Cursor Rules Template: GDPR DSAR with Node.js + Express + PostgreSQL
Cursor Rules Template for building a GDPR DSAR data subject request management app on a Node.js + Express + PostgreSQL stack, including deadlines, workflows, and audit logs.
Target User
Developers building GDPR DSAR management apps
Use Cases
- Handle data subject access requests (DSARs)
- Track DSAR deadlines
- Orchestrate GDPR workflows
- Audit and report data handling activities
Overview
This Cursor rules template defines a ready-to-paste .cursorrules block for building a GDPR DSAR (data subject access request) management app on a Node.js + Express + PostgreSQL stack using Sequelize. It covers DSAR intake, deadline tracking, multi-step workflows, and auditable logs, together with safe AI-assisted development patterns, and gives stack-specific guidance to keep your implementation aligned with GDPR requirements and Cursor AI best practices.
Direct answer: paste the copyable .cursorrules block below into your project root to enforce Node.js/Express/PostgreSQL rules for DSAR handling, deadlines, and auditability while guiding Cursor AI safely.
When to Use These Cursor Rules
- Building a GDPR DSAR workflow with intake, verification, and fulfillment steps
- Enforcing deadlines and SLA checks for subject requests
- Auditing state transitions and data access for compliance
- Implementing RBAC controls for data subjects, agents, and admins
- Guiding AI-generated code to adhere to stack conventions and security
- Preventing unsafe actions like mass deletes without approval
Copyable .cursorrules Configuration
# GDPR DSAR Cursor Rules for Node.js/Express/PostgreSQL with Sequelize
# Cursor Rules Template for safe AI-assisted development
framework: "node-express-postgres-sequelize"
version: "1.0"
stack: "Node.js, Express, PostgreSQL, Sequelize"

# Framework Role & Context
role: "You are a Cursor AI assistant specialized for a Node.js + Express + PostgreSQL stack. Your guidance must align with GDPR DSAR requirements, auditability, and safe AI usage."

# Code Style and Style Guides
styleGuide: "ESLint (Airbnb), Prettier, EditorConfig-compatible"
lintCommands: ["eslint 'src/**/*.js'", "prettier --write 'src/**/*.js'", "npm run test"]

# Architecture & Directory Rules
directories:
  - "src/controllers"
  - "src/routes"
  - "src/models"
  - "src/services"
  - "src/middlewares"
  - "src/utils"
  - "migrations"
  - "seeders"
  - "config"
architectureRules:
  - "MVC-like separation: controllers -> services -> models"
  - "Migrations and seeders in dedicated folders"
  - "Environment-based config via process.env"

# Authentication & Security Rules
auth:
  method: "JWT"
  audience: "dsar-api"
  roles: ["admin", "data_protection_officer", "data_subject_access"]
security:
  - "Do not log PII (names, emails, or subject identifiers)"
  - "Use parameterized queries; avoid string concatenation"
  - "Hash or tokenize sensitive identifiers at rest"
  - "Audit every DSAR state transition"

# Database and ORM patterns
database:
  orm: "Sequelize"
  migrations: true
  patterns:
    - "Use transactions for multi-step DSAR processing"
    - "RBAC data access via scopes"
    - "Avoid raw SQL; use replacements"
    - "Index DSARs, statuses, deadlines for fast lookups"

# Testing & Linting Workflows
testing:
  unit: "Jest for controllers and models"
  integration: "SuperTest for endpoints"
ci:
  workflow: "GitHub Actions: Node.js 20"

# Prohibited Actions and Anti-patterns
antiPatterns:
  - "Do not bypass authorization checks"
  - "Do not log PII in production"
  - "Do not hard-code deadlines or secrets"
  - "Do not perform bulk deletions without explicit approval"
  - "Do not bypass ORM protections or rely on string-building for queries"
Recommended Project Structure
project-root/
  src/
    controllers/
    routes/
    models/
    services/
    middlewares/
    utils/
  migrations/
  seeders/
  config/
  tests/
  .env.example
  package.json
Core Engineering Principles
- Security-first by default: minimize data exposure and enforce RBAC
- GDPR-aligned data handling with complete audit trails
- Declarative Cursor AI rules that are easy to review and test
- Idempotent operations and explicit side-effect boundaries
- Clear separation of concerns across controllers, services, and models
- Observability through structured logging and metrics
Code Construction Rules
- Controllers must validate input with DTOs; do not trust client data
- Use Sequelize transactions for DSAR state transitions (open → in_review → fulfilled)
- All database access must use parameterized queries or ORM methods; no string concatenation
- Significant actions (approval, denial, export) must emit an audit log entry
- Authentication must rely on JWTs with short expiry and token rotation
- Environment-sensitive behavior via config, not hard-coded values
- Tests must cover happy and edge cases for DSAR lifecycle
- Do not implement business logic in hooks that bypass controllers
Security and Production Rules
- Use HTTPS in all production deployments; enable HSTS
- Store secrets in a vault or environment manager; never commit them
- Mask or tokenize PII in logs and analytics
- Enforce CSRF protection for state-changing endpoints if using cookies
- Audit, rotate, and monitor JWT signing keys and access controls
- Implement server-side rate limiting and robust input validation
Testing Checklist
- Unit tests for controllers, services, and models with mocked DB calls
- Integration tests for DSAR intake, workflow transitions, and deadline checks
- End-to-end tests for DSAR creation, processing, and export paths
- Linting and formatting checks in CI; run npm test locally
- Security checks for input validation and no sensitive data exposure
Common Mistakes to Avoid
- Storing or logging PII in plain text
- Skipping input validation or using unsafe query construction
- Over-sharing DSAR data across roles beyond their authorized scope
- Relying on client-side checks for security decisions
- Ignoring audit log completeness during state changes
FAQ
What is a .cursorrules configuration?
A .cursorrules configuration is an instruction block that tells Cursor AI how to generate and review code for a specific stack. This template provides a ready-to-paste configuration for a GDPR DSAR app built with Node.js, Express, PostgreSQL, and Sequelize.
Does this template target Node.js/Express with PostgreSQL?
Yes. The included rules emphasize Sequelize ORM usage, Express route handlers, and PostgreSQL data modeling for DSAR workflows and audit trails.
How do I run the DSAR workflow safely?
Follow the provided project structure, use the included DTOs for input validation, wrap multi-step operations in transactions, and rely on the audit log entries to verify each state transition.
How are deadlines enforced in this template?
Deadlines are modeled as date fields with status transitions managed by a central service. AI guidance ensures SLA checks trigger notifications and workflow progress without bypassing authorization.
How are audit logs stored and retrieved?
Audit logs are stored in dedicated tables with subject IDs, action types, timestamps, and actor roles. They are queryable by DSAR ID, status, and deadline events for compliance reporting.