DSAR runbook¶
Access / portability¶
- Admin authenticates with MFA (if required).
GET /api/admin/dsar/patients/{id}/export— JSON bundle.- Log action:
dsar.exportin audit trail.
Erasure¶
- Confirm legal basis and tenant authorization.
POST /api/admin/dsar/patients/{id}/erase— cascades DB + files.- Checklist:
- [ ] Patient row and documents
- [ ] DICOM studies and storage paths
- [ ] Predictions and jobs
- [ ] Backups (note: may retain until rotation — document in response)
- [ ] Chroma/RAG index entries
- [ ] SIEM copies (customer responsibility)
Response SLA¶
Target: 30 calendar days (GDPR Art. 12); expedite for HIPAA where BAA applies.