Dormant-vault cleanup

Don't keep a citizen's sensitive documents forever once they stop using the service. This feature detects vaults that have gone unused, warns the owner ahead of time, and then crypto-erases the vault - GDPR data minimization, but never a deletion without warning and a chance to act.

It is off by default and opt-in: nothing is ever warned or erased until an operator sets a deletion age.

What counts as activity

Dormancy is measured per (tenant, owner) vault by a last_activity timestamp, not by the Drupal account's last login. It is updated when:

  • the owner logs in, or opens their vault page; and
  • a vault item is read, created or updated - including by a consumer over the API, since data that is actively used is not dormant.

Any of these resets the clock (and cancels a pending deletion). A login or a vault-page visit keeps all of the owner's vaults alive; a read or write keeps the one realm it touched alive.

Configure it

At Configuration -> Personal Data Vault (/admin/config/pdv/settings), under Dormant-vault cleanup:

  • Delete after (days of inactivity) - crypto-erase a vault once it has been idle this many days. 0 turns the feature off. Set it conservatively, for example 730 (two years).
  • Reminder lead-times (days before deletion) - one value per line, each smaller than the deletion age. With 30, 7, 2, 1 the owner is warned 30 days before deletion, then again at 7, 2 and 1 day. Leave empty for no reminders (not recommended).

What happens, and when

A vault's deletion deadline is its last activity plus the deletion age. On each cron run, in bounded chunks:

  1. As each reminder lead-time arrives, one warning is sent (escalating). The owner can keep the vault by simply using it, or download a copy of their data first.
  2. At the deadline, with no activity since, the vault is crypto-erased: its Subject KEK is destroyed (an O(1) operation that makes every document unrecoverable), and the now-unreadable rows are reaped by the garbage collector over subsequent runs. The work is bounded per run, never a single blanket sweep.

Every step is recorded in the audit trail (the pdv.dormancy channel: warned, erased).

Preview before you commit

Before enabling the feature, or after changing the thresholds, check the Dormant-vault cleanup panel on Vault subjects (/admin/config/pdv/subjects). It is a read-only dry run of the cron pass against the current thresholds: how many vaults are in the reminder window, and how many are past the deadline (and would be erased on the next run). It changes nothing.
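The lifecycle described above (deadline = last activity plus the deletion age, one escalating warning as each lead-time arrives, crypto-erase at the deadline, any activity resetting the clock) and the read-only dry run, modelled as an added Python example. This is not the module's own code: the Vault class, record_activity, cron_pass and dry_run are assumptions for illustration, erasure is represented by a flag where the module would destroy the Subject KEK, and the vaults and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Vault:
    """One (tenant, owner) vault with its dormancy state. Hypothetical model."""
    tenant: str
    owner: str
    last_activity: date
    warned: set = field(default_factory=set)  # lead-times (days) already sent
    erased: bool = False

    def deadline(self, deletion_age_days: int) -> date:
        # Deletion deadline is last activity plus the configured deletion age.
        return self.last_activity + timedelta(days=deletion_age_days)


def validate(deletion_age_days: int, lead_times: list) -> list:
    """Every reminder lead-time must be positive and smaller than the deletion age."""
    if deletion_age_days < 0:
        raise ValueError("deletion age must be 0 (off) or a positive number of days")
    for lt in lead_times:
        if not 0 < lt < deletion_age_days:
            raise ValueError(f"lead-time {lt} must be between 1 and {deletion_age_days - 1}")
    # Largest lead-time first: 30, 7, 2, 1
    return sorted(set(lead_times), reverse=True)


def record_activity(vault: Vault, now: date) -> None:
    """A login, vault-page visit, or item read/write resets the clock and
    cancels any pending deletion and reminder state."""
    vault.last_activity = now
    vault.warned.clear()


def cron_pass(vaults: list, now: date, deletion_age_days: int,
              lead_times: list, batch_size: int = 100) -> list:
    """One bounded cron run. Returns the audit events it would record:
    ('warned', tenant, owner, lead_time) or ('erased', tenant, owner)."""
    events = []
    if deletion_age_days == 0:          # feature off: never warn, never erase
        return events
    lead_times = validate(deletion_age_days, lead_times)
    for vault in vaults:
        if len(events) >= batch_size:   # bounded per run, never a blanket sweep
            break
        if vault.erased:
            continue
        deadline = vault.deadline(deletion_age_days)
        if now >= deadline:
            # Crypto-erase: the module destroys the Subject KEK here; the rows
            # are then reaped by the garbage collector on later runs.
            vault.erased = True
            events.append(("erased", vault.tenant, vault.owner))
            continue
        # Lead-times whose warning date has arrived and has not been sent yet.
        due = [lt for lt in lead_times
               if now >= deadline - timedelta(days=lt) and lt not in vault.warned]
        if due:
            # One warning per run, for the most urgent due lead-time; mark all
            # due lead-times as sent so a missed cron run does not cause a burst.
            vault.warned.update(due)
            events.append(("warned", vault.tenant, vault.owner, min(due)))
    return events


def dry_run(vaults: list, now: date, deletion_age_days: int, lead_times: list) -> dict:
    """Read-only preview of the next cron pass: counts only, nothing mutated."""
    counts = {"in_reminder_window": 0, "past_deadline": 0}
    if deletion_age_days == 0:
        return counts
    lead_times = validate(deletion_age_days, lead_times)
    for vault in vaults:
        if vault.erased:
            continue
        deadline = vault.deadline(deletion_age_days)
        if now >= deadline:
            counts["past_deadline"] += 1
        elif lead_times and now >= deadline - timedelta(days=lead_times[0]):
            counts["in_reminder_window"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: deletion age 730 days, reminders at 30, 7, 2 and 1 days.
    alice = Vault("tenant-a", "alice", date(2024, 1, 1))   # deadline 2025-12-31
    bob = Vault("tenant-a", "bob", date(2020, 1, 1))       # long past its deadline
    print(dry_run([alice, bob], date(2025, 12, 5), 730, [30, 7, 2, 1]))
    print(cron_pass([alice, bob], date(2025, 12, 5), 730, [30, 7, 2, 1]))
```

The model keeps per-vault reminder state so that a warning for a given lead-time is sent once, and clears that state on any activity so a returning owner starts from a clean slate; the dry run reuses the same deadline arithmetic as the cron pass without touching any vault.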

Delivering the warnings

Each lifecycle step dispatches a domain event; pdv core sends no email itself. Enable the PDV Mail submodule (Submodules) for a default warning email, or subscribe to the pdv.dormancy events to deliver them your own way (for example with ECA or the Message stack).