GDPR Compliance - Anchora Documentation

Overview

Anchora is designed to help you maintain GDPR compliance while leveraging blockchain technology for data integrity. This guide explains how Anchora handles personal data and provides tools to meet your regulatory obligations.

Disclaimer: This guide provides technical information about Anchora's GDPR-friendly features. It does not constitute legal advice. Consult with legal counsel for compliance decisions.

GDPR Key Concepts

Understanding these GDPR concepts is essential when using Anchora:

Concept	Description	Anchora Support
Right to Erasure	Users can request deletion of personal data	Soft/hard delete, data separation
Data Portability	Users can export their data	Record search and retrieval APIs
Data Minimization	Collect only necessary data	Hash-only mode available
Storage Limitation	Retain data only as long as needed	Soft/hard/crypto delete modes

Data Architecture for GDPR

Anchora uses a separation of concerns architecture that allows you to delete personal data while maintaining proof of integrity.

The Hash-Only Approach

Instead of storing personal data with Anchora, store only the cryptographic hash. This approach provides:

Blockchain proof that data existed at a specific time
No personal data stored on our servers or the blockchain
Full ability to delete the source data on your systems

Hash-only anchoring (GDPR-safe)

const crypto = require('crypto');

// Hash the personal data locally
const userData = {
  name: 'John Doe',
  email: 'john@example.com',
  dateOfBirth: '1990-01-15'
};

const hash = crypto
  .createHash('sha256')
  .update(JSON.stringify(userData))
  .digest('hex');

// Send data to hash-only endpoint (data is hashed and discarded)
const response = await fetch('https://api.anchora.co.in/v1/anchor/hash', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    data: userData,
    metadata: {
      type: 'user_consent',
      userId: 'internal_ref_123'  // Non-PII reference
    }
  })
});

Right to Erasure Implementation

When a user requests deletion, you need to handle both your internal data and Anchora records.

Soft Delete

Soft delete marks the record as deleted but preserves the blockchain proof. The data payload is removed, but the hash remains.

Soft delete a record

curl -X DELETE https://api.anchora.co.in/v1/records/507f1f77bcf86cd799439011 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "soft"
  }'

Hard Delete

Hard delete removes all record data from Anchora's servers. The blockchain transaction remains (hashes only, no personal data).

Hard delete a record (GDPR "right to be forgotten")

curl -X DELETE https://api.anchora.co.in/v1/records/507f1f77bcf86cd799439011 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "hard",
    "encryptionKey": "your-32-char-minimum-encryption-key-here"
  }'

Important: Hard deletes are irreversible. The data cannot be recovered after deletion. Ensure you have backups if needed for legitimate business purposes.

Data Portability with Search

Use the search API to find all records associated with a user to fulfill data portability requests.

Search records by user

curl -X POST https://api.anchora.co.in/v1/records/search \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "field": "email",
    "value": "john@example.com",
    "page": 1,
    "limit": 50
  }'

Search Response

Search response

{
  "success": true,
  "records": [
    {
      "recordId": "507f1f77bcf86cd799439011",
      "hash": "a1b2c3d4e5f6...64chars",
      "status": "ANCHORED",
      "createdAt": "2025-12-03T10:00:00.000Z",
      "anchoredAt": "2025-12-03T10:01:30.000Z"
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 50,
    "totalRecords": 1,
    "totalPages": 1,
    "hasNextPage": false
  }
}

Processing Records

Maintain a record of processing activities using Anchora.

Record consent with audit trail

curl -X POST https://api.anchora.co.in/v1/anchor \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "action": "consent_given",
      "purposes": ["marketing", "analytics"],
      "method": "web_form",
      "ipHash": "a1b2c3...",
      "timestamp": "2024-01-31T10:30:00Z"
    },
    "metadata": {
      "userId": "user_12345",
      "type": "gdpr_consent"
    }
  }'

Data Processing Agreement

Anchora acts as a data processor under GDPR. Key provisions in our DPA include:

Purpose limitation: Data processed only for anchoring services
Sub-processors: AWS (EU region), Polygon blockchain
Security measures: Encryption at rest and in transit
Breach notification: Within 24 hours of discovery
Data location: EU data centers available on Enterprise plans

DPA Available: Contact sales@anchora.co.in to request a signed Data Processing Agreement for your organization.

Best Practices

Use hash-only mode: When possible, hash data locally and only send hashes to Anchora
Implement retention policies: Set automatic expiry on all records containing personal data
Document your processing: Anchor consent records and processing activities
Plan for deletion: Design your data model to support granular deletion
Use pseudonymization: Replace direct identifiers with internal references
Encrypt sensitive data: Use client-side encryption for additional protection

Compliance Checklist

Requirement	Anchora Feature	Status
Right to Erasure (Art. 17)	Soft/hard delete APIs	`Available`
Data Portability (Art. 20)	Record search and retrieval APIs	`Available`
Storage Limitation (Art. 5)	Soft/hard/crypto delete modes	`Available`
Security (Art. 32)	Encryption, access controls	`Available`
Records of Processing (Art. 30)	Immutable audit logs	`Available`
Data Minimization (Art. 5)	Hash-only anchoring	`Available`