Data Erasure¶

Xybern Redact stores a pseudonym mapping in the entity map for every real value it encounters. When a data subject exercises their right to erasure under GDPR Article 17 (or a similar right under CCPA or other privacy regulations), you can delete their real values from the entity map permanently.

What Gets Deleted¶

When you submit an erasure request, Xybern deletes every entity map entry for the specified real values within your workspace. This means:

Future requests containing those values are treated as new and receive fresh pseudonyms
Existing de-anonymization lookups for those values stop working
The original real values are no longer stored

The erasure operation is scoped to your workspace. Other workspaces are not affected.

What Is Not Deleted¶

Vault records - the provenance vault is an immutable audit log. Existing vault records that reference those values are not modified or deleted. The hashes and HMAC signatures in those records remain intact.
LLM provider data - Xybern cannot delete data that was already sent to an upstream LLM provider. Ensure your provider's data retention settings are configured appropriately.

Audit Trail¶

Every erasure operation creates an immutable vault record with:

Number of entity map entries deleted
Breakdown by entity type (Person, Email, Phone, etc.)
SHA-256 hash of the erasure payload
Chain hash linking it to the prior vault record
Timestamp

The vault record appears in the Provenance Vault with status Erasure audit and cannot be modified or deleted.

Using the Dashboard¶

Open your Redact workspace and click Erasure in the sidebar
Paste the real values to erase, one per line (up to 500 values per request)
Click Erase Values
Confirm in the modal that appears
The result card shows how many entries were deleted and the breakdown by entity type
A vault record is created automatically

Using the API¶

POST /api/redact/{workspace_id}/erasure
Authorization: <session cookie>
Content-Type: application/json

{
  "values": [
    "Michael Chen",
    "michael.chen@example.com",
    "+1 212 555 0199"
  ]
}

Response¶

{
  "ok": true,
  "deleted": 3,
  "by_entity_type": {
    "PERSON": 1,
    "EMAIL": 1,
    "PHONE": 1
  }
}

Parameters¶

Field	Type	Description
`values`	array of strings	Real values to erase. Maximum 500 per request.

Response fields¶

Field	Type	Description
`ok`	boolean	`true` on success
`deleted`	integer	Number of entity map entries deleted
`by_entity_type`	object	Deleted count keyed by entity type

Handling No-Matches¶

If none of the submitted values exist in the entity map (for example, they were never anonymized or a TTL already expired them), the response returns "deleted": 0 with an empty by_entity_type. No error is raised. A vault audit record is still created to document that the request was processed.

Bulk Erasure¶

The values array accepts up to 500 entries per request. For larger erasure requests, split the values into batches of 500 and submit each batch as a separate request.

Entity Map TTL, automatic expiry of pseudonym mappings to support data minimisation
Vault Retention Policy, automatic deletion of vault records older than a configured window
Provenance Vault, immutable audit log for all workspace events