PHPackages azaharizaman/nexus-data-privacy - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. azaharizaman/nexus-data-privacy ActiveLibrary[Security](/categories/security) azaharizaman/nexus-data-privacy =============================== Framework-agnostic data privacy core: data subject rights, consent management, retention policies, breach notification v0.1.0-alpha1(1mo ago)002MITPHPPHP ^8.3 Since May 5Pushed 1mo agoCompare [ Source](https://github.com/azaharizaman/nexus-data-privacy)[ Packagist](https://packagist.org/packages/azaharizaman/nexus-data-privacy)[ RSS](/packages/azaharizaman-nexus-data-privacy/feed)WikiDiscussions main Synced 1w ago READMEChangelogDependencies (3)Versions (2)Used By (2) Nexus\\DataPrivacy ================== [](#nexusdataprivacy) **Version:** 1.0.0 **PHP Version:** ^8.3 **Type:** Atomic Package (Framework-Agnostic) **Status:** ✅ Production Ready Overview -------- [](#overview) `Nexus\DataPrivacy` provides a **regulation-agnostic foundation** for personal data protection and privacy compliance. It implements core privacy management capabilities without embedding any specific jurisdiction's rules. This package follows the **Progressive Disclosure Pattern** - it serves as the core abstraction layer, while jurisdiction-specific packages (like `Nexus\GDPR` or `Nexus\PDPA`) extend it with regulatory requirements. Key Features ------------ [](#key-features) - ✅ **Consent Management** - Track, grant, withdraw, and renew data processing consents - ✅ **Data Subject Requests (DSARs)** - Full lifecycle management for access, erasure, rectification, and portability requests - ✅ **Retention Policy Engine** - Configurable data retention with category-based policies - ✅ **Breach Incident Management** - Record, track, and manage data breach incidents - ✅ **Processing Activity Records (ROPA)** - Maintain records of processing activities for compliance - ✅ **Audit Trail Integration** - Full audit logging for all privacy-related operations - ✅ **Request Handlers** - Pluggable handlers for each request type - ✅ **Framework-Agnostic** - Pure PHP 8.3+, works with any framework Installation ------------ [](#installation) ``` composer require azaharizaman/nexus-data-privacy ``` Installation ------------ [](#installation-1) ``` composer require azaharizaman/nexus-data-privacy ``` Architecture ------------ [](#architecture) ### Progressive Disclosure Pattern [](#progressive-disclosure-pattern) This package serves as the **regulation-agnostic core**. Jurisdiction-specific requirements are provided by extension packages: ``` ┌─────────────────────────────────────────────────────────┐ │ Application Layer │ └───────────────────────┬─────────────────────────────────┘ │ uses ┌──────────────┼──────────────┐ ▼ ▼ ▼ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ Nexus\GDPR │ │ Nexus\PDPA │ │ Nexus\CCPA │ │ (EU Rules) │ │ (MY Rules) │ │ (CA Rules) │ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │ extends │ extends │ extends └────────────────┼────────────────┘ ▼ ┌─────────────────────┐ │ Nexus\DataPrivacy │ ← This package │ (Core Abstractions)│ └─────────────────────┘ ``` ### Package Structure [](#package-structure) ``` DataPrivacy/ ├── src/ │ ├── Contracts/ │ │ ├── External/ # Interfaces for framework dependencies │ │ │ ├── AuditLoggerInterface.php │ │ │ ├── DataEncryptorInterface.php │ │ │ ├── NotificationDispatcherInterface.php │ │ │ ├── PartyProviderInterface.php │ │ │ └── StorageInterface.php │ │ ├── ConsentQueryInterface.php │ │ ├── ConsentPersistInterface.php │ │ ├── ConsentManagerInterface.php │ │ ├── DataSubjectRequestQueryInterface.php │ │ ├── DataSubjectRequestPersistInterface.php │ │ ├── DataSubjectRequestManagerInterface.php │ │ ├── RetentionPolicyQueryInterface.php │ │ ├── RetentionPolicyPersistInterface.php │ │ ├── RetentionPolicyManagerInterface.php │ │ ├── BreachRecordQueryInterface.php │ │ ├── BreachRecordPersistInterface.php │ │ ├── BreachRecordManagerInterface.php │ │ ├── ProcessingActivityQueryInterface.php │ │ ├── ProcessingActivityPersistInterface.php │ │ ├── ProcessingActivityManagerInterface.php │ │ └── RequestHandlerInterface.php │ ├── Enums/ │ │ ├── RequestType.php # ACCESS, ERASURE, RECTIFICATION, etc. │ │ ├── RequestStatus.php # State machine for request lifecycle │ │ ├── ConsentStatus.php # GRANTED, WITHDRAWN, EXPIRED, etc. │ │ ├── DataCategory.php # Personal data categories with risk levels │ │ ├── LawfulBasisType.php # GDPR Article 6 lawful bases │ │ ├── BreachSeverity.php # LOW, MEDIUM, HIGH, CRITICAL │ │ ├── RetentionCategory.php # Document retention categories │ │ └── ConsentPurpose.php # Standard consent purposes │ ├── ValueObjects/ │ │ ├── DataSubjectId.php # Unique data subject identifier │ │ ├── Consent.php # Immutable consent record │ │ ├── DataSubjectRequest.php # DSAR with state machine │ │ ├── RetentionPolicy.php # Retention policy configuration │ │ ├── BreachRecord.php # Data breach incident record │ │ └── ProcessingActivity.php # ROPA entry │ ├── Services/ │ │ ├── ConsentManager.php │ │ ├── DataSubjectRequestManager.php │ │ ├── RetentionPolicyManager.php │ │ ├── BreachRecordManager.php │ │ ├── ProcessingActivityManager.php │ │ ├── RequestHandlerRegistry.php │ │ └── Handlers/ │ │ ├── AccessRequestHandler.php │ │ ├── ErasureRequestHandler.php │ │ ├── RectificationRequestHandler.php │ │ └── PortabilityRequestHandler.php │ └── Exceptions/ │ ├── DataPrivacyException.php │ ├── Invalid*Exception.php # Validation exceptions │ └── *NotFoundException.php # Not found exceptions └── tests/ ``` Quick Start ----------- [](#quick-start) ### 1. Consent Management [](#1-consent-management) ``` use Nexus\DataPrivacy\Contracts\ConsentManagerInterface; use Nexus\DataPrivacy\Enums\ConsentPurpose; use Nexus\DataPrivacy\Enums\LawfulBasisType; use Nexus\DataPrivacy\ValueObjects\DataSubjectId; public function __construct( private readonly ConsentManagerInterface $consentManager ) {} // Grant consent $consent = $this->consentManager->grantConsent( subjectId: DataSubjectId::fromPartyId('party-12345'), purpose: ConsentPurpose::MARKETING_EMAIL, lawfulBasis: LawfulBasisType::CONSENT, expiresAt: new \DateTimeImmutable('+1 year'), metadata: ['ip_address' => '192.168.1.1', 'source' => 'web_form'] ); // Check if consent is active $hasConsent = $this->consentManager->hasActiveConsent( subjectId: DataSubjectId::fromPartyId('party-12345'), purpose: ConsentPurpose::MARKETING_EMAIL ); // Returns: bool // Withdraw consent $this->consentManager->withdrawConsent( consentId: $consent->getId(), reason: 'User requested via preference center' ); // Renew consent before expiry $renewed = $this->consentManager->renewConsent( consentId: $consent->getId(), newExpiresAt: new \DateTimeImmutable('+2 years') ); ``` ### 2. Data Subject Requests (DSARs) [](#2-data-subject-requests-dsars) ``` use Nexus\DataPrivacy\Contracts\DataSubjectRequestManagerInterface; use Nexus\DataPrivacy\Enums\RequestType; use Nexus\DataPrivacy\ValueObjects\DataSubjectId; public function __construct( private readonly DataSubjectRequestManagerInterface $dsrManager ) {} // Create an access request $request = $this->dsrManager->createRequest( subjectId: