Compliance-Ready Deployment
Deploy Open Astra with hash-chained audit logging, GDPR data erasure, consent management, and data residency controls built into the core platform. No third-party compliance add-ons and no extra infrastructure are needed: the endpoints below produce the evidence an auditor will ask to see.
What you'll have
- SHA-256 hash-chained audit logs with tamper detection
- One-click GDPR data erasure across all 15 data tiers
- User consent tracking with expiration and revocation
- Data residency and provider restrictions per workspace
- IP allowlisting, intrusion detection, and session replay auditing
Step 1: Audit logging (automatic)
Every tool execution, memory write, inference request, and security event is logged automatically, and each record carries the SHA-256 hash of the record before it. Editing, deleting, or reordering an entry therefore breaks the chain from that point on, which is what GET /audit/verify detects. Nothing needs to be configured; it is on by default. One caveat applies to any hash chain, this one included: an attacker who can write to the log store can alter a record and recompute every hash after it, so periodically copy the latest hash, or the event stream itself, to a location the application cannot modify (your SIEM, for example) and compare against that copy.
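The check GET /audit/verify performs is simple enough to reproduce offline against an export, and doing so is the quickest way to see what a hash chain does and does not catch. The block below is an added example, not Open Astra's own code: it assumes a chaining rule of SHA-256(previous hash || canonical JSON of the record), and the field names (prevHash, hash), the genesis value and the sample events are constructed for the illustration; the page does not specify the platform's actual record layout or hashing. It walks three cases: an intact chain, one record edited in place (caught by the chain alone), and a log rewritten end to end by someone with write access to the store (internally consistent, and caught only because the head hash was copied off-box beforehand).

```python
"""Offline check of a SHA-256 hash-chained audit log.

Added example, not Open Astra's own code. The chaining scheme is an
assumption: hash_i = SHA-256(hash_{i-1} || canonical JSON of entry i).
The page does not specify the real record layout or hashing rule.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # assumed hash "before" the first record

# Constructed sample events, not real Open Astra log output.
CONSTRUCTED_EVENTS: List[Dict[str, Any]] = [
    {"seq": 1, "ts": "2026-01-04T09:12:00Z", "type": "inference", "actor": "uid_alice", "detail": "claude"},
    {"seq": 2, "ts": "2026-01-04T09:12:03Z", "type": "memory_write", "actor": "uid_alice", "detail": "ws_7"},
    {"seq": 3, "ts": "2026-01-04T09:13:10Z", "type": "tool_exec", "actor": "uid_bob", "detail": "web_search"},
    {"seq": 4, "ts": "2026-01-04T09:15:44Z", "type": "security", "actor": "system", "detail": "ip_denied"},
]


def canonical(entry: Dict[str, Any]) -> bytes:
    """Sorted keys and fixed separators so every verifier hashes identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, entry: Dict[str, Any]) -> str:
    """hash_i = SHA-256(prev_hash_bytes || canonical(entry))."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(entry))
    return h.hexdigest()


def payload(record: Dict[str, Any]) -> Dict[str, Any]:
    """The event fields without the two chain fields."""
    return {k: v for k, v in record.items() if k not in ("prevHash", "hash")}


def append(log: List[Dict[str, Any]], entry: Dict[str, Any]) -> Dict[str, Any]:
    """Writer side: link the new record to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    record = dict(entry)
    record["prevHash"] = prev
    record["hash"] = chain_hash(prev, entry)
    log.append(record)
    return record


def verify(log: List[Dict[str, Any]], anchored_head: Optional[str] = None) -> Dict[str, Any]:
    """Walk the chain the way the page describes GET /audit/verify doing.

    Returns {"valid", "checkedCount"} plus a "reason" on failure. If the head
    hash was earlier copied to a store the application cannot write (SIEM,
    WORM bucket), pass it as anchored_head to also catch a log that was
    rewritten or truncated as a whole.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("prevHash") != prev or rec.get("hash") != chain_hash(prev, payload(rec)):
            return {"valid": False, "checkedCount": i, "reason": f"record {i} breaks the chain"}
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return {"valid": False, "checkedCount": len(log), "reason": "head differs from external anchor"}
    return {"valid": True, "checkedCount": len(log)}


def demo():
    """Clean chain, one edited record, and a fully re-chained log."""
    log: List[Dict[str, Any]] = []
    for event in CONSTRUCTED_EVENTS:
        append(log, event)
    anchor = log[-1]["hash"]  # the value you would ship off-box after each export

    clean = verify(log, anchor)

    # 1. Edit one field in place: the stored hash no longer matches.
    edited_log = [dict(r) for r in log]
    edited_log[1]["actor"] = "uid_mallory"
    edited = verify(edited_log, anchor)

    # 2. Attacker with write access to the store recomputes every hash.
    rechained_log: List[Dict[str, Any]] = []
    for r in edited_log:
        append(rechained_log, payload(r))
    rechained_only = verify(rechained_log)              # internally consistent: passes
    rechained_anchored = verify(rechained_log, anchor)  # head moved: caught

    return clean, edited, rechained_only, rechained_anchored


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "rechained", "rechained+anchor"), demo()):
        print(f"{label:17} {result}")
```

The third case is the reason the stream endpoint matters for compliance and not just for monitoring: a chain that is only ever checked against itself proves consistency, not history. Anchoring the head hash (or the full stream) somewhere the platform has no write access turns the check into real tamper evidence.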
```bash
# 1. Verify your audit chain is intact (tamper detection)
curl http://localhost:3000/audit/verify \
  -H "Authorization: Bearer ${JWT_TOKEN}"
# → { "valid": true, "checkedCount": 4821 }

# 2. Export audit logs for your compliance team
curl "http://localhost:3000/audit/export.csv?from=2026-01-01&to=2026-03-31" \
  -H "Authorization: Bearer ${JWT_TOKEN}" > q1-audit.csv

# 3. Stream audit events in real time to your SIEM
curl -N http://localhost:3000/audit/stream \
  -H "Authorization: Bearer ${JWT_TOKEN}"
```

Step 2: GDPR data erasure
When a user exercises their right to erasure, one API call purges their data from every tier: conversation history, memory, embeddings, tokens, traces, and billing records. The response lists the tiers that were cleared; keep it with the erasure request as evidence of completion. Note that Art. 17 does not override retention duties you have elsewhere (financial records are the usual example), so confirm with whoever owns your retention schedule that purging all tiers, billing included, is permitted for the requester before running this.
```bash
# GDPR Right to Erasure — one call purges all 15 data tiers
curl -X DELETE http://localhost:3000/memory/user/uid_requesting_user \
  -H "Authorization: Bearer ${JWT_TOKEN}"
# → { "purged": true, "tiers": ["session_messages", "sessions", ...15 tables] }
```

Step 3: Data policies and consent
```bash
# Restrict data processing to EU regions and specific providers
curl -X PUT http://localhost:3000/data-policies \
  -H "Authorization: Bearer ${JWT_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "allowedRegions": ["eu-west-1", "eu-central-1"],
    "allowedProviders": ["claude", "ollama"]
  }'

# Record user consent with expiration
curl -X POST http://localhost:3000/security/consent \
  -H "Authorization: Bearer ${JWT_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "consentType": "data_processing",
    "granted": true,
    "expiresAt": "2027-01-01T00:00:00.000Z"
  }'
```

Step 4: Network security
```bash
# Restrict API access to office IPs
curl -X PUT http://localhost:3000/security/ip-allowlist \
  -H "Authorization: Bearer ${JWT_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "allowedCidrs": ["203.0.113.0/24", "198.51.100.0/24"]
  }'
```

Before enabling the allowlist, make sure the address the platform sees for a request is the client's own and not that of a reverse proxy or load balancer in front of it, and that the range you are calling from is included in allowedCidrs. Otherwise the first request after this one is denied and you have locked yourself out of the API.

Compliance checklist
| Requirement | Open Astra feature | Status |
|---|---|---|
| Audit trail | SHA-256 hash-chained audit log with CSV export | Built-in |
| Tamper detection | GET /audit/verify — hash chain integrity check | Built-in |
| Data erasure (GDPR Art. 17) | DELETE /memory/user/:uid — 15-tier purge | Built-in |
| Consent management | Record, expire, revoke consent per user | Built-in |
| Data residency | Restrict regions and providers per workspace | Built-in |
| Access control | IP allowlist, RBAC, JWT with key rotation | Built-in |
| Intrusion detection | 7 threat categories with 10-minute sliding window | Built-in |
| Session replay audit | Logged, redacted transcripts with reason tracking | Built-in |
| Secret management | Vault KV v2, AWS Secrets Manager, or env | Built-in |