GDPR
EU General Data Protection Regulation — how Scrydon supports controllers and processors on lawful basis, minimisation, retention, and the data-subject rights.
The General Data Protection Regulation (Regulation 2016/679) governs the processing of personal data in the European Union. This page covers Scrydon's GDPR-relevant controls.
In a typical Scrydon deployment, you are the controller for the personal data your organisation processes through the platform; Scrydon (the vendor) is not a processor of your data because the platform runs in your cluster and Scrydon has no access to it. This is the architectural reason "data sovereignty" maps so directly to GDPR.
Key principles → platform support
Article 5 — Principles
| Principle | Scrydon support |
|---|---|
| Lawfulness, fairness, transparency | Per-workflow disclosure (intended purpose, data sources). User-facing AI disclosure on chat. |
| Purpose limitation | Workflow definition declares purpose; deviation triggers a change-management event. |
| Data minimisation | Column masking, row filters. Process only what the workflow needs. See Classification & masking. |
| Accuracy | Managed-table profiles, evaluator block, ontology provenance. |
| Storage limitation | Configurable retention per organisation. |
| Integrity & confidentiality | mTLS, encryption at rest, audit. See Security. |
| Accountability | The whole audit + governance posture. |
Article 6 — Lawful basis
The platform doesn't determine your lawful basis — that's a legal question for the controller. It does help you record and enforce one:
- Consent: a consent capture flow can be wired into workflows that handle personal data.
- Legitimate interest: documented per-workflow as part of the AI governance impact assessment.
- Contract / legal obligation: documented in workflow metadata.
Article 9 — Special categories
Special-category data (health, biometric, political opinion, …) gets restricted classification by default and a redact mask strategy for non-admin readers. Workflows that process special-category data require an explicit override and are flagged in the AI inventory.
Data-subject rights
GDPR grants data subjects rights you have to honour. The platform supports the technical side:
| Right | Scrydon support |
|---|---|
| Article 15 — Right to access | Per-org export of personal data: workflows, knowledge-base documents, managed-table rows, audit events tied to a subject. |
| Article 16 — Rectification | Standard write operations on managed tables and knowledge-base documents. |
| Article 17 — Right to erasure | Per-subject erase across managed tables, knowledge base, chat history, audit metadata (the event remains but the subject reference is hashed). |
| Article 18 — Restriction | Mark a record for restriction; it's excluded from query results until lifted. |
| Article 20 — Portability | Structured export (JSON / CSV) of all personal data tied to a subject. |
| Article 21 — Objection | Workflow runs against an opted-out subject are blocked at execution time. |
The data-subject-request UI is at Settings → Platform → Privacy.
Retention
The default retention windows are conservative:
| Data type | Default | Rationale |
|---|---|---|
| Audit events | 365 days | Aligns with SOC 2, extendable for financial-services compliance |
| Workflow run logs | 90 days | Operational debugging window |
| Chat history | 365 days | User expectation |
| Knowledge-base documents | indefinite | Controlled by user delete |
| Managed-table rows | indefinite | Controlled by table delete |
All windows are configurable per organisation. Decreasing the audit retention requires org-owner approval and only affects new events.
International transfers
If your installed integrations call cloud vendors outside the EU (OpenAI in the US, for example), those are international transfers. The platform makes this explicit:
- The vendor catalogue declares each integration's data-residency profile.
- Org admins can restrict the integration registry to EU-only or self-hosted providers.
- An audit event is emitted on every transfer-relevant call (LLM call to a cross-border vendor).
See Cortex for routing controls.
Data Processing Agreement (DPA)
Scrydon publishes a DPA at https://scrydon.com/legal/dpa. For a customer-deployed platform where Scrydon has no access to your data, the DPA primarily covers:
- The licensing relationship.
- The support relationship (when Scrydon support engineers help debug, they don't have access to your cluster).
- The phone-home heartbeat (no personal data flows).
Related
- Classification & masking — the data-minimisation controls.
- Audit logging — how requests are evidenced.
- Compliance → EU AI Act — applies in parallel to GDPR for AI systems.