G8KEPR implements the technical controls required by the GDPR Security Rule. We provide a Data Processing Agreement, Standard Contractual Clauses for EU data transfers, and full data subject rights tooling.
What our 90% readiness score means. G8KEPR covers the technical controls for most GDPR articles and will sign a DPA and SCCs before your deployment processes EU personal data. Two articles are partially implemented: Art. 17 (individual DSAR erasure pipeline in progress) and Art. 25 (Privacy by Design documentation in progress). We are not formally audited by a third-party GDPR assessor. The 90% score is based on internal controls tracking.
The articles most relevant to a data processor running an AI gateway. Status is based on actual implementation, not aspirational roadmap.
Art. 5: Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity are all enforced at the API layer.
Art. 6: Consent flows, legitimate interests assessment, and contractual necessity are captured per-request via the consent management API.
Art. 17: Organisation-level erasure is fully implemented (tenant delete + cascade). Individual DSAR erasure requests are accepted and tracked; the full async purge pipeline is in progress.
Art. 20: GDPR Art. 20-compatible export in structured JSON and CSV. All user-provided data and derived decisions are included.
Art. 22: 97% coverage. logic_involved + significance_and_consequences fields on all AI decision responses; /explainability endpoint + regulator-ready export bundle.
Art. 25: Row-Level Security, data minimisation headers, and field-level encryption are in place. Formal PbD documentation and DPIA templates are in progress.
Art. 30: Full RoPA API: create, update, export for regulators. Fields: purposes, lawful basis, data categories, recipients, third-country transfers, retention period.
Art. 32: AES-256 at rest, TLS 1.3 in transit, pseudonymisation, access controls, audit logging, and incident response procedures all documented and enforced.
Article 22 is the hardest GDPR article for AI systems to satisfy — it requires meaningful explanation of automated decisions that significantly affect people. G8KEPR implements this at the API response level, not just as an audit log.
Every AI decision response includes a structured explanation of which rules, models, or thresholds triggered the outcome.
Human-readable description of what the decision means for the affected individual — required by Art. 22(2)(b).
GET /api/decisions/{id}/explain returns the full decision audit trail in a format designed for DPOs and regulators.
Signed, tamper-proof export package for supervisory authority requests. Includes decision logic, input data, and outcome.
DSARs accepted via API and compliance dashboard. Response timeline tracked against 30-day statutory deadline.
Data correction requests routed to the owning system. Audit trail records who changed what and when.
Org-level cascade delete is fully implemented. Individual-level async purge pipeline in progress — stubs exist, full execution not yet deployed.
Structured JSON/CSV export of all personal data. Machine-readable, includes AI decision history.
Objection to automated profiling is honoured via the /opt-out endpoint. Consent withdrawal stops processing immediately.
97% coverage. Every AI-generated decision includes a human-readable explanation and a structured regulator export.
A DPA is required under Art. 28 before G8KEPR processes personal data on your behalf. It documents the subject matter, duration, nature, and purpose of the processing. Typical turnaround is 1–2 business days.
Contact us and tell us which personal data categories your deployment will process and the lawful basis.
We confirm processing activities, sub-processors, data transfers, and retention periods. We list all sub-processors upfront.
Sign electronically. If you are transferring data outside the EU/EEA, EU Standard Contractual Clauses (Module 2 — controller to processor) are attached automatically.
Appropriate security of processing
RoPA API — regulator-exportable
Export via the compliance dashboard or API in JSON/CSV. Signed for regulator submission.
72-hour SA notification obligation
The right to erasure is one of the most technically complex GDPR rights for AI systems. G8KEPR has implemented the parts that cover most use cases, and is actively building the remainder.
Full organisation + all tenant data deleted on request. Immediate, synchronous, irreversible.
POST /gdpr/dsar/erasure creates a tracked request with deadline calculation and audit trail.
Async pipeline to purge a specific data subject across all tables. Stubs exist; full execution in progress.
Removal of a data subject from AI model training sets. Stub endpoint exists; full retraining-free erasure pipeline is not yet built.
Keep data in the EU — self-hosted or cloud
Self-hosted G8KEPR runs in any region you choose. Deploy in Frankfurt, Amsterdam, or Dublin and personal data never crosses EU borders. No Chapter V transfer mechanisms needed.
We will walk you through the processing activities, sign the DPA with SCCs, and help you configure data residency and retention before you go live.