SID-PRIV-03 — Right-to-Erasure Bulk Deletion API

Property	Value
Status	to_do
Owner	platform
Category	technical
CSF Function	protect
Group	Privacy Controls

Description

GDPR Art. 17 requires the ability to erase all personal data for a data subject on request. The existing DeleteUser function cascades across users, credentials, and presentations. PR #89 adds ChallengeStore.DeleteByUserID and InviteStore.ClearUsedBy to close gaps in the erasure chain. Remaining gap: Redis session cleanup (SessionStore.DeleteByUser exists but is not called from UserService). See compliance/gdpr-findings.md §2 P-4. Issue: go-wallet-backend#87.

Components

Wallet Backend (Go)

Source References

go-wallet-backend/internal/service/user.go
go-wallet-backend/pull/89

Audit Findings

Finding	Severity	Status
P-4 — Incomplete right-to-erasure cascade	medium	in progress

Description​

Components​

Source References​

Audit Findings​

Description

Components

Source References

Audit Findings