GDPR & CCPA API requests

Example use case for the data access API for GDPR and CCPA compliance.

GDPR and CCPA compliance

BugSnag provides APIs that enable you to retrieve and delete data that relate to individual users to ensure that you can comply with GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) legislation.

The following examples find events with a user.id of 123456789, but you can also search using user.name, user.email, or any other filters to specify the events to be retrieved or deleted in your BugSnag organization. Please note that substring matching is performed when filtering by user.email and user.name, so a value can match events from more than one user.

There are also project specific endpoints that can be used to find events for a specific project rather than an entire organization.

Retrieve events containing a user’s personal information

Get a list of events from the user 123456789 with the Event data requests endpoint.

$ curl -X POST --globoff 'https://api.bugsnag.com/organizations/{organization_id}/event_data_requests?filters[user.id][][value]=123456789&filters[user.id][][type]=eq&report_type=gdpr' \
       --header 'Authorization: token {your_user_auth_token}' \
       --header 'X-Version: 2' \
       --header 'Content-Length: 0'

  {
      "id":"5952b72acce9f50018000000",
      "status":"PREPARING",
      "total":null,
      "filters":{"user.id":[{"value":"123456789","type":"eq"}]},
      "report_type":"gdpr",
      "created_at":"2018-12-11T22:12:15.589Z",
      "completed_at":null,
      "expires_at":null
  }

Since the data is created asynchronously by this API request, you can check the status using the Check the status of an event data request endpoint. This example checks the status of a request by taking the organization_id and the unique id of the event data request returned from the API call above.

$ curl -X GET 'https://api.bugsnag.com/organizations/{organization_id}/event_data_requests/{id}' \
       --header 'Authorization: token {your_user_auth_token}' \
       --header 'X-Version: 2'

Once the request has finished processing, the url field will be populated, which you can use to retrieve the output file. This file will contain user and device information for each event, similar to what you would find in the user and device tabs in the BugSnag app. This file will be available for 7 days, until the expires_at date.

  {
      "id":"5952b72acce9f50018000000",
      "status":"COMPLETED",
      "total":10,
      "filters":{"user.id":[{"value":"123456789","type":"eq"}]},
      "report_type":"gdpr",
      "created_at":"2018-12-17T12:12:15.589Z",
      "completed_at":"2018-12-17T19:47:27.260Z",  
      "expires_at":"2018-12-24T19:47:27.260Z",
      "url":"https://storage.url.com/bugsnag-event-data-requests/request_id"
  }

Delete events containing a user’s personal information

This example shows how to delete all events from a user 123456789 using the event data deletions endpoint.

$ curl -X POST --globoff 'https://api.bugsnag.com/organizations/{organization_id}/event_data_deletions?filters[user.id][][value]=123456789&filters[user.id][][type]=eq&skip_confirmation=false' \
       --header 'Authorization: token {your_user_auth_token}' \
       --header 'X-Version: 2' \
       --header 'Content-Length: 0'
  {
      "id":"5952b72acce9f50018000000",
      "status":"PREPARING",
      "total":null,
      "filters":{"user.id":[{"value":"123456789","type":"eq"}]},
      "created_at":"2018-12-11T22:12:15.589Z",
      "completed_at":null
  }

Once the request has been made, you can check the status of an event data deletion request using the Check the status of an event data request endpoint. This example checks the status of a request by taking the organization_id and the unique id of the event data request returned from the API call above.

$ curl -X GET 'https://api.bugsnag.com/organizations/{organization_id}/event_data_deletions/{id}' \
       --header 'Authorization: token {your_user_auth_token}' \
       --header 'X-Version: 2'
  {
      "id":"5952b72acce9f50018000000",
      "status":"AWAITING_CONFIRMATION",
      "total":10,
      "filters":{"user.id":[{"value":"123456789","type":"eq"}]},
      "created_at":"2018-12-11T22:12:15.589Z",
      "completed_at":"2018-12-11T23:12:15.589Z"
  }

As you can see in the response above, the status may be AWAITING_CONFIRMATION as a result of the request parameter skip_confirmation=false. Although you can skip this confirmation step by setting skip_confirmation=true, it’s recommended to first ensure the filters used are correct, since event deletions are not reversible. The best way to do this is to verify the events returned or the total event count via the retrieval endpoint. Once you’re sure that this request is correct, you can confirm it, which updates the status of the request.

$ curl -X POST --globoff 'https://api.bugsnag.com/organizations/{organization_id}/event_data_deletions/{id}/confirm' \
       --header 'Authorization: token {your_user_auth_token}' \
       --header 'X-Version: 2' \
       --header 'Content-Length: 0'
  {
      "id":"5952b72acce9f50018000000",
      "status":"ACCEPTED",
      "total":10,
      "filters":{"user.id":[{"value":"123456789","type":"eq"}]},
      "created_at":"2018-12-11T22:12:15.589Z",
      "completed_at":null
  }

You can use the same endpoint as above to check the status of an event data request to see when it is COMPLETED.

$ curl -X GET 'https://api.bugsnag.com/organizations/{organization_id}/event_data_deletions/{id}' \
       --header 'Authorization: token {your_user_auth_token}' \
       --header 'X-Version: 2'
  {
      "id":"5952b72acce9f50018000000",
      "status":"COMPLETED",
      "total":10,
      "filters":{"user.id":[{"value":"123456789","type":"eq"}]},
      "created_at":"2018-12-11T22:12:15.589Z",
      "completed_at":"2018-12-11T23:12:15.589Z"
  }
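
The pre-confirmation check described above, as an added example (not BugSnag's own code): it builds the deletion request with skip_confirmation=false and approves confirmation only when the deletion's filters and total match a completed retrieval request. The function names, the ORG_ID and TOKEN placeholders, the sample responses and the rule that user.email and user.name filters need manual review are assumptions of this example.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

API = "https://api.bugsnag.com"
SUBSTRING_FIELDS = {"user.email", "user.name"}  # matched by substring, per the note above

def deletion_request(org_id, token, field, value):
    """Build (not send) the POST that opens a deletion held for confirmation."""
    query = urlencode([(f"filters[{field}][][value]", value),
                       (f"filters[{field}][][type]", "eq"),
                       ("skip_confirmation", "false")], safe="[]")
    url = f"{API}/organizations/{org_id}/event_data_deletions?{query}"
    headers = {"Authorization": f"token {token}", "X-Version": "2"}
    return Request(url, data=b"", method="POST", headers=headers)

def confirm_decision(retrieval, deletion):
    """Return (ok, reason): confirm only if the deletion matches the reviewed export."""
    if retrieval.get("status") != "COMPLETED":
        return False, "retrieval request has not completed"
    if deletion.get("status") != "AWAITING_CONFIRMATION":
        return False, f"deletion is {deletion.get('status')}, not awaiting confirmation"
    if deletion.get("filters") != retrieval.get("filters"):
        return False, "deletion filters differ from the reviewed retrieval filters"
    if deletion.get("total") is None or deletion["total"] != retrieval.get("total"):
        return False, "event totals differ between retrieval and deletion"
    # Assumed policy of this example: substring-matched fields are never auto-confirmed.
    fuzzy = SUBSTRING_FIELDS & set(deletion["filters"])
    if fuzzy:
        return False, f"substring-matched filter {sorted(fuzzy)} needs manual review"
    return True, "filters and totals match the reviewed export"

# Constructed responses, shaped like the ones on this page.
RETRIEVAL = json.loads('{"status":"COMPLETED","total":10,'
                       '"filters":{"user.id":[{"value":"123456789","type":"eq"}]}}')
DELETION = json.loads('{"status":"AWAITING_CONFIRMATION","total":10,'
                      '"filters":{"user.id":[{"value":"123456789","type":"eq"}]}}')

if __name__ == "__main__":
    req = deletion_request("ORG_ID", "TOKEN", "user.id", "123456789")
    print(req.get_method(), req.full_url)
    print(confirm_decision(RETRIEVAL, DELETION))
    print(confirm_decision(RETRIEVAL, dict(DELETION, total=4211)))
```

Only when confirm_decision returns True would a caller go on to POST to the confirm endpoint shown earlier; any mismatch leaves the deletion in AWAITING_CONFIRMATION for a person to review.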