GDPR Compliance

Learn how to use Anchora while maintaining compliance with the General Data Protection Regulation (GDPR). Understand data handling, retention, and deletion capabilities.

Overview

Anchora is designed to help you maintain GDPR compliance while leveraging blockchain technology for data integrity. This guide explains how Anchora handles personal data and provides tools to meet your regulatory obligations.

Disclaimer: This guide provides technical information about Anchora's GDPR-friendly features. It does not constitute legal advice. Consult with legal counsel for compliance decisions.

GDPR Key Concepts

Understanding these GDPR concepts is essential when using Anchora:

| Concept | Description | Anchora Support |
|---|---|---|
| Right to Erasure | Users can request deletion of personal data | Soft/hard delete, data separation |
| Data Portability | Users can export their data | Full data export API |
| Data Minimization | Collect only necessary data | Hash-only mode available |
| Storage Limitation | Retain data only as long as needed | Auto-expiry, retention policies |

Data Architecture for GDPR

Anchora separates the personal data payload from the integrity proof. This separation of concerns lets you delete the personal data while the proof (the hash recorded on the blockchain) remains verifiable.

The Hash-Only Approach

Instead of storing personal data with Anchora, store only the cryptographic hash. This approach provides:

  • Blockchain proof that data existed at a specific time
  • No personal data stored on our servers or the blockchain
  • Full ability to delete the source data on your systems

Hash-only anchoring (GDPR-safe)
const crypto = require('crypto');

// API key read from the environment rather than hard-coded (added here; the
// original snippet referenced `apiKey` without defining it)
const apiKey = process.env.ANCHORA_API_KEY;

// Hash the personal data locally
const userData = {
  name: 'John Doe',
  email: 'john@example.com',
  dateOfBirth: '1990-01-15'
};

// Note: JSON.stringify preserves key insertion order, so serialise the object
// the same way every time you need to recompute this hash for verification
const hash = crypto
  .createHash('sha256')
  .update(JSON.stringify(userData))
  .digest('hex');

// Send only the hash to Anchora (wrapped in an async function so that `await`
// is valid in a CommonJS script)
async function anchorHash() {
  const response = await fetch('https://api.anchora.io/v1/anchor', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      hash: hash,
      metadata: {
        type: 'user_consent',
        userId: 'internal_ref_123'  // Non-PII reference
      }
    })
  });
  return response.json();
}

Right to Erasure Implementation

When a user requests deletion, you need to handle both your internal data and Anchora records.

Soft Delete

Soft delete marks the record as deleted but preserves the blockchain proof. The data payload is removed, but the hash remains.

Soft delete a record
curl -X DELETE https://api.anchora.io/v1/records/rec_abc123xyz789 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Delete-Mode: soft"

Hard Delete

Hard delete removes all record data from Anchora's servers. The blockchain transaction remains (hashes only, no personal data).

Hard delete a record
curl -X DELETE https://api.anchora.io/v1/records/rec_abc123xyz789 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Delete-Mode: hard"

Important: Hard deletes are irreversible. The data cannot be recovered after deletion. Ensure you have backups if needed for legitimate business purposes.

Data Retention Policies

Configure automatic data expiry to comply with storage limitation principles.

Create record with expiry
curl -X POST https://api.anchora.io/v1/anchor \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "consentGiven": true,
      "purpose": "marketing"
    },
    "retention": {
      "expiresAt": "2025-01-31T00:00:00Z",
      "autoDelete": "soft"
    }
  }'
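The erasure and retention sections above describe two flows that both end in a DELETE call with an X-Delete-Mode header: erasing everything held for one user on request, and deleting records once their retention period has passed. The following added example, which is not Anchora's SDK or code from this page, shows how a client can keep the personal payload only in its own store, strip that payload on erasure while retaining the hash so existing proofs still verify, select records that are past their expiresAt, and build the matching Anchora deletion requests. It assumes the DELETE endpoint and header shown on this page, an in-memory store with fields (id, userRef, hash, payload, expiresAt) that are this example's own invention, and it represents each HTTP call as a request object rather than sending it, so it runs offline; pass the object to fetch() in real use.

```javascript
// Added example, not part of the Anchora documentation or SDK.
// Assumes the DELETE /v1/records/{id} endpoint and X-Delete-Mode header from
// this page; the local store layout is this example's own.
const API_BASE = 'https://api.anchora.io/v1';

// Minimal in-memory store: the personal payload lives only here, never at Anchora.
function createStore() {
  return { records: new Map() };
}

// record: { id, userRef, hash, payload, expiresAt (ISO 8601 string or null) }
function addRecord(store, record) {
  store.records.set(record.id, { ...record, deleted: false });
}

// Describe the Anchora deletion request without sending it. Only the two modes
// documented on the page are accepted.
function buildDeleteRequest(recordId, mode, apiKey) {
  if (mode !== 'soft' && mode !== 'hard') {
    throw new Error(`unsupported delete mode: ${mode}`);
  }
  return {
    url: `${API_BASE}/records/${encodeURIComponent(recordId)}`,
    method: 'DELETE',
    headers: { Authorization: `Bearer ${apiKey}`, 'X-Delete-Mode': mode },
  };
}

// Right to erasure: drop the personal payload of every record belonging to the
// user on your side, keep the hash so existing proofs remain verifiable, and
// return the Anchora requests that must be sent for the same records.
function eraseUser(store, userRef, mode, apiKey) {
  const requests = [];
  for (const rec of store.records.values()) {
    if (rec.userRef !== userRef || rec.deleted) continue;
    rec.payload = null;
    rec.deleted = true;
    requests.push(buildDeleteRequest(rec.id, mode, apiKey));
  }
  return requests;
}

// Storage limitation: ids of live records whose expiresAt is at or before `now`.
function expiredRecordIds(store, now = new Date()) {
  const due = [];
  for (const rec of store.records.values()) {
    if (rec.deleted || !rec.expiresAt) continue;
    if (new Date(rec.expiresAt).getTime() <= now.getTime()) due.push(rec.id);
  }
  return due;
}

// Retention sweep: erase expired records locally and return the Anchora requests.
function sweepExpired(store, mode, apiKey, now = new Date()) {
  return expiredRecordIds(store, now).map((id) => {
    const rec = store.records.get(id);
    rec.payload = null;
    rec.deleted = true;
    return buildDeleteRequest(id, mode, apiKey);
  });
}
```

Run `sweepExpired(store, 'soft', apiKey)` on a schedule and `eraseUser(store, ref, 'hard', apiKey)` when an erasure request arrives; in both cases the hash stays in the local store so a retained proof can still be checked, while the payload is gone.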

Data Export for Portability

Export all records associated with a user to fulfill data portability requests.

Export user data
curl -X POST https://api.anchora.io/v1/export \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "filter": {
      "metadata.userId": "user_12345"
    },
    "format": "json",
    "includeProofs": true
  }'

Export Response

Export response
{
  "exportId": "exp_xyz789",
  "status": "processing",
  "recordCount": 47,
  "downloadUrl": null,
  "expiresAt": "2024-02-01T10:00:00Z"
}

Processing Records

Maintain a record of processing activities using Anchora.

Record consent with audit trail
curl -X POST https://api.anchora.io/v1/anchor \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "action": "consent_given",
      "purposes": ["marketing", "analytics"],
      "method": "web_form",
      "ipHash": "a1b2c3...",
      "timestamp": "2024-01-31T10:30:00Z"
    },
    "metadata": {
      "userId": "user_12345",
      "type": "gdpr_consent"
    }
  }'

Data Processing Agreement

Anchora acts as a data processor under GDPR. Key provisions in our DPA include:

  • Purpose limitation: Data processed only for anchoring services
  • Sub-processors: AWS (EU region), Polygon blockchain
  • Security measures: Encryption at rest and in transit
  • Breach notification: Within 24 hours of discovery
  • Data location: EU data centers available on Enterprise plans

DPA Available: Contact sales@anchora.co.in to request a signed Data Processing Agreement for your organization.

Best Practices

  • Use hash-only mode: When possible, hash data locally and only send hashes to Anchora
  • Implement retention policies: Set automatic expiry on all records containing personal data
  • Document your processing: Anchor consent records and processing activities
  • Plan for deletion: Design your data model to support granular deletion
  • Use pseudonymization: Replace direct identifiers with internal references
  • Encrypt sensitive data: Use client-side encryption for additional protection

Compliance Checklist

| Requirement | Anchora Feature | Status |
|---|---|---|
| Right to Erasure (Art. 17) | Soft/hard delete APIs | Available |
| Data Portability (Art. 20) | Export API with proofs | Available |
| Storage Limitation (Art. 5) | Retention policies, auto-expiry | Available |
| Security (Art. 32) | Encryption, access controls | Available |
| Records of Processing (Art. 30) | Immutable audit logs | Available |
| Data Minimization (Art. 5) | Hash-only anchoring | Available |