GDPR Operations Guide

Last updated: 2025-09-19

Overview

This guide provides technical procedures for handling GDPR data requests in LeafLock. Our zero-knowledge architecture means most user data is encrypted client-side, but we still need processes for the limited server-side data we do store.

Architecture Summary

LeafLock uses a GDPR-compliant encryption system:

Email addresses: Encrypted with unique GDPR deletion keys
Email hashes: SHA-256 hashes for uniqueness constraints
Search hashes: Deterministic encryption for login lookups
GDPR keys: Separate table storing deletion keys for email recovery

Data Request Procedures

The system provides automated endpoints for common requests:

Data Export Request

curl -X POST https://your-domain.com/api/v1/gdpr/request \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Response includes:

User ID
Account creation date
Confirmation message about encrypted notes

Account Deletion Request

curl -X DELETE https://your-domain.com/api/v1/gdpr/delete \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Manual Administrative Procedures

Email Recovery for Support

If you need to recover a user’s email for legitimate support purposes:

Get the user’s email hash:

SELECT email_hash FROM users WHERE id = 'user-uuid-here';

Retrieve the GDPR deletion key:

SELECT deletion_key FROM gdpr_keys WHERE email_hash = 'hash-from-step-1';

Decrypt the email (Go code example):

// This should only be done by authorized administrators
encryptedEmail := getUserEncryptedEmail(userID)
deletionKey := getGDPRKey(emailHash)
email, err := crypto.DecryptWithGDPRKey(encryptedEmail, deletionKey)

Manual User Deletion

For manual deletion (if automated endpoint fails):

Verify user identity using the email verification process above
Start database transaction:

BEGIN;

Delete user (cascades to notes, sessions, etc.):

DELETE FROM users WHERE email_hash = 'verified-email-hash';

Delete GDPR key:

DELETE FROM gdpr_keys WHERE email_hash = 'verified-email-hash';

Commit transaction:

COMMIT;

Data Export for Legal Requests

For comprehensive data export:

Identify user using email recovery procedure
Extract account metadata:

SELECT
  id,
  created_at,
  updated_at,
  last_login,
  failed_attempts,
  mfa_enabled
FROM users
WHERE email_hash = 'verified-hash';

Get audit trail:

SELECT
  action,
  resource_type,
  created_at,
  -- Note: IP and user agent are encrypted
  ip_address_encrypted,
  user_agent_encrypted
FROM audit_log
WHERE user_id = 'user-uuid';

Session history:

SELECT
  created_at,
  expires_at,
  -- Note: IP and user agent are encrypted
  ip_address_encrypted,
  user_agent_encrypted
FROM sessions
WHERE user_id = 'user-uuid';

Security Considerations

Access Control

Principle of least privilege: Only authorized administrators should access GDPR procedures
Audit logging: All GDPR operations are logged
Two-person rule: Consider requiring two administrators for deletion operations

Email Decryption Guidelines

Only decrypt user emails when:

✅ User explicitly requests data export
✅ Legal requirement with proper documentation
✅ Legitimate support need with user consent
❌ Never for marketing or analytics
❌ Never for unauthorized access

Data Retention

After user deletion:

Immediate: User cannot log in
Within 24 hours: All user data removed from active database
Within 30 days: Backup cleanup completed
Audit logs: Deletion events are retained for compliance

Troubleshooting

Failed Deletion

If automated deletion fails:

Check for foreign key constraints:

SELECT
  table_name,
  constraint_name
FROM information_schema.table_constraints
WHERE constraint_type = 'FOREIGN KEY';

Manual cleanup of related data:

-- Notes and attachments (should cascade)
DELETE FROM notes WHERE created_by = 'user-uuid';
DELETE FROM attachments WHERE created_by = 'user-uuid';

-- Collaborations
DELETE FROM collaborations WHERE user_id = 'user-uuid';

-- User roles
DELETE FROM user_roles WHERE user_id = 'user-uuid';

If GDPR keys are corrupted:

User loses access to email recovery
Account can still be deleted by user ID
Document the incident for audit purposes

Database Migration Issues

When updating encryption:

Backup all GDPR keys before schema changes
Test migration on copy of production data
Verify email decryption works after migration
Update documentation if procedures change

Compliance Verification

Monthly Checks

Verify GDPR endpoints are functioning:

# Test data export (use test account)
curl -X POST https://your-domain.com/api/v1/gdpr/request \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com"}'

Check deletion completeness:

-- Should return no results after deletion
SELECT COUNT(*) FROM users WHERE email_hash = 'deleted-user-hash';
SELECT COUNT(*) FROM gdpr_keys WHERE email_hash = 'deleted-user-hash';

Audit log review:

SELECT
  action,
  COUNT(*) as count
FROM audit_log
WHERE action LIKE '%gdpr%'
  AND created_at >= NOW() - INTERVAL '30 days'
GROUP BY action;

Emergency Procedures

Data Breach Response

If GDPR keys are compromised:

Immediate action: Disable GDPR endpoints
Assessment: Determine scope of key exposure
User notification: Contact affected users
Key rotation: Generate new GDPR keys for remaining users
Documentation: Full incident report

System Recovery

After system restore:

Verify GDPR key integrity
Test email decryption for sample accounts
Validate deletion procedures
Check audit log completeness

Contact Information

For GDPR operations support:

Technical issues: tech@leaflock.app
Legal questions: legal@leaflock.app
Emergency contact: emergency@leaflock.app