@aimf/compliance

v0.1.1

GDPR Compliance, Data Retention, and Audit Logging

GDPR Compliance, Data Retention, and Audit Logging module for the AI-MCP Framework (AIMF).

Features

  • Audit Logger: Immutable, signed audit trail for all data operations
  • Consent Manager: GDPR-compliant consent management with versioning
  • DSR Handler: Data Subject Rights handling (access, erasure, portability, rectification)
  • Retention Manager: Automated data lifecycle and retention policy enforcement

Installation

pnpm add @aimf/compliance

Quick Start

Audit Logger

import { createAuditLogger } from "@aimf/compliance";

const logger = createAuditLogger({
  signEntries: true,
  hashSensitiveData: true,
});

// Log data access
await logger.logAccess(
  { type: "user", id: "user-123", ip: "192.168.1.1" },
  { type: "document", id: "doc-456", category: "personal" },
  true // success
);

// Query audit trail
const entries = logger.query({
  action: "read",
  actorId: "user-123",
  startTime: Date.now() - 86400000, // Last 24 hours
});

// Export for compliance
const report = logger.export("csv");
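
The feature list calls the audit trail immutable and signed, and the API exposes `verifyEntry()`. The sketch below is an added example, not the package's code and not a statement of how @aimf/compliance signs entries: it shows one common construction (HMAC-SHA256 over each entry, chained to the previous entry's signature) and how verification pinpoints an edited or removed record. The names `sign`, `appendEntry`, `verifyChain`, `buildSampleLog` and `DEMO_KEY`, and the sample events, are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical names and types for illustration; not the @aimf/compliance API.
interface AuditEvent { action: string; actorId: string; resourceId: string; timestamp: number }
interface AuditEntry extends AuditEvent {
  seq: number;
  prevSig: string; // signature of the previous entry ("" for the first)
  sig: string; // HMAC-SHA256 over every other field
}

// Constructed demo key; a real signing key belongs in a KMS/HSM, not in source.
const DEMO_KEY = "constructed-demo-key";

function sign(e: Omit<AuditEntry, "sig">, key: string): string {
  // Fixed field order so signer and verifier serialize identically.
  const msg = JSON.stringify([e.seq, e.prevSig, e.action, e.actorId, e.resourceId, e.timestamp]);
  return createHmac("sha256", key).update(msg).digest("hex");
}

function appendEntry(log: AuditEntry[], ev: AuditEvent, key: string): AuditEntry[] {
  const prevSig = log.length ? log[log.length - 1].sig : "";
  const body = { seq: log.length, ...ev, prevSig };
  return [...log, { ...body, sig: sign(body, key) }];
}

// Returns the index of the first entry that fails verification, or -1 if intact.
function verifyChain(log: AuditEntry[], key: string): number {
  let prevSig = "";
  for (let i = 0; i < log.length; i++) {
    const { sig, ...body } = log[i];
    const expected = Buffer.from(sign(body, key), "hex");
    const actual = Buffer.from(sig, "hex");
    // Length check first: timingSafeEqual throws on unequal lengths.
    const ok = body.seq === i && body.prevSig === prevSig && actual.length === expected.length && timingSafeEqual(actual, expected);
    if (!ok) return i;
    prevSig = sig;
  }
  return -1;
}

// Constructed sample trail: three events on one document.
function buildSampleLog(): AuditEntry[] {
  const events: AuditEvent[] = [
    { action: "read", actorId: "user-123", resourceId: "doc-456", timestamp: 1700000000000 },
    { action: "update", actorId: "user-123", resourceId: "doc-456", timestamp: 1700000060000 },
    { action: "delete", actorId: "admin-1", resourceId: "doc-456", timestamp: 1700000120000 },
  ];
  return events.reduce<AuditEntry[]>((log, ev) => appendEntry(log, ev, DEMO_KEY), []);
}
```

Entries dropped from the tail are not caught by the chain alone; recording the latest signature or entry count somewhere the log writer cannot modify closes that gap.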

Consent Manager

import { createConsentManager } from "@aimf/compliance";

const manager = createConsentManager({
  requireExplicit: true,
  consentVersioning: true,
});

// Register consent purposes
manager.registerPurpose({
  id: "marketing",
  name: "Marketing Communications",
  description: "Receive marketing emails and newsletters",
  required: false,
  legalBasis: "consent",
});

// Grant consent
await manager.grantConsent("user-123", ["marketing"], {
  proof: "checkbox-clicked",
});

// Check consent
if (manager.hasConsent("user-123", "marketing")) {
  // Process marketing data
}

// Revoke consent
await manager.revokeConsent("user-123", ["marketing"]);

Data Subject Rights (DSR) Handler

import { createDSRHandler } from "@aimf/compliance";

const handler = createDSRHandler({
  responseDeadlineDays: 30, // GDPR requirement
});

// Submit access request
const request = await handler.submitRequest(
  "access",
  "user-123",
  { type: "user", id: "user-123" }
);

// Process access request
const { data } = await handler.processAccessRequest(
  request.id,
  async () => ({
    personalData: { name: "John Doe", email: "[email protected]" },
    activityLog: [], // populate with the user's activity records
  })
);

// Check for overdue requests
const overdue = handler.getOverdueRequests();

Retention Manager

import { createRetentionManager } from "@aimf/compliance";

const manager = createRetentionManager({
  defaultRetentionDays: 365,
  gracePeriodDays: 30,
});

// Register retention policy
manager.registerPolicy({
  id: "personal-30",
  name: "Personal Data - 30 days",
  dataCategory: "personal",
  retentionDays: 30,
  archivePolicy: "delete",
  enabled: true,
});

// Track data
manager.trackData("doc-123", "personal");

// Check retention status
const status = manager.getRetentionStatus("doc-123");
console.log(`Days remaining: ${status.daysRemaining}`);

// Start auto enforcement
manager.startAutoEnforcement(24); // Check every 24 hours

// Generate compliance report
const report = manager.generateReport();

Integration Example

import {
  createAuditLogger,
  createConsentManager,
  createDSRHandler,
  createRetentionManager,
} from "@aimf/compliance";

// Create integrated compliance stack
const auditLogger = createAuditLogger({ signEntries: true });
const consentManager = createConsentManager();
const dsrHandler = createDSRHandler({}, undefined, auditLogger);
const retentionManager = createRetentionManager();

// Complete data subject workflow
async function handleUserDataRequest(userId: string) {
  // 1. Check consent
  if (!consentManager.hasLegalBasis(userId, "data-processing").valid) {
    throw new Error("No legal basis for processing");
  }

  // 2. Log the access
  await auditLogger.logAccess(
    { type: "system", id: "api-server" },
    { type: "user-data", id: userId, category: "personal" },
    true
  );

  // 3. Submit access request
  const request = await dsrHandler.submitRequest(
    "access",
    userId,
    { type: "user", id: userId }
  );

  // 4. Process and return data
  return dsrHandler.processAccessRequest(request.id, async () => ({
    consents: consentManager.exportConsents(userId),
    auditTrail: auditLogger.getActorAuditTrail(userId),
  }));
}

GDPR Compliance Features

  • Article 7: Consent management with proof of consent
  • Article 15: Right of access (access requests)
  • Article 16: Right to rectification (rectification requests)
  • Article 17: Right to erasure (erasure requests)
  • Article 20: Right to data portability (portability requests)
  • Article 30: Records of processing activities (audit log)

API Reference

AuditLogger

| Method | Description |
|--------|-------------|
| log() | Create an audit entry |
| logAccess() | Log data access |
| logModification() | Log data modification |
| logConsentChange() | Log consent change |
| logSubjectRequest() | Log DSR submission |
| query() | Query audit entries |
| export() | Export audit log |
| verifyEntry() | Verify entry signature |

ConsentManager

| Method | Description |
|--------|-------------|
| registerPurpose() | Register consent purpose |
| grantConsent() | Grant consent |
| revokeConsent() | Revoke consent |
| hasConsent() | Check consent validity |
| hasLegalBasis() | Check legal basis |
| exportConsents() | Export consent data |

DSRHandler

| Method | Description |
|--------|-------------|
| submitRequest() | Submit new request |
| startProcessing() | Mark as processing |
| completeRequest() | Complete request |
| rejectRequest() | Reject request |
| processAccessRequest() | Process access request |
| processErasureRequest() | Process erasure request |
| processPortabilityRequest() | Process portability request |

RetentionManager

| Method | Description |
|--------|-------------|
| registerPolicy() | Register retention policy |
| trackData() | Start tracking data |
| getRetentionStatus() | Get data status |
| enforceRetention() | Run enforcement |
| startAutoEnforcement() | Start scheduled checks |
| generateReport() | Generate compliance report |

License

MIT