> ## Documentation Index
> Fetch the complete documentation index at: https://docs.toktra.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# GDPR & CCPA

> Data subject rights, DSAR processing, legal holds, and e-discovery in Toktra.

## Data Protection Impact Assessment

Toktra has completed a **Data Protection Impact Assessment (DPIA)** for all personal data processing activities on the platform. The DPIA covers the nature of the data collected (usage metadata — never content), the legal basis for processing (legitimate interests under GDPR Article 6(1)(f)), risk assessment, and the technical and organizational safeguards in place.

Key findings from the DPIA:

* All residual risks reduced to Low or Medium level after applying controls
* No prior supervisory authority consultation required (no High residual risks)
* Privacy-by-design architecture confirmed: metadata only, no prompt or response capture

You can request a copy of the Toktra DPIA for your own compliance documentation. Contact **[legal@toktra.io](mailto:legal@toktra.io)**.

## Employee notice templates

Before deploying Toktra monitoring in your organization, you are required to inform your employees. Toktra provides **ready-to-use notice templates** for the following jurisdictions:

| Template               | Jurisdiction             |
| ---------------------- | ------------------------ |
| `notice-eu-gdpr.md`    | EU / EEA (GDPR)          |
| `notice-uk.md`         | United Kingdom (UK GDPR) |
| `notice-us-ca.md`      | California (CCPA / CPRA) |
| `notice-us-general.md` | United States (general)  |

<Tip>
  For EU/EEA deployments, issue employee notices at least **30 days** before monitoring begins. In Germany, works council co-determination (Betriebsverfassungsgesetz §87(1)(6)) may require a Betriebsvereinbarung before deployment. Consult local legal counsel for jurisdiction-specific requirements.
</Tip>

Contact **[legal@toktra.io](mailto:legal@toktra.io)** to request the notice templates for your organization.

## Data Subject Access Requests (DSAR)

Employees can request a copy of their personal data held by Toktra. Toktra's DSAR pipeline supports both self-service access via the dashboard and programmatic submission via the API.

### Regulation-aware deadlines

| Regulation        | Response deadline                                                                              |
| ----------------- | ---------------------------------------------------------------------------------------------- |
| GDPR (EU/EEA/UK)  | 30 calendar days from receipt of verified request (extendable by 60 days for complex requests) |
| CCPA (California) | 45 calendar days from receipt of verified request                                              |

### Submitting a DSAR

<Steps>
  <Step title="Submit via dashboard">
    Employees can log in to the Toktra Employee Self-Service Portal using their organization's SSO credentials and navigate to **My Data → Download My Data** for immediate self-service export in JSON or CSV format.
  </Step>

  <Step title="Submit via API">
    Admins can submit a formal DSAR on behalf of an employee using the API:

    ```bash theme={null}
    POST /v1/legal/dsar
    ```

    ```json theme={null}
    {
      "employee_id": "usr_abc123",
      "format": "json",
      "regulation": "gdpr",
      "include_sections": [
        "usage_telemetry",
        "device_enrollment",
        "alert_history",
        "policy_violations",
        "access_audit_log",
        "account_metadata"
      ]
    }
    ```
  </Step>

  <Step title="Track the request">
    Poll for completion using the request ID returned in the response:

    ```bash theme={null}
    GET /v1/legal/dsar/{request_id}
    ```

    The response includes status, a signed download URL (when complete), and the data package size.
  </Step>

  <Step title="Deliver the data package">
    Once the status is `complete`, download the ZIP archive from the signed URL and deliver it to the employee via a secure channel. The package contains all personal data sections requested.
  </Step>
</Steps>

### DSAR status tracking

List all DSAR requests for your organization, with filtering by status and date range:

```bash theme={null}
GET /v1/legal/dsar?status=in_progress&regulation=gdpr
```

The dashboard provides a DSAR management view under **Compliance → DSAR Management**.

## Right to erasure

Employees have the right to request deletion of their personal data. Toktra's erasure workflow deletes all individual-level data while preserving:

* Anonymized aggregate statistics (team/org level, no individual attribution)
* Audit logs under WORM retention (employee identifiers are pseudonymized, not physically deleted, during the Object Lock retention period)
* The erasure request record itself (retained 3 years as compliance evidence)

### Submitting an erasure request

```bash theme={null}
POST /v1/legal/dsar
```

```json theme={null}
{
  "employee_id": "usr_abc123",
  "request_type": "erasure",
  "regulation": "gdpr",
  "retain_anonymized_aggregates": true
}
```

<Warning>
  Before executing erasure, the system automatically checks for active legal holds. If the employee's data is subject to a hold, the erasure request is blocked for held data and Legal Counsel must be consulted. You can still process erasure for data not covered by the hold.
</Warning>

Upon completion, you receive a **deletion receipt** containing a SHA-256 verification hash, a count of deleted records, and a list of any records retained under exemptions. The employee is notified by email with the receipt ID.

### Tracking erasure status

```bash theme={null}
GET /v1/legal/dsar/{request_id}
```

The response includes `deletion_receipt` with the verification hash and records processed per data store.

## E-discovery

Toktra integrates with **Relativity** and **Logikcull** for litigation support. You configure e-discovery connectors and trigger exports per legal hold from the API or the dashboard under **Legal → E-Discovery**.

### Configure an e-discovery connector

```bash theme={null}
POST /v1/legal/ediscovery/configs
```

```json theme={null}
{
  "provider": "relativity",
  "workspace_id": "1234567",
  "username": "your-relativity-username",
  "password_secret_arn": "arn:aws:secretsmanager:us-east-1:...",
  "base_url": "https://your-instance.relativity.one"
}
```

```bash theme={null}
POST /v1/legal/ediscovery/configs
```

```json theme={null}
{
  "provider": "logikcull",
  "api_key_secret_arn": "arn:aws:secretsmanager:us-east-1:..."
}
```

Once a connector is configured, you can trigger an export scoped to a specific legal hold:

```bash theme={null}
POST /v1/legal/ediscovery/configs/{config_id}/exports
Content-Type: application/json

{
  "legal_hold_id": "hold_xyz789"
}
```

## Legal holds

Legal holds preserve relevant employee data and prevent it from being deleted by the automated retention worker. Toktra supports both manual holds and **automated preservation rules** that trigger holds based on configurable conditions.

### Managing automated hold rules

```bash theme={null}
GET  /v1/legal/holds/automations
POST /v1/legal/holds/automations
PUT  /v1/legal/holds/automations/{automation_id}
DELETE /v1/legal/holds/automations/{automation_id}
```

Example — create an automation that places a hold when a policy violation of high severity is created:

```bash theme={null}
POST /v1/legal/holds/automations
```

```json theme={null}
{
  "name": "Hold on high-severity policy violations",
  "trigger": {
    "event_type": "policy_violation",
    "conditions": {
      "severity": "high"
    }
  },
  "hold_scope": "user",
  "notify_email": "legal@yourcompany.com"
}
```

<Note>
  Hold automations use the same append-only chain-of-custody DAG as manual holds. Every preservation action is timestamped with an RFC 3161 timestamp from a trusted timestamp authority (DigiCert), providing tamper-proof evidence for litigation.
</Note>

Legal hold management is also available in the dashboard at **Legal → Legal Holds**.

## Data residency

You select your data residency region during onboarding, and all personal data is stored exclusively in that region.

| Region         | AWS region       | Suitability                 |
| -------------- | ---------------- | --------------------------- |
| United States  | `us-east-1`      | Default                     |
| European Union | `eu-west-1`      | GDPR-compliant              |
| Australia      | `ap-southeast-2` | Australian data sovereignty |
| Canada         | `ca-central-1`   | Canadian data residency     |

To view or update your residency configuration:

```bash theme={null}
GET /v1/data-residency
```

For EU customers, the `eu-west-1` region is configured with GDPR-compliant data handling. Standard Contractual Clauses (SCCs) are executed for any transfers outside the EEA. Contact **[legal@toktra.io](mailto:legal@toktra.io)** to request the SCCs or a Transfer Impact Assessment.

## Processing agreement

You can request a **Data Processing Agreement (DPA)** from Toktra that covers:

* Processing only on your documented instructions
* Confidentiality obligations for all Toktra personnel with data access
* Technical and organizational security measures
* Sub-processor list and notification of changes (30-day advance notice)
* Assistance with data subject requests
* Deletion or return of data upon contract termination
* Audit rights

To request a DPA, contact **[legal@toktra.io](mailto:legal@toktra.io)** with your organization name and the jurisdiction(s) applicable to your deployment.

<AccordionGroup>
  <Accordion title="Does Toktra act as a data controller or data processor?">
    Toktra acts as a **data processor** on behalf of your organization (the data controller). Your organization determines the purposes and means of processing. The DPA formalizes this relationship and specifies Toktra's obligations under GDPR Article 28.
  </Accordion>

  <Accordion title="How do I handle a DSAR from a former employee?">
    Former employees' individual-level telemetry is retained for 90 days after their account is deactivated. After that, data is aggregated and anonymized. You can still submit a DSAR using the former employee's historical `employee_id` — the API returns whatever individual-level data remains within the retention window, along with a statement of what has been aggregated.
  </Accordion>

  <Accordion title="Can an employee object to being monitored?">
    Yes. Under GDPR Article 21, employees can formally object to processing. Submit the objection in writing to your organization's DPO. Your DPO assesses whether the organization's compelling legitimate grounds override the employee's interests. During the assessment period, you can apply a processing restriction via `POST /v1/legal/dsar` with `request_type: restriction`. If the objection is upheld, the employee's monitoring is suspended and existing data is erased following the erasure workflow.
  </Accordion>

  <Accordion title="What personal data is included in a DSAR data package?">
    The DSAR package is a ZIP archive containing: all individual usage telemetry (token counts, provider hostnames, model identifiers, timestamps, application context), device enrollment records, alert and policy violation history, access audit log (who viewed the employee's data), and account metadata. Prompt and response content is never captured, so it is never included.
  </Accordion>

  <Accordion title="Does Toktra support California CCPA rights?">
    Yes. Toktra supports CCPA rights including the right to know (access), right to delete, and right to opt out of sale (Toktra does not sell personal data). The DSAR API accepts a `regulation: ccpa` parameter and enforces the 45-day deadline. Contact **[legal@toktra.io](mailto:legal@toktra.io)** for CCPA-specific DPA addenda.
  </Accordion>
</AccordionGroup>
