feat(sdk): VVT master libraries, process templates, Loeschfristen profiling + document

VVT: Master library tables (7 catalogs), 500+ seed entries, process templates
with instantiation, library API endpoints + 18 tests.
Loeschfristen: Baseline catalog, compliance checks, profiling engine, HTML document
generator, MkDocs documentation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend-compliance/migrations/067_vvt_process_templates_seed.sql

@@ -0,0 +1,305 @@
+-- Migration 067: VVT Process Templates Seed — 18 templates from vvt-baseline-catalog
+-- All content self-authored, MIT-compatible.
+
+BEGIN;
+
+INSERT INTO vvt_process_templates (id, name, description, business_function, purpose_refs, legal_basis_refs, data_subject_refs, data_category_refs, recipient_refs, tom_refs, retention_rule_ref, typical_systems, protection_level, dpia_required, risk_score, tags, sort_order) VALUES
+
+-- HR Templates
+('hr-mitarbeiterverwaltung',
+ 'Mitarbeiterverwaltung',
+ 'Verwaltung des Beschaeftigungsverhaeltnisses inkl. Personalakte, Urlaub, Krankmeldungen',
+ 'hr',
+ '["EMPLOYMENT_ADMIN", "PAYROLL"]',
+ '["BDSG_26", "ART6_1B"]',
+ '["EMPLOYEES"]',
+ '["NAME", "DOB", "ADDRESS", "CONTACT", "SOCIAL_SECURITY", "BANK_ACCOUNT", "EMPLOYMENT_DATA", "HEALTH_DATA"]',
+ '["INTERNAL_HR", "INTERNAL_FINANCE", "PROCESSOR_PAYROLL", "AUTHORITY_SOZIALVERSICHERUNG", "AUTHORITY_KRANKENKASSE"]',
+ '["AC_RBAC", "AC_NEED_TO_KNOW", "CONF_ENCRYPTION_REST", "CONF_ENCRYPTION_TRANSIT", "INT_AUDIT_LOG", "SEP_TENANT_ISOLATION"]',
+ 'HGB_257_10Y',
+ '["HR-Software", "Personalakte (digital)"]',
+ 'HIGH', TRUE, 3,
+ '["personal", "pflicht"]',
+ 1),
+
+('hr-gehaltsabrechnung',
+ 'Gehaltsabrechnung',
+ 'Monatliche Lohn- und Gehaltsabrechnung inkl. Steuer- und Sozialversicherungsmeldungen',
+ 'hr',
+ '["PAYROLL"]',
+ '["BDSG_26", "ART6_1C"]',
+ '["EMPLOYEES"]',
+ '["NAME", "ADDRESS", "SOCIAL_SECURITY", "TAX_ID", "BANK_ACCOUNT", "SALARY_DATA"]',
+ '["INTERNAL_HR", "INTERNAL_FINANCE", "PROCESSOR_PAYROLL", "AUTHORITY_FINANZAMT", "AUTHORITY_SOZIALVERSICHERUNG"]',
+ '["AC_RBAC", "AC_NEED_TO_KNOW", "CONF_ENCRYPTION_REST", "CONF_ENCRYPTION_TRANSIT", "INT_AUDIT_LOG", "INT_FOUR_EYES"]',
+ 'AO_147_10Y',
+ '["Lohnabrechnungssoftware", "DATEV"]',
+ 'HIGH', FALSE, 3,
+ '["personal", "finanzen", "pflicht"]',
+ 2),
+
+('hr-bewerbermanagement',
+ 'Bewerbermanagement',
+ 'Durchfuehrung von Bewerbungsverfahren vom Eingang bis zur Zu-/Absage',
+ 'hr',
+ '["RECRUITING"]',
+ '["BDSG_26", "ART6_1B"]',
+ '["APPLICANTS"]',
+ '["NAME", "DOB", "ADDRESS", "CONTACT", "EDUCATION_DATA", "PHOTO_VIDEO"]',
+ '["INTERNAL_HR", "INTERNAL_MANAGEMENT"]',
+ '["AC_RBAC", "AC_NEED_TO_KNOW", "CONF_ENCRYPTION_REST", "CONF_NDA"]',
