Confidentiality Declaration
Data Entity
Description
Records a peer mentor's formal digital sign-off on a confidentiality agreement, primarily used in the Expense & Reimbursement area (e.g. driver honoraria declarations for Blindeforbundet). Captures the signed declaration text, version, timestamp, and audit metadata to provide a tamper-evident compliance record.
Data Structure
| Name | Type | Description | Constraints |
|---|---|---|---|
| id | uuid | Primary key — unique identifier for this declaration record | PK, required, unique |
| user_id | uuid | Foreign key to users — the peer mentor who signed the declaration | required |
| organization_id | uuid | Foreign key to organizations — the tenant under which this declaration was issued | required |
| declaration_type | enum | Categorises the type of confidentiality agreement being signed | required |
| status | enum | Lifecycle state of the declaration | required |
| declaration_version | string | Semantic version of the declaration template that was presented and agreed to (e.g. '1.2.0'). Enables auditors to retrieve the exact text shown at sign time. | required |
| declaration_text_snapshot | text | Full text of the declaration as it was displayed to the user at sign time. Stored immutably to support legal audit even if the template is later updated. | required |
| signed_at | datetime | UTC timestamp when the user confirmed the declaration. Null if status is pending. | - |
| valid_from | datetime | UTC datetime from which the declaration is considered active. Defaults to signed_at. | - |
| expires_at | datetime | UTC datetime when the declaration lapses and must be re-signed. Null means the declaration does not expire unless explicitly revoked. | - |
| related_expense_id | uuid | Optional foreign key to expenses — links the declaration to a specific expense claim when the sign-off is triggered by an expense submission. | - |
| signature_token | string | Cryptographic acknowledgment token generated at sign time (HMAC of user_id + declaration_version + signed_at). Used to verify the record has not been tampered with post-signature. | - |
| ip_address | string | IP address of the device at time of signing, stored for audit trail purposes. | - |
| device_info | string | User-agent or device identifier string captured at sign time for the audit trail. | - |
| revoked_at | datetime | UTC timestamp of revocation. Null unless status is 'revoked'. | - |
| revoked_by | uuid | Foreign key to users — the admin who revoked the declaration. Null unless status is 'revoked'. | - |
| revocation_reason | text | Free-text explanation for why the declaration was revoked. Required when status transitions to 'revoked'. | - |
| created_at | datetime | UTC timestamp of record creation (declaration presented to user, before signing). | required |
| updated_at | datetime | UTC timestamp of last record modification. | required |
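The signature_token column is defined above as an HMAC over user_id, declaration_version and signed_at. The Python below is an added example, not code from the project, showing one way to generate and verify that token. The key name SIGNING_KEY, the newline-joined canonical encoding and the sample UUIDs are assumptions, since the entity definition fixes the inputs but not their encoding. The token binds only the three named fields: a change to declaration_text_snapshot is outside the MAC, so that field depends on the immutable_after_signing rule and the audit trail rather than on this check.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Hypothetical server-side HMAC key (constructed placeholder). In a deployment it
# comes from a secrets manager and is never stored beside the rows it protects.
SIGNING_KEY = b"example-signing-key-replace-me"


def token_message(user_id: str, declaration_version: str, signed_at: datetime) -> bytes:
    """Canonical byte string the token is computed over.

    The entity definition names the inputs (user_id + declaration_version +
    signed_at) but not their encoding, so this example fixes one: the fields
    joined by a newline, which cannot occur inside a UUID, a semver string or
    an ISO-8601 timestamp. Plain concatenation would let two different field
    combinations serialise to the same bytes and carry the same token.
    """
    if signed_at.tzinfo is None:
        raise ValueError("signed_at must be timezone-aware (UTC)")
    stamp = signed_at.astimezone(timezone.utc).isoformat(timespec="seconds")
    return "\n".join([user_id, declaration_version, stamp]).encode("utf-8")


def make_signature_token(user_id: str, declaration_version: str,
                         signed_at: datetime, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the canonical message, hex-encoded for the string column."""
    message = token_message(user_id, declaration_version, signed_at)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_signature_token(record: dict, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the token from the stored fields and compare in constant time.

    False means user_id, declaration_version, signed_at or the token itself
    changed after signing (or the record was never signed). Fields outside the
    MAC, such as declaration_text_snapshot, are not covered by this check.
    """
    stored = record.get("signature_token")
    if not stored or record.get("signed_at") is None:
        return False
    expected = make_signature_token(record["user_id"], record["declaration_version"],
                                    record["signed_at"], key)
    return hmac.compare_digest(expected.encode("utf-8"), str(stored).encode("utf-8"))


def sample_signed_record() -> dict:
    """A constructed declaration row, signed with the example key."""
    signed_at = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    record = {
        "id": "7d8a0a3e-0000-4000-8000-000000000001",       # constructed
        "user_id": "c1c6e2a0-0000-4000-8000-000000000042",  # constructed
        "declaration_version": "1.2.0",
        "status": "signed",
        "signed_at": signed_at,
    }
    record["signature_token"] = make_signature_token(
        record["user_id"], record["declaration_version"], signed_at)
    return record


if __name__ == "__main__":
    rec = sample_signed_record()
    print("stored record verifies:", verify_signature_token(rec))
    # Rewriting the version after the fact (to claim a newer template was
    # agreed to) invalidates the token.
    tampered = dict(rec, declaration_version="1.3.0")
    print("tampered record verifies:", verify_signature_token(tampered))
```

Verification runs on the stored fields alone, so it works for signed, expired and revoked rows alike; the key is the only secret, which is why it must never sit in the same table or backup as the records.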
Database Indexes
| Index | Columns |
|---|---|
| idx_confidentiality_declarations_user_id | user_id |
| idx_confidentiality_declarations_organization_id | organization_id |
| idx_confidentiality_declarations_user_org_type_status | user_id, organization_id, declaration_type, status |
| idx_confidentiality_declarations_expires_at | expires_at |
| idx_confidentiality_declarations_related_expense_id | related_expense_id |
| idx_confidentiality_declarations_status | status |
Validation Rules
| Rule | Severity | Message |
|---|---|---|
| signed_at_required_when_signed | error | Validation failed |
| expires_at_after_valid_from | error | Validation failed |
| declaration_text_snapshot_non_empty | error | Validation failed |
| declaration_version_semver | error | Validation failed |
| valid_related_expense | error | Validation failed |
| revocation_fields_consistent | error | Validation failed |
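The rules above are all reported with severity error and the generic message "Validation failed"; the page gives the rule names but not the checks behind them. The Python below is an added example, not the project's validator, implementing one reading of each rule against a plain dict row. The known_expense_ids set stands in for the expenses table lookup that valid_related_expense needs, the semver check accepts only the core major.minor.patch form shown on the page, and the sample rows are constructed.

```python
import re
from datetime import datetime, timezone

# Core semver form (major.minor.patch) only, matching the '1.2.0' style the
# entity page shows; leaving out pre-release/build suffixes is an assumption.
SEMVER_RE = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")

# Stand-in for the expenses table (constructed id).
KNOWN_EXPENSE_IDS = {"e3b0c442-0000-4000-8000-000000000099"}


def validate_declaration(record: dict, known_expense_ids: set) -> list:
    """Return the names of the rules the record fails, in the order listed on
    the page; an empty list means the record is valid."""
    failed = []
    status = record.get("status")

    # signed_at_required_when_signed
    if status == "signed" and record.get("signed_at") is None:
        failed.append("signed_at_required_when_signed")

    # expires_at_after_valid_from (valid_from defaults to signed_at)
    valid_from = record.get("valid_from") or record.get("signed_at")
    expires_at = record.get("expires_at")
    if valid_from is not None and expires_at is not None and expires_at <= valid_from:
        failed.append("expires_at_after_valid_from")

    # declaration_text_snapshot_non_empty: whitespace-only counts as empty
    if not (record.get("declaration_text_snapshot") or "").strip():
        failed.append("declaration_text_snapshot_non_empty")

    # declaration_version_semver
    if not SEMVER_RE.match(record.get("declaration_version") or ""):
        failed.append("declaration_version_semver")

    # valid_related_expense: optional FK, but when set it must resolve
    related = record.get("related_expense_id")
    if related is not None and related not in known_expense_ids:
        failed.append("valid_related_expense")

    # revocation_fields_consistent: all three present when revoked, absent otherwise
    revoked_at = record.get("revoked_at")
    revoked_by = record.get("revoked_by")
    reason = (record.get("revocation_reason") or "").strip()
    if status == "revoked":
        if revoked_at is None or revoked_by is None or not reason:
            failed.append("revocation_fields_consistent")
    elif revoked_at is not None or revoked_by is not None or reason:
        failed.append("revocation_fields_consistent")

    return failed


def good_record() -> dict:
    """A constructed, well-formed signed declaration."""
    return {
        "status": "signed",
        "signed_at": datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc),
        "valid_from": None,
        "expires_at": datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc),
        "declaration_text_snapshot": "I will keep all member information confidential.",
        "declaration_version": "1.2.0",
        "related_expense_id": "e3b0c442-0000-4000-8000-000000000099",
        "revoked_at": None,
        "revoked_by": None,
        "revocation_reason": None,
    }


def bad_record() -> dict:
    """Constructed row that trips five rules: expiry before signing, blank
    snapshot, non-semver version, dangling expense FK, revoked without reason."""
    signed_at = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    return {
        "status": "revoked",
        "signed_at": signed_at,
        "valid_from": None,
        "expires_at": datetime(2024, 1, 1, tzinfo=timezone.utc),
        "declaration_text_snapshot": "   ",
        "declaration_version": "v1.2",
        "related_expense_id": "00000000-0000-4000-8000-0000000000ff",
        "revoked_at": signed_at,
        "revoked_by": "admin-7",
        "revocation_reason": "",
    }


if __name__ == "__main__":
    print("good:", validate_declaration(good_record(), KNOWN_EXPENSE_IDS))
    print("bad: ", validate_declaration(bad_record(), KNOWN_EXPENSE_IDS))
```

Returning the failed rule names rather than a single "Validation failed" lets the API surface every problem in one round trip and lets the audit log record which rule rejected a write.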
Business Rules
sign_before_expense_submission
If an expense type requires a confidentiality declaration, the peer mentor must have an active (status=signed, not expired, not revoked) declaration of the required type before the expense can be submitted. The expense service blocks submission if no valid declaration exists.
one_active_declaration_per_type
A user may only have one active (signed, non-expired, non-revoked) declaration per declaration_type per organization at any time. Attempting to create a duplicate must either supersede the existing one or be rejected.
immutable_after_signing
Once a declaration reaches status=signed, its declaration_text_snapshot, declaration_version, signed_at, and signature_token fields are immutable. Only status, revoked_at, revoked_by, and revocation_reason may be updated afterwards.
expiry_auto_transition
Declarations whose expires_at is in the past and status is still 'signed' must be treated as expired at read time. A background job or query view transitions status to 'expired' for overdue records. Re-signing creates a new record.
revocation_requires_reason
Transitioning a declaration to status=revoked requires a non-empty revocation_reason and a valid revoked_by user ID. Revocation is an admin action and must be logged in the audit trail.
audit_log_on_state_change
Every status transition (pending→signed, signed→expired, signed→revoked) must emit an audit log entry via audit-log-service with actor, timestamp, and the declaration ID.
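The six business rules above, as an added Python example rather than the project's own service code: read-time expiry, the active-declaration lookup the expense service would make before accepting a submission, the immutability guard on signed rows, and revocation with its audit entry. The audit_sink list stands in for audit-log-service, the declaration_type value 'driver_honoraria' and the ids are constructed, and allowing revocation only from the signed state is an assumption taken from the transitions the audit rule lists.

```python
from datetime import datetime, timezone

# Fields frozen once a declaration leaves 'pending' (immutable_after_signing).
IMMUTABLE_AFTER_SIGNING = frozenset(
    {"declaration_text_snapshot", "declaration_version", "signed_at", "signature_token"})

# Fixed "now" so the example is reproducible (constructed).
EXAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def effective_status(decl: dict, now: datetime) -> str:
    """expiry_auto_transition: an overdue 'signed' row reads as 'expired' even
    before the background job has rewritten its stored status."""
    expires_at = decl.get("expires_at")
    if decl["status"] == "signed" and expires_at is not None and expires_at <= now:
        return "expired"
    return decl["status"]


def is_active(decl: dict, now: datetime) -> bool:
    """Active = signed at read time (so not expired or revoked) and valid_from reached."""
    valid_from = decl.get("valid_from") or decl.get("signed_at")
    return (effective_status(decl, now) == "signed"
            and valid_from is not None and valid_from <= now)


def find_active(declarations, user_id, organization_id, declaration_type, now):
    """Lookup behind sign_before_expense_submission. More than one hit violates
    one_active_declaration_per_type and is surfaced instead of silently chosen."""
    hits = [d for d in declarations
            if d["user_id"] == user_id and d["organization_id"] == organization_id
            and d["declaration_type"] == declaration_type and is_active(d, now)]
    if len(hits) > 1:
        raise RuntimeError("one_active_declaration_per_type violated for user %s" % user_id)
    return hits[0] if hits else None


def can_submit_expense(declarations, user_id, organization_id, required_type, now) -> bool:
    """sign_before_expense_submission; required_type is None for expense types
    that need no declaration."""
    if required_type is None:
        return True
    return find_active(declarations, user_id, organization_id, required_type, now) is not None


def apply_update(decl: dict, changes: dict, now: datetime) -> None:
    """immutable_after_signing: refuse writes to frozen fields after signing."""
    if decl["status"] != "pending":
        frozen = sorted(set(changes) & IMMUTABLE_AFTER_SIGNING)
        if frozen:
            raise PermissionError("immutable after signing: " + ", ".join(frozen))
    decl.update(changes)
    decl["updated_at"] = now


def revoke(decl: dict, admin_user_id: str, reason: str, now: datetime, audit_sink: list) -> None:
    """revocation_requires_reason plus audit_log_on_state_change. audit_sink
    stands in for audit-log-service; entries carry actor, timestamp and id."""
    if not admin_user_id:
        raise ValueError("revoked_by is required")
    if not reason or not reason.strip():
        raise ValueError("revocation_reason is required")
    # Assumption: only the signed->revoked transition listed on the page exists.
    if effective_status(decl, now) != "signed":
        raise ValueError("only a signed declaration can be revoked")
    apply_update(decl, {"status": "revoked", "revoked_at": now,
                        "revoked_by": admin_user_id,
                        "revocation_reason": reason.strip()}, now)
    audit_sink.append({"event": "signed->revoked", "actor": admin_user_id,
                       "timestamp": now, "declaration_id": decl["id"]})


def sample_declarations() -> list:
    """Two constructed rows for one mentor: a lapsed one whose stored status is
    still 'signed', and the current one."""
    common = {"user_id": "u-42", "organization_id": "org-1",
              "declaration_type": "driver_honoraria", "valid_from": None,
              "revoked_at": None, "revoked_by": None, "revocation_reason": None}
    lapsed = dict(common, id="d-1", status="signed",
                  signed_at=datetime(2023, 1, 1, tzinfo=timezone.utc),
                  expires_at=datetime(2024, 1, 1, tzinfo=timezone.utc))
    current = dict(common, id="d-2", status="signed",
                   signed_at=datetime(2024, 3, 1, tzinfo=timezone.utc),
                   expires_at=datetime(2025, 3, 1, tzinfo=timezone.utc))
    return [lapsed, current]


if __name__ == "__main__":
    decls = sample_declarations()
    log = []
    print("lapsed row reads as:", effective_status(decls[0], EXAMPLE_NOW))
    print("may submit expense:", can_submit_expense(decls, "u-42", "org-1", "driver_honoraria", EXAMPLE_NOW))
    revoke(decls[1], "admin-7", "Mentor left the programme", EXAMPLE_NOW, log)
    print("after revocation:", can_submit_expense(decls, "u-42", "org-1", "driver_honoraria", EXAMPLE_NOW), log)
```

Deciding expiry at read time is what makes the sign_before_expense_submission check safe even when the background job that rewrites status to 'expired' is late; the lapsed row above is still stored as 'signed' and is nonetheless not counted as active.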