GDPR-005 (Critical): Data Export

Data export / portability

GDPR Article 20 requires that users can receive their data in a machine-readable format. Provide a JSON/CSV export covering all user data, either self-service or on request.

Question to ask

"User asks for their data — how fast can you produce it?"

Verification guide

Severity: Critical

GDPR Article 20 gives users the right to receive their data in a machine-readable format.

Check automatically:

# Look for export endpoints or functionality
grep -riE "export.*data|download.*data|data.*portability|user.*export|gdpr.*export|my.*data" src/ app/ routes/ controllers/ --include="*.ts" --include="*.js" --include="*.py"

# Check for export format handling
grep -riE "to.*json|to.*csv|export.*format|serialize.*user" src/ app/ lib/ --include="*.ts" --include="*.js" --include="*.py"

# Look for export documentation
grep -riE "export.*data|download.*your.*data|data.*portability" docs/ README.md --include="*.md"

# Check for admin export tools
grep -riE "admin.*export|generate.*export|user.*dump" src/ app/ --include="*.ts" --include="*.js"

Ask user:

  • "Can users export their data?" (self-service or request-based?)
  • "What format?" (JSON, CSV, other?)
  • "Is the export complete?" (all user data, or just some?)
  • "How do users access this feature?"

Data completeness checklist:

Data Type                                 Included?
Profile information                       [ ]
Activity/usage history                    [ ]
User-generated content                    [ ]
Preferences/settings                      [ ]
Transaction history                       [ ]
Communications (messages, emails sent)    [ ]

Pass criteria:

  • Export mechanism exists (self-service or documented request process)
  • Machine-readable format (JSON or CSV, not PDF)
  • Covers all user data (not just profile basics)

Fail criteria:

  • No export capability
  • Export exists but incomplete (only profile, missing activity)
  • Non-portable format (PDF, screenshots)

Notes: Self-service export is ideal but not required. A request-based export (email support, respond within 30 days) is compliant. Machine-readable format is the key requirement: users should be able to import the data elsewhere.
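As an added example (not part of this checklist and not any project's own code), the following Python script shows the shape of an export that satisfies the pass criteria above: it gathers every category from the data completeness checklist, serialises the bundle as JSON and as a flat CSV, and refuses to produce an export that silently skipped a category (the "export exists but incomplete" fail case). The data stores, user IDs and records are constructed sample data; the category names and the `IncompleteExport` error are assumptions made for the example.

```python
"""Added example: a self-service user data export with a completeness check.
All stores and records below are constructed sample data, not a real schema."""
import csv
import io
import json
from datetime import datetime, timezone

# The six categories from the data completeness checklist (names assumed for the example).
REQUIRED_CATEGORIES = (
    "profile",          # Profile information
    "activity",         # Activity/usage history
    "content",          # User-generated content
    "preferences",      # Preferences/settings
    "transactions",     # Transaction history
    "communications",   # Communications (messages, emails sent)
)

# Constructed in-memory stand-ins for the stores a real application would query.
SAMPLE_DB = {
    "profile": {42: {"user_id": 42, "email": "alice@example.invalid", "name": "Alice"}},
    "activity": {42: [{"ts": "2024-01-02T10:00:00Z", "event": "login"},
                      {"ts": "2024-01-03T11:30:00Z", "event": "search", "query": "gdpr"}]},
    "content": {42: [{"post_id": 7, "body": "hello"}]},
    "preferences": {42: {"newsletter": False, "locale": "en-GB"}},
    "transactions": {42: [{"order_id": "A1", "amount_cents": 1999, "currency": "EUR"}]},
    "communications": {42: [{"to": "support@example.invalid", "subject": "Help"}]},
}


class IncompleteExport(Exception):
    """Raised when a category the checklist requires was never queried."""


def collect_user_data(user_id, db=SAMPLE_DB):
    """Pull every required category for one user.

    A store that is not wired up at all yields None; a store that simply has no
    rows for this user yields an empty list. The distinction is what lets the
    completeness check separate "not exported" from "nothing to export".
    """
    bundle = {}
    for category in REQUIRED_CATEGORIES:
        store = db.get(category)
        bundle[category] = None if store is None else store.get(user_id, [])
    return bundle


def check_completeness(bundle):
    """Return the checklist categories the bundle does not cover (None values)."""
    return [c for c in REQUIRED_CATEGORIES if bundle.get(c) is None]


def _require_complete(bundle, user_id):
    missing = check_completeness(bundle)
    if missing:
        raise IncompleteExport(f"export for user {user_id} is missing: {missing}")


def export_json(bundle, user_id):
    """Machine-readable JSON export with a small envelope (schema tag, timestamp)."""
    _require_complete(bundle, user_id)
    envelope = {
        "schema": "user-data-export/1",  # assumed schema label for the example
        "user_id": user_id,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "data": bundle,
    }
    return json.dumps(envelope, indent=2, sort_keys=True)


def export_csv(bundle, user_id):
    """Flatten the bundle to one CSV of (category, record, field, value) rows.

    Categories differ in shape, so a long format keeps every record importable
    elsewhere; values are JSON-encoded so booleans and numbers survive the round trip.
    """
    _require_complete(bundle, user_id)
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["category", "record", "field", "value"])
    for category in REQUIRED_CATEGORIES:
        records = bundle[category]
        if isinstance(records, dict):   # single-record categories such as profile
            records = [records]
        for index, record in enumerate(records):
            for field, value in record.items():
                writer.writerow([category, index, field, json.dumps(value)])
    return out.getvalue()


if __name__ == "__main__":
    data = collect_user_data(42)
    print(export_json(data, 42))
    print(export_csv(data, 42))
```

The design point is the `None` versus empty-list distinction in `collect_user_data`: an export that forgets to query the activity store looks identical to a user with no activity unless the code records which stores it actually consulted, and that is exactly the partial-export failure the checklist asks the reviewer to catch.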

Evidence to capture:

  • Export mechanism (self-service endpoint, request process)
  • Format(s) available
  • Data coverage (complete or partial - list what's included)

Section: 37. GDPR & Privacy Compliance