Business

Business Rules

User-management rules (signup, invite, login, role matrix, self-management restrictions) live in Authentication. This page covers workflow constraints on the data the app manages.

Treatment Workflow

Treatments start as draft
Only a DPO can validate (sets validated_by and validated_at) or invalidate back to draft
Admin or DPO can delete treatments
Admin, DPO, and editor can edit; auditors are read-only
Per-row actions on /register (edit, export PDF, mark reviewed, delete) use an in-app confirmation dialog (Radix), not browser window.confirm()

Checklist

One response per item (upsert on item_id)
Optional non-conformity reason when response is no
Tracks who responded and when

Violations

notified_to_cnil tracks 72-hour GDPR breach notification
notified_to_persons tracks data subject notification

Audit Logging

All mutations logged with old_value / new_value as JSONB
Hash-chained (HMAC over the previous row + current payload, keyed by AUDIT_HMAC_SECRET) for tamper evidence
Application-enforced append-only - DB-level INSERT-only role split is deferred

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Business

Business Rules

Treatment Workflow

Checklist

Violations

Audit Logging

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally