DSR Architecture
Qarion's Data Subject Request (DSR) system handles GDPR data export (Right to Access) and erasure (Right to be Forgotten) across all platform entities.
Processing Flow
Data Export Service
DataExportService collects all personal data associated with a user across platform entities:
| Entity | Data Collected |
|---|---|
| User profile | Name, email, preferences |
| Comments | All authored comments |
| Audit logs | Actions as actor |
| Access requests | Request history |
| Quality checks | Attributions |
| Meeting records | Participation records |
The export is assembled into a structured JSON or CSV archive.
Erasure Service
ErasureService performs cross-table anonymization:
- Dry-run — Preview affected record counts by category
- Execute — Requires explicit confirm_irreversible: true
- Anonymize — Replace PII with anonymized placeholders while preserving referential integrity
- Audit — Log the erasure event with before/after counts
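An added sketch of the dry-run, confirmation, anonymize and audit steps listed above, using an in-memory SQLite database. It is not Qarion's ErasureService code; the table names, column names, placeholder format and function names are assumptions made for illustration.

```python
import json
import sqlite3

# Hypothetical schema map: table -> (user-id column, PII columns to overwrite).
PII_MAP = {"users": ("id", ("name", "email")),
           "comments": ("author_id", ("author_name",))}

def make_demo_db():
    """Constructed sample rows, not real records."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY,
            author_id INTEGER REFERENCES users(id), author_name TEXT, body TEXT);
        CREATE TABLE audit_log (event TEXT, user_id INTEGER, detail TEXT);
        INSERT INTO users VALUES (1, 'Ada Example', 'ada@example.test'),
                                 (2, 'Bob Example', 'bob@example.test');
        INSERT INTO comments VALUES (10, 1, 'Ada Example', 'first'),
                                    (11, 1, 'Ada Example', 'second'),
                                    (12, 2, 'Bob Example', 'other');
    """)
    return db

def dry_run(db, user_id):
    """Preview: rows per table that still hold un-anonymized PII."""
    marker = f"erased-user-{user_id}"
    counts = {}
    for table, (key, cols) in PII_MAP.items():  # identifiers come from PII_MAP only
        sql = f"SELECT COUNT(*) FROM {table} WHERE {key} = ? AND {cols[0]} != ?"
        counts[table] = db.execute(sql, (user_id, marker)).fetchone()[0]
    return counts

def execute(db, user_id, confirm_irreversible=False):
    """Anonymize in one transaction; rows and keys stay, only PII values change."""
    if confirm_irreversible is not True:  # reject truthy strings such as "yes"
        raise PermissionError("erasure requires confirm_irreversible: true")
    marker = f"erased-user-{user_id}"
    before = dry_run(db, user_id)
    with db:  # commit on success, roll back every table on any error
        for table, (key, cols) in PII_MAP.items():
            assignments = ", ".join(f"{c} = ?" for c in cols)
            db.execute(f"UPDATE {table} SET {assignments} WHERE {key} = ?",
                       [marker] * len(cols) + [user_id])
        after = dry_run(db, user_id)
        db.execute("INSERT INTO audit_log VALUES (?, ?, ?)", ("dsr_erasure",
                   user_id, json.dumps({"before": before, "after": after})))
    return before, after
```

Because the user row and the comments' author_id values are kept, joins between the tables still resolve after erasure, and the audit row records only counts, not the erased values.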
OpenDSR Integration
The OpenDSR API (/opendsr/) provides a standards-compliant interface:
- Automatically creates DQTicket entries with DSR-specific metadata
- Supports custom DSR types linked to governance workflows
- DSR tickets flow through the standard issue resolution lifecycle
Key Files
| File | Purpose |
|---|---|
| app/services/dsr/data_export_service.py | Personal data collection |
| app/services/dsr/erasure_service.py | Cross-table anonymization |
| app/api/endpoints/dsr.py | Admin DSR endpoints |
| app/api/endpoints/opendsr.py | OpenDSR-compliant API |
| app/schemas/opendsr.py | Request/response schemas |