EU/EEA · Regulation 2016/679

GDPR with the accountability principle built in.

99 articles, 173 recitals, one platform. Notice, lawful basis, principal rights, transfers, and breach reporting — running from the same control library auditors and supervisory authorities trust.

Article 5 · Principles

Seven principles, six articles, one accountability obligation

The platform makes Article 5(2) demonstrable — every principle has a control, an owner, and live evidence.

Art 5(1)(a)

Lawfulness, fairness, transparency

Notice obligations and a defensible legal basis for every purpose.

Art 5(1)(b)

Purpose limitation

Stated purpose at collection, no incompatible secondary use.

Art 5(1)(c)

Data minimisation

Only what is necessary. Audited via field-level mapping.

Art 5(1)(d)

Accuracy

Mechanisms to keep personal data current and correctable.

Art 5(1)(e)

Storage limitation

Retention rules per category, automated tombstoning.

Art 5(1)(f)

Integrity & confidentiality

Security measures appropriate to risk — Article 32.

Art 5(2)

Accountability

Documentation that proves you operate under (1)(a)–(f).

Chapter III · Rights of the data subject

Eight rights, eight workflows

Each right has an SLA (typically one calendar month, extensible to three) and a fulfilment trail.

Art 15

Access

Art 16

Rectification

Art 17

Erasure

Art 18

Restriction

Art 19

Notification

Art 20

Portability

Art 21

Object

Art 22

Auto-decision

Chapter V · International transfers

Pick the right mechanism. Document the assessment. Audit the change.

Mechanism | Scope | Typical trigger
--- | --- | ---
Adequacy decision | Approved third country list | Default — when listed by Commission
Standard Contractual Clauses | Module 1–4 per controller / processor relationship | Most common SaaS path
Binding Corporate Rules | Intra-group, requires DPA approval | Group multinationals
Derogations · Art 49 | Limited and exceptional | Last resort only

Articles 33–34 · Breach notification

72-hour decision, documented end to end

T+0

Detection

Automatic incident from SIEM, IDS, or fiduciary triggers

T+24

Assessment

Severity, data classes, risk to data subjects

T+48

DPO review

Notifiability decision, drafting of communications

T+72

Notification

Supervisory authority — Article 33

T+>72

Communication

Data subjects when high-risk — Article 34

Demonstrable accountability — not slideware

Run RoPA, DSAR, transfers, and breach decisions on one operational graph supervisory authorities recognize.