Implement proper data handling, privacy controls, and GDPR/CCPA compliance for Gamma integrations.

| Type | Classification | Retention | Handling |
|---|---|---|---|
| Presentation content | User data | User-controlled | Encrypted at rest |
| AI-generated text | Derived data | With source | Standard |
| User prompts | PII potential | 30 days | Anonymize logs |
| Export files | User data | 24 hours cache | Auto-delete |

Check user consent before Gamma operations. Require explicit consent for data processing and AI analysis separately.
Mask emails, hash names, and remove sensitive fields before logging. Never log raw PII in production.
Auto-delete exports (1 day), anonymize prompts (30 days), archive logs (90 days), delete presentations (365 days). Schedule daily enforcement.
Log all significant actions (create, update, delete, share, export) with user ID, IP, timestamp, and resource details.
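
The sanitization step above (mask emails, hash names, remove sensitive fields before logging), as an added Python example that is not part of the original page or Gamma's own code. The field names, sample event and hashing key are constructed assumptions; names are hashed with a keyed HMAC rather than a bare hash so that common names cannot be recovered by hashing a word list.

```python
import hashlib
import hmac
import re

# Assumption: these field names are illustrative, not Gamma's schema.
DROP_FIELDS = {"password", "api_key", "authorization", "ssn", "card_number"}
NAME_FIELDS = {"name", "first_name", "last_name", "display_name"}
EMAIL_RE = re.compile(
    r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
LOG_HASH_KEY = b"constructed-demo-key"  # constructed; load from a secret store


def mask_emails(text: str) -> str:
    """Keep first character and domain: alice@example.com -> a***@example.com."""
    return EMAIL_RE.sub(r"\1***@\2", text)


def hash_name(value: str, key: bytes = LOG_HASH_KEY) -> str:
    """Keyed hash: the same name still correlates across log lines, but it
    cannot be recovered by hashing a list of common names without the key."""
    normalized = value.strip().lower().encode("utf-8")
    return "name:" + hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def sanitize(value, field=None):
    """Return a sanitized copy of a log payload; the input is not modified."""
    if isinstance(value, dict):
        return {k: sanitize(v, str(k).lower()) for k, v in value.items()
                if str(k).lower() not in DROP_FIELDS}
    if isinstance(value, (list, tuple)):
        return [sanitize(v, field) for v in value]
    if isinstance(value, str):
        # Names are hashed; every other string is scanned for embedded emails,
        # which also covers free-text fields such as user prompts.
        return hash_name(value) if field in NAME_FIELDS else mask_emails(value)
    return value


# Constructed sample event, not real Gamma data.
SAMPLE_EVENT = {
    "action": "export",
    "user": {"name": "Alice Example", "email": "alice@example.com",
             "password": "hunter2"},
    "prompt": "Send the deck to bob.smith@example.org by Friday",
    "recipients": ["carol@example.net"],
}

if __name__ == "__main__":
    print(sanitize(SAMPLE_EVENT))
```
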
See detailed implementation for consent management, PII sanitization, retention enforcement, GDPR request handlers, and audit trail code.

| Error | Cause | Solution |
|---|---|---|
| Consent not obtained | New user flow | Add consent gate before first operation |
| Deletion incomplete | Gamma API timeout | Retry with exponential backoff |
| Audit gap | Missing log entry | Add audit middleware to all routes |
| Retention not running | Scheduler stopped | Monitor cron job health |

Proceed to gamma-enterprise-rbac for access control.