---
canonical: "https://yuanhaochen.dev/work/datasentinel"
path: "/work/datasentinel"
section: "Work"
title: "lawdit GDPR"
language: "en"
agentUse: "summary, retrieval, citation, hiring evaluation"
---

# lawdit GDPR

Models the governance loop around scattered personal-data evidence: scan, redact, assign owner, review, and audit, without claiming production tenant-wide deletion.

## Why this article exists

A one-time PII scan can find sensitive data and still leave the organization with no visible owner, review state, or decision record. I used this prototype to model the governance loop around personal-data evidence: discovery, redaction, owner routing, human review, and audit.
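To make that loop concrete, here is an added example (not the project's code; every name, regex, owner-routing table and address in it is an assumption constructed for illustration) that walks one document through discovery, redaction, owner routing, human review, and audit. It keeps only redacted evidence, lets only the assigned owner decide, and records deletion as a simulated audit event rather than performing it, matching the boundary the page states:

```python
"""Added example: a toy model of the scan -> redact -> route -> review -> audit loop.

Not the project's code. GovernanceLoop, OWNER_BY_SOURCE, the regexes and the
example addresses are all assumptions constructed for this illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Simplified detectors (assumed; a real scanner has many more and validates matches).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\d[\d -]{7,}\d"),
}

# Hypothetical owner routing: the longest matching source prefix wins.
OWNER_BY_SOURCE = {
    "sharepoint/hr/": "hr-privacy@example.test",
    "sharepoint/": "it-sec@example.test",
    "mailbox/": "legal@example.test",
}

ALLOWED_DECISIONS = {"confirm", "dismiss", "request_deletion"}


def redact(value: str) -> str:
    """Keep only the shape of a value so a reviewer sees the kind, never the data."""
    return value[0] + "*" * (len(value) - 2) + value[-1] if len(value) > 2 else "**"


def route_owner(source: str) -> str:
    """Assign an owner from the routing table; fall back to a default so nothing is unowned."""
    for prefix in sorted(OWNER_BY_SOURCE, key=len, reverse=True):
        if source.startswith(prefix):
            return OWNER_BY_SOURCE[prefix]
    return "dpo@example.test"


@dataclass
class Finding:
    finding_id: str
    source: str
    kind: str
    redacted: str
    owner: str
    status: str = "open"  # open -> confirmed | dismissed | deletion_requested


@dataclass
class GovernanceLoop:
    findings: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, action: str, actor: str, **details) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "actor": actor, **details})

    def scan(self, source: str, text: str) -> list:
        """Discover PII, store redacted evidence plus a hash id for dedup, assign an owner."""
        new = []
        for kind, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(text):
                # The id is a hash of (source, kind, raw value): stable for dedup, raw value not stored.
                fid = hashlib.sha256(f"{source}|{kind}|{m.group()}".encode()).hexdigest()[:16]
                if fid in self.findings:
                    continue
                f = Finding(fid, source, kind, redact(m.group()), route_owner(source))
                self.findings[fid] = f
                new.append(f)
                self._log("finding_created", "scanner", finding=fid, owner=f.owner, kind=kind)
        return new

    def review(self, finding_id: str, reviewer: str, decision: str) -> Finding:
        """Only the assigned owner may decide, and every decision becomes an audit event."""
        f = self.findings[finding_id]
        if reviewer != f.owner:
            self._log("review_rejected", reviewer, finding=finding_id, reason="not owner")
            raise PermissionError(f"{reviewer} is not the owner of {finding_id}")
        if decision not in ALLOWED_DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        f.status = {"confirm": "confirmed", "dismiss": "dismissed",
                    "request_deletion": "deletion_requested"}[decision]
        self._log("review_decided", reviewer, finding=finding_id, decision=decision)
        if decision == "request_deletion":
            # Deletion is simulated: recorded in the audit trail, never executed at the source.
            self._log("deletion_simulated", "system", finding=finding_id, source=f.source)
        return f

    def metrics(self) -> dict:
        """The evaluation signal the page asks for: did findings actually get reviewed?"""
        total = len(self.findings)
        reviewed = sum(f.status != "open" for f in self.findings.values())
        return {"findings": total, "reviewed": reviewed,
                "review_rate": reviewed / total if total else 0.0}
```

The point of the structure is that the evidence record never holds the raw value, the owner is decided by routing rules rather than by whoever happens to look at the scan, and a non-owner's attempt to decide is itself an audit event; the `metrics()` call is what turns "we scanned" into "review actually happened".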

## Problem

Organizations often know that personal data is spread across documents, tables, archives, email exports, images, and shared drives. The hard part is not only finding it. The hard part is proving what was found, who should review it, which action is allowed, and whether the review process improved.

## What shipped

Python backend, scanner pipeline, redacted evidence flow, review workflow, owner routing, audit events, evaluation metrics, OpenAPI contract, Vite/React console, Fumadocs user guide, validation commands, and a controlled public demo path.

## Evidence

The README exposes the live demo, user guide, API contract, repository map, validation commands, and project boundaries around deletion, legal advice, and production tenant integrations.

## Inspect path

Inspect the README first, then `contracts/openapi.yaml`, the product docs, backend review/audit modules, evidence assembly paths, and tests around review decisions.

## Boundary

Deletion is simulated. This is not legal advice, not a production tenant-wide Microsoft 365 inventory, and not proof of production deletion integration or compliance readiness.

## What changed

The useful boundary became sharper: sensitive-data AI is credible only when review state, redaction, owner routing, and audit events remain visible after the scan.

## Next question

Which review event should become impossible to skip before a sensitive-data system earns trust?

## Open public repository

https://github.com/89325516/datasentinel-gdpr