+ 'AGG_15_6M',
+ '["Bewerbermanagement-Software", "E-Mail"]',
+ 'MEDIUM', FALSE, 2,
+ '["personal", "recruiting"]',
+ 3),
+
+('hr-zeiterfassung',
+ 'Zeiterfassung',
+ 'Erfassung und Verwaltung von Arbeitszeiten gemaess ArbZG',
+ 'hr',
+ '["TIME_TRACKING"]',
+ '["ART6_1C", "BDSG_26"]',
+ '["EMPLOYEES"]',
+ '["NAME", "EMPLOYMENT_DATA"]',
+ '["INTERNAL_HR", "INTERNAL_MANAGEMENT"]',
+ '["AC_RBAC", "INT_AUDIT_LOG", "CONF_ENCRYPTION_TRANSIT"]',
+ 'ARBZG_16_2Y',
+ '["Zeiterfassungssystem", "Stempeluhr"]',
+ 'LOW', FALSE, 1,
+ '["personal", "pflicht"]',
+ 4),
+
+-- Finance Templates
+('finance-buchhaltung',
+ 'Buchhaltung',
+ 'Fuehrung der Handelsbuecher und steuerrechtliche Dokumentation',
+ 'finance',
+ '["ACCOUNTING", "INVOICING"]',
+ '["ART6_1C", "ART6_1B"]',
+ '["CUSTOMERS", "SUPPLIERS", "EMPLOYEES"]',
+ '["NAME", "ADDRESS", "CONTACT", "BANK_ACCOUNT", "PAYMENT_DATA", "CONTRACT_DATA", "TAX_ID"]',
+ '["INTERNAL_FINANCE", "AUTHORITY_FINANZAMT", "PROCESSOR_HOSTING"]',
+ '["AC_RBAC", "INT_AUDIT_LOG", "INT_FOUR_EYES", "CONF_ENCRYPTION_REST", "AVAIL_BACKUP"]',
+ 'HGB_257_10Y',
+ '["Buchhaltungssoftware", "DATEV", "ERP-System"]',
+ 'HIGH', FALSE, 2,
+ '["finanzen", "pflicht"]',
+ 5),
+
+('finance-zahlungsverkehr',
+ 'Zahlungsverkehr',
+ 'Verarbeitung und Abwicklung von ein- und ausgehenden Zahlungen',
+ 'finance',
+ '["PAYMENT_PROCESSING"]',
+ '["ART6_1B", "ART6_1C"]',
+ '["CUSTOMERS", "SUPPLIERS"]',
+ '["NAME", "BANK_ACCOUNT", "PAYMENT_DATA", "CONTRACT_DATA"]',
+ '["INTERNAL_FINANCE", "PROCESSOR_HOSTING"]',
+ '["AC_RBAC", "AC_MFA", "CONF_ENCRYPTION_REST", "CONF_ENCRYPTION_TRANSIT", "INT_AUDIT_LOG"]',
+ 'HGB_257_10Y',
+ '["Online-Banking", "Payment-Gateway"]',
+ 'HIGH', FALSE, 3,
+ '["finanzen"]',
+ 6),
+
+-- Sales/CRM Templates
+('sales-kundenverwaltung',
+ 'Kundenverwaltung',
+ 'Verwaltung und Pflege der Kundenbeziehungen im CRM-System',
+ 'sales_crm',
+ '["CRM"]',
+ '["ART6_1B", "ART6_1F"]',
+ '["CUSTOMERS", "PROSPECTIVE_CUSTOMERS"]',
+ '["NAME", "ADDRESS", "CONTACT", "CONTRACT_DATA", "COMMUNICATION_DATA"]',
+ '["INTERNAL_MARKETING", "INTERNAL_SUPPORT", "PROCESSOR_HOSTING"]',
+ '["AC_RBAC", "CONF_ENCRYPTION_REST", "CONF_ENCRYPTION_TRANSIT", "INT_AUDIT_LOG", "SEP_TENANT_ISOLATION"]',
+ 'BGB_195_3Y',
+ '["CRM-System", "E-Mail-Client"]',
+ 'MEDIUM', FALSE, 2,
+ '["vertrieb", "kunden"]',
+ 7),
+
+('sales-vertriebssteuerung',
+ 'Vertriebssteuerung',
+ 'Vertriebsanalysen, Forecasting und Berichterstattung',
+ 'sales_crm',
+ '["SALES_REPORTING"]',
+ '["ART6_1F"]',
+ '["CUSTOMERS", "PROSPECTIVE_CUSTOMERS"]',
+ '["NAME", "CONTACT", "CONTRACT_DATA"]',
+ '["INTERNAL_MANAGEMENT", "INTERNAL_MARKETING"]',
+ '["AC_RBAC", "AC_NEED_TO_KNOW", "CONF_PSEUDONYMIZATION"]',
+ 'BGB_195_3Y',
+ '["CRM-System", "BI-Tool"]',
+ 'LOW', FALSE, 1,
+ '["vertrieb", "reporting"]',
+ 8),
+
+-- Marketing Templates
+('marketing-newsletter',
+ 'Newsletter-Versand',
+ 'Versand von Newslettern und Werbemails an Abonnenten',
+ 'marketing',
+ '["DIRECT_MARKETING"]',
+ '["ART6_1A", "UWG_7"]',
+ '["NEWSLETTER_SUBSCRIBERS", "CUSTOMERS"]',
+ '["NAME", "CONTACT", "USAGE_DATA"]',
+ '["INTERNAL_MARKETING", "PROCESSOR_EMAIL"]',
+ '["AC_RBAC", "CONF_ENCRYPTION_TRANSIT", "SEP_DATA_SEPARATION"]',
+ 'CONSENT_REVOKE',
+ '["Newsletter-Tool", "E-Mail-Marketing-Plattform"]',
+ 'LOW', FALSE, 1,
+ '["marketing", "einwilligung"]',
+ 9),
+
+('marketing-website-analytics',
+ 'Website-Analyse',
+ 'Analyse des Nutzerverhaltens auf der Unternehmenswebsite',
+ 'marketing',
+ '["WEBSITE_ANALYTICS"]',
+ '["ART6_1A"]',
+ '["WEBSITE_USERS"]',
+ '["IP_ADDRESS", "DEVICE_ID", "USAGE_DATA"]',
+ '["INTERNAL_MARKETING", "PROCESSOR_ANALYTICS"]',
+ '["CONF_PSEUDONYMIZATION", "CONF_ENCRYPTION_TRANSIT", "SEP_DATA_SEPARATION"]',
+ 'CUSTOM_14M',
+ '["Web-Analytics-Tool", "Tag-Manager"]',
+ 'LOW', FALSE, 1,
+ '["marketing", "einwilligung", "tracking"]',
+ 10),
+
+('marketing-social-media',
+ 'Social-Media-Marketing',
+ 'Betrieb und Verwaltung von Social-Media-Praesenzen',
+ 'marketing',
+ '["SOCIAL_MEDIA"]',
+ '["ART6_1A", "ART6_1F"]',
+ '["WEBSITE_USERS", "CUSTOMERS"]',
+ '["NAME", "CONTACT", "USAGE_DATA", "PHOTO_VIDEO"]',
+ '["INTERNAL_MARKETING", "PROCESSOR_ANALYTICS"]',
+ '["AC_RBAC", "CONF_ENCRYPTION_TRANSIT"]',
+ 'PURPOSE_END',
+ '["Social-Media-Plattformen", "Social-Media-Management-Tool"]',
+ 'LOW', FALSE, 1,
+ '["marketing", "social-media"]',
+ 11),
+
+-- Support Templates
+('support-ticketsystem',
+ 'Ticketsystem / Kundenservice',
+ 'Bearbeitung von Kundenanfragen ueber das Ticketsystem',
+ 'support',
+ '["CUSTOMER_SUPPORT"]',
+ '["ART6_1B"]',
+ '["CUSTOMERS"]',
+ '["NAME", "CONTACT", "COMMUNICATION_DATA", "CONTRACT_DATA"]',
+ '["INTERNAL_SUPPORT", "PROCESSOR_HELPDESK"]',
+ '["AC_RBAC", "CONF_ENCRYPTION_TRANSIT", "INT_AUDIT_LOG"]',
+ 'BGB_195_3Y',
+ '["Ticketsystem", "Help-Desk-Software"]',
+ 'MEDIUM', FALSE, 1,
+ '["support", "kunden"]',
+ 12),
+
+-- IT Templates
+('it-systemadministration',
+ 'IT-Systemadministration',
+ 'Verwaltung der IT-Infrastruktur, Benutzerkonten und Berechtigungen',
+ 'it_operations',
+ '["IT_ADMIN"]',
+ '["ART6_1F", "ART6_1B"]',
+ '["EMPLOYEES"]',
+ '["NAME", "LOGIN_DATA", "IP_ADDRESS", "DEVICE_ID"]',
+ '["INTERNAL_IT", "PROCESSOR_HOSTING"]',
+ '["AC_RBAC", "AC_MFA", "AC_PAM", "CONF_ENCRYPTION_REST", "CONF_ENCRYPTION_TRANSIT", "INT_AUDIT_LOG", "SEP_NETWORK_SEG", "SEP_ENV_SEPARATION"]',
+ 'CUSTOM_90D',
