Build this with alleex
Build your DSAR portal in a day — on infrastructure you own
A branded data-subject-access-request workflow, consent ledger, and deletion tracker, composed from the compliance-eu module and deployed to your EU-hosted instance.
FileCheck
End-to-end DSAR workflow
Data subjects submit requests via a branded portal. Each request is verified by email token, routed to the responsible handler, tracked against the 30-day deadline, and fulfilled by a background job.
Clock
30-day deadline tracking
The DSAR module tracks every open request against the GDPR Article 12 timeline. Overdue requests surface in your dashboard — no manual spreadsheet required.
Lock
Self-hosted, EU-resident
Your DSAR portal runs on your EU Neon instance, not a US SaaS. Request data stays in the EU and is covered by the alleex DPA.
How it works
Compose these modules
Data-subject access request (Art. 15)
A data subject submits an access request through the branded portal. After email verification, a background job collects their data from every module handler and packages it for download.
compliance-eu module
Erasure and right to be forgotten (Art. 17)
Erasure requests trigger a deletion workflow across every data store that holds the subject's data — with a hash-chained audit record that proves deletion without revealing deleted content.
compliance-eu module + audit-log module
Data portability (Art. 20)
Portability requests produce a structured JSON export of the subject's data — machine-readable, ready to send to a competing controller.
compliance-eu module
Consent ledger
A record of every consent given — what was consented to, when, at which privacy-policy version, and whether re-consent is due. Each record is an Ed25519-signed receipt.
compliance-eu module
Auth without a US vendor in the customer data path
The DSAR portal authenticates requestors via Better Auth — self-hosted in your EU Neon database. No Clerk or Auth0 in the customer data path.
Better Auth module (ADR-0001 compliant)
Customer stories
Real customer stories — none yet.
We are in private beta. The first case studies will feature named customers who share real results. We do not publish testimonials we have not earned.
Become a design partner →FAQ
Common questions
Does the DSAR portal handle all three GDPR request types?
Yes — access (Art. 15), erasure (Art. 17), and portability (Art. 20). Each request type has its own workflow, deadline tracker, and audit record. Rectification (Art. 16) requires a custom handler per data type and is configured per-app.
How does the deletion workflow prove deletion?
Each deletion step writes a hash-chained audit record that records what was deleted (data category and count) without retaining the deleted content. The chain is Sigstore-witnessed, so a third party can verify the record was not altered after the fact.
Can I white-label the DSAR portal for my end customers?
Yes. The portal carries your branding — your domain, your logo, your privacy policy link. alleex branding is not present in the generated app.
What if a subject requests data that spans multiple modules?
The compliance-eu module orchestrates a fan-out across all installed modules that register a DSAR handler. Each module returns its portion of the subject's data; the orchestrator packages the full response. You do not wire this manually.
Your DSAR portal. EU-hosted. Running today.
Compose the compliance-eu module, configure your data categories, and deploy to your EU instance. The DSAR workflow, consent ledger, and 30-day tracker are included.
Free €0 · Pro €29/mo · Business €59/mo · Enterprise custom. See full pricing. Prices may change before general availability.