WF-054: GDPR Data Export Flow
Priority: P0 (Critical) | Phase: Phase 1D - Security & Operations | Effort: 16 hours
Overview
GDPR Article 15 compliance: exports all user data, encrypts with AES-256, uploads to GCS with 7-day TTL, sends signed download link (24h expiry). Requires recent 2FA verification (< 5 min).
Trigger: POST /gdpr/export | Duration: ~30-45 seconds
Workflow Phases
Phase 1: Initialization
Set up prerequisites and validate inputs.
Phase 2: Processing
Execute the main workflow steps.
Phase 3: Verification
Validate outputs and confirm completion.
Phase 4: Finalization
Clean up and generate reports.
Flow
- Validate 2FA verified within last 5 minutes
- Query all user data (users, subscriptions, workstations, audit logs, billing)
- Compile into JSON
- Encrypt with AES-256-CBC (random key + IV)
- Upload to GCS bucket (7-day auto-delete lifecycle)
- Generate signed download URL (24h expiry)
- Email user with download link + decryption key
- Log export in compliance table
- Publish security event
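The encrypt and decrypt halves of the flow above, as an added example in Go (the spec names no implementation language); this is not code from the spec or its project. It assumes the compiled export arrives as a byte slice, implements exactly the spec's AES-256-CBC with a fresh random key and IV per export (IV prepended to the ciphertext, PKCS#7 padding), and points out what the spec leaves out: CBC alone gives no integrity protection over the blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// pad applies PKCS#7 so the export is a whole number of 16-byte blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := append([]byte(nil), b...) // copy so the caller's buffer is never touched
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptExport encrypts the compiled JSON with a fresh random AES-256 key and IV.
// Blob layout: IV || ciphertext; the key is returned separately for the email.
// CBC gives confidentiality only: the spec lists no integrity tag over the blob.
func EncryptExport(exportJSON []byte) (key, blob []byte, err error) {
	buf := make([]byte, 32+aes.BlockSize) // 32-byte key followed by 16-byte IV
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return nil, nil, err
	}
	iv, pt := buf[32:], pad(exportJSON)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(pt, pt) // encrypt in place
	return buf[:32], append(iv, pt...), nil
}

// DecryptExport is what the user runs on the downloaded blob with the emailed key.
func DecryptExport(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes long
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or blob")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length; reject anything malformed
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```

Because no tag covers the blob, a corrupted or tampered download is only caught if the padding or JSON parse happens to fail; the "Encryption/decryption works" test below should include a tampered-blob case to make that behaviour explicit.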
Security
- 2FA Required: Recent authentication (< 5 min)
- Encryption: AES-256-CBC with random key
- Access Control: Signed URLs (24h TTL)
- Data Retention: Auto-delete after 7 days
- Audit Trail: All exports logged
Compliance
- GDPR Article 15: Right to access personal data
- Format: Machine-readable JSON
- Timeframe: Delivered within 1 month (instant via email)
- Free of Charge: No cost to user
Testing
- 2FA validation works
- All user data tables included
- Encryption/decryption works
- Download link expires after 24h
- File auto-deletes after 7 days
- Export logged correctly
Status: ✅ Ready for Implementation