Web application for managing a GDPR/RGPD processing activities register (Article 30).
The data model is Article 30 turned into code - a typed schema, DPO validation workflow, tamper-evident audit log, and structured links between the register and the operational surfaces (DSR intake, vendor DPAs, breach log, DPIA screening) that exercise it. See Project overview for the full framing and Article 30 mapping.
- Processing Register - Create, import, edit, validate, and export GDPR Article 30 treatment records
- DSR Management - Intake and track Data Subject Requests with deadlines
- Violation Tracking - Log data breaches with severity, CNIL notification status, and remediation
- Vendor Register - Manage processors/sub-processors with DPA status and risk assessments
- Per-treatment checklist - Guided screening on a single treatment yielding a compliance verdict
- Governance posture - Organization-wide self-assessment across breach, governance, transfers and records
- Regulatory Watch - Ingest RSS feeds (CNIL, EDPB by default) and track regulatory updates
- Document Library - Upload policies, DPAs, and evidence to S3-compatible storage (presigned URLs)
- Alerts - Surface upcoming deadlines (DSR response, treatment reviews, notifications)
- Regulation Reference - Browse GDPR recitals and articles in 5 languages (FR, EN, ES, DE, IT)
- Glossary - 86 RGPD acronyms, concepts, roles, processes, and adjacent compliance frameworks
- Audit Log - Tamper-evident hash-chained trail of every mutation with old/new values
- User Management - Invite-only auth with role-based access (5 roles)
- Organization Settings - Company, representative, and DPO information
- Bilingual UI - French and English (per-browser preference, cross-tab sync)
git clone git@github.com:ipsec-dev/Article30.git
cd article30
cp .env.prod.example .env.prod
# Edit .env.prod
docker compose --env-file .env.prod up -d
docker compose --env-file .env.prod --profile admin run --rm -e ALLOW_SEED=1 backend-tools seed # first run onlyReclaim disk after seeding.
backend-toolsis ~1.25 GB and only needed for one-off admin scripts (seed, password reset, backfills). If you don't anticipate needing it, you can remove it; Docker will re-pull it next time youcompose run backend-tools.docker image rm ghcr.io/ipsec-dev/article30/backend-tools:${ARTICLE30_VERSION:-latest}
| Service | URL |
|---|---|
| Frontend | http://localhost:3000 |
| Backend API | http://localhost:3001 |
For more details on the production setup, see Production.
git clone git@github.com:ipsec-dev/Article30.git
cd article30
pnpm install
cp .env.dev.example .env.dev
ln -s ../.env.dev backend/.env # so Prisma & Nest find env vars from backend/
docker compose -f docker-compose.yml -f build/dev.compose.yml --env-file .env.dev up -d postgres redis rustfs mailpit
pnpm db:migrate && pnpm seed
pnpm dev| Service | URL |
|---|---|
| Frontend | http://localhost:3000 |
| Backend API | http://localhost:3001 |
| Swagger docs | http://localhost:3001/api/docs |
| RustFS console | http://localhost:9001 |
| MailPit inbox | http://localhost:8025 |
The first user to sign up automatically gets the Admin role.
For an explained walkthrough of each step, see Local Development.
| Layer | Technology |
|---|---|
| Monorepo | pnpm workspaces |
| Backend | NestJS (TypeScript) |
| Frontend | Next.js (App Router) |
| Database | PostgreSQL 18 |
| ORM | Prisma |
| Sessions | Redis 8 |
| Object store | RustFS |
| API | REST + OpenAPI (generated client) |
| UI | Tailwind CSS + shadcn/ui |
| Deployment | Docker Compose (per-service images) |
- Home - project overview + GDPR Article 30 mapping
- Development - manual setup, dockerized-dev alternative, seed data, project structure
- Production - required hardening, known gaps, password recovery
- Authentication - signup, invite, login, forgotten-password (SMTP-on/off), role/permission matrix
- Business - workflow constraints, audit logging
- Logging - JSON format, request correlation, redaction, env knobs
- Contributing - Dependabot rhythm, Conventional Commits, release-please flow