the cascade, the operator verifies completeness by re-running the export:
A successful cascade returns:
…with all scope counts at zero. If any non-zero remains, the cascade either had a partial failure (check the previous gdpr_actions row’s status and error columns) or there’s data without a data_subject_id foreign key that won’t be reached by the cascade (escalate to engineering — likely a column added since the v107 migration).

Audit table reference

gdpr_actions schema (added in migration v107): Indexes:
  • idx_gdpr_actions_subject (workspace_id, data_subject_id) — fast SAR lookup
  • idx_gdpr_actions_initiated (initiated_at) — chronological browse

Querying the audit

Every Article 15 + Article 17 attempt for a subject:
All cascade deletes performed by an admin in the last 90 days:
Failed exports the operator should retry:

UI surface

The GET and DELETE endpoints are reachable from the workspace Settings → GDPR Actions panel (Settings → Admin → GDPR Actions for operators who haven’t reorganised the nav). The UI:
  1. Lets the admin search a user by email or paste a user_id
  2. Exposes two buttons — Export user data (JSON) + Delete user data (cascade)
  3. The delete button opens a confirmation dialog with a required reason field + an “I understand this is irreversible” checkbox
  4. The dialog stays open during the async DELETE (no auto-close) — a failed call surfaces the error toast without wiping the operator’s input, so they can retry without re-typing
The reason field is the same one that lands in gdpr_actions.reason — operators are encouraged to paste their ticketing system’s identifier (“SAR ticket #1234”) rather than free-form text, so the audit query reads naturally.

What’s NOT exposed

Crewship intentionally does NOT provide:
  • A self-service deletion endpoint for end users — Article 17 requests are mediated by the operator because the cascade affects content the operator owns (agent decisions, audit records that have to survive operator’s own retention obligations)
  • A bulk delete endpoint (“delete every user matching this filter”) — every cascade is one subject at a time, by design, because each gdpr_actions row needs a justification specific to that subject
  • Auto-deletion on user account close — closing a Crewship user account doesn’t trigger Article 17 (the user might have other obligations to a different workspace tenant within the same Crewship instance); the explicit cascade endpoint is the only path

Cross-references