search
Ctrlk

GDPR / CCPA Compliance

This guide helps EDDI operators handle data subject requests and meet GDPR/CCPA requirements. For an overview of data processing, see PRIVACY.md.

hashtag
Handling Data Subject Requests

hashtag
1. Right to Erasure (GDPR Art. 17 / CCPA §1798.105)

When you receive an erasure request:

# Via REST API
curl -X DELETE https://your-eddi-instance/admin/gdpr/{userId} \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"

The response includes per-store counts:

{
  "userId": "user-123",
  "memoriesDeleted": 15,
  "conversationsDeleted": 8,
  "conversationMappingsDeleted": 3,
  "logsPseudonymized": 42,
  "auditEntriesPseudonymized": 156,
  "completedAt": "2026-04-02T15:30:00Z"
}

Via MCP: Use the delete_user_data tool with confirmation="CONFIRM".

What happens:

  1. User memories — permanently deleted

  2. Conversation snapshots — permanently deleted

  3. Managed conversation mappings — permanently deleted

  4. Database logs — userId pseudonymized (SHA-256 hash)

  5. Audit ledger — userId pseudonymized (SHA-256 hash)

hashtag
2. Right of Access (GDPR Art. 15) / Data Portability (Art. 20) / Right to Know (CCPA §1798.100)

The export includes all user data in a structured, machine-readable JSON format:

  • All persistent user memories

  • All conversation transcripts (with full chat history)

  • All managed conversation mappings (intent→conversation bindings)

  • All audit processing records (capped at 10,000 entries)

Via MCP: Use the export_user_data tool.

hashtag
3. Right to Restriction of Processing (GDPR Art. 18 / LGPD Art. 18)

When a user disputes data accuracy or objects to processing, you can freeze their processing without deleting data:

What happens when restricted:

  • New conversation creation is blocked → returns 403 Forbidden

  • Message processing (say) is blocked → returns 403 Forbidden

  • Existing data is preserved (not deleted)

  • Restriction status is stored as a user memory entry

  • All restriction/unrestriction events are logged in the audit ledger

Use cases:

  • User disputes accuracy of stored data (Art. 18(1)(a))

  • Processing is unlawful but user requests restriction instead of erasure (Art. 18(1)(b))

  • User objects to processing pending verification (Art. 21)

hashtag
4. Response Timeline

Regulation
Initial Deadline
Extension

GDPR

30 days

Up to 90 days for complex requests

CCPA

45 days

Up to 90 days with notification

EDDI's erasure and export operations complete in seconds — the timeline constraint is your internal DSAR process, not the technical execution.

hashtag
Retention Configuration

Per-category retention allows different retention periods for:

  • Conversations — 365 days (default)

  • User memories — disabled by default (configure per-deployment)

  • Audit entries — disabled by default (retained for EU AI Act compliance)

Data minimization (Art. 5(1)(e)): Review the default retention periods and reduce them to the minimum necessary for your use case.

hashtag
Audit Ledger Legal Basis

The EDDI audit ledger is retained indefinitely under two legal bases:

  1. GDPR Art. 17(3)(e) — Compliance with a legal obligation

  2. EU AI Act Articles 17/19 — Immutable decision traceability for AI systems

Upon erasure requests, userId fields in audit entries are pseudonymized (replaced with a SHA-256 hash). The audit data structure, timestamps, and decision records remain intact for regulatory compliance.

hashtag
Controller Checklist

As the data controller, you must:

hashtag
LLM Provider Data Flow

EDDI sends conversation content to the LLM provider configured per agent. You choose the provider via the Manager UI or configuration files.

Provider
Data Location
Self-Hosted?

Ollama

Your infrastructure

✅ Yes

jlama

Your infrastructure

✅ Yes

Anthropic

US/EU (varies)

❌ No

OpenAI

US

❌ No

Google Gemini

US/EU (varies)

❌ No

Mistral

EU (France)

❌ No

Azure OpenAI

Your Azure region

Partially

AWS Bedrock

Your AWS region

Partially

Oracle GenAI

Your OCI region

Partially

Hugging Face

Varies by model host

Partially

For maximum data sovereignty, use Ollama or jlama with self-hosted models.

What is sent to LLM providers:

  • The current user message

  • Recent conversation history (windowed)

  • Agent system prompt

What is NOT sent:

  • User IDs or account metadata

  • Data from other conversations or agents

  • API keys (except the provider's own authentication key)

hashtag
CCPA-Specific Requirements

hashtag
Do Not Sell (§1798.120)

EDDI does not sell personal information and has no mechanism to do so. Document this in your CCPA privacy notice.

hashtag
Right to Know (§1798.100)

Use the export endpoint (GET /admin/gdpr/{userId}/export) to fulfill "right to know" requests. The response includes all categories of personal information collected.

hashtag
Right to Delete (§1798.105)

Use the erasure endpoint (DELETE /admin/gdpr/{userId}) to fulfill "right to delete" requests. The cascade covers all data stores.

hashtag
International Privacy Regulations

EDDI's GDPR/CCPA infrastructure covers the technical requirements of all major international privacy frameworks. Each regulation has a detailed feature mapping and deployer checklist in PRIVACY.md:

  • PIPEDA — Canada (10 Fair Information Principles)

  • LGPD — Brazil (Art. 18 data subject rights)

  • APPI — Japan (2022 amendments, EU adequacy)

  • POPIA — South Africa (8 processing conditions)

  • PDPA — Singapore, Thailand & Malaysia

  • PIPL — China (data localization, cross-border transfer)

The same erasure and export endpoints (DELETE /admin/gdpr/{userId}, GET /admin/gdpr/{userId}/export) work for all jurisdictions. EDDI provides the technical layer; deployer checklists cover organizational measures (consent, officer appointments, breach notification).

hashtag
See Also

PreviousAudit LedgerNextHIPAA Compliance

Last updated

Was this helpful?