Compliance & Data Privacy
Comprehensive compliance documentation for GDPR, POPIA, and other regulatory requirements.
Overview
The Monitoring Portal is designed with compliance and data privacy as core principles. This document outlines our compliance posture, data handling practices, and user rights implementation.
GDPR Compliance
Data Rights Implementation
Right to Access (Article 15)
Users can access their personal data through:
- Profile Page: View all stored personal information
- Data Export: Export personal data in JSON/CSV format (coming soon)
- API Access: Programmatic access to personal data via authenticated API endpoints
Right to Erasure (Article 17)
Users can request account deletion:
- Self-Service: Account deletion available in profile settings
- Administrative: System administrators can delete user accounts
- Data Retention: Deleted data is permanently removed within 30 days
Right to Portability (Article 20)
Data export functionality:
- Format: JSON and CSV formats supported
- Scope: All personal data, account settings, and activity logs
- Delivery: Secure download link or email delivery
Right to Rectification (Article 16)
Users can update their information:
- Profile Editing: Direct editing of name, contact information
- Account Settings: Update preferences and notification settings
- Audit Trail: All changes are logged for compliance
Data Processing Principles
Lawful Basis
- Contract Performance: Processing necessary for service delivery
- Legitimate Interest: Service improvement and security
- Consent: Explicit consent for marketing communications
Data Minimization
- Only collect data necessary for service delivery
- Regular data audits to remove unnecessary information
- Anonymization of analytics data
Purpose Limitation
- Data used only for stated purposes
- No secondary use without consent
- Clear purpose statements in privacy policy
Storage Limitation
- Data retained only as long as necessary
- Automatic deletion of expired data
- Retention policies documented per data type
POPIA Compliance (South Africa)
Information Officer
- Designated: Information Officer appointed per POPIA requirements
- Contact: Available in privacy policy and terms of service
Data Subject Rights
All POPIA rights are implemented consistent with GDPR:
- Access to personal information
- Correction of personal information
- Deletion of personal information
- Objection to processing
- Restriction of processing
- Data portability
Data Processing Conditions
- Consent: Obtained where required
- Legitimate Interest: Documented and justified
- Legal Obligation: Compliance with applicable laws
- Contract: Necessary for service delivery
Security Safeguards
- Encryption in transit (TLS 1.2+)
- Encryption at rest (database encryption)
- Access controls and authentication
- Regular security assessments
- Incident response procedures
Data Processing Agreements
Sub-Processors
We use the following sub-processors:
Supabase (Database & Authentication)
- Purpose: User authentication, database hosting
- Location: Configurable (US, EU, Asia Pacific)
- Certification: SOC 2 Type II certified
- DPA: Standard Supabase DPA applies
Hosting Providers
- Purpose: Application hosting and infrastructure
- Location: As specified in deployment configuration
- Security: Industry-standard security measures
Data Processing Agreements
- All sub-processors have signed DPAs
- Regular review of sub-processor security
- Notification of sub-processor changes
Data Retention Policies
User Data
- Active Accounts: Retained while account is active
- Inactive Accounts: Deleted after 2 years of inactivity
- Deleted Accounts: Permanently removed within 30 days
Logs and Analytics
- Access Logs: 90 days
- Error Logs: 30 days
- Analytics Data: Anonymized, retained for 2 years
- Audit Logs: 7 years (for compliance)
Monitoring Data
- Sensor Data: Retained per account configuration
- Historical Data: Configurable retention period
- Backup Data: 30 days retention
Breach Notification Procedures
Internal Procedures
- Detection: Automated monitoring and alerting
- Assessment: Immediate risk assessment
- Containment: Isolate affected systems
- Investigation: Root cause analysis
- Remediation: Fix vulnerabilities
- Notification: Notify affected users and authorities
Notification Timeline
- Internal: Immediate upon detection
- Authorities: Within 72 hours (GDPR) / as required by POPIA
- Users: Without undue delay if high risk
Notification Content
- Nature of the breach
- Categories and approximate number of affected data subjects
- Likely consequences
- Measures taken or proposed to address the breach
Privacy Controls
User Controls
- Privacy Settings: Granular privacy controls
- Data Sharing: Control over data sharing preferences
- Marketing Communications: Opt-in/opt-out controls
- Cookie Preferences: Manage cookie consent
Technical Controls
- Encryption: End-to-end encryption where applicable
- Access Controls: Role-based access control (RBAC)
- Audit Logging: Comprehensive audit trails
- Data Anonymization: Automatic anonymization of analytics
- Development Safeguards:
RELAX_CSPandRELAX_RATE_LIMITflags temporarily relax CSP/security headers and rate limiting for local development only (disabled in production)
Compliance Monitoring
Regular Audits
- Annual: Comprehensive compliance audit
- Quarterly: Security and privacy assessments
- Ongoing: Automated compliance monitoring
Documentation
- Policies: Regularly updated privacy and security policies
- Procedures: Documented data handling procedures
- Training: Regular staff training on compliance
Contact Information
For compliance inquiries:
- Email: privacy@example.com
- Information Officer: Available through support channels
- Data Protection Officer: As required by applicable law
Updates
This compliance documentation is reviewed and updated regularly. Last updated: [Current Date]