
Privacy Controls

MemorySync provides built-in compliance infrastructure for data privacy regulations. This includes a compliance framework system for tracking regulatory controls, a full Data Subject Request (DSR) pipeline for GDPR/CCPA compliance, and secure data export with time-limited download tokens.

Compliance Framework

Each organization can track compliance against one or more regulatory frameworks (GDPR, CCPA, SOC 2, etc.). The framework system models compliance as a hierarchy:

  • Framework. A named regulatory framework (e.g. "GDPR", "SOC 2") scoped to an organization. Each framework contains multiple controls.
  • Control. An individual compliance requirement within a framework. Each control has a status: pass, fail, not_applicable, or pending.

A framework is considered compliant when every one of its controls has status pass or not_applicable. A framework in which at least one control has been resolved but which is not yet compliant is marked in progress.

Data Subject Requests (DSR)

MemorySync implements the three DSR types required by GDPR and CCPA:

  • access (GDPR Art. 15, right of access). Generates a complete export of all data associated with a user: memories, events, recall logs, and audit entries.
  • export (GDPR Art. 20, data portability). Identical in content to access: produces a portable JSON export of all user data. The download link is HMAC-signed and time-limited.
  • delete (GDPR Art. 17, right to erasure). Cascading deletion of all user data: memories, memory events, recall logs, audit logs, and finally the user record itself.

Each DSR follows a lifecycle: pending → in_progress → completed (or failed on error). Failed DSRs preserve the error message and can be retried.

SLA Enforcement

Every DSR has an SLA deadline computed from configurable parameters:

  • Default SLA. 30 days from request creation. The SLA window is a hosted-platform setting your organization can adjust through support.
  • Overdue detection. The system automatically flags DSRs where the current time exceeds the SLA deadline and the request is not yet completed.
  • Compliance overview. The compliance dashboard aggregates open and overdue DSR counts per organization in a single view.
Important
Overdue DSRs are a compliance risk. The dashboard highlights overdue counts prominently so your privacy team can prioritize resolution before regulatory deadlines.

Data Export Pipeline

For access and export DSR types, the system serializes all user-scoped data into a structured JSON document:

  1. User profile. Core user fields: ID, public ID, email, name, role, status, and creation timestamp.
  2. User metadata. Profile data including job title, department, timezone, and custom metadata.
  3. Memories. All memories owned by the user: source, event type, metadata, creation/update/deletion timestamps.
  4. Memory events. The full event history for each memory (created, updated, accessed, etc.).
  5. Recall logs. Every query the user made and the memories that were recalled.
  6. Audit logs. All audit entries associated with the user across the organization.

The serialized export is written to the configured export directory as a JSON file, keyed by DSR ID.

Right to Delete

Delete-type DSRs execute a cascading deletion that removes all user data from the system. The deletion order is carefully sequenced to respect data dependencies:

  1. Memories. All memory rows owned by the user are deleted.
  2. Memory events. All event history for the user’s memories is deleted.
  3. Recall logs. All query/recall records for the user are deleted.
  4. Audit logs. All audit entries referencing the user (by internal ID, public ID, or actor ID) are deleted.
  5. User record. The user row itself is deleted, completing the cascade.

After deletion, a final audit entry is created under the system actor to record that the deletion was executed.

Secure Download Tokens

Data export downloads are protected by HMAC-signed, time-expiring tokens:

  • Token generation. When an export completes, a download token is minted as an HMAC-SHA256 tag, keyed with a server-side secret, over a payload consisting of the DSR ID and an expiration timestamp.
  • Expiration. Tokens expire after a fixed window (default: 24 hours). Expired tokens are rejected on download.
  • Verification. On download, the presented tag is checked against a freshly computed one using a constant-time comparison, so an attacker cannot forge a tag byte by byte by measuring response times.
  • Binding. A token is bound to one DSR and one expiry: a token presented after its expiry, a token whose payload or tag has been altered, or a token presented for a different DSR fails verification. The payload carries no per-use nonce, so a valid token can be presented more than once within its window; treat the download link as a bearer secret and share it only with the requester.
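The following is an added illustration of the token scheme described above, written for this page; it is not MemorySync's own code. The wire format (base64url DSR ID, expiry, base64url tag joined by dots), the hard-coded key, and the fixed clock passed in through a now parameter are assumptions made so the example runs offline and deterministically.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Hypothetical server-side secret for the example; a real deployment loads it
# from the environment or a secrets manager and never hard-codes it.
SECRET_KEY = b"example-secret-do-not-use-in-production"
DEFAULT_TTL_SECONDS = 24 * 60 * 60  # the page's default 24-hour window


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(dsr_id: str, expires_at: int, key: bytes) -> bytes:
    # The MAC covers both fields, which binds the token to one DSR and one expiry.
    payload = f"{dsr_id}\n{expires_at}".encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).digest()


def mint_download_token(dsr_id: str, *, key: bytes = SECRET_KEY,
                        ttl_seconds: int = DEFAULT_TTL_SECONDS,
                        now: Optional[int] = None) -> str:
    """Return a token of the assumed form <b64url dsr_id>.<expiry>.<b64url tag>."""
    issued = int(time.time()) if now is None else now
    expires_at = issued + ttl_seconds
    tag = _signature(dsr_id, expires_at, key)
    return f"{_b64e(dsr_id.encode('utf-8'))}.{expires_at}.{_b64e(tag)}"


def verify_download_token(token: str, expected_dsr_id: str, *,
                          key: bytes = SECRET_KEY,
                          now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason); each rejection path reports a distinct reason."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        dsr_id = _b64d(parts[0]).decode("utf-8")
        expires_at = int(parts[1])
        presented_tag = _b64d(parts[2])
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False, "malformed"
    # Recompute the tag over the fields as presented and compare in constant
    # time; a tampered payload or tag fails here regardless of which byte changed.
    expected_tag = _signature(dsr_id, expires_at, key)
    if not hmac.compare_digest(presented_tag, expected_tag):
        return False, "bad_signature"
    # Only after the MAC checks out are the embedded fields trusted.
    if dsr_id != expected_dsr_id:
        return False, "wrong_dsr"
    current = int(time.time()) if now is None else now
    if current >= expires_at:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = mint_download_token("dsr_123")
    print(token)
    print(verify_download_token(token, "dsr_123"))   # (True, 'ok')
    print(verify_download_token(token, "dsr_999"))   # (False, 'wrong_dsr')
```

Note that nothing in the verifier records that a token has been used: within its window the same token verifies every time, which is why the link must be handed only to the requester.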

Compliance Dashboard Integration

The compliance dashboard provides a single-page snapshot of your organization’s posture:

  • compliant_frameworks. Number of frameworks where all controls are pass or not_applicable.
  • in_progress_frameworks. Number of frameworks with at least one resolved control but not fully compliant.
  • completed_controls. Total number of resolved controls across all frameworks.
  • total_controls. Total number of controls across all frameworks.
  • open_dsr_count. Number of DSRs that are pending or in progress.
  • overdue_dsr_count. Number of DSRs past their SLA deadline and not yet completed.
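As an added worked example (not MemorySync's code), the rules from the Compliance Framework, SLA Enforcement and dashboard sections above can be computed over a small constructed data set. The dataclasses, the reading of "resolved" as any status other than pending, and the decision to count a framework with no controls as not started are assumptions made for the example; the 30-day default SLA and the six metric names come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

DEFAULT_SLA = timedelta(days=30)                 # page default: 30 days
PASSING = {"pass", "not_applicable"}              # statuses that satisfy a control
RESOLVED = {"pass", "fail", "not_applicable"}     # assumption: anything not pending


@dataclass
class Control:
    name: str
    status: str  # pass | fail | not_applicable | pending


@dataclass
class Framework:
    name: str
    controls: List[Control] = field(default_factory=list)


@dataclass
class DSR:
    dsr_id: str
    dsr_type: str   # access | export | delete
    status: str     # pending | in_progress | completed | failed
    created_at: datetime
    sla: timedelta = DEFAULT_SLA

    @property
    def sla_deadline(self) -> datetime:
        return self.created_at + self.sla


def framework_state(fw: Framework) -> str:
    """'compliant', 'in_progress' or 'not_started' per the page's definitions."""
    # An empty framework has nothing to pass; treat it as not started (assumption).
    if fw.controls and all(c.status in PASSING for c in fw.controls):
        return "compliant"
    if any(c.status in RESOLVED for c in fw.controls):
        return "in_progress"
    return "not_started"


def dsr_is_open(d: DSR) -> bool:
    return d.status in {"pending", "in_progress"}


def dsr_is_overdue(d: DSR, now: datetime) -> bool:
    # Past the deadline and not completed: a failed DSR still counts as overdue,
    # since failure does not discharge the regulatory obligation.
    return d.status != "completed" and now > d.sla_deadline


def compliance_overview(frameworks: List[Framework], dsrs: List[DSR],
                        now: datetime) -> Dict[str, int]:
    states = [framework_state(f) for f in frameworks]
    controls = [c for f in frameworks for c in f.controls]
    return {
        "compliant_frameworks": states.count("compliant"),
        "in_progress_frameworks": states.count("in_progress"),
        "completed_controls": sum(c.status in RESOLVED for c in controls),
        "total_controls": len(controls),
        "open_dsr_count": sum(dsr_is_open(d) for d in dsrs),
        "overdue_dsr_count": sum(dsr_is_overdue(d, now) for d in dsrs),
    }


def sample_data() -> Tuple[List[Framework], List[DSR], datetime]:
    """Constructed sample input covering each classification branch."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    frameworks = [
        Framework("GDPR", [Control("ropa", "pass"), Control("dpia", "pass"),
                           Control("dpo", "not_applicable")]),          # compliant
        Framework("SOC 2", [Control("cc6.1", "pass"), Control("cc6.2", "fail"),
                            Control("cc7.1", "pending")]),             # in progress
        Framework("CCPA", [Control("notice", "pending"),
                           Control("opt_out", "pending")]),            # not started
    ]
    dsrs = [
        DSR("dsr_1", "access", "pending", datetime(2024, 5, 25, tzinfo=timezone.utc)),
        DSR("dsr_2", "delete", "in_progress", datetime(2024, 4, 1, tzinfo=timezone.utc)),
        DSR("dsr_3", "export", "completed", datetime(2024, 3, 1, tzinfo=timezone.utc)),
        DSR("dsr_4", "delete", "failed", datetime(2024, 4, 15, tzinfo=timezone.utc)),
    ]
    return frameworks, dsrs, now


if __name__ == "__main__":
    fws, reqs, clock = sample_data()
    for k, v in compliance_overview(fws, reqs, clock).items():
        print(f"{k}: {v}")
```

In the sample, dsr_2 is open and overdue, while dsr_4 has already failed but is still overdue because it was never completed; a privacy team reading only the open count would miss it, which is why the dashboard reports overdue separately.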