Add DSGVO-required audit logging for all data access and mutation routes #16

Open
opened 2026-04-20 09:36:29 +00:00 by sharang · 0 comments
Owner

Problem

DSGVO Articles 5(2), 17, and 20 require a demonstrable audit trail of who accessed or modified personal data and when. This is currently absent:

  • company_profile_routes.py — DELETE has no audit log
  • dsr_routes.py — DSR request handling (Art. 17 deletion, Art. 20 portability) is not logged
  • Compliance control changes, evidence uploads, and VVT modifications are unlogged

As a DSGVO compliance platform, this is a fundamental requirement — and an embarrassing gap.

Required Actions

  1. Create compliance/services/audit_service.py with an AuditLogger that writes to a dedicated compliance_audit_log table (append-only, no deletes)
  2. Required fields: tenant_id, user_id, action, resource_type, resource_id, legal_basis, timestamp, ip_address
  3. Wire AuditLogger into every route that:
    • Reads personal data (Art. 15 — access)
    • Modifies personal data (Art. 16 — rectification)
    • Deletes personal data (Art. 17 — erasure)
    • Exports personal data (Art. 20 — portability)
  4. The audit log table must be immutable: no UPDATE or DELETE permitted, only INSERT
  5. Expose a GET /api/v1/audit-log endpoint for compliance officers to retrieve the trail (itself audited)

Acceptance Criteria

  • Every DSR request handling event appears in compliance_audit_log
  • Company profile deletion generates an audit entry with action=delete, legal_basis, user_id
  • Depends on: #15 (structlog), #4 (JWT middleware for user_id)
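The AuditLogger, append-only table and self-auditing trail read described in this issue, as an added example that is not the project's own code: it uses an in-memory SQLite database (constructed here) and enforces immutability at the database level with triggers that abort any UPDATE or DELETE, so the guarantee does not depend on application code staying correct. The table and column names follow the issue's field list; the `legal_basis` values, tenant ids, user ids and IP addresses are constructed sample data, and the project's real database, structlog (#15) and JWT user extraction (#4) are assumed to be wired in elsewhere.

```python
import sqlite3
from datetime import datetime, timezone

# Field list from the issue, in the order used for INSERT and SELECT.
REQUIRED_FIELDS = ("tenant_id", "user_id", "action", "resource_type",
                   "resource_id", "legal_basis", "timestamp", "ip_address")

SCHEMA = """
CREATE TABLE IF NOT EXISTS compliance_audit_log (
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    tenant_id     TEXT NOT NULL,
    user_id       TEXT NOT NULL,
    action        TEXT NOT NULL,
    resource_type TEXT NOT NULL,
    resource_id   TEXT NOT NULL,
    legal_basis   TEXT NOT NULL,
    timestamp     TEXT NOT NULL,
    ip_address    TEXT NOT NULL
);
-- Append-only enforcement: any UPDATE or DELETE is refused by the database
-- itself, so a bug or a misused DB connection cannot rewrite history.
CREATE TRIGGER IF NOT EXISTS audit_no_update BEFORE UPDATE ON compliance_audit_log
BEGIN SELECT RAISE(ABORT, 'compliance_audit_log is append-only'); END;
CREATE TRIGGER IF NOT EXISTS audit_no_delete BEFORE DELETE ON compliance_audit_log
BEGIN SELECT RAISE(ABORT, 'compliance_audit_log is append-only'); END;
"""


class AuditLogger:
    """Writes one row per personal-data access/mutation; never edits or removes rows."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.executescript(SCHEMA)

    def record(self, *, tenant_id, user_id, action, resource_type,
               resource_id, legal_basis, ip_address) -> int:
        values = (tenant_id, user_id, action, resource_type,
                  resource_id, legal_basis,
                  datetime.now(timezone.utc).isoformat(), ip_address)
        # Every required field must be present and non-empty (issue item 2).
        if any(v is None or v == "" for v in values):
            raise ValueError("all audit fields are required")
        cur = self.conn.execute(
            "INSERT INTO compliance_audit_log (%s) VALUES (%s)"
            % (", ".join(REQUIRED_FIELDS), ", ".join("?" * len(REQUIRED_FIELDS))),
            values)
        self.conn.commit()
        return cur.lastrowid

    def trail(self, tenant_id, *, reader_user_id, reader_ip, limit=100) -> list:
        """Return the tenant's trail; the read itself is logged first (issue item 5)."""
        self.record(tenant_id=tenant_id, user_id=reader_user_id, action="read",
                    resource_type="audit_log", resource_id="*",
                    legal_basis="Art. 5(2) accountability",  # constructed value
                    ip_address=reader_ip)
        rows = self.conn.execute(
            "SELECT %s FROM compliance_audit_log WHERE tenant_id = ? "
            "ORDER BY id LIMIT ?" % ", ".join(REQUIRED_FIELDS),
            (tenant_id, limit)).fetchall()
        return [dict(zip(REQUIRED_FIELDS, r)) for r in rows]


def tamper_is_rejected(conn: sqlite3.Connection) -> bool:
    """Probe that UPDATE and DELETE against the log are both refused by the triggers."""
    for stmt in ("UPDATE compliance_audit_log SET action = 'read'",
                 "DELETE FROM compliance_audit_log"):
        try:
            conn.execute(stmt)
            conn.commit()
            return False  # a mutation went through: immutability is broken
        except sqlite3.DatabaseError:
            pass  # RAISE(ABORT) surfaces as a constraint error
    return True


def run_demo() -> dict:
    """Simulate a company-profile deletion, a DSR export, a tamper attempt and a trail read."""
    conn = sqlite3.connect(":memory:")
    log = AuditLogger(conn)
    first = log.record(tenant_id="acme", user_id="u-7", action="delete",
                       resource_type="company_profile", resource_id="cp-42",
                       legal_basis="Art. 17", ip_address="203.0.113.7")
    second = log.record(tenant_id="acme", user_id="u-7", action="export",
                        resource_type="dsr_request", resource_id="dsr-9",
                        legal_basis="Art. 20", ip_address="203.0.113.7")
    rejected = tamper_is_rejected(conn)
    rows = log.trail("acme", reader_user_id="dpo-1", reader_ip="203.0.113.8")
    return {"ids": [first, second], "tamper_rejected": rejected, "trail": rows}


if __name__ == "__main__":
    for row in run_demo()["trail"]:
        print(row)
```

The triggers are the part worth carrying over to whatever database the project uses: restricting the application's DB role to INSERT and SELECT on this table is the complementary control, since triggers protect against mistakes while role grants protect against a compromised application credential.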
sharang added this to the M3: Observability & Audit Logging milestone 2026-04-20 09:36:29 +00:00
sharang added the security, severity: high, observability labels 2026-04-20 09:36:29 +00:00