GDPR
[ aligned ] EU data protection — aligned by architecture
[ what it actually means ]
The GDPR is not a certification — there is no official 'GDPR certified' stamp, and any vendor claiming one is selling you something. It is a legal regime: lawful basis for every processing activity, enforceable rights for the people whose data is processed, and real obligations on us as both controller and processor. 'Aligned' is the honest word for our status: we run the practices the regulation requires and our DPA reflects them, but alignment is a continuous obligation, not a finish line we have crossed.
[ our posture ]
Rights are product features, not request forms
Access, export, correction, and deletion are built into the product. Export is a button, deletion completes within 30 days, and neither requires a support negotiation — which is also our reading of the regulation's spirit, not just its letter.
A DPA with Standard Contractual Clauses
Our data processing agreement incorporates the EU Standard Contractual Clauses for transfers outside the EEA and lists every subprocessor with purpose and region. It is public at /legal/dpa, not gated behind a sales call.
Data minimization enforced by the trust kernel
The kernel's task-scoped reads are data minimization implemented as architecture: the system cannot read more than the task requires, which is a stronger position than promising not to.
Records of processing, kept current
We maintain Article 30 records of processing activities and review them when the product changes, not when a regulator asks. Breach notification commitments — 72 hours to authorities where required — are written into our incident-response runbook.
[ request documentation ]
Our DPA, subprocessor list, and a summary of our records of processing are available on request; the DPA is also public at /legal/dpa.