**Owner-only.** Open /settings/account and click "Download workspace as ZIP" in the "Export this workspace" section. Kodori streams a single zip containing:
- **`documents/`** — every readable document (one file per record). Permission-trimmed via the same canReadDocument gate the search index uses, so even an owner's export excludes records they have an explicit deny on. Filenames are deduplicated (`Smith.docx`, `Smith (2).docx`) and MIME-derived extensions are appended when the display name doesn't carry one. - **`documents.csv`** — manifest mapping each archive filename to its document id, MIME type, sensitivity, version hash, and created-at. - **`collections.json`** — every collection's metadata + per-collection memberships. - **`retention-classes.json`** — retention class definitions. - **`legal-holds.json`** — legal holds + bound subjects (subjects are kept on hold rows even after release as audit evidence). - **`members.json`** — workspace members (id / email / role). - **`audit-log.json`** — full hash-chained event log, verbatim. An external verifier can re-run SHA-256 against the canonicalized event payload to prove tamper-evidence offline. - **`agent-conversations.json`** — your own agent conversations only (per-user persistence — the export doesn't dump teammates' chats). - **`manifest.json`** — top-level summary, counts per artifact, and truncation flags. - **`README.txt`** — describes the layout and walks through the audit-chain verification procedure.
Caps: 1000 documents · 5 GB total bytes · 100k audit events. The manifest flags any cap that tripped — a script can resume against the public REST API to pick up where the sync export stopped. We chose deterministic caps over an unbounded stream because Vercel's 300-second function timeout makes any unbounded export a roulette wheel for "did it finish?"
Drives three use cases:
1. **GDPR Article 20** — a tenant owner can hand a customer their full bundle without our involvement. The permission-trim + audit log shape fit the regulatory definition of "structured, commonly used, machine-readable format." 2. **Pre-migration backup** — leaving Kodori shouldn't be hard. The CSV + JSON layout makes it straightforward to import into another system. 3. **SOC 2 / 21 CFR Part 11 evidence handoff** — auditors love a manifest.json. The hash-chained audit log is the strongest tamper-evidence claim Kodori has, and it travels intact in the export.
Other members who want their personal data have per-user surfaces: the agent drawer's conversation export (Markdown), the audit CSV export, and the per-collection export all run for any member regardless of role.