Skip to main content

Compliance

Locker's retention system is built to support GDPR, CCPA, and other regulatory requirements. Every lifecycle action is recorded in an immutable audit trail you can export at any time.

GDPR

Data Subject Erasure (Right to Be Forgotten)

A verified erasure request under GDPR Article 17 overrides any active retention policy and triggers immediate deletion, unless a legal hold or a statutory obligation blocks it.

When deletion proceeds: The document is permanently deleted, the retention policy is overridden, and the event is recorded in the Audit Log.

When deletion is blocked:

SituationWhat Locker does
Statutory obligation applies (e.g., tax or financial records law)Restricts processing, document is retained but not actively used; legal basis is recorded
An active Legal Hold is in placeDeletion blocked until the hold is removed

When a request is blocked, Locker records the legal basis and notifies the requestor that processing is restricted. The decision is permanently recorded in the Audit Log.

Submitting a Data Subject Request (DSR)

DSRs are managed by organization admins at Organization → DSR. Supported request types: erasure, access, portability, rectification, restriction, and objection.

Coming Soon

Screenshot: locker-dsr-page, the Organization → DSR page showing open requests and their status

note

Data residency and GDPR are separate settings. Residency controls where data is physically stored (Global or EU) and is set by Propper admins. DSR controls are available to organization admins regardless of residency setting.

CCPA

CCPA deletion and access requests are handled through the same DSR workflow at Organization → DSR.

Audit Log

Every retention action generates a permanent, immutable event in the Audit Log:

  • Document archived or unarchived
  • Legal hold placed or removed
  • Document deleted
  • Policy created, modified, or overridden
  • DSR submitted and completed

To export your audit log:

  1. Go to Organization → Audit Logs.
  2. Apply any filters (e.g., Action = Deleted) and set a date range.
  3. Click Export.
tip

Export your deletion log before any compliance review. Filter by Action = Deleted to get a clean record of all purged documents, including actor and timestamp.

Coming Soon

Screenshot: locker-compliance-audit-export, the Audit Logs export panel with filters applied and the Export button visible

  • Retention Policies: Align retention periods with your regulatory requirements
  • Legal Hold: Preserve documents during investigations and when erasure requests conflict with statutory obligations
  • API Integration: Manage retention and holds programmatically