Moonborn — Developers

Audit + compliance

GDPR DSARs, account deletion, retention policies, data residency, hash-chained audit log. The compliance surface Moonborn ships out of the box.

Procurement reviews and security questionnaires share a small set of questions: who can access the data, how long it lives, what happens when a user asks for export, what happens when they ask for deletion. Moonborn ships answers to each.

When this fits

  • Procurement reviews of Moonborn as a vendor.
  • Compliance teams documenting controls for SOC 2, GDPR, HIPAA (Enterprise on request), or industry-specific frameworks.
  • Privacy teams responding to data-subject access requests (DSARs) or right-to-erasure requests.
  • Audit prep — pulling a clean, hash-chained log of who did what.

What ships

Privacy operations

  • DSARs: POST /v1/privacy/export initiates a Data Subject Access Request. Output is a signed envelope (JSON or YAML) covering every record tied to the requesting user. Available via API or product UI.
  • Account deletion: POST /v1/privacy/delete enters a 30-day grace period (configurable via privacy.retention.account_deletion_grace_days). After the grace period, data is hard-deleted with cryptographic confirmation.
  • Per-resource deletion: POST /v1/privacy/delete/{resource_type}/{id} lets users delete a specific persona, chat session, or memory chunk without nuking the whole account.
  • Retention policies: configurable per resource via privacy.retention.*. Defaults vary by tier; Enterprise can override within plan limits.
  • DPA: signed Data Processing Agreement available via GET /v1/privacy/dpa, acceptance recorded.

Audit log

  • Immutable: every write to audit_log is hash-chained. Each row stores a hash computed over its own payload and the previous row's hash, so tampering is detectable.
  • Comprehensive: persona mutations, chat sessions, member changes, config edits, API key rotations, webhook deliveries, billing events.
  • Retention: 1 year (Pro/Team), 7 years (Enterprise). Per-workspace override within plan limits.
  • Exportable: POST /v1/audit/export (Team+) produces a signed archive for archival in your own retention system.

Data residency (Enterprise)

  • US + EU regions. Picked at org signup, locked thereafter (ADR 0011).
  • Cross-region read blocked at the database boundary — not a policy check, a physical isolation.
  • Migration requires export + new-org-in-new-region + import (no in-flight migration).

Compliance status

  • GDPR: full lifecycle support — consent, access, portability, erasure. Default tier.
  • SOC 2 Type II: in progress (we publish when ready).
  • HIPAA: available on Enterprise BAA, on request.
  • Industry-specific (PCI DSS for billing-context customers): we pass through Stripe's PCI scope; we don't store card data.

How the audit chain works

event_n.hash = sha256(event_n.payload || event_{n-1}.hash)

The first event in a chain seeds from an org-bound secret. Any tamper attempt breaks the chain at the modification point — verifiable by re-hashing.

Export the log + a verification script via POST /v1/audit/export; your archival system can re-run the verification later to prove the log hasn't been touched.
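The re-hashing check described above, as an added example (not Moonborn's own verification script). The row field names "payload" and "hash", hex-encoded hashes, UTF-8 payload bytes, and passing the seed in place of the hash before the first event are all assumptions about the export format; the sample rows are constructed.

```python
import hashlib
import hmac

def row_hash(payload: bytes, prev_hash: bytes) -> bytes:
    # event_n.hash = sha256(event_n.payload || event_{n-1}.hash)
    return hashlib.sha256(payload + prev_hash).digest()

def build_chain(payloads, seed: bytes):
    """Build constructed sample rows; stands in for an exported log."""
    rows, prev = [], seed
    for payload in payloads:
        prev = row_hash(payload.encode(), prev)
        rows.append({"payload": payload, "hash": prev.hex()})
    return rows

def verify_chain(rows, seed: bytes):
    """Return the index of the first row that fails to re-hash, or None."""
    prev = seed  # assumption: the seed stands in for the hash before event 0
    for i, row in enumerate(rows):
        try:
            stored = bytes.fromhex(row["hash"])
            payload = row["payload"].encode()
        except (KeyError, ValueError):
            return i  # a missing field or non-hex hash counts as a break
        if not hmac.compare_digest(row_hash(payload, prev), stored):
            return i
        prev = stored
    return None

# Constructed sample data, not real Moonborn output.
SEED = b"constructed-org-bound-seed"
SAMPLE_PAYLOADS = [
    '{"actor":"u_1","action":"member.add"}',
    '{"actor":"u_1","action":"api_key.rotate"}',
    '{"actor":"u_2","action":"config.edit"}',
]

if __name__ == "__main__":
    rows = build_chain(SAMPLE_PAYLOADS, SEED)
    print("intact:", verify_chain(rows, SEED))
    rows[1]["payload"] = rows[1]["payload"].replace("rotate", "delete")
    print("row 1 edited:", verify_chain(rows, SEED))
    # Re-hashing only the edited row moves the break to the next row.
    rows[1]["hash"] = row_hash(rows[1]["payload"].encode(),
                               bytes.fromhex(rows[0]["hash"])).hex()
    print("row 1 re-hashed:", verify_chain(rows, SEED))
```

A None result shows only that the rows are internally consistent: a log with its trailing rows dropped still verifies. Keep the last hash, or the export's signature, somewhere outside the log and compare against it.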

What this use case is NOT

  • Not a SIEM. Audit log is a record, not a real-time monitoring surface. Pair with Datadog, Splunk, etc. for SOC-style monitoring.
  • Not a compliance certifier. Moonborn provides the controls; your auditor certifies your use.
  • Not a substitute for your own DPIA. Data Protection Impact Assessments are still on you.

Tier

  • GDPR + DSAR + retention: every tier.
  • Audit log: every tier (retention varies).
  • Audit export: Team and up.
  • Data residency lock + cross-region prevention + 7-year retention: Enterprise.
