# Risk Compliance Domain Boundary ## Purpose Risk and compliance workflows for data protection incidents, DPIAs, compliance controls, audit measures, risk registers, and internal-control evidence. ## Owns - risk registers - compliance controls - DPIA records - data protection incident records - audit measures - internal-control evidence ## Does Not Own - immutable audit log storage - records retention engine - inspection fieldwork ## Integration Candidates - audit - policy - records - inspections - files - tasks - notifications ## Seed State The current repository state is intentionally small: - module manifest and entry point - tenant-level permission definitions - manager and viewer role templates - documentation topic describing the module boundary - Gitea issue workflow templates - manifest contract test No runtime API, database model, migration, WebUI route, or navigation item is registered yet. The first implementation slice should preserve the boundary above and only add user-visible surfaces once the workflow model is clear. ## First Implementation Slice Define risk register, control, evidence, DPIA, incident, measure, and review-cycle concepts.