Skip to main content
Skip to content

Last updated on 4 June 2026

Compliance Scaffold - UK / EU / US

This template ships the wiring buyers need to operate an internal admin dashboard under UK GDPR, EU GDPR, US state privacy laws, and adjacent rules. It is not legal advice, and the buyer remains the compliant party.

What Ships

AreaWhereIncluded scaffold
Legal pages/privacy, /terms, /cookie-policy, /accessibility, /dmca, /do-not-sellStructurally complete starter copy, region-aware US pages, GDPR rights enumeration.
Footersrc/components/landing/footer.tsxRegistered legal entity block and region-aware legal links from SITE_CONFIG.legalEntity.
Cookie consentsrc/components/ui/cookie-consent.tsxAccept all and Reject all parity, client GPC detection, and server-side consent mirroring.
Server GPCsrc/proxy.ts, src/lib/compliance/consent.tsSec-GPC: 1 is honoured before route handlers run.
DSAR exportPOST /api/account/exportAuthenticated JSON export of user-owned personal data, including audit trail and webhook records.
ErasurePOST /api/account/deleteImmediate PII anonymisation, session revocation, 30-day grace window, scheduled hard delete, optional deletion webhook.
Audit logInitial migrationAdmin actions, authentication events, data exports, consent changes, and deletion milestones are recorded.
Data-at-rest patternWEBHOOK_ENCRYPTION_KEYUser webhook secrets are encrypted separately from JWT signing keys.
Payment postureSource treeTL02 does not process card data or ship checkout code. Buyers adding money movement must complete their own provider, tax, refund, and PCI review.

Buyer Responsibilities

  • Replace scaffold legal copy with wording for the real organisation, data flows, retention windows, and sub-processors.
  • Sign DPAs with every hosted service provider.
  • Complete a DPIA for high-risk processing.
  • Appoint a DPO where required.
  • Complete UK ICO registration where required.
  • Configure moderation and reporting processes if user-generated content is added later.
  • Keep evidence of DSAR, erasure, consent, and security events.

Pre-launch Checklist

  1. Fill SITE_CONFIG.legalEntity with company name, company number, registration place, registered address, jurisdiction, and VAT number where applicable.
  2. Set SITE_CONFIG.regions to the regions the buyer actually serves.
  3. Fill SITE_CONFIG.compliance.dmca.* if regions.us is enabled.
  4. Set SITE_CONFIG.compliance.modernSlaveryStatementUrl if required.
  5. Replace SITE_CONFIG.contact.privacy with a monitored mailbox.
  6. Bump SITE_CONFIG.legalEffectiveDate to the launch date.
  7. Review every legal page and this file with counsel.
  8. Configure a daily job for pnpm db:cleanup.
  9. Set DELETION_WEBHOOK_URL if external tools need erasure notices.
  10. Set WEBHOOK_ENCRYPTION_KEY in production.
  11. Review SITE_CONFIG.compliance.auditLogRetentionDays and SITE_CONFIG.compliance.deletionGraceDays.

Subject-rights Runbook

  • Access request: ask the user to run the data export from Settings -> Privacy, or call POST /api/account/export using their authenticated session.
  • Erasure request: ask the user to submit account deletion from settings, or call POST /api/account/delete using their authenticated session.
  • Rectification: update the incorrect row and add an audit-log note.
  • Restriction or objection: disable the relevant notification preference or deactivate the account while the request is assessed.

Auditor Queries

sql
-- Outstanding deletion requests
SELECT id, deleted_at, deleted_at + INTERVAL '30 days' AS hard_delete_at
FROM users
WHERE deleted_at IS NOT NULL
ORDER BY deleted_at;

-- Recent consent changes
SELECT user_id, action, details, created_at
FROM audit_log
WHERE action = 'consent.updated'
ORDER BY created_at DESC
LIMIT 50;

-- DSAR requests in the last 90 days
SELECT user_id, created_at
FROM audit_log
WHERE action = 'data_export.requested'
  AND created_at > NOW() - INTERVAL '90 days'
ORDER BY created_at DESC;

Last reviewed against: UK GDPR, EU GDPR, UK PECR, UK Companies Act, UK Data (Use and Access) Act, CCPA/CPRA, US state privacy laws, ADA Title III, DMCA, and the EU Accessibility Act.


See Template Empire's compliance standards for how every kit is held to — and audited against — these requirements.