Archived spec & plan — status: partially shipped (audited 2026-07-03).
Status: Partially shipped — verified against the codebase on 2026-07-03 by an automated audit.
The GDPR Data Erasure SOP spec has partial implementation. The request-handling infrastructure (contract, API, MCP, UI, database, immediate session revocation, audit logging) is shipped. However, the CLI tool mentioned in section 6 was deleted during a refactor, and the Inngest hard-delete cascade function explicitly refuses to complete erasures because the full cascade (OXA-1721) is not yet implemented—the system intentionally fails loudly to avoid falsely claiming erasure while data remains.
Implementation evidence
/Users/macanderson/Workspaces/oxagen-platform/packages/oxagen/src/contracts/privacy.data.erase.ts — contract definition with api/mcp/agent surfaces
Document ID: SOP-GDPR-001 Version: 1.0 Effective date: 2026-06-09 Owner: Oxagen Privacy Team Review cadence: Annually, or after any material change to data processing systems
Immediate session revocation; hard-delete within the configurable grace period (default 30 days; set PRIVACY_ERASURE_GRACE_DAYS).
Notify data processors
privacy/erasure.execute Inngest event is the signal — subscribe downstream processors via webhook.
Retain audit trail
security.security_events records the privacy.erasure_requested event permanently (immutable append-only table). The audit record is retained even after data erasure.
Cannot fulfill if legal hold
Not yet implemented — contact privacy@oxagen.ai to freeze an erasure request. Track in Linear.
When a request is received by email or via another channel:
Verify identity. Confirm the requester is the data subject or their authorized representative. For account holders: verify via the email address on file. For org-scope: verify Owner role.
Check for active account. Query auth.users for the email. If account exists, proceed to step 3. If deleted/anonymised already, provide confirmation.
Initiate erasure via CLI:
# User scopeoxagen privacy erase --scope user --yes# Org scope (requires org Owner API key)oxagen privacy erase --scope org --org-id <uuid> --yes
The privacy/erasure.execute Inngest event is the official signal for all downstream processors. Each subscribed system must handle this event and confirm deletion. Current integrations:
System
Hookup status
PostHog (analytics)
Subscribe via webhook — pending
Linear (internal tickets)
Manual anonymisation by support — pending automation
Stripe (billing)
Customer data retained per Stripe legal obligations; PII anonymised in Postgres only
Vercel Blob (file storage)
Cascade delete on generated_assets rows triggers storage cleanup — pending