Privacy Rights Manager (DSAR)
Manage data subject access requests end-to-end with configurable intake forms, identity verification, automated workflows, and audit logging.
The Privacy Rights Manager provides a complete solution for handling Data Subject Access Requests (DSARs) under GDPR, CCPA, and other privacy regulations. It covers the full lifecycle from request intake through fulfillment, with configurable workflows, automated task assignment, and tamper-evident audit logging.
The DSAR module is part of neostra-core and exposes both public-facing endpoints (for data subjects) and internal endpoints (for your privacy team).
Request Lifecycle
The following diagram illustrates how a data subject request moves through the system from submission to completion.
Core Components
Intake Forms
No-code configurable forms for data subject request submission with conditional field visibility and versioning.
Identity Verification
Email verification combined with digital affidavit signing to confirm the requester's identity.
Workflows
Multi-stage configurable workflows with draft/publish cycles, auto-assignment rules, and stage transitions.
Task Queue
Auto-generated tasks from workflow stages with assignment, reminders, and due date tracking.
Response Templates
Pre-built templates for common response types such as data delivery, deletion confirmation, and denial notices.
Subject Portal
Data subject-facing portal for tracking request status, exchanging messages, and downloading files.
Getting Started
Configure Request Types
Define the types of requests your organization accepts. Common types include data access, data deletion, data correction, and opt-out requests.
Navigate to Settings > Privacy Rights > Request Types and create entries for each type you need to support. Each type can have its own SLA deadlines and default workflow.
Build an Intake Form
Use the no-code form builder to create your intake form. Add fields, configure conditional visibility rules, and set validation requirements.
```json
{
  "name": "General DSAR Form",
  "fields": [
    {
      "type": "select",
      "label": "Request Type",
      "key": "requestType",
      "required": true,
      "options": ["Data Access", "Data Deletion", "Correction", "Opt-Out"]
    },
    {
      "type": "text",
      "label": "Additional Details",
      "key": "details",
      "visibleWhen": {
        "field": "requestType",
        "operator": "equals",
        "value": "Data Access"
      }
    }
  ]
}
```
Use Publish to make the form live or Discard to revert draft changes. Each publish creates a new version.
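Because the public create endpoint accepts whatever a client posts, the form's visibility and required rules have to be re-evaluated on the server, not only in the form builder. The following is an added example (not neostra-core code) that does this for the form definition above; the `notEquals` and `in` operators are assumed extensions beyond the `equals` operator shown on this page.

```javascript
// Added example, not neostra-core code: server-side evaluation of an intake form
// definition against a submitted formData object. Operators other than
// "equals" are assumed extensions, not documented product behaviour.
const generalDsarForm = {
  name: "General DSAR Form",
  fields: [
    { type: "select", label: "Request Type", key: "requestType", required: true,
      options: ["Data Access", "Data Deletion", "Correction", "Opt-Out"] },
    { type: "text", label: "Additional Details", key: "details",
      visibleWhen: { field: "requestType", operator: "equals", value: "Data Access" } },
  ],
};

// Evaluate a field's visibleWhen rule against the submitted values.
function isVisible(field, formData) {
  const rule = field.visibleWhen;
  if (!rule) return true;
  const actual = formData[rule.field];
  switch (rule.operator) {
    case "equals": return actual === rule.value;
    case "notEquals": return actual !== rule.value; // assumed extension
    case "in": return Array.isArray(rule.value) && rule.value.includes(actual); // assumed
    default: return false; // unknown operator: fail closed and hide the field
  }
}

// Validate a submission. Returns the accepted (visible, defined) values plus any
// errors: unknown keys are rejected, values for hidden fields are dropped, required
// visible fields must be present, and select values must be one of the options.
function validateSubmission(form, formData) {
  const errors = [];
  const accepted = {};
  const known = new Set(form.fields.map((f) => f.key));
  for (const key of Object.keys(formData)) {
    if (!known.has(key)) errors.push(`unexpected field: ${key}`);
  }
  for (const field of form.fields) {
    if (!isVisible(field, formData)) continue; // hidden: ignore whatever was sent
    const value = formData[field.key];
    if (field.required && (value === undefined || value === "")) {
      errors.push(`missing required field: ${field.key}`);
    } else if (field.type === "select" && value !== undefined && !field.options.includes(value)) {
      errors.push(`invalid option for ${field.key}: ${value}`);
    } else if (value !== undefined) {
      accepted[field.key] = value;
    }
  }
  return { ok: errors.length === 0, errors, accepted };
}
```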
Set Up a Workflow
Create a workflow that defines the stages a request passes through after verification.
Workflows follow a draft/publish cycle. Changes to a workflow do not take effect until you publish. Existing in-flight requests continue using the workflow version they started with.
Define stages such as "Triage", "Data Collection", "Legal Review", and "Fulfillment". For each stage, configure:
- Assignment rules (auto-assign to a team or individual)
- Due date offsets (e.g., 5 days from stage entry)
- Transition rules (conditions that trigger movement to the next stage)
Configure Identity Verification
Enable email verification and digital affidavit signing. When a data subject submits a request, they receive a verification email. After confirming their email, they are presented with a digital signature pad (powered by Vue Signature Pad) to sign an affidavit.
Deploy the Subject Portal
The subject portal gives data subjects a self-service interface to track their requests, exchange messages with your team, and download any files you provide.
Embed the portal link in your verification emails and response communications.
API Reference
The following public endpoints are accessible without authentication and are intended for data subjects.
Submit a Subject Request
```bash
curl -X POST https://api.neostra.io/v1/public/subject-request/create \
  -H "Content-Type: application/json" \
  -d '{
    "intakeFormId": "form_abc123",
    "formData": {
      "requestType": "Data Access",
      "firstName": "Jane",
      "lastName": "Doe",
      "email": "jane.doe@example.com",
      "details": "Please provide all data associated with my account."
    }
  }'
```

```javascript
const response = await fetch("https://api.neostra.io/v1/public/subject-request/create", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    intakeFormId: "form_abc123",
    formData: {
      requestType: "Data Access",
      firstName: "Jane",
      lastName: "Doe",
      email: "jane.doe@example.com",
      details: "Please provide all data associated with my account."
    }
  })
});
```
Response (201 Created):
```json
{
  "requestId": "sr_7f3a9b2e",
  "status": "SUBMITTED",
  "verificationEmailSent": true
}
```
Complete Identity Verification
```bash
curl -X POST https://api.neostra.io/v1/public/subject-request/verification \
  -H "Content-Type: application/json" \
  -d '{
    "requestId": "sr_7f3a9b2e",
    "verificationToken": "tok_abc123",
    "affidavitSignature": "<base64-encoded-signature>"
  }'
```
The following internal endpoints require authentication and appropriate permissions.
List Subject Requests
```bash
curl -X GET https://api.neostra.io/v1/subjectrequest/ \
  -H "Authorization: Bearer <token>"
```
Required permission: subject-requests:list
Query parameters:
| Parameter | Type | Description |
|---|---|---|
| status | string | Filter by status |
| type | string | Filter by request type |
| assignee | string | Filter by assigned user |
| page | int | Page number (default: 0) |
| size | int | Page size (default: 20) |
View a Subject Request
```bash
curl -X GET https://api.neostra.io/v1/subjectrequest/{requestId} \
  -H "Authorization: Bearer <token>"
```
Required permission: subject-requests:view
Update a Subject Request
```bash
curl -X PUT https://api.neostra.io/v1/subjectrequest/{requestId} \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "IN_REVIEW",
    "assigneeId": "user_456"
  }'
```
Required permission: subject-requests:create
Manage intake form configurations through the IntakeFormController.
Create an Intake Form
```bash
curl -X POST https://api.neostra.io/v1/intake-forms \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CCPA Request Form",
    "fields": [ ... ]
  }'
```
Publish a Form Version
```bash
curl -X POST https://api.neostra.io/v1/intake-forms/{formId}/publish \
  -H "Authorization: Bearer <token>"
```
Discard Draft Changes
```bash
curl -X POST https://api.neostra.io/v1/intake-forms/{formId}/discard \
  -H "Authorization: Bearer <token>"
```
Manage workflow configurations through the WorkflowController.
Required permissions: workflows:create, workflows:edit
Create a Workflow
```bash
curl -X POST https://api.neostra.io/v1/workflows \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Standard DSAR Workflow",
    "stages": [
      {
        "name": "Triage",
        "order": 1,
        "autoAssign": { "type": "ROUND_ROBIN", "teamId": "team_privacy" },
        "dueDateOffset": 2
      },
      {
        "name": "Data Collection",
        "order": 2,
        "autoAssign": { "type": "SPECIFIC_USER", "userId": "user_789" },
        "dueDateOffset": 10
      },
      {
        "name": "Legal Review",
        "order": 3,
        "autoAssign": { "type": "ROUND_ROBIN", "teamId": "team_legal" },
        "dueDateOffset": 5
      }
    ]
  }'
```
Publish a Workflow
```bash
curl -X POST https://api.neostra.io/v1/workflows/{workflowId}/publish \
  -H "Authorization: Bearer <token>"
```
Tasks are auto-generated from workflow stages. Manage them through the TaskController.
Required permissions: tasks:view, tasks:edit
List Tasks
```bash
curl -X GET https://api.neostra.io/v1/tasks \
  -H "Authorization: Bearer <token>"
```
Update a Task
```bash
curl -X PUT https://api.neostra.io/v1/tasks/{taskId} \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "COMPLETED",
    "notes": "All requested data has been compiled."
  }'
```
Workflow Configuration
Stages
Each workflow consists of ordered stages. A stage defines a phase of work with its own assignment rules, due dates, and transition conditions. Stages execute sequentially — when all tasks in a stage are completed, the request automatically advances to the next stage.
Assignment Rules
Each stage supports auto-assignment via one of the following rules:
- Round Robin: distributes tasks evenly across a team
- Specific User: always assigns to a designated person
- Manager: assigns to the team manager
- Manual: leaves the task unassigned for manual pickup
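To make the stage, due-date and assignment semantics from the workflow section and the two subsections above concrete, here is an added in-memory model (not neostra-core code). The team rosters, the task object shape, the workflow `version` field used for pinning in-flight requests, and the final `FULFILLED` status are assumptions; the `autoAssign` rule types and `dueDateOffset` follow the Create a Workflow request shown earlier.

```javascript
// Added example, not neostra-core code. Team rosters, the task shape, the
// "version" field and the final "FULFILLED" status are assumptions.
const teams = {
  team_privacy: { manager: "user_mgr1", members: ["user_1", "user_2", "user_3"] },
  team_legal: { manager: "user_mgr2", members: ["user_9"] },
};
const rrCursor = {}; // next round-robin position per team

// Resolve a stage's autoAssign rule to a user id (null = manual pickup).
function resolveAssignee(rule) {
  switch (rule.type) {
    case "ROUND_ROBIN": {
      const members = teams[rule.teamId].members;
      const i = rrCursor[rule.teamId] ?? 0;
      rrCursor[rule.teamId] = (i + 1) % members.length;
      return members[i];
    }
    case "SPECIFIC_USER": return rule.userId;
    case "MANAGER": return teams[rule.teamId].manager;
    case "MANUAL": return null;
    default: throw new Error(`unknown assignment type ${rule.type}`); // fail closed
  }
}

// Entering a stage creates its task; due date = entry time + dueDateOffset days.
function enterStage(request, stage, now) {
  const dueAt = new Date(now.getTime() + stage.dueDateOffset * 86400000);
  request.currentStage = stage.order;
  request.tasks.push({ stage: stage.name, assigneeId: resolveAssignee(stage.autoAssign),
    dueAt: dueAt.toISOString(), status: "OPEN" });
}

// Start a verified request on a published workflow. The workflow version is
// pinned on the request so a later publish does not alter its path.
function startRequest(requestId, workflow, now = new Date()) {
  const stages = [...workflow.stages].sort((a, b) => a.order - b.order);
  const request = { requestId, workflowVersion: workflow.version, stages,
    currentStage: 0, tasks: [], status: "TASKS_IN_PROGRESS" };
  enterStage(request, stages[0], now);
  return request;
}

// Complete a task; once every task of the current stage is done, advance.
function completeTask(request, taskIndex, now = new Date()) {
  request.tasks[taskIndex].status = "COMPLETED";
  const stage = request.stages.find((s) => s.order === request.currentStage);
  if (request.tasks.some((t) => t.stage === stage.name && t.status !== "COMPLETED")) return request;
  const next = request.stages.find((s) => s.order === request.currentStage + 1);
  if (next) enterStage(request, next, now); else request.status = "FULFILLED";
  return request;
}
```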
Conversations and Subject Portal
The Conversations system (via ConversationController) enables secure messaging between your privacy team and data subjects.
From the internal dashboard, your team can:
- View and respond to messages from the internal dashboard
- Attach files for the data subject to download
- Add internal notes (visible only to your team) to any request

From the subject portal, data subjects can:
- Access the portal using the secure link from verification emails
- View request status updates in real time
- Send messages and upload supporting documents
- Download response files provided by your team
Dashboard and Analytics
The DSAR dashboard provides real-time visibility into request volumes, SLA compliance, and team workload.
Dashboard data is powered by materialized views that are refreshed nightly for historical metrics. Incremental updates for current-day activity are applied in real time via AOP interceptors, so the dashboard always reflects the latest state.
Key metrics include:
| Metric | Description |
|---|---|
| Open Requests | Total requests currently in progress |
| Average Resolution Time | Mean days from submission to closure |
| SLA Compliance Rate | Percentage of requests resolved within deadline |
| Requests by Type | Breakdown by request type (access, deletion, etc.) |
| Overdue Requests | Requests past their SLA deadline |
| Tasks by Assignee | Workload distribution across team members |
Audit Logging
All actions within the DSAR module are captured by the AOP-based audit system using the @LogAudit annotation.
```java
@LogAudit(action = "SUBJECT_REQUEST_UPDATED", resource = "SubjectRequest")
public SubjectRequest updateRequest(String requestId, UpdateRequestDTO dto) {
    // Business logic here
}
```
A resulting audit entry looks like this:
```json
{
  "timestamp": "2026-03-16T14:32:00Z",
  "actor": {
    "userId": "user_456",
    "email": "analyst@company.com",
    "role": "PRIVACY_ANALYST"
  },
  "action": "SUBJECT_REQUEST_UPDATED",
  "resource": "SubjectRequest",
  "resourceId": "sr_7f3a9b2e",
  "metadata": {
    "previousStatus": "IN_REVIEW",
    "newStatus": "TASKS_IN_PROGRESS",
    "ipAddress": "192.168.1.100"
  }
}
```
Every audit entry captures the actor, the action performed, the affected resource, and contextual metadata. Audit logs are immutable and retained according to your organization's data retention policy.
Permissions Reference
| Permission | Description |
|---|---|
| subject-requests:create | Create and update subject requests |
| subject-requests:view | View individual subject request details |
| subject-requests:list | List and search subject requests |
| workflows:create | Create new workflows |
| workflows:edit | Edit and publish/discard workflow drafts |
| tasks:view | View task details and task queue |
| tasks:edit | Update task status, assignment, and notes |
Public endpoints (/api/v1/public/*) do not require authentication. Ensure your network policies and rate limiting are configured appropriately to prevent abuse.