Compliance Scaffold - UK / EU / US
This template ships the wiring buyers need to operate an internal admin dashboard under UK GDPR, EU GDPR, US state privacy laws, and adjacent rules. It is not legal advice, and the buyer remains the compliant party.
What Ships
| Area | Where | Included scaffold |
|---|---|---|
| Legal pages | /privacy, /terms, /cookie-policy, /accessibility, /dmca, /do-not-sell | Structurally complete starter copy, region-aware US pages, GDPR rights enumeration. |
| Footer | src/components/landing/footer.tsx | Registered legal entity block and region-aware legal links from SITE_CONFIG.legalEntity. |
| Cookie consent | src/components/ui/cookie-consent.tsx | Accept all and Reject all parity, client GPC detection, and server-side consent mirroring. |
| Server GPC | src/proxy.ts, src/lib/compliance/consent.ts | Sec-GPC: 1 is honoured before route handlers run. |
| DSAR export | POST /api/account/export | Authenticated JSON export of user-owned personal data, including audit trail and webhook records. |
| Erasure | POST /api/account/delete | Immediate PII anonymisation, session revocation, 30-day grace window, scheduled hard delete, optional deletion webhook. |
| Audit log | Initial migration | Admin actions, authentication events, data exports, consent changes, and deletion milestones are recorded. |
| Data-at-rest pattern | WEBHOOK_ENCRYPTION_KEY | User webhook secrets are encrypted separately from JWT signing keys. |
| Payment posture | Source tree | TL02 does not process card data or ship checkout code. Buyers adding money movement must complete their own provider, tax, refund, and PCI review. |
Buyer Responsibilities
- Replace scaffold legal copy with wording for the real organisation, data flows, retention windows, and sub-processors.
- Sign DPAs with every hosted service provider.
- Complete a DPIA for high-risk processing.
- Appoint a DPO where required.
- Complete UK ICO registration where required.
- Configure moderation and reporting processes if user-generated content is added later.
- Keep evidence of DSAR, erasure, consent, and security events.
Pre-launch Checklist
- Fill
SITE_CONFIG.legalEntitywith company name, company number, registration place, registered address, jurisdiction, and VAT number where applicable. - Set
SITE_CONFIG.regionsto the regions the buyer actually serves. - Fill
SITE_CONFIG.compliance.dmca.*ifregions.usis enabled. - Set
SITE_CONFIG.compliance.modernSlaveryStatementUrlif required. - Replace
SITE_CONFIG.contact.privacywith a monitored mailbox. - Bump
SITE_CONFIG.legalEffectiveDateto the launch date. - Review every legal page and this file with counsel.
- Configure a daily job for
pnpm db:cleanup. - Set
DELETION_WEBHOOK_URLif external tools need erasure notices. - Set
WEBHOOK_ENCRYPTION_KEYin production. - Review
SITE_CONFIG.compliance.auditLogRetentionDaysandSITE_CONFIG.compliance.deletionGraceDays.
Subject-rights Runbook
- Access request: ask the user to run the data export from Settings -> Privacy, or
call
POST /api/account/exportusing their authenticated session. - Erasure request: ask the user to submit account deletion from settings, or
call
POST /api/account/deleteusing their authenticated session. - Rectification: update the incorrect row and add an audit-log note.
- Restriction or objection: disable the relevant notification preference or deactivate the account while the request is assessed.
Auditor Queries
sql
-- Outstanding deletion requests
SELECT id, deleted_at, deleted_at + INTERVAL '30 days' AS hard_delete_at
FROM users
WHERE deleted_at IS NOT NULL
ORDER BY deleted_at;
-- Recent consent changes
SELECT user_id, action, details, created_at
FROM audit_log
WHERE action = 'consent.updated'
ORDER BY created_at DESC
LIMIT 50;
-- DSAR requests in the last 90 days
SELECT user_id, created_at
FROM audit_log
WHERE action = 'data_export.requested'
AND created_at > NOW() - INTERVAL '90 days'
ORDER BY created_at DESC;
Last reviewed against: UK GDPR, EU GDPR, UK PECR, UK Companies Act, UK Data (Use and Access) Act, CCPA/CPRA, US state privacy laws, ADA Title III, DMCA, and the EU Accessibility Act.
See Template Empire's compliance standards for how every kit is held to — and audited against — these requirements.