Compliance
HelloJohn's compliance features for GDPR, SOC 2, and HIPAA — data export, erasure, retention, audit logs, and data processing agreements.
HelloJohn provides built-in features to help you meet GDPR, SOC 2, and HIPAA requirements for your authentication layer. This page covers the compliance tools available and how to use them.
GDPR
Data HelloJohn Collects
HelloJohn collects and stores the following user data on your behalf:
| Data | Purpose | Stored |
|---|---|---|
| Email address | Authentication, communication | Yes |
| Password hash (Argon2id) | Authentication | Yes |
| Name (first, last) | Profile | Yes (optional) |
| Phone number | MFA, optional profile | Yes (optional) |
| IP address | Security, rate limiting | Yes (last known) |
| User agent | Session identification | Yes |
| MFA factors (TOTP seeds, passkey credentials) | Authentication | Yes |
| OAuth provider IDs | Social login linking | Yes |
| Session timestamps | Security | Yes |
| Audit log entries | Compliance | Yes |
As the controller, you are responsible for your privacy policy covering this data. HelloJohn processes data on your behalf as a data processor.
Data Processing Agreement (DPA)
A Data Processing Agreement is available for HelloJohn Cloud customers. Request it via the dashboard under Tenant Settings → Compliance → DPA.
User Data Export (Portability)
Export all data held for a user (GDPR Article 20 — right to data portability):
Via Admin API:
```bash
curl "https://api.hellojohn.dev/v1/admin/users/usr_01HABCDEF123456/export" \
  -H "Authorization: Bearer sk_live_abc123" \
  -H "X-Tenant-ID: tnt_01HABCDEF654321"
```
Response:
```json
{
  "user": {
    "id": "usr_01HABCDEF123456",
    "email": "jane@example.com",
    "name": { "first": "Jane", "last": "Doe" },
    "created_at": "2024-01-15T09:00:00Z",
    "last_sign_in_at": "2024-06-01T14:32:00Z"
  },
  "sessions": [...],
  "mfa_factors": [{ "type": "totp", "created_at": "..." }],
  "oauth_connections": [...],
  "audit_events": [...],
  "organizations": [...]
}
```
The export includes all data categories in JSON format. Provide this to users upon request.
Right to Erasure (Right to Be Forgotten)
Delete a user and all associated data (GDPR Article 17):
```bash
curl -X DELETE "https://api.hellojohn.dev/v1/admin/users/usr_01HABCDEF123456" \
  -H "Authorization: Bearer sk_live_abc123" \
  -H "X-Tenant-ID: tnt_01HABCDEF654321"
```
This permanently deletes:
- User profile and credentials
- All sessions
- MFA factors
- OAuth connections
- Organization memberships
Audit log entries are not deleted: they are retained for the configured audit_log_retention_days (90 days by default), because you may need them for legal or compliance reasons.
Active access tokens remain valid until expiry (up to 15 minutes). To invalidate immediately, use API-based token verification.
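The two requests above, export (Article 20) and erasure (Article 17), are usually run from a data-subject-request handler rather than typed by hand. The following is an added example written for this page, not HelloJohn SDK code: it uses the documented endpoint paths and headers, checks that an export contains every documented category before handing it to the user, and returns an erasure receipt that records the 15-minute window during which already-issued access tokens may still be valid. The `transport` injection, the assumed 204 on DELETE, the `fake_transport` responses and the receipt shape are this example's assumptions so that it runs offline.

```python
"""Added example (not HelloJohn SDK code): a GDPR data-subject workflow against the
Admin API endpoints shown above. Export (Art. 20) and erasure (Art. 17) use the
documented paths and headers; the 'transport' injection, the DELETE status codes
and the receipt shape are this example's assumptions, chosen so it runs offline.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.hellojohn.dev/v1/admin"
# Categories the documented export response contains.
EXPORT_CATEGORIES = {"user", "sessions", "mfa_factors", "oauth_connections",
                     "audit_events", "organizations"}
# The page states access tokens issued before erasure stay valid for up to 15 minutes.
ACCESS_TOKEN_MAX_LIFETIME = timedelta(minutes=15)


def http_transport(method, url, headers):
    """Live transport: perform the request and return (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def fake_transport(method, url, headers):
    """Constructed offline stand-in that mimics the documented responses."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, ""
    if method == "GET" and url.endswith("/export"):
        return 200, json.dumps({
            "user": {"id": "usr_01HABCDEF123456", "email": "jane@example.com"},
            "sessions": [], "mfa_factors": [], "oauth_connections": [],
            "audit_events": [], "organizations": [],
        })
    if method == "DELETE" and "/users/" in url:
        return 204, ""  # assumed: no body on successful deletion
    return 404, ""


class HelloJohnAdmin:
    def __init__(self, api_key, tenant_id, transport=http_transport):
        self.headers = {"Authorization": f"Bearer {api_key}", "X-Tenant-ID": tenant_id}
        self.transport = transport

    def export_user(self, user_id):
        """GET /users/{id}/export: the Article 20 portability bundle as a dict."""
        status, body = self.transport("GET", f"{API_BASE}/users/{user_id}/export", self.headers)
        if status != 200:
            raise RuntimeError(f"export of {user_id} failed: HTTP {status}")
        data = json.loads(body)
        # Refuse to hand over a partial bundle: every documented category must be present.
        missing = EXPORT_CATEGORIES - data.keys()
        if missing:
            raise RuntimeError(f"export of {user_id} incomplete, missing {sorted(missing)}")
        return data

    def erase_user(self, user_id):
        """DELETE /users/{id}: Article 17 erasure of profile, sessions, MFA, OAuth, memberships."""
        status, _ = self.transport("DELETE", f"{API_BASE}/users/{user_id}", self.headers)
        if status not in (200, 204):
            raise RuntimeError(f"erasure of {user_id} failed: HTTP {status}")


def fulfil_erasure_request(admin, user_id, now=None):
    """Erase the user and return a receipt for your own records.

    The receipt deliberately holds no personal data: the page says audit log
    entries survive erasure anyway, and the receipt only needs the user id, the
    time, and the point after which pre-erasure access tokens can no longer be valid.
    """
    now = now or datetime.now(timezone.utc)
    admin.erase_user(user_id)
    return {
        "user_id": user_id,
        "erased_at": now.isoformat(),
        "tokens_expire_by": (now + ACCESS_TOKEN_MAX_LIFETIME).isoformat(),
        "audit_log_retained": True,
        "next_step": "use API-based token verification to reject tokens before expiry",
    }


if __name__ == "__main__":
    # Offline demonstration; pass transport=http_transport and a real key to run it live.
    admin = HelloJohnAdmin("sk_live_PLACEHOLDER", "tnt_01HABCDEF654321", transport=fake_transport)
    print(json.dumps(admin.export_user("usr_01HABCDEF123456"), indent=2))
    print(json.dumps(fulfil_erasure_request(admin, "usr_01HABCDEF123456"), indent=2))
```

The receipt's `tokens_expire_by` is the time after which no token minted before the erasure can still verify by expiry alone; until then, the page's advice applies and API-based token verification is the only way to reject them immediately.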
Data Retention
Configure how long HelloJohn retains inactive session data:
```bash
curl -X PATCH "https://api.hellojohn.dev/v1/admin/config" \
  -H "Authorization: Bearer sk_live_abc123" \
  -H "X-Tenant-ID: tnt_01HABCDEF654321" \
  -H "Content-Type: application/json" \
  -d '{
    "session_inactive_ttl_days": 30,
    "audit_log_retention_days": 365
  }'
```
| Setting | Default | Minimum | Maximum |
|---|---|---|---|
| session_inactive_ttl_days | 90 | 1 | 365 |
| audit_log_retention_days | 90 | 30 | 730 |
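Because the API enforces the bounds in the table, it helps to validate a PATCH body locally before sending it, and to decide up front what to do when a legal retention obligation is longer than HelloJohn Cloud can hold. The block below is an added example written for this page, not HelloJohn code: the bounds are copied from the table, the six-year figure comes from the HIPAA section of this page, and the function names are this example's own.

```python
"""Added example (not HelloJohn code): validate a retention PATCH body against the
documented bounds before sending it, and plan around obligations that exceed the
Cloud maximum. Bounds and the 6-year HIPAA figure are from this page; function
names are this example's.
"""

# Bounds exactly as documented for HelloJohn Cloud (days).
RETENTION_LIMITS = {
    "session_inactive_ttl_days": {"default": 90, "min": 1, "max": 365},
    "audit_log_retention_days": {"default": 90, "min": 30, "max": 730},
}

HIPAA_MIN_AUDIT_DAYS = 6 * 365  # six years, as stated in the HIPAA section


def validate_retention(settings):
    """Return a list of problems with a proposed config PATCH body (empty means OK)."""
    problems = []
    for key, value in settings.items():
        limits = RETENTION_LIMITS.get(key)
        if limits is None:
            problems.append(f"{key}: not a retention setting documented on this page")
            continue
        if not isinstance(value, int) or isinstance(value, bool):
            problems.append(f"{key}: must be an integer number of days, got {value!r}")
            continue
        if value < limits["min"]:
            problems.append(f"{key}: {value} is below the minimum of {limits['min']}")
        elif value > limits["max"]:
            problems.append(f"{key}: {value} exceeds the maximum of {limits['max']}")
    return problems


def plan_audit_retention(required_days):
    """Choose an audit_log_retention_days value for a retention obligation.

    Returns (value_to_configure, must_export_externally). When the obligation is
    longer than the Cloud maximum, the most the tenant can do is set the maximum
    and schedule NDJSON exports to a SIEM or archive that keeps the rest.
    """
    limits = RETENTION_LIMITS["audit_log_retention_days"]
    if required_days <= limits["max"]:
        return max(required_days, limits["min"]), False
    return limits["max"], True


if __name__ == "__main__":
    # A weak body: audit logs kept for one week, below the documented minimum of 30.
    weak = {"session_inactive_ttl_days": 30, "audit_log_retention_days": 7}
    print("problems:", validate_retention(weak))
    # A corrected body that passes validation.
    corrected = {"session_inactive_ttl_days": 30, "audit_log_retention_days": 365}
    print("problems:", validate_retention(corrected))
    print("HIPAA plan:", plan_audit_retention(HIPAA_MIN_AUDIT_DAYS))
```

Run `validate_retention` on the JSON body you are about to send and abort on any problem; `plan_audit_retention` returns `(730, True)` for the six-year HIPAA obligation, which is the signal to set up the audit export described under SOC 2 rather than rely on Cloud retention alone.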
SOC 2
HelloJohn Cloud is designed with SOC 2 Type II controls in mind:
Relevant Controls
| Control | How HelloJohn Addresses It |
|---|---|
| Access control | Role-based admin API access, audit logging of all admin actions |
| Logical access | Ed25519 JWT signing, token expiry, session revocation |
| Availability | 99.9% uptime SLA, multi-region failover |
| Confidentiality | AES-256-GCM field encryption, bcrypt/Argon2id password hashing |
| Change management | Versioned API, changelog maintained |
| Incident response | Status page at status.hellojohn.dev |
Audit Logs
All security-relevant events are logged with timestamp, user ID, IP address, and outcome:
```bash
# List audit events for your tenant
curl "https://api.hellojohn.dev/v1/admin/audit?limit=100" \
  -H "Authorization: Bearer sk_live_abc123" \
  -H "X-Tenant-ID: tnt_01HABCDEF654321"
```
Logged event types:
| Event | Logged |
|---|---|
| user.sign_in | ✅ |
| user.sign_in_failed | ✅ |
| user.password_reset | ✅ |
| user.mfa_enabled | ✅ |
| user.mfa_disabled | ✅ |
| admin.user_impersonated | ✅ |
| admin.user_deleted | ✅ |
| session.revoked | ✅ |
| org.member_invited | ✅ |
| config.updated | ✅ |
Export audit logs for SIEM integration:
```bash
# Export last 30 days as NDJSON
curl "https://api.hellojohn.dev/v1/admin/audit/export?format=ndjson&since=30d" \
  -H "Authorization: Bearer sk_live_abc123" \
  -H "X-Tenant-ID: tnt_01HABCDEF654321" \
  -o audit_export.ndjson
```
Security Assessment
For SOC 2 auditors requiring security documentation, request a security summary from the dashboard under Tenant Settings → Compliance → Security Documentation.
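The NDJSON export above is what a SIEM ingests, and the simplest way to see what the event types in the table are good for is to run a couple of detections over it. The following is an added example written for this page, not HelloJohn code: it parses an NDJSON export line by line (skipping malformed lines instead of aborting), flags bursts of `user.sign_in_failed` from one IP address, and lists the privileged events an auditor will ask about. The field names `type`, `timestamp`, `user_id`, `ip` and `outcome` are assumed from the attributes the page says are logged; the sample lines are constructed, not a real export.

```python
"""Added example (not HelloJohn code): parse a HelloJohn NDJSON audit export and run
two simple detections over it. Field names are assumed from the logged attributes
listed on this page; the sample export below is constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event names taken from the table of logged event types on this page.
PRIVILEGED_EVENTS = {"admin.user_impersonated", "admin.user_deleted", "config.updated"}

# Constructed sample export: five failures from one address in 90 seconds, one
# stray failure elsewhere, two privileged events, and one deliberately broken line.
SAMPLE_EXPORT = """\
{"type": "user.sign_in_failed", "timestamp": "2024-06-01T14:30:00Z", "user_id": "usr_01HABCDEF123456", "ip": "203.0.113.7", "outcome": "failure"}
{"type": "user.sign_in_failed", "timestamp": "2024-06-01T14:30:20Z", "user_id": "usr_01HABCDEF123456", "ip": "203.0.113.7", "outcome": "failure"}
{"type": "user.sign_in_failed", "timestamp": "2024-06-01T14:30:41Z", "user_id": "usr_01HABCDEF123456", "ip": "203.0.113.7", "outcome": "failure"}
{"type": "user.sign_in_failed", "timestamp": "2024-06-01T14:31:02Z", "user_id": "usr_01HABCDEF123456", "ip": "203.0.113.7", "outcome": "failure"}
{"type": "user.sign_in_failed", "timestamp": "2024-06-01T14:31:30Z", "user_id": "usr_01HABCDEF123456", "ip": "203.0.113.7", "outcome": "failure"}
{"type": "user.sign_in_failed", "timestamp": "2024-06-01T14:55:00Z", "user_id": "usr_01HABCDEF999999", "ip": "198.51.100.4", "outcome": "failure"}
{"type": "user.sign_in", "timestamp": "2024-06-01T14:56:10Z", "user_id": "usr_01HABCDEF999999", "ip": "198.51.100.4", "outcome": "success"}
{"type": "admin.user_impersonated", "timestamp": "2024-06-01T15:02:00Z", "user_id": "usr_01HABCDEF123456", "ip": "192.0.2.10", "outcome": "success"}
{"type": "config.updated", "timestamp": "2024-06-01T15:05:00Z", "user_id": null, "ip": "192.0.2.10", "outcome": "success"}
this line is not JSON and must be skipped rather than crash the pipeline
"""


def parse_timestamp(value):
    """Parse the ISO-8601 timestamps; fromisoformat() before Python 3.11 rejects 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_ndjson(text):
    """Return (events, skipped) where skipped counts lines that were not usable."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            event["ts"] = parse_timestamp(event["timestamp"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed line: count it so gaps in coverage are visible
            continue
        events.append(event)
    return events, skipped


def detect_failed_sign_in_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Report each IP with at least `threshold` failed sign-ins inside any `window`."""
    by_ip = defaultdict(list)
    for event in events:
        if event.get("type") == "user.sign_in_failed" and event.get("ip"):
            by_ip[event["ip"]].append(event["ts"])
    findings = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"ip": ip, "count": end - start + 1,
                                 "first": stamps[start].isoformat(),
                                 "last": stamps[end].isoformat()})
                break  # one finding per IP is enough to raise an alert
    return findings


def detect_privileged_actions(events):
    """List impersonation, deletion and config changes for change-management review."""
    return [{"type": e["type"], "timestamp": e["timestamp"], "actor_ip": e.get("ip")}
            for e in events if e.get("type") in PRIVILEGED_EVENTS]


if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with open("audit_export.ndjson").read() for a real export.
    events, skipped = parse_ndjson(SAMPLE_EXPORT)
    print(f"{len(events)} events parsed, {skipped} line(s) skipped")
    print("bursts:", detect_failed_sign_in_bursts(events))
    print("privileged:", detect_privileged_actions(events))
```

With the IP collection setting below turned off the `ip` field is absent, so the burst detection degrades to nothing; the privileged-action listing still works because it keys on event type alone.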
HIPAA
HelloJohn Cloud is not currently HIPAA-certified. If you require HIPAA compliance for authentication data:
- Use self-hosted HelloJohn on HIPAA-compliant infrastructure
- Do not store Protected Health Information (PHI) in user profile fields
- Enable audit logging and configure retention to meet HIPAA requirements (minimum 6 years)
- Sign a Business Associate Agreement (BAA) with your infrastructure provider
For BAA inquiries, contact compliance@hellojohn.dev.
Data Residency
HelloJohn Cloud
By default, HelloJohn Cloud stores data in us-east-1 (AWS Virginia).
EU data residency is available on Enterprise plans. Contact sales to provision an EU tenant (eu-west-1).
Self-Hosted
With self-hosted HelloJohn, you control where data is stored. Deploy PostgreSQL in your preferred region to meet data residency requirements.
IP Collection
HelloJohn logs the IP address of sign-in requests for security and rate limiting. To disable IP collection:
```bash
curl -X PATCH "https://api.hellojohn.dev/v1/admin/config" \
  -H "Authorization: Bearer sk_live_abc123" \
  -H "X-Tenant-ID: tnt_01HABCDEF654321" \
  -H "Content-Type: application/json" \
  -d '{ "collect_ip_addresses": false }'
```
When disabled, IP addresses are not stored in sessions or audit logs. Rate limiting falls back to tenant-level limits.
Security Disclosure
See Responsible Disclosure for our vulnerability reporting policy and SLA.