EnfinitOS implements GDPR Article 15 (right of access) and Article 17 (right to erasure) as first-class platform endpoints rather than as bolt-on processes. Both endpoints are live in the sandbox today; they carry into the production tenant unchanged at the April 2027 launch.

Article 15 — Subject Access Request

A data subject’s tenant or operator submits a DSAR via:
POST /v1/compliance/dsar
{
  "subjectIdentifier": { /* email, hashed identifier, etc. */ },
  "kind": "access"
}
The platform returns a structured export — every record about the subject, in JSON, with metadata indicating which controller / data map entry each record came from.

Article 17 — Right to erasure

Erasure is harder than access because of the audit / proof requirements: signed proof packs are immutable, so the platform cannot remove a subject’s data from a pack without invalidating its signature. The platform resolves this by:
  1. Pseudonymising the subject identifier in future packs.
  2. Marking the subject as erased in the data map so future processing skips them.
  3. Keeping the audit trail of the erasure itself as a first-class proof event — preserving the regulatory record while removing the data.
Past packs retain the subject’s data only in pseudonymised form; the mapping from pseudonym → subject is destroyed at erasure time, so the past packs can no longer be re-identified.
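The scheme above as an added sketch, not EnfinitOS code. HMAC-SHA256 stands in for the pack signature, and `PseudonymVault`, `sign_pack` and `verify_pack` are hypothetical names. It assumes packs carry a random pseudonym rather than the raw identifier, and shows that destroying the mapping leaves a past pack's signature valid while its pseudonym can no longer be resolved.

```python
import hashlib
import hmac
import json
import secrets

PACK_KEY = secrets.token_bytes(32)  # constructed stand-in for the pack signing key


class PseudonymVault:
    """Holds the only link between a subject identifier and its pseudonym."""

    def __init__(self):
        self._by_pseudonym = {}  # pseudonym -> subject identifier
        self.erased = set()      # pseudonyms marked erased (data-map flag)
        self.proof_events = []   # audit trail; survives erasure

    def pseudonym_for(self, subject):
        for psn, known in self._by_pseudonym.items():
            if known == subject:
                return psn
        # Random, not a hash of the identifier: once the mapping is destroyed
        # it cannot be rebuilt by hashing guessed e-mail addresses.
        psn = "psn_" + secrets.token_hex(16)
        self._by_pseudonym[psn] = subject
        return psn

    def reidentify(self, pseudonym):
        return self._by_pseudonym.get(pseudonym)

    def erase(self, subject):
        psn = self.pseudonym_for(subject)
        del self._by_pseudonym[psn]  # destroy pseudonym -> subject mapping
        self.erased.add(psn)
        # The erasure is itself recorded, referencing only the pseudonym.
        self.proof_events.append({"event": "erasure", "subject": psn})
        return psn


def _mac(records):
    body = json.dumps(records, sort_keys=True).encode()
    return hmac.new(PACK_KEY, body, hashlib.sha256).hexdigest()


def sign_pack(records):
    return {"records": records, "sig": _mac(records)}


def verify_pack(pack):
    return hmac.compare_digest(pack["sig"], _mac(pack["records"]))
```

The guarantee only holds if the other fields in a pack do not identify the subject on their own; a free-text field containing a name defeats the pseudonym.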

Data map

The platform maintains a data map listing every category of personal data it processes, the legal basis, the retention period, and the controllers / processors involved. The data map is reachable at:
GET /v1/compliance/data-map
and is also packaged into the operator’s tenant-level documentation on the operator dashboard.

Where the proof shows up

Every DSAR submission, response, erasure, and data-map update produces signed proof events that flow into the tenant’s proof chain, so a regulator can verify (using the open-source auditor) that the operator’s GDPR processes happened as claimed.