DSAR Procedure

This runbook defines the default VaultCrux process for handling Data Subject Access Requests (DSARs).

Intake and validation

  1. Receive request through approved support/commercial channel.
  2. Log request timestamp, requestor identity details, and claimed relationship.
  3. Verify identity before releasing any data.
  4. Confirm requested scope (access, correction, deletion, portability, objection).

Response timeline

  • Target initial acknowledgment: 3 business days.
  • Standard fulfillment target: within 30 days of validated request.
  • If extension is required, notify requestor with reason and revised date.

Data discovery checklist

  • Seat/account records tied to requestor identifiers.
  • Auth/session metadata required for security audit obligations.
  • Tenant-scoped content and evidence records where requestor is a subject.
  • Billing and support records required for legal/financial obligations.

Fulfillment steps

  1. Produce scoped export in a structured, readable format.
  2. Apply approved corrections/deletions where legally permitted.
  3. Record actions performed, operator identity, and completion timestamp.
  4. Send completion notice with summary of fulfilled actions.

Exceptions and escalation

  • If request scope conflicts with legal retention obligations, return limited disclosure with rationale.
  • Escalate ambiguous or high-risk requests to legal/security owner before fulfillment.
  • Preserve incident trail if abuse or impersonation is suspected.

Evidence requirements

  • Keep an immutable DSAR audit entry per request.
  • Include verification method, search scope, output package checksum, and completion decision.
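
An added example, not VaultCrux's own code: one way to record the audit entry described above so that later edits are detectable, by hashing the output package and chaining each entry to the previous one. The field names, the hash-chain design, and the sample values are assumptions; chaining only detects changes, so the log still needs write-once storage to be immutable.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry in the log

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_entry(log, request_id, verification_method, search_scope,
                 package: bytes, decision, operator, completed_at=None):
    """Append one DSAR audit entry; field names are hypothetical."""
    body = {
        "request_id": request_id,
        "verification_method": verification_method,
        "search_scope": sorted(search_scope),
        "package_sha256": sha256_hex(package),  # output package checksum
        "completion_decision": decision,
        "operator": operator,
        "completed_at": completed_at or datetime.now(timezone.utc).isoformat(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=entry_hash(body))
    log.append(entry)
    return entry

def verify_log(log) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or entry_hash(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1

def package_matches(entry, package: bytes) -> bool:
    # Re-check a delivered export against the checksum recorded at fulfillment.
    return entry["package_sha256"] == sha256_hex(package)

if __name__ == "__main__":
    log = []  # constructed sample data, not a real request
    append_entry(log, "DSAR-0001", "account-email-challenge", ["seat", "billing"],
                 b"constructed export bytes", "fulfilled", "operator-a")
    log[0]["completion_decision"] = "rejected"  # simulate an after-the-fact edit
    print("first bad entry:", verify_log(log))
```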

Copyright 2026 CueCrux