DataSubjectId::fromEmail('customer@example.com'), type: RequestType::ACCESS, metadata: ['verification_method' => 'email_otp'] ); // Verify the request $this->dsrManager->verifyRequest($request->getId()); // Process the request (moves to IN_PROGRESS) $this->dsrManager->startProcessing($request->getId()); // Execute the request through handler $result = $this->dsrManager->executeRequest( requestId: $request->getId(), handlerResult: ['export_url' => 'https://...', 'expires_at' => '...'] ); // Complete the request $this->dsrManager->completeRequest( requestId: $request->getId(), result: $result ); // Get overdue requests for monitoring $overdue = $this->dsrManager->getOverdueRequests(); ``` ### 3. Retention Policies [](#3-retention-policies) ``` use Nexus\DataPrivacy\Contracts\RetentionPolicyManagerInterface; use Nexus\DataPrivacy\Enums\DataCategory; use Nexus\DataPrivacy\Enums\RetentionCategory; public function __construct( private readonly RetentionPolicyManagerInterface $retentionManager ) {} // Create a retention policy $policy = $this->retentionManager->createPolicy( name: 'Customer Invoice Retention', dataCategory: DataCategory::FINANCIAL, retentionMonths: 84, // 7 years autoDelete: false, // Require manual review description: 'Retain invoices for tax compliance' ); // Find applicable policies for a data category $policies = $this->retentionManager->findPoliciesForCategory(DataCategory::FINANCIAL); // Get items due for deletion $dueItems = $this->retentionManager->getItemsDueForDeletion(); // Execute retention (delete expired data) $this->retentionManager->executeRetention( policyId: $policy->getId(), dryRun: true // Preview what would be deleted ); ``` ### 4. Breach Management [](#4-breach-management) ``` use Nexus\DataPrivacy\Contracts\BreachRecordManagerInterface; use Nexus\DataPrivacy\Enums\BreachSeverity; use Nexus\DataPrivacy\Enums\DataCategory; public function __construct( private readonly BreachRecordManagerInterface $breachManager ) {} // Report a data breach $breach = $this->breachManager->reportBreach( title: 'Unauthorized Database Access', description: 'External actor gained access to customer table', discoveredAt: new \DateTimeImmutable(), affectedSubjectCount: 1500, affectedCategories: [DataCategory::CONTACT, DataCategory::FINANCIAL], severity: BreachSeverity::HIGH ); // Notify regulatory authority (within 72 hours for GDPR) $this->breachManager->notifyRegulator( breachId: $breach->getId(), authorityName: 'ICO', notifiedAt: new \DateTimeImmutable(), referenceNumber: 'ICO-2024-12345' ); // Record containment actions $this->breachManager->recordContainmentAction( breachId: $breach->getId(), action: 'Revoked compromised API keys', performedBy: 'security-team', performedAt: new \DateTimeImmutable() ); // Resolve the breach $this->breachManager->resolveBreach( breachId: $breach->getId(), resolution: 'All affected users notified, credentials reset, security audit completed', resolvedAt: new \DateTimeImmutable() ); ``` ### 5. Processing Activities (ROPA) [](#5-processing-activities-ropa) ``` use Nexus\DataPrivacy\Contracts\ProcessingActivityManagerInterface; use Nexus\DataPrivacy\Enums\DataCategory; use Nexus\DataPrivacy\Enums\LawfulBasisType; public function __construct( private readonly ProcessingActivityManagerInterface $ropaManager ) {} // Register a processing activity $activity = $this->ropaManager->registerActivity( name: 'Customer Order Processing', purpose: 'Process and fulfill customer orders', lawfulBasis: LawfulBasisType::CONTRACT, dataCategories: [DataCategory::CONTACT, DataCategory::FINANCIAL, DataCategory::TRANSACTION], dataSubjectCategories: ['customers', 'shipping_recipients'], recipients: ['payment_processor', 'shipping_provider'], retentionPeriod: '7 years', technicalMeasures: ['encryption_at_rest', 'tls_1_3', 'access_controls'], organizationalMeasures: ['staff_training', 'data_minimization', 'access_reviews'] ); // Check if DPIA is required if ($activity->requiresDpia()) { $this->ropaManager->markDpiaRequired($activity->getId()); } // Mark activity as reviewed $this->ropaManager->markReviewed( activityId: $activity->getId(), reviewedBy: 'dpo@company.com', nextReviewDate: new \DateTimeImmutable('+1 year') ); // Get activities needing review $needReview = $this->ropaManager->getActivitiesNeedingReview(); ``` External Dependencies --------------------- [](#external-dependencies) This package defines interfaces for external dependencies. Your application must provide implementations: ### PartyProviderInterface [](#partyproviderinterface) Provides access to personal data stored in `Nexus\Party` or your party system: ``` use Nexus\DataPrivacy\Contracts\External\PartyProviderInterface; final readonly class PartyAdapter implements PartyProviderInterface { public function __construct( private PartyManagerInterface $partyManager ) {} public function partyExists(string $partyId): bool { return $this->partyManager->exists($partyId); } public function getPersonalData(string $partyId): array { $party = $this->partyManager->findById($partyId); return [ 'name' => $party->getName(), 'email' => $party->getEmail(), 'phone' => $party->getPhone(), // ... other personal data fields ]; } public function deletePersonalData(string $partyId): void { $this->partyManager->anonymize($partyId); } // ... implement other methods } ``` ### AuditLoggerInterface [](#auditloggerinterface) Logs all privacy operations for compliance: ``` use Nexus\DataPrivacy\Contracts\External\AuditLoggerInterface; final readonly class AuditLoggerAdapter implements AuditLoggerInterface { public function __construct( private AuditLogManagerInterface $auditLogger ) {} public function log(string $action, string $entityType, string $entityId, array $metadata = []): void { $this->auditLogger->log( entityId: $entityId, action: $action, description: "Privacy action: {$action} on {$entityType}", metadata: $metadata ); } // ... implement other methods } ``` ### Binding in Laravel [](#binding-in-laravel) ``` // AppServiceProvider.php public function register(): void { $this->app->singleton( PartyProviderInterface::class, PartyAdapter::class ); $this->app->singleton( AuditLoggerInterface::class, AuditLoggerAdapter::class ); $this->app->singleton( ConsentQueryInterface::class, EloquentConsentRepository::class ); $this->app->singleton( ConsentPersistInterface::class, EloquentConsentRepository::class ); // ... bind other interfaces } ``` Enums Reference --------------- [](#enums-reference) ### RequestType [](#requesttype) ValueDescriptionTypical Deadline`ACCESS`Right to access personal data30 days (GDPR)`ERASURE`Right to be forgotten30 days (GDPR)`RECTIFICATION`Right to correct data30 days (GDPR)`RESTRICTION`Right to restrict processing30 days (GDPR)`PORTABILITY`Right to data portability30 days (GDPR)`OBJECTION`Right to object to processing30 days (GDPR)`AUTOMATED_DECISION`Rights related to automated decisions30 days (GDPR)### RequestStatus [](#requeststatus) ``` PENDING → VERIFIED → IN_PROGRESS → COMPLETED ↘ ↗ → REJECTED → CANCELLED ``` ### DataCategory [](#datacategory) CategorySpecial CategoryRisk Level`BASIC_IDENTITY`NoLow`CONTACT`NoLow`FINANCIAL`NoHigh`HEALTH`YesCritical`BIOMETRIC`YesCritical`GENETIC`YesCritical`RACIAL_ETHNIC`YesHigh`POLITICAL`YesHigh`RELIGIOUS`YesHigh`SEXUAL_ORIENTATION`YesHigh`TRADE_UNION`YesHigh`CRIMINAL`YesCritical`CHILDREN`YesCritical`LOCATION`NoMedium`BEHAVIORAL`NoMedium`COMMUNICATION`NoMedium`TRANSACTION`NoMedium`EMPLOYMENT`NoMedium### BreachSeverity [](#breachseverity) SeverityResponse TimeCriteria`LOW`5 days< 100 subjects, no special categories`MEDIUM`48 hours100-1000 subjects, low-risk categories`HIGH`24 hours1000-10000 subjects or sensitive categories`CRITICAL`Immediate> 10000 subjects or highly sensitiveExtension Packages ------------------ [](#extension-packages) ### Nexus\\GDPR (EU General Data Protection Regulation) [](#nexusgdpr-eu-general-data-protection-regulation) ``` // Enforces GDPR-specific rules: // - 30-day response deadline for DSARs // - 72-hour breach notification to regulators // - Data Protection Impact Assessments (DPIA) // - Mandatory DPO appointment checks ``` ### Nexus\\PDPA (Malaysia Personal Data Protection Act) [](#nexuspdpa-malaysia-personal-data-protection-act) ``` // Enforces PDPA-specific rules: // - 21-day response deadline for DSARs // - Sector-specific requirements (banking, healthcare) // - Data Commissioner notification rules ``` Testing ------- [](#testing) ``` # Run tests composer test # Run with coverage composer test:coverage # Target: 85%+ code coverage ``` Dependencies ------------ [](#dependencies) ``` { "require": { "php": "^8.3", "azaharizaman/nexus-common": "^1.0" } } ``` License ------- [](#license) MIT License. See [LICENSE](LICENSE) file for details. --- **Last Updated**: December 2025 **Maintained By**: Nexus Architecture Team ### Health Score 35 — LowBetter than 77% of packages Maintenance93 Actively maintained with recent releases Popularity0 Limited adoption so far Community10 Small or concentrated contributor base Maturity34 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 36d ago ### Community Maintainers ![](https://avatars.githubusercontent.com/u/117408?v=4)[Azahari Zaman](/maintainers/azaharizaman)[@azaharizaman](https://github.com/azaharizaman) --- Top Contributors [![azaharizaman](https://avatars.githubusercontent.com/u/117408?v=4)](https://github.com/azaharizaman "azaharizaman (6 commits)") --- Tags privacyconsent-managementdata privacydata-portabilityright-to-erasuredata-subject-rightsretention-policybreach-notification ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/azaharizaman-nexus-data-privacy/health.svg) ``` [![Health](https://phpackages.com/badges/azaharizaman-nexus-data-privacy/health.svg)](https://phpackages.com/packages/azaharizaman-nexus-data-privacy) ``` ### Alternatives [matomo/matomo Matomo is the leading Free/Libre open analytics platform 21.6k38.2k](/packages/matomo-matomo)[tempest/framework The PHP framework that gets out of your way. 2.2k31.1k11](/packages/tempest-framework)[api-platform/metadata API Resource-oriented metadata attributes and factories 244.5M180](/packages/api-platform-metadata)[soved/laravel-gdpr GDPR compliance with ease 299134.1k2](/packages/soved-laravel-gdpr)[devrabiul/laravel-cookie-consent A GDPR-compliant cookie consent solution for Laravel applications with fully customizable cookie banners, granular consent control, and enterprise-grade compliance features. 18148.5k1](/packages/devrabiul-laravel-cookie-consent)[jfeltkamp/cookiesjsr COOKiES JSR is a consent management tool and provides UI and API to manage 3rd party services within the GDPR. 27853.1k](/packages/jfeltkamp-cookiesjsr) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)