Compliance

How Orinel supports your compliance and audit requirements. We document only what we implement; we do not claim certifications (e.g. SOC 2) unless we have completed the relevant audit.

Last updated: March 2025

Controls we implement

  • GDPR: Data export and erasure via API and in-app (see Data subject rights below).
  • RBAC and RLS: Role-based access and row-level security so access is limited to authorized users and workspaces.
  • Audit trail: Append-only activity and usage logs; exportable for internal and external audit.

Audit export

Authorized compliance or security teams can export audit data (activity and usage logs) for a date range. Export is available via the Audit export API using a dedicated compliance key. Format: JSON or CSV. See API reference for GET /api/compliance/audit-export (headers: X-Compliance-Key, query: from, to, format).

Data subject rights (GDPR / CCPA)

  • Access: Users can export their data via GET /api/compliance/gdpr-export or in-app GDPR export.
  • Erasure: Users can request deletion via POST /api/compliance/gdpr-delete (body: { "confirm": true }) or by contacting support. See GDPR delete workflow for the account deletion → data deletion process.
  • Correction: Profile and account data can be updated in settings; for other corrections, contact support.

Data handling and subprocessors

Where we store data, how long we retain it, and who can access it are described in Data handling. A list of third-party providers (subprocessors) used by the application is in Subprocessor disclosure.