+ '["Active Directory", "LDAP", "IT-Management-Tool"]',
+ 'HIGH', FALSE, 2,
+ '["it", "infrastruktur"]',
+ 13),
+
+('it-backup',
+ 'Datensicherung und Recovery',
+ 'Regelmaessige Backups und Wiederherstellungsverfahren',
+ 'it_operations',
+ '["BACKUP_RECOVERY"]',
+ '["ART6_1F"]',
+ '["EMPLOYEES", "CUSTOMERS"]',
+ '["NAME", "ADDRESS", "CONTACT", "CONTRACT_DATA", "LOGIN_DATA"]',
+ '["INTERNAL_IT", "PROCESSOR_HOSTING"]',
+ '["AVAIL_BACKUP", "AVAIL_321_RULE", "AVAIL_REDUNDANCY", "CONF_ENCRYPTION_REST", "INT_CHECKSUMS"]',
+ 'CUSTOM_90D',
+ '["Backup-Software", "Cloud-Backup", "NAS"]',
+ 'HIGH', FALSE, 2,
+ '["it", "verfuegbarkeit"]',
+ 14),
+
+('it-logging',
+ 'Logging und Sicherheitsueberwachung',
+ 'Protokollierung von System- und Sicherheitsereignissen',
+ 'it_operations',
+ '["SECURITY_MONITORING"]',
+ '["ART6_1F"]',
+ '["EMPLOYEES", "CUSTOMERS", "WEBSITE_USERS"]',
+ '["IP_ADDRESS", "LOGIN_DATA", "USAGE_DATA", "DEVICE_ID"]',
+ '["INTERNAL_IT"]',
+ '["CONF_ENCRYPTION_REST", "INT_AUDIT_LOG", "INT_CHECKSUMS", "AVAIL_MONITORING", "SEP_DATA_SEPARATION"]',
+ 'CUSTOM_90D',
+ '["SIEM-System", "Log-Management", "Monitoring-Tool"]',
+ 'MEDIUM', FALSE, 2,
+ '["it", "sicherheit"]',
+ 15),
+
+('it-iam',
+ 'Identitaets- und Zugriffsmanagement',
+ 'Verwaltung von Benutzeridentitaeten, Rollen und Berechtigungen',
+ 'it_operations',
+ '["IAM"]',
+ '["ART6_1F", "BDSG_26"]',
+ '["EMPLOYEES"]',
+ '["NAME", "LOGIN_DATA", "EMPLOYMENT_DATA"]',
+ '["INTERNAL_IT", "INTERNAL_HR"]',
+ '["AC_RBAC", "AC_MFA", "AC_PAM", "AC_NEED_TO_KNOW", "INT_AUDIT_LOG", "CONF_ENCRYPTION_REST"]',
+ 'AGG_15_6M',
+ '["IAM-System", "SSO-Provider", "Active Directory"]',
+ 'HIGH', FALSE, 2,
+ '["it", "sicherheit", "zugriffskontrolle"]',
+ 16),
+
+-- Other Templates
+('other-videokonferenz',
+ 'Videokonferenz',
+ 'Durchfuehrung von Online-Meetings und Videokonferenzen',
+ 'other',
+ '["VIDEO_CONFERENCING"]',
+ '["ART6_1B", "ART6_1F"]',
+ '["EMPLOYEES", "CUSTOMERS", "BUSINESS_PARTNERS"]',
+ '["NAME", "CONTACT", "PHOTO_VIDEO", "IP_ADDRESS"]',
+ '["INTERNAL_IT", "PROCESSOR_HOSTING"]',
+ '["CONF_ENCRYPTION_TRANSIT", "AC_RBAC"]',
+ 'PURPOSE_END',
+ '["Videokonferenz-Tool", "Webinar-Plattform"]',
+ 'LOW', FALSE, 1,
+ '["kommunikation"]',
+ 17),
+
+('other-besuchermanagement',
+ 'Besuchermanagement',
+ 'Erfassung und Verwaltung von Betriebsbesuchern',
+ 'other',
+ '["VISITOR_MANAGEMENT"]',
+ '["ART6_1F"]',
+ '["VISITORS"]',
+ '["NAME", "CONTACT", "PHOTO_VIDEO"]',
+ '["INTERNAL_MANAGEMENT"]',
+ '["AC_RBAC", "CONF_ENCRYPTION_REST"]',
+ 'CUSTOM_30D',
+ '["Besuchermanagement-System", "Empfangsterminal"]',
+ 'LOW', FALSE, 1,
+ '["sonstiges", "besucher"]',
+ 18)
+
+ON CONFLICT (id) DO NOTHING;
+
+COMMIT